In a letter to the country’s Social Security Administration, Iceland’s Data Protection Authority Personuvernd states that IP addresses are not a reliable way to determine a person’s true location.

The DPA was reviewing a decision of the state Social Security Administration that had relied on an IP address to determine whether individuals on the unemployment

Per the German DSK (the Conference of Independent German Federal and State Data Protection Supervisory Authorities), emails need to be encrypted in order to meet the minimum requirements of Article 32 of the General Data Protection Regulation (GDPR).

This means:
  • TLS (transport layer encryption) at minimum
  • Additional measures like end-to-end encryption and qualified transport encryption

The COVID-19 pandemic has upended global business, but European regulators say it won’t stop them from promoting privacy and data protection, according to the International Association of Privacy Professionals.

“What’s clear about the regulators’ enforcement strategies is that they each intend to keep pushing data protection forward, knowing its general importance is only growing as

The European Data Protection Board (EDPB) has issued a strong statement on the suspension of certain aspects of the General Data Protection Regulation in Hungary.

Per the EDPB: Restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights … without any clear limitation in time, [is

Key takeaways from my recent presentation titled “Service Providers v. Data Processors: What Should Your Agreement Address?”  with Lexology and Exterra.

  • As the “business,” the “buck stops with you” as it relates to liability to the individual regarding processing their data.
  • Between you and your service provider/data processor, you can and should impose liability for

The European Data Protection Supervisor addressed the coronavirus crisis in a post titled “Carrying the torch in times of darkness.”

“The outbreak of Covid-19 is affecting our lives at an unprecedented pace. It is testing the resilience of our societies as we respond to this global crisis and try to contain its consequences, both in

Data Protection Authorities for France and the Netherlands have weighed in on the use of temperature taking in the fight against the spread of COVID-19.

Netherlands’ Autoriteit Persoonsgegevens:

“We hear that all kinds of organizations use different means to check people quickly for fever. Not only with a thermometer, but also with thermal cameras”

“That’s not allowed. This is a serious offense under [GDPR] . If this happens, we will enforce.”

“We don’t want to wake up in a few months in a society with a kind of Chinese situation, in which the employer is constantly watching you and can even see your care data and have all kinds of consequences.”

  • Employers may not check people’s temperature and process their health data.
  • Consent as a legal basis is not possible in an employment relationship, because an employee may feel pressured to give permission.
  • Only a doctor should do health tests and process the medical data of personnel.
  • You may not check temperature of visitors or vendors either. Consent here is not possible because there is no equivalence here either. The visitor will feel compelled to agree.
  • Employees of companies that measure temperature should report this to the works council and to the data protection officer.
Spain’s Agencia Española Proteccíon Datos:

Continue Reading Temperature-Taking Under GDPR: Guidance from Spain, the Netherlands

Coronavirus and Data Protection: The UK Information Commissioner’s Office has issued an opinion on the Google-Apple joint initiative for contact tracing apps.

Key Takeaways

  • The Google and Apple framework appears to be aligned with data protection principles.
  • The app developers have primary responsibility to ensure data protection principles are met.
  • There must be transparency as

The European Law Blog posts on how COVID-19 related data collection activities in third countries should affect EU data transfer adequacy decisions.

“The data collection and processing measures taken in third countries to combat the coronavirus are relevant to an evaluation of the continued validity of existing adequacy decisions and the potential conclusion of new