A list of duties of the Data Processor under the upcoming EU GDPR, like:
- adoption of security measures (encrypting data, ensuring data is not lost in incidents, plus testing/assessing security)
- ban on adopting a sub-processor
- reporting a data breach within 72 hours
- adoption of a processing register in which to report systematically processed data
Nice piece from the Netherlands on cookies.
(i) is necessary to carry out communication,
(ii) is necessary for the service requested by the visitor, or
(iii) is used to obtain information about the quality or effectiveness of the service under the additional condition that this has no or very limited privacy impact. It therefore depends on the nature and purpose of the technique used.
A refresher on the upcoming EU GDPR.
Clients from CE are already looking into it.
In this case, various employees took part in a group conversation via WhatsApp in which they complained about their employer's salary policy and working conditions.
One of these employees shared the conversation with the employer, which, in turn, fired the complaining employee (alleging the trust tie was broken) and issued a warning for the notifier.
The court ruled that the conversation took place outside working time and did not affect their performance.
Therefore, the employer had no justified reason to hold such a chat, which had also been obtained illegally, in breach of the applicable privacy law.
Another nice reminder from The Netherlands on the upcoming EU GDPR with examples of safety measures:
- encrypting data,
- considering the quality of the services and systems in which processing takes place,
- ensuring that data cannot be permanently lost in an incident, and
- testing and evaluating the security
The Netherlands: a nice reminder about the upcoming EU GDPR.
- A question mark must be available and clickable to show more information about what is happening to the personal data,
- Instead of the common “If you do not accept the cookies, some parts of the website will work less well.”, specify which parts you are talking about,
- Replace “for example” and “among others” with specific data,
- Clearly indicate what the result of a lack of consent is. E.g., in a navigation app, by switching their location off, users can't pinpoint the route in real time anymore.
A three-day programme from DLA Piper in Paris for DPOs.
Collection of such personal data is on the rise, especially at platforms and tech companies like Facebook and Apple.
Cases and legislation are increasing too; companies are therefore advised to keep an eye on it.
The case in this article turns on (among other points) whether the collection of biometric data from photos stored online falls within the scope of the Illinois law.
Watch out: similar legislation is currently enacted in Texas and Illinois, and similar legislation is being discussed in New Hampshire, Connecticut, Alaska, Montana and Michigan.
UK: A new draft Bill allows for exceptions to the upcoming EU GDPR law:
- by journalists, where necessary for freedom of expression,
- by museums and universities, where necessary for scientific and historical research purposes,
- by national anti-doping organisations to tackle drug cheating,
- by financial services bodies suspecting terrorist financing or money laundering,
- regarding criminal conviction data, by employers where this is necessary to fulfil their obligations under employment law,
- regarding child protection,
- in order to prevent and detect fraud