The Dutch Data Protection Authority has levied a fine of 460,000 euros on Haga Hospital for insufficient security following an investigation revealing that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person.

In addition, if the hospital has not improved security before October 2, 2019, it must pay 100,000

Checklist for drafting your controller-controller data sharing agreement (from the ICO Data Sharing Code of Conduct now out for public consultation):

  • What is the purpose of the data sharing initiative?
  • Which other organizations will be involved in the data sharing?
  • Are we sharing data along with another controller?
  • What data items are we going to

Questions to ask when sharing data between two data controllers (from the ICO Data Sharing Code of Conduct):

  • What is the sharing meant to achieve?
  • What information do we need to share?
  • Could we achieve the objective without sharing the data or by anonymizing it?
  • What risks does the data sharing pose to individuals?
  • Is

The European Data Protection Board has issued guidance on the use of video surveillance.
Key takeaways:
  • The monitoring purposes of cameras should be documented in writing.
  • Data subjects must be informed of the purpose(s) of the processing: “safety” or “for your safety” is not sufficient.
  • The most likely legal bases for video surveillance are: legitimate

The European Data Protection Board has issued an opinion on which supervisory authority acts as lead supervisory authority when an organization relocates its main establishment.

  • Competence to act as lead supervisory authority can switch to another supervisory authority until a final decision has been reached.
  • Relocation of a main establishment to

“The General Data Protection Regulation (GDPR), while establishing a needed EU-wide privacy framework, will unfortunately inhibit the development and use of AI in Europe, putting firms in the EU at a competitive disadvantage to their North American and Asian competitors,” say the authors of a new report by the Center for Data Innovation in Washington.

If you retain personal data indefinitely, or have not given thought to your retention schedule – now may be the time to take another look.

The Danish Data Protection Authority has fined a furniture store 200,000 EUR for failure to delete personal data, not having a data retention schedule and not adequately documenting its personal

“In reality, GDPR was never really about getting people’s consent. Consent for data processing is just one way that an individual’s information can be collected and used.”

  • It’s not just about the big fines – the United States does care.
  • It (generally) doesn’t require you to change your entire business model.
  • It’s not all about

Red Card! The Spanish Data Protection Authority has issued LaLiga a 250,000 EUR fine for using its mobile app to detect bars illegally broadcasting soccer matches, without duly disclosing this data processing activity in violation of GDPR.

When installing the application and receiving user approval, LaLiga remotely activated the microphone of any user’s mobile phone

When dealing with data subject access requests (DSARs) under GDPR:
  1. Take your time and think about the response.
  2. Document and audit your response process.

These are the key takeaways from a panel at the recent International Association of Privacy Professionals privacy summit in Washington DC.

Take the time and communicate:
  • Reading over the inquiries thoroughly