Sector-specific codes of conduct contribute to application of GDPR

In a note from the Presidency to the Permanent Representatives Committee (Part 2)/Council, published on 19 December 2019, "Council position and findings on the application of the General Data Protection Regulation (GDPR)", the Presidency underlined the usefulness of Codes of Conduct, writing that: "Drafting sector-specific codes of conduct in accordance with Article 40 of ...

Joint Controllership: A collection of recent guidance

Article 26 GDPR on Joint controllers determines that, "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the ...

Italian Garante: Not permissible to keep a former employee’s mail account active after the termination of the employment relationship

The Italian DPA (Garante) has stated that it is not allowed for a company to keep the email account of a former employee active following termination of the employment relationship and to access the emails contained in the inbox. The Decision  of the Garante follows a complaint from an individual who complained that their privacy ...

Brexit and data protection: What’s next?

On 12 December 2019 in the UK general election, Boris Johnson secured his position as UK Prime Minister, with his Conservative party winning its first substantial majority in decades. The results of the election have set the way for the UK to exit the European Union by its scheduled exit date of 31 January 2020.  The results ...

Italian DPA: Second semester inspection plan focuses on whistleblowing

The Italian Data Protection Supervisory Authority recently published the measure whereby it decided on the audit plan for this six-month period, citing one of the processing activities that could be inspected: “1. For the period from July to December 2019, the auditing activity initiated and carried out by the Data Protection Supervisory Authority, including through the Guardia di ...

CSA CODE OF CONDUCT for GDPR COMPLIANCE: CSA EMEA Congress 2019

This week I attended the CSA EMEA Congress 2019 where I presented on the CSA Code of Conduct for GDPR Compliance, also in my quality of Co-Chair of the CSA PLA WG. My presentation covered the fundamentals of the GDPR and the CSA Code of Conduct and discussed the game-changers and pillars of the Code ...

GDPR Temperature Tool: A new free resource for European SMEs to understand their risk of GDPR-related sanctions

«The GDPR came into force in May 2018 with a blaze of publicity but 18 months on, still many businesses are unclear on how at risk they are from GDPR-related sanctions. The vast majority of business leaders believe that it is essential to comply with the GDPR, especially as companies can risk crippling fines. Indeed, ...

European Data Protection Board adopts Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

The European Data Protection Board has published its updated Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects following public consultation. The Guidelines were adopted by the Board on 8 October 2019 and concern the "applicability of Article 6(1)(b) to ...

Irish Data Protection Commission publishes guidance on common online risks

The Irish Data Protection Commission has published Guidance for data subjects entitled "What should you be aware of online? Some common online risks". The document, directed towards consumers, provides a simple but thorough overview of data protection principles such as Transparency/purpose limitation and practical advice for how data subjects can understand the risks towards ...

Don’t use consent for the processing of employee data! Greek DPA issues first fine under GDPR

The Hellenic DPA in Decision no 26/2019 decided that for personal data to be processed in compliance with the GDPR, all the principles outlined in Article 5(1) GDPR should be met. The Decision came to light after the DPA received complaints concerning the processing of PriceWaterhouseCoopers employee data where employees were required to provide their ...