Spanish DPA publishes guide on processing of patients' personal data

(Nov 15, 2019) The Spanish data protection authority, the AEPD, has published a guide created to answer questions patients have about the processing of their personal data. The document covers whether consent is needed when personal data is processed and who has access to patient information. The guide also lays out the data rights patients have under both the EU General Data Protection Regulation and Spain’s Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rig... Read More

Notes from the IAPP Europe Managing Director, 15 Nov. 2019

(Nov 14, 2019) Greetings from Brussels! Busy times at the IAPP as we prepare for the 9th IAPP Europe Data Protection Congress in Brussels next week. If you are traveling in, we look forward to welcoming you! We do have a packed couple of days with trainings, workshops, networking and the conference itself. No doubt, it promises to be a great and bustling week.  If you have a ticket to Congress, consider yourself lucky! We sold out three weeks ago and have had an extended waiting list in place since. Unfortun... Read More

Facebook testifies on day one of Schrems case

(Nov 14, 2019) A Facebook representative testified in front of the Vienna Regional Court in the first day of a trial based on the case brought forth by Max Schrems, according to NOYB, an organization he co-founded. Facebook EMEA Privacy Policy Director Cecilia Álvarez testified on behalf of the tech company. Álvarez said Facebook users who signed up to the new terms and conditions that went live when the EU General Data Protection Regulation went into effect agreed to “personalized advertising,” which Schrems ... Read More

ICO opens call for views on POCA powers

(Nov 14, 2019) The U.K. Information Commissioner’s Office has opened a call for views on its powers under the Proceeds of Crime Act 2002. The ICO seeks the ability to “apply to the court” for Restraint and Confiscation orders, “access to information relevant to the investigation of money laundering offences” and other powers. While the EU General Data Protection Regulation has introduced additional financial penalties for breaches, the ICO argues it needs additional POCA powers since “the only sanction availab... Read More

EDPB adopts guidelines for GDPR territorial scope

(Nov 14, 2019) Following a public consultation and an adoption at its 15th plenary meeting, the European Data Protection Board has published a final version of its guidelines on the territorial scope under Article 3 of the EU General Data Protection Regulation. The guidelines were drawn up to assist data protection authorities with their application of the GDPR on certain data-processing activities, including those of EU companies working outside the European Economic Area. The EDPB also used the plenary meeti... Read More

ICO publishes updated guidance on special category data under GDPR

(Nov 14, 2019) The U.K. Information Commissioner’s Office has published updated guidance on special category data under the EU General Data Protection Regulation. The revamped guidance has a template for an appropriate policy document, which organizations use to outline compliance measures and retention policies when data is processed. It also includes definitions on the special categories of data, the rules on such information and the conditions for processing. “There is more to do when processing special cat... Read More

Icelandic DPA offers children's privacy ruling

(Nov 13, 2019) The Icelandic Data Protection Authority has ruled Icelandic Health Insurance was right to request child custody verification in exchange for access to a child's personal information. The case presented to the DPA involved a complaint from a data requester regarding the insurance company's verification policy, which called for either consent from a custodian or the presentation of a custody certificate. The DPA affirmed IHI's actions based on the complainant's lack of a family number on the Natio... Read More

Merkel: EU should claim 'digital sovereignty' to reduce reliance on US tech companies

(Nov 13, 2019) German Chancellor Angela Merkel called for the EU to claim “digital sovereignty” to take back control of data from U.S. tech companies, the Financial Times reports. Merkel suggested the EU develop its own platform to manage information. “So many companies have just outsourced all their data to [U.S.] companies,” Merkel said. “I’m not saying that’s bad in and of itself — I just mean that the value-added products that come out of that, with the help of artificial intelligence, will create dependen... Read More

EDPS candidates submit answers to LIBE questions

(Nov 13, 2019) The European Parliament Committee on Civil Liberties, Justice and Home Affairs has received written answers on its preliminary questions for European Data Protection Supervisor candidates. Acting EDPS Wojciech Wiewiórowski, Baker McKenzie Partner and IAPP Country Leader for France Yann Padova, and Hungary National Authority of Data Protection and Freedom of Information Vice President Endre Szabó each submitted responses to questions regarding their vision for the EDPS office and views on third-p... Read More

ICO: DfE violated data protection regulations

(Nov 13, 2019) The U.K. Information Commissioner’s Office said the Department for Education did not comply with data protection regulations, sharing personal data of 1,500 children monthly with the Home Office, the Guardian reports. The ruling followed a complaint from campaigning organization Against Borders for Children. Human rights organization Liberty, representing ABC, said there are concerns the data could be used for immigration enforcement. A letter to Liberty from the ICO said the department failed t... Read More