If you condition participation in a sweepstakes on receiving advertising on a particular topic from the provider of the sweepstakes or from other third parties — this is still valid consent under GDPR, says the Higher Regional Court of Frankfurt, Germany.

Key takeaways:
  • Requiring consent to marketing as a condition to participation in a sweepstakes

Ireland’s privacy regulator is weighing potential probes into how some online companies handle children’s data.

The Irish privacy office is “scoping” children’s privacy enforcement actions

“There will absolutely have to be changes and will be changes in terms of how” online companies handle children’s data… It’s a “big area of importance” for the commission –

A German investigation into Facebook Inc. shows that multinational companies could face probes from multiple data-protection regulators in Europe over the same missteps.

If you are a non-EU entity subject to GDPR, or are a part of a group of companies, the GDPR one stop shop mechanism may not help you.

Thinking through the role

The Spanish AEPD has published a “white list” of data processing operations that DO NOT require a Data Protection Impact Assessment (DPIA) under GDPR:

  • Processing carried out under guidelines previously established or authorized by the DPA
  • Processing carried out under the guidelines of an approved code of conduct
  • Processing necessary to comply with a legal

School Fined for Using Facial Recognition Technology to Take Attendance

The Swedish data protection authority fined a school SEK 200,000 (approximately 19,000 EUR) for using facial recognition technology to take attendance.

Key takeaways:

  • Biometric information is sensitive and special care must be taken when processing it.
  • Attendance can be taken by less invasive means.
  • Consent

Shortly after the recent video surveillance guidance from the EDPB, the Information Commissioner of the Isle of Man published an updated CCTV data protection guidance.

Key takeaways for controllers:

General Considerations and Governance:
  • CCTV images identify living individuals and are, therefore, personal data. This means that the use of CCTV will be covered

The Irish Data Protection Commission and Polish Data Protection Authority have issued guidance on data breach notification under GDPR in which they address the following questions, and more:

  • When do you “become aware”​ of a data breach?
  • What should a data breach notification include?
  • How do you communicate a data breach notification?

The guidance offers