In a recent decision, the Icelandic Data Protection Authority (DPA), Persónuvernd, upheld the legitimate interest of companies sending customer satisfaction surveys and cross-referencing caller information. The case involved the insurance company VÍS and one of its customers and addressed whether a data controller could lawfully cross-check a (anonymous) caller’s phone number with its customer database […]
GDPR
Biometric Data and GDPR Compliance – a Case Analysis
The growing use of biometric systems in workplaces has brought new challenges for data protection, especially with the General Data Protection Regulation (GDPR) in Europe. A recent case in Belgium highlights these issues after a company introduced a fingerprint-based time-tracking system without properly adhering to GDPR rules. Facts In 2020, a Belgian company began using […]
The landscape of online proctoring and the intersection of GDPR and US laws
With the rise of remote learning, online proctoring – used to ensure academic integrity during virtual exams – has become widely adopted by schools and universities across the U.S. These tools use methods like identity verification, video and audio monitoring, eye-tracking, and even AI-based behavioral analysis. As this technology proliferates, concerns about how such software […]
Navigating Employee Email Privacy: Lessons from a recent Fine by Italy’s DPA
The Italian Data Protection Authority (Garante) recently imposed a significant fine of 80,000 euros on a company, for mishandling a sales agent’s email data, highlighting once again the challenges and complexities of managing employee data, in particular when access to employees’ emails is required. The issue arose when the company used a backup of the […]
Unsolicited Email Marketing – Ensuring compliance worldwide
In today’s interconnected world, businesses increasingly depend on email marketing to effectively expand and engage their international customer base. However, when sending unsolicited emails internationally, balancing data protection obligations and the requirements of local laws is crucial for maintaining compliance. This article delves into best practices, outlines the most appropriate legal bases, and examines the […]
CJEU Broadens Definition of Health Data in Pivotal GDPR Ruling
The Court of Justice of the European Union (CJEU) has recently issued a landmark decision (C-21/23 “Lindenapotheke”) that expands the interpretation of what constitutes health data under the General Data Protection Regulation (GDPR). This ruling has significant implications for businesses, especially those involved in the sale of medicinal products online. A Wider Scope of Health […]
Legitimate Interest: new CJEU ruling challenges Dutch Authority’s strict interpretation
On October 4, 2024, the Court of Justice of the European Union (CJEU) issued a ruling in the case C-621/22, addressing whether purely commercial interests can qualify as a legitimate interest for processing personal data under Article 6 para. 1 lit. f of the General Data Protection Regulation (GDPR). This decision challenges the strict stance […]
Can Legitimate Interest Be Used to Train an AI Model? noyb Disagrees
In August 2024, the European Center for Digital Rights (noyb), co-founded by privacy advocate Max Schrems, filed a series of complaints against X (formerly Twitter), the social media platform owned by Elon Musk. The nine complaints, lodged in nine different countries, focus on X’s use of personal data to train its Artificial Intelligence (AI) technologies. […]
GDPR Breach due to Health Data Leak results in 80,000 euro fine for Private Clinic
A private clinic specializing in assisted reproductive technology (ART), experienced a significant data breach due to a cyberattack. The breach compromised the personal data of approximately 400 individuals, including patients and employees. The affected data included identity, contact information, financial details, and sensitive health and genetic information. Even though the breach was detected on 21 […]
PIAs and DPIAs: A Two-Step Process to GDPR Compliance
If you work in a company in the European Union or the UK you have probably heard your fair share about data protection. From HR to Sales, personal data infiltrates almost every aspect of a company. One of the biggest tasks under the General Data Protection Regulation (GDPR) is collecting all the information required and […]
Italian Data Protection Authority imposed the highest fine so far on electricity provider
Telemarketing activities and aggressive practices against the consumers are again in the spotlight of the Italian Data Protection Authority (Garante), that imposed the highest fine ever on the Italian electricity provider Enel Energia. It is unfortunately very common that Italian consumers are harassed by unwanted telephone calls from marketing agencies proposing contracts for different services […]
Groeiende Relevantie AVG en Recordboetes in 2023
Volgens de Financial Times zijn de boetes onder de Algemene Verordening Gegevensbescherming (AVG) in het jaar 2023 met bijna 40 procent gestegen. Toezichthouders van Europese landen hebben vorig jaar een stuk strenger gehandhaafd en leggen steeds vaker druk op bedrijven en instanties. Uit onderzoek van DLA Piper is gebleken dat grote tech- en social mediabedrijven […]
Privacy and AI: Schufa algorithm condemned by the CJEU
In December 2023, the Court of Justice of the European Union (CJEU) issued Judgement C-634/21 on the Schufa case. This landmark ruling is set to shape the GDPR-friendly approach to future AI-based businesses. At a pivotal moment where AI takes center stage in the European Institutions’ agenda, with efforts towards the adoption of the renowned […]
Seven days to retain metadata – legal and business impacts of the Italian DPA decision
Indiscriminate and unrestricted retention of employee data (especially their emails) is a common yet dangerous violation of the GDPR that undermines workers‘ rights from multiple perspectives. But how far can GDPR compliance go without excessively hindering business needs and interests? This is the question behind one of the most recent (and discussed) decisions of the […]
Controlling Working Times and Attendance via the Processing of Biometric Data: Guidelines by the Spanish DPA
In November 2023, the Spanish data protection authority (AEPD) unveiled new guidelines regarding the use of biometric data in the workplace to ensure companies’ compliance with data protection laws while implementing attendance control systems such as fingerprint scanners. Let’s take a look at what it says. Understanding Biometric Data Biometric data, like fingerprints, retina scans, […]