General Data Protection Regulation (GDPR)

The Belgian Data Protection Authority holds that a Data Protection Officer (DPO) may not himself/herself delete personal information of a data subject.

Doing so constitutes a violation of the General Data Protection Regulation’s prohibition of conflicts of interest for the DPO (Article 38(6) of GDPR).

Rather, all decisions regarding the processing must be taken by

“We would like the chance to think about it first”

Feedback from 1,200 Irish school children on key issues of data protection provides insight and some actionable steps for companies processing children’s information and subject to the EU GDPR (or to the US COPPA).

The European Data Protection Supervisor has produced an Accountability Toolkit that provides a detailed framework for conducting Data Protection Impact Assessments (DPIA) which can be useful for controllers and processors subject to GDPR as well.

Some basic principles:

  • Map out your processing against the data protection principles
  • Assess and mitigate risks
  • Seek prior consultation when

India will approach the European Union seeking “adequacy” status with the General Data Protection Regulation once the country finalizes and passes its own Personal Data Protection Bill – reports the India Economic Times.

An adequacy status stands for a recognition by the EU authorities that a country provides an adequate level of data protection.

A Facebook “like” is actually more like “in a [Joint Controller] relationship” status, says the Court of Justice of the EU in a long-awaited decision in the Fashion ID matter.

At issue: The legal framework surrounding embedding a Facebook “Like” button on your website.

When a user visits a website on which a Facebook “Like” button is installed, their personal data is transmitted to Facebook Ireland.

This includes:

  • the IP address of the visitor’s computer
  • technical data of the browser (so that the server can determine the format in which the content is delivered to this address)
  • information about the desired content.

The operator of the website is not able to determine the data that the browser transmits or what Facebook does with this data, especially if it decides to store and use it.

The transfer of information happens:

  • whether or not the individual is a member of the social network Facebook
  • whether or not the person has clicked on the “Like” button
  • in many cases, without the individual being aware that the information is being collected or transmitted to Facebook

Key takeaways:

A website operator and Facebook can be joint controllers for the data collected via the website on which the button is installed

The operator of a website that features a Facebook “Like” button can be a controller jointly with Facebook in respect to the collection and transmission to Facebook of the personal data of visitors to its website. However, the responsibility is limited to the operation or the set of personal data processing operations for which it actually determines the purposes and means, namely the collection and communication, by transmission, of the data in question.


Tardiness with transposing data protection laws comes with a hefty fine.

The European Commission is asking the Court of Justice of the European Union to impose financial sanctions on Greece and Spain for failing to transpose the rules on the Data Protection Law Enforcement Directive before the May 6, 2018, deadline, according to a news

Web crawling and data protection: CNIL has issued a 180,000 EUR fine against a provider of automobile insurance policies for failure to adequately protect data in violation of GDPR, specifically citing disallowing web crawling as a way to protect personal data from wrongful access.

In particular, the company:
  1. sent usernames and passwords in cleartext

“Some of Ireland’s best known heritage sites – such as Kilmainham Gaol, Dublin Castle and Muckross House – have been ordered to remove visitor books due to concerns they breach EU privacy and data protection rules.

The Office of Public Works (OPW) believes the books, in which visitors leave brief remarks along with their names