General Data Protection Regulation (GDPR)

Italy, which is currently dealing with the most serious COVID-19 outbreak in Europe, weighs in on health data and GDPR.

Employers should NOT:

  • systematically collect (e.g. through specific requests to employees or unauthorized investigations) information on the presence of any flu symptoms or travel of employees or closest contacts.
This means do not:
      • collect

France’s Data Processing Authority CNIL weighs in on Coronavirus and GDPR.

Employers should NOT:

  • Collect in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee/agent and their relatives.
This means:
  • No mandatory readings of the body temperatures of each employee
  • No

Tell me, don’t sell me, the GDPR version.

The Dutch Data Protection Authority (AP) has imposed a fine of 525,000 euros on tennis association KNLTB for selling personal data without proper consent.

In 2018, the KNLTB unlawfully provided personal data of a few hundred thousand of its members to two sponsors for a fee. The

It’s not a sprint. It’s a marathon.

“That is the crux of the problem with compliance: Privacy requires business commitment as data travels and accumulates. Keeping track of data, wherever it migrates to, will keep companies compliant — not a privacy policy hidden at the bottom of a website.”

“Whether in a cut-and-paste scenario or

Risky business.

“All in all, the privacy risk can be defined as the possibility of an unwanted or unexpected consequence from the perspective of the individual, causing any level of harm or nuisance to her, resulting from the loss of either confidentiality, integrity or availability (information security issues) of her personal data or from insufficient

Don’t miss our annual Privacy Summit, scheduled for April 16. This information-packed, daylong event will bring you fully up to date on the latest, emerging issues in cybersecurity and data privacy. The program kicks off with keynote speaker Leslie Ireland — former Assistant Secretary for Intelligence and Analysis, U.S. Department of the Treasury, and National

European Union Data Protection Authorities discussed enforcement priorities at the International Association of Privacy Professionals (IAPP) Data Protection Intensive.

Key takeaways:

  • CNIL: Online advertising and cookies are a focus right now.
  • Ireland DPC: currently handling 10,000 complaints with 23 investigations into so-called big tech companies, and two investigations at the decision-making stage. An area of

Ireland’s Data Protection Commission has published guidance on data security.

Key Takeaways

  • The most effective means of mitigating the risk of lost or stolen personal data is not to hold the data in the first place.
  • A data controller should always know what personal data they hold, where it is held and how it flows through the organization.
  • Data processors are subject to the same security obligations as data controllers.

Access Controls

  • A data controller has a duty to limit access to personal data on a “need to know” basis and regularly review access controls.
  • Multiple independent levels of authentication may be appropriate where administrators have advanced or extra access to personal data or where they have access or control of others’ account or security data.
  • There should be strict controls on the ability to download personal data from an organization’s systems.
