“Public health AND Privacy” and not “Public health OR Privacy”: A collection of Guidance on COVID-19

Below is an attempt (without the presumption of completeness) to map all the official resources providing guidance on the correct processing of personal data in the context of COVID-19 and Cybersecurity-related information on working remotely in the context of the COVID-19 pandemic. I genuinely hope this will help in the effort of achieving "Public health AND Privacy"! Stay safe and ...

“Public Health AND Privacy” vs. “Public Health OR Privacy” in the time of the COVID-19 pandemic

The COVID-19 outbreak has touched the lives of millions of individuals across the globe. Among those severely affected are the residents of my native Italy who are currently under a mandatory lockdown (nationwide travel restrictions have been enacted) until an undefined date. But how should the collection of potentially special category personal data (health data) be managed in a pandemic? Several data protection authorities have provided ...

EDPB on personal data processing in the COVID-19 outbreak

On 16 March the Chair of the European Data Protection Board (EDPB) Andrea Jelinek released a statement to help guide the data processing activities of public authorities, governments, and private organizations within the context of the COVID-19 pandemic. Andrea Jelinek noted that: “Data protection rules (such as GDPR) do not hinder measures taken in ...

Irish DPA Issues Guidance for Protecting Personal Data When Working Remotely

In light of the COVID-19 crisis, many organizations have decided to implement smart working for their employees. To this end, the Irish DPA has issued useful Guidance to protect personal data when working from home which can be found here. DPC Ireland's advice is divided into three macro categories: Devices, Emails, and Cloud/Network Access. Below ...

GDPR and the Coronavirus in Italy

The COVID-19 outbreak has affected the lives of millions of individuals across the globe. Among those affected are the residents of my native Italy who are currently under a mandatory lockdown (nationwide travel restrictions have been enacted) until April 3rd. In this time of crisis, however, it's important to not forget that data ...

Whistleblowing: Italian DPA fines “La Sapienza” University € 30,000

The Italian DPA fined La Sapienza University in Rome € 30,000 for having spread the names of two individuals who had reported potential wrongdoings online. In doing so, the DPA stressed the importance of employers adopting adequate technological procedures for ensuring the anonymous reporting of potentially illicit behaviour, also known as whistleblowing. Specifically the ...

Successful kick-off of the Data Protection as a Corporate Social Responsibility project

Yesterday, 6 February 2020, the Data Protection as a Corporate Social Responsibility project kick-off meeting was held within the European Centre on Privacy and Cybersecurity (ECPC) within the Faculty of Law at Maastricht University. The project aims to trigger virtuous data protection competition between companies by creating an environment that identifies and promotes data protection as ...

Launching the Data Protection as a Corporate Social Responsibility research project at ECPC

There’s no better day than today, European Data Protection Day, to announce the 6 February kickoff meeting of the Data Protection as a Corporate Social Responsibility Research Project that I am leading at the European Centre on Privacy & Cybersecurity (ECPC) at Maastricht University. In our data-centric global economy businesses need to consider privacy and data protection as assets rather than simply ...

Sector-specific codes of conduct contribute to application of GDPR

In a note from the Presidency to the Permanent Representatives Committee (Part 2)/Council, published on 19 December 2019, "Council position and findings on the application of the General Data Protection Regulation (GDPR)", the Presidency underlined the usefulness of Codes of Conduct, writing that: "Drafting sector-specific codes of conduct in accordance with Article 40 of ...

Joint Controllership: A collection of recent guidance

Article 26 GDPR on Joint controllers determines that, "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the ...