The Belgian Data Protection Authority holds that a Data Protection Officer (DPO) may not himself/herself delete personal information of a data subject.
Doing so constitutes a violation of the General Data Protection Regulation’s prohibition of conflicts of interest for the DPO (Article 38(6) of GDPR).
Rather, all decisions regarding the processing must be taken by
The Hellenic DPA has issued an opinion regarding the appropriate legal basis for processing employee data under GDPR:
“We would like the chance to think about it first”
Feedback from 1,200 Irish school children on key issues of data protection provides insight and some actionable steps for companies processing children’s information and subject to the EU GDPR (or to the US COPPA).
The European Data Protection Supervisor has produced an Accountability Toolkit that provides a detailed framework for conducting Data Protection Impact Assessments (DPIA) which can be useful for controllers and processors subject to GDPR as well.
Some basic principles:
India will approach the European Union seeking “adequacy” status with the General Data Protection Regulation once the country finalizes and passes its own Personal Data Protection Bill – reports the India Economic Times.
An adequacy status stands for a recognition by the EU authorities that a country provides an adequate level of data protection.
A Facebook “like” is actually more like “in a [Joint Controller] relationship” status, says the Court of Justice of the EU in a long awaited decision in the Fashion ID matter.
When a user visits a website on which a Facebook “Like” button is installed, their personal data is transmitted to Facebook Ireland.
This includes:
The operator of the website is not able to determine the data that the browser transmits or what Facebook does with this data, especially if it decides to store and use it.
The transfer of information happens:
A website operator and Facebook can be joint controllers for the data collected via the website on which the button is installed
The operator of a website that features a Facebook “Like” button can be a controller jointly with Facebook in respect to the collection and transmission to Facebook of the personal data of visitors to its website. However, the responsibility is limited to the operation or the set of personal data processing operations for which it actually determines the purposes and means, namely the collection and communication, by transmission, of the data in question.
Tardiness with transposing data protection laws comes with a hefty fine.
The European Commission is asking the Court of Justice of the European Union to impose financial sanctions on Greece and Spain for failing to transpose the rules on the Data Protection Law Enforcement Directive before the May 6, 2018, deadline, according to a news
Web crawling and data protection: CNIL has issued a 180,000 EUR fine against a provider of automobile insurance policies for failure to adequately protect data in violation of GDPR, specifically citing disallowing web crawling as a way to protect personal data from wrongful access.
The European Commission has published a report looking at the impact of the EU data protection rules, and how implementation can be improved further.
For next steps, the Commission states that in 2020 it will assess the progress made after two years of application including on the review of the 11 adequacy decisions adopted under
“Some of Ireland’s best known heritage sites – such as Kilmainham Gaol, Dublin Castle and Muckross House – have been ordered to remove visitor books due to concerns they breach EU privacy and data protection rules.
The Office of Public Works (OPW) believes the books, in which visitors leave brief remarks along with their names