Data Protection Authority

The French data protection authority (“Commission nationale de l’informatique et des libertés” or “CNIL”) published, on January 12, 2022, a statement on processor reuse of data entrusted by data controllers. This guidance aims at establishing a legal framework to determine if, and under which conditions, a processor can use personal data it obtained from a controller for purposes broader than just strictly providing services to the controller. Can a processor reuse the data it receives…

Earlier in October, the Spanish Data Protection Agency (AEPD) and the National Data Protection Authority of Brazil (ANPD) signed a memorandum of understanding for the development of joint actions aimed at promoting the dissemination and practical application of data protection regulations. With the signing of this memorandum, the AEPD and the ANPD undertake, among other aspects: to promote technical cooperation mechanisms for the exchange of knowledge and acquired experiences; to promote the carrying out of studies…

Italy experienced one of the longest and most severe lock-downs during the peak of the pandemic. This made it one of the first countries to launch a national contact tracing app (Immuni) and a national COVID Certificate (green pass), and from October 15 Italy has become the first European country to make the green pass mandatory to access the workplace. After an intense period of discussions, on September 21st Decree No. 127/2021 introduced…

In the first part of this article here we looked at the background facts and circumstances of breach in the Equifax decision by the UK’s DPA, the ICO. This second part sets out some key learnings from the case. Review intra-group data processing arrangements: The ICO focussed on a number of flaws in the arrangements between Equifax and its US parent. In particular, the ICO noted that: At the relevant time, Equifax did not have an adequate data…

In the first part of this two-part article we look at the facts and outcome of the recent Equifax data breach. In the second part we set out some lessons which can be learned from the ICO’s approach and findings. Background Facts: On 19 September the UK DPA, the Information Commissioner’s Office (ICO), issued Equifax Ltd (Equifax) with a £500,000 fine, the highest issued to date, for failing to protect the personal information of up to 15…

On 24 February 2016, an amendment to the German Act on Injunctive Relief came into force entitling eligible associations to bring cease and desist actions against companies for violations of certain data protection provisions. So far, in Germany, only affected individuals and data protection authorities (and in some very limited circumstances competitors and consumer associations) had standing to sue companies for data protection infringements. Large technology companies (including non-EU companies) targeting data subjects in Germany…

After decades of delay, on February 18, Turkey ratified the Council of Europe’s 1981 Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Data. Background: The start of 2016 has been marked by a flurry of legislative activity with respect to the protection of personal data in Turkey. While the Turkish Parliament is in the final stages of debating the draft Law on the Protection of Personal Data (“Draft Law”) which is expected…