You may have heard of the California Consumer Protection Act (CCPA) which entered into effect at the beginning of this year. You can find more information here. In the state ballot in November 2020, Californians will be asked to decide the fate of another new privacy law, the California Privacy Rights Act (CPRA). The proposition […]
Are portable body temperature cameras GDPR compliant?
According to the French Conseil d’Etat: No! In order to combat Covid-19, the French municipality of Lisses installed one fixed thermal camera in a municipal building that was able to report excessive body temperatures. Additionally, several portable thermal cameras were entrusted to municipal officials who at the entrance of schools could measure excessive temperatures of […]
The CJEU rules in favour of Schrems and invalidates Privacy Shield Decision
In a landmark ruling (‘Data Protection Commissioner v Facebook Ireland and Maximilian Schrems’)[1], the CJEU invalidated the Privacy Shield Decision[2], whereby the Commission had determined that the United States ensured an adequate level of protection for personal data transferred from the Union to organisations in the US. Many organisations involved in transborder data transactions will […]
Is it a duty to notify the Supervisory Authorities of the appointment of the Data Protection Officer under the GDPR?
The General Data Protection Regulation (GDPR) in article 37.2 mentions the possibility of appointing a Data Protection Officer (DPO) for a business group, provided that the DPO is accessible from each establishment. This article has led to the conclusion that by appointing a DPO for the group the obligation is met. However, it is relevant […]
USA: Email marketing rules under the CAN-SPAM Act
There exists a misconception across Europe that the USA does not have any state laws enacted which protect consumer rights and privacy of consumers. The European Commission has enacted a very powerful tool with the implementation and development of the GDPR, which sometimes makes us reconsider other countries’ rules. The USA has a wide range […]
Right to deletion? Dutch Court: Not if overriding interests exist!
The Dutch Arnhem-Leeuwarden Court of Appeal (hereinafter “Court”) seems to give insights into what amounts to an overriding interest according to Art. 21 para. 1 GDPR, when considering the right to deletion according to Art. 17 para. 1 lit. c GDPR (see here). Facts: The data subject who works as an accountant had provided false information […]
Belgian DPA issues €50.000 fine on an Organisation for non-compliance with GDPR DPO appointment procedure
The Organisation (defendant) designated their Head of Compliance, Risk and Audit as their Data Protection Officer (DPO). The DPA ruled that in doing so, the Organisation violated art. 38(6) GDPR which requires that any tasks of the data protection officer do not result in a conflict of interest. According to the defendant, no conflict of […]
Perfect time to „phish“
The uncertainty caused by COVID 19 has led to a marked increase in so-called ‚phishing attacks‘ by cyber criminals. Phishing is commonly used as the first step in cyber-attacks and is amongst the most prominent causes of data breaches and security incidents for both targeted and opportunistic attacks. Therefore, we would like to […]
Belgian DPA requires small companies using CCTV to maintain a record of processing activity
The APD/GBA (Belgian DPA) in April 2020 decided upon a complaint made in September 2018 with the authority.[1] The affected person claimed that he was filmed by CCTV of a store while walking outside on the sidewalk. The DPA investigated the complaint and requested from the store owner what can be expected: Storage period of […]
Dutch DPA imposes fine on company using fingerprint technology for attendance and time registration
The Autoriteit Persoonsgegevens, Dutch data protection authority, imposed a fine on a company, which relied on scanning their employees’ fingerprints for attendance and time registration.[1] Facts in a nutshell In the case at hand, the respective company introduced the new fingerprint system in order to reduce the fraudulent abuse of the previous attendance and time […]
COVID-19 – New Guidelines on the processing of health data for scientific research
On 21st April 2020, the European Data Protection Board (EDPB) released new guidelines. As a preliminary remark, the EDPB sees that “there are currently great scientific research efforts in the fight against SARS-CoV-2”, which should lead to research results as soon as possible. At the same time, there are legal questions regarding the processing of […]
Dutch Data Protection Authority publishes Decision Aid for Video calling Apps
As a result of the ongoing corona crisis, a lot of companies, as well as private individuals, have increasingly been making use of video calling applications. The Dutch Data Protection Authority (AP) received many questions on how privacy-compliant these apps are and has analysed the 13 most commonly used apps, in particular, their privacy aspects. […]
The Marketing Guide to the GDPR- Video Series
We are proud to present the first chapter of 4 whiteboard videos that focus on the most common issues faced by Marketing Departments regarding GDPR obligations. “The Marketing Guide to the GDPR” contains relatable and comprehensible examples that allow for the viewer to grasp a very broad overview of the impact of personal data in […]
Should we copy the South Korean model of fighting Covid-19?
Covid-19 is spreading rapidly across Europe right now with rising case counts and deaths, especially in Spain and Italy. As a result, many countries have enforced lockdowns and closed their borders to mitigate a further spreading of the virus. Inevitably, these measures are prone to detrimentally affect the economy and our mental health. The Regional […]
Fine imposed on Royal Dutch Lawn Tennis Association for non-compliance with GDPR
Following a two-year long investigation, the Dutch Data Protection Authority (AP) has issued a fine of 525.000€ on the Royal Dutch Lawn Tennis Association (KNLTB) for selling personal data of its members to third parties. Which data was sold? KNLTB sold personal data of a few hundred thousand of its members to two sponsors in […]