General Data Protection Regulation (GDPR)

The European Data Protection Board (EDPB) publishes it’s first annual report and reveals a road map for guidance to come.

In 2019 and 2020, the EDPB aims to focus on data subjects’ rights, the concept of the controller and processor and legitimate interest.

The EDPB will also consider technologies such as connected vehicles, blockchain, artificial

The Dutch Data Protection Authority has levied a fine of 460,000 euros on Haga Hospital for insufficient security following an investigation revealing that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person.

In addition, if the hospital has not improved security before October 2, 2019, it must pay 100,000

Checklist for drafting your controller-controller data sharing agreement (from the ICO Data Sharing Code of Conduct now out for public consultation):

  • What is the purpose of the data sharing initiative?
  • Which other organizations will be involved in the data sharing?
  • Are we sharing data along with another controller?
  • What data items are we going to

Questions to ask when sharing data between two data controllers (from the ICO Data Sharing Code of Conduct):

  • What is the sharing meant to achieve?
  • What information do we need to share?
  • Could we achieve the objective without sharing the data or by anonymizing it?
  • What risks does the data sharing pose to individuals?
  • Is

The UK Information Commissioner’s Office has issued a data sharing code of conduct for public consultation.

Key takeaways:
  • When considering sharing data, assess your overall compliance with the data protection legislation. Consider conducting a Data Protection Impact Assessment (DPIA) even if not required.
  • It is good practice to have a data sharing agreement. It sets

The European Data Protection Board has issued guidance on the use of video surveillance.
Key takeaways:
  • The monitoring purposes of cameras should be documented in writing.
  • Data subjects must be informed of the purpose(s) of the processing: “safety” or “for your safety” is not sufficient
  • The most likely legal bases for video surveillance are: legitimate

The European Data Protection Board has issued an opinion on lead supervisory authority in the event of a change of location of the main establishment of an organization.

  • Competence to act as lead supervisory authority can switch to another supervisory authority until a final decision has been reached.
  • Relocation of a main establishment to

The European Data Protection Board’s addressed some interesting issues during its 12th Plenary Session on July 9 and 10:

  • Guidelines on how the GDPR applies to the processing of personal data when using video devices.
  • Opinion on the draft Standard Contractual Clauses (SCCs) for framing the processing by a processor submitted to the Board by