The GDPR that stole communion…

Some schools in Ireland have been banning photographs at communion, citing GDPR.

The Irish Data Protection Commission clarified in a guidance titled “Taking Photos at School Events: Where Common Sense Comes Into Play” that this is not mandated by GDPR.

  • Taking a photo in public is generally fine; it’s what you do with that photo that can potentially become a data protection issue.
  • If a school is seeks consent from a parent or guardian to photograph their child at school events, the school should provide a clear and accurate account of the types of school events that photographs will be taken at, what these photos are going to be used for and by whom, where these photos are going to appear and how long they will be kept. Parents/guardians should be told they have a right to withdraw their consent at any time.
  • Schools may find it easier to request this consent from parents/guardians at the beginning of each school term or year.
  • GDPR does not apply to parents taking photos of kids as a memento, even if they subsequently post them on social media. If you post a picture that includes another child, take it down if requested by the child’s parent.

Read the full text of the guidance.

The “data lemon,” a company you acquire without sufficient data protection due diligence that turns out to be rife with issues, is really more like “data lemon ice cream.” Once it melts, and you uncover a serious breach, it will not return to its original state again.

Read the Harvard Business Review’s take on the importance of thorough data security due diligence in mergers and acquisitions.

The Dutch Data Protection Authority makes six recommendations on drafting your data protection policy, based on its audits of privacy policies of blood banks, IVF clinics and political parties.

A good data protection policy shows the individuals and the Supervisory Authority that it complies with GDPR.

Three mandatory components were examined:

  • a description of the (categories of) personal data
  • a description of the purposes of data processing
  • the rights of data subjects.


  • Assess whether you are required to have a written data protection policy. Even if not required, a data protection policy is recommended.
  • Use internal and / or external expertise.
  • Record the policy in one document; prevent fragmentation of information in a privacy statement, a processing register and a policy.
  • Be specific and describe how you implement the GDPR principles in practice. Repeating standards from the GDPR is not enough.
  • Make the policy known; Though not required, publication of the data protection policy is recommended. But beware of including confidential details on your information security.

Read the full text.

“Rather than view data protection as a box-ticking exercise, it should be a key priority and integrated into every aspect of the business to ensure comprehensive coverage and consistency.”

“Regulation can only go so far – if businesses focus on best practices for cybersecurity, data protection and combine this with compliance they will be giving themselves the best chance of business success, whilst protecting their customers and their data.”

Businesses “should strive to have an open dialogue with their customers to educate them on how their data is being used and ultimately protected. A continuous commitment to this approach will go far in maintaining trust and bolstering reputation, even if an incident occurs.”

Read the full article in TechRadar from Webroot’s Matthew Aldridge.

“I have long advocated for privacy protections that include the principles of knowledge, notice and the right to say ‘no’ to companies that want our information. But it is increasingly clear that a true 21st-century comprehensive privacy bill must do more than simply enshrine notice and consent standards,” said Sen. Edward Markey (D-Mass.), the author of the Privacy Bill of Rights Act.

Markey said the bill was crafted in response to the continuing number of data breaches and “revelations about myriad companies sharing consumers’ personal information without their consent.” The bill would create rules that stop companies from using Americans’ information in discriminatory ways and would require companies to “protect and secure” personal information they have, according to Markey.

It also aims to make sure companies only collect personal information on consumers to provide specific requested services. The Privacy Bill of Rights Act would also allow for Americans to bring a “private right of action” to bring lawsuits against companies that violate the bill’s rules.

Details from the Daily Dot.

The French Data Protection Agency CNIL received 11,077 complaints in 2018, up 32.5 percent compared to 2017.

Other highlights from the CNIL 2018 report

  • CNIL carried out 310 investigations in 2018, of which 204 were onsite, 51 online and 51 on the basis of documentation.
  • 49 orders were adopted in 2018, of which five were in the insurance sector; and four concerned companies specialized in advertising targeting via a technology (Software Development Kit) installed in mobile applications.

Areas of focus for 2019:

  • data subject rights
  • sharing of responsibilities between processors and subcontractors
  • data of children

Read the report from CNIL.

“What my bill aims to do is to provide a little bit more regulation, a little bit more oversight, into the information that is being collected on us, about us, every single day without our knowledge — a lot of times without our permission — and is being used in ways that can negatively affect our credit scores, our health insurance premiums, or car insurance premiums, and even what kind of cars and hotels you’ll be able to get into,” said Rep. Giovanni Capriglione, R-Texas, author of the the Texas Privacy Protection Act (HB 4390).

He made the remarks in a public hearing held by the Texas House Committee on Business and Industry on House Bill 4390, also known as the Texas Privacy Protection Act, and House Bill 4518, also known as the Texas Consumer Privacy Act.

At the hearing, Michelle Beckley, D-Texas, raised concerns that federal legislation could take too long, stating that “right now, [federal legislation] seems like it’s just an idea, whereas we have something we can vote on. Beckley also added that states adopting their own data privacy laws could be the very thing that leads to a single national framework.

Details from the International Association of Privacy Professionals

“Where the sponsor processes personal data of data subjects in the EU, including in the context of managing the clinical trial, GDPR is fully applicable, including the obligation to designate a representative in the EU.”

The European Commission has updated FAQs on the interplay between the forthcoming Clinical Trials Regulation (CTR) and GDPR.

Key Takeaways:

  • Each trial subject should receive information related to the clinical trial as required by the CTR as well as GDPR. Sponsors may need to provide, where necessary, additional information to the data subject participating in the ongoing clinical trials.
  • The processing of personal data in the context of clinical trials can be considered as necessary for the performance of a task carried out in the public interest when the conduct of clinical trials directly falls within the mandate, missions and tasks vested in a public or private body by Union or national law.
  • In other cases, the legal basis may be the legitimate interest of the sponsor or the subject’s consent.
  • The GDPR rules on cross border transfer apply when EU entities transfer personal data to non-EU entities in the context of a trial.

Read the complete FAQ.

The “agree button is one of the biggest lies on the internet. This is not consent. This is not notice,” said U.K. Information Commissioner’s Office Executive Director for Technology Policy and Innovation Simon McDougall.

People are now living in an “age of unhappiness” and are not feeling empowered, says McDougall. With large tech companies, the balance of power has shifted, and “people are feeling unhappy about that.”

“But at the same time… people are still using their devices because they don’t feel like they have a choice,” and “acquiescence does not equal trust.” The digital economy is heading toward a crisis point. “There’s an express train heading toward the privacy community. If we don’t react, we will reap the consequences.

Full details from the IAPP.

The European Data Protection Board (EDPB) has issued draft guidelines on the GDPR legal basis of “necessary for the performance of a contract”.

Key takeaways:

  • You must specify the purpose of the processing and avoid vague or general purposes
  • Necessary for the performance of a contract is not a legal basis for “special categories of data”.
  • Necessity covers only situations where the processing is objectively necessary for the performance of a purpose that is integral to the delivery of the service.
  • Necessary for a contract generally applies to:
    • processing of payment details for the purpose of charging for the service
    • sending formal reminders about outstanding payments
    • bringing a contract back in conformity after smaller incidents and issues
  • Applies in some cases to personalization of content
  • Generally doesn’t apply to:
    • unsolicited marketing
    • collection of organizational metrics relating to a service, or details of user engagement
    • processing for the purposes of improving a service or developing new functions within an existing service
    • processing for fraud prevention purposes
    • behavioral advertising

Read the full text of the draft guidelines.