General Data Protection Regulation (GDPR)

Danish data protection authority Datatilsynet has ordered a bus company to explain, by July 15, how it will amend its IT systems to allow for compliance with the right to rectification (correction) under GDPR and provide a timetable for the implementation of the changes.
  • Your IT system must allow for correction of data when

“There are very good reasons to care about privacy laws, including those of other states and countries” – says Gary D. Weingarden Esq., CDPO, CIPM, GDPR-R, “but fear of cross-border fines isn’t at the top of the list.”

Per Weingarden:

  • If you’ve certified compliance with Privacy Shield, you should comply.
  • Individuals and classes of plaintiffs

“Privacy policies … have evolved from … largely factual statements to become, nowadays, either long, verbose and impenetrable legalese, or else vague and soothing PR exercises. Either approach places the burden on the individual to understand complex data practices and act rationally in her own best interests.” says European Data Protection Supervisor Giovanni Buttarelli.


The Finnish Data Protection Authority has ordered a company to modify its automated practices for assessing creditworthiness.

The authority held that the Credit Decision Service in the company’s online environment is an automatic decision-making procedure under Article 22 GDPR.

The company was ordered, within 30 days, to:

  • amend its disclosure information so that the borrower

“The Federal Trade Commission is aiming to bring more EU-U.S. Privacy Shield enforcement actions for significant violations of the cross-border data transfer program, the agency’s consumer protection chief said April 26.”

There are a group of cases the FTC is “looking at right now and they include” alleged substantive violations of the Privacy Shield program

Enforcement is coming – says CNIL, the French Data Protection Authority.

CNIL published its enforcement priorities for 2019. CNIL will no longer refrain from enforcing new obligations imposed by GDPR, but it will continue to exercise judgment in the choice of corrective measures and will not resort to fines every time. CNIL’s enforcement program will

Caveat Data Processor.

Italian Data Protection Authority, Garante, has issued a 50,000 EUR fine against a data processor platform for its failures to implement several information security measures.

Service providers should ensure that the data entrusted to them by their data controller customers is adequately protected. Some specific measures addressed by Garante:

  • conducting periodic vulnerability

Will the CCPA entitle the State of California to adequate status for transfers of personal data from the EU?

“The CCPA has many of the basic criteria that the EDPB’s adequacy guidance document notes must be present in the legal system to meet the adequacy standard. For example, the CCPA employs a similarly expansive definition

The GDPR that stole communion…

Some schools in Ireland have been banning photographs at communion, citing GDPR.

The Irish Data Protection Commission clarified in a guidance titled “Taking Photos at School Events: Where Common Sense Comes Into Play” that this is not mandated by GDPR.

  • Taking a photo in public is generally fine; it’s what