Children’s data isn’t child’s play.

If you have a product or service that collects information from children, you should:

  • Be transparent. No, really. And figure out the best ways to be transparent for kids, which includes just-in-time notices, video and audio. It is a good idea to enlist the help of UX/CX experts

CNIL, the Commission Nationale de l’Informatique et des Libertés, which is France’s Data Protection Authority, has published a framework for dealing with post-Schrems II cross-border transfers, following the European Data Protection Board’s final guidelines on supplemental transfer measures:

Step 1
  • Inventory your transfers (involve: DPO, information systems department, purchasing department, operational managers of services, digital service

Hey voice assistant: you’ve got some complying to do.

The European Data Protection Board has issued draft guidelines on the data protection aspects of using the increasingly prevalent virtual voice assistants.

Some key points:
  • Transparency is key but is also not easy to do well: 30 pages of single-spaced privacy notice won’t cut it. Think

“Complying with GDPR and ethical considerations when developing a digital service is actually a ‘win win situation.'” – says Forbrukerrådet’s eloquent Finn Lützow-Holm Myrstad in a conversation with IAPP – International Association of Privacy Professionals’ Jedidiah Bracy.

Some key points:
  • If you don’t collect the data, it can’t be peeked at or misused. If there is

Data Processors beware.

France’s CNIL issued an enforcement action against both a data controller (150,000 EUR) and a data processor (75,000 EUR) for inadequate information security measures leading to a credential-stuffing attack.

The attackers were able to take the last name, first name, email address, DOB, loyalty card balances and orders of approximately 40,000 individuals.

The European Data Protection Board has issued guidance on its Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities. The annual coordinated action focuses on a pre-defined topic which participating SAs may pursue using a pre-defined methodology.

  • The CEF is the foundation on which the annual

Denmark’s Data Protection Authority, Datatilsynet, has published an article emphasizing the importance of providing encrypted means for communicating personal information:

  • Authorities and companies must, as data controllers, ensure — on the basis of an assessment of the risk to citizens’ rights — that they establish appropriate security measures. This means, among other things, that authorities