Period: 08/21/2020 - 08/21/2020

In this 22nd edition of the Bulletin you will find the Belgian authority's report on GDPR knowledge among small and medium-sized enterprises, the EDPS guidelines on body temperature checks, the new ICO statutory code for greater protection of children online and much more!

Data Protection at Authorities

Autorité de la protection des données – Belgium

Belgian authority publishes report on GDPR knowledge and understanding among small and medium-sized enterprises

The report indicates that, in general, SMEs' knowledge and understanding of the GDPR is uneven across its areas. A large number of the companies surveyed have sufficient theoretical knowledge of what processing personal data under the GDPR implies. The results are different, however, for the three central themes of the project: (i) the principle of transparency; (ii) data protection impact assessments (DPIAs) and (iii) the concepts of "controller" and "processor". In addition, the report reveals that SMEs have difficulties above all with the following topics: (i) retention periods for personal data; (ii) records of processing activities; (iii) outsourcing of processing to external parties and (iv) the principles of privacy by design and privacy by default.

Datatilsynet – Denmark

Danish authority completed three audits focusing on recording processing activities

The authority concluded three planned inspections of the municipalities of Ringkøbing-Skjern, Varde and Holstebro, respectively. The inspections focused on the municipalities' compliance with the requirement to keep records of processing activities and, in particular, on whether the records kept could actually serve the purposes on which this requirement is based. In one case, the Danish authority concluded that most of the municipality's records were properly prepared, as they generally give a good overview of the municipality's processing activities.

Danish authority reports a security breach that occurred in the authority itself

In early August, the Danish authority became aware of a personal data security breach at the authority's own premises in Valby. The case concerns physical documents which may contain confidential and sensitive information about citizens, employees and others. According to the authority, this material was stored electronically in its systems but was printed by employees on occasions when, for example, they had to discuss an internal matter or revise a draft letter or note. The printouts were then placed in a container in the belief that the waste paper would be shredded. An employee of the authority found, however, that it was instead being disposed of as ordinary trash.

Danish authority criticizes late deletion of citizen information

A citizen complained to the authority that the municipality of Høje-Taastrup had not deleted the citizen's medical record. The municipality agreed with the citizen that the medical record should be deleted, as the information had been sent to the municipality by mistake. The municipality of Høje-Taastrup stated that it had tried to get its processor to delete the information and that circumstances on the processor's side had made the deletion difficult. In its decision, the Danish authority emphasised that almost a year had passed from the time the complainant asked the municipality to have the information deleted until this was implemented, and that the municipality, as controller, must ensure that the rights of the data subject are respected. This means, among other things, that the controller must engage only processors that can provide sufficient guarantees that appropriate technical and organisational measures will be taken to protect the rights of data subjects.

European Data Protection Supervisor – EDPS

EDPS published guidelines on the use of body temperature verification by EU institutions

In its guidelines, the EDPS distinguishes between body temperature checks that fall under the Regulation and those that do not: basic checks designed only to measure body temperature, operated manually and not followed by any recording, documentation or other processing of individuals' personal data are, in principle, not subject to the Regulation. All other temperature-check systems, whether operated manually or automatically, that are followed by processing of individuals' personal data are subject to the Regulation. Depending on the processing capabilities of the systems used to perform the checks, additional data protection measures need to be implemented. Data protection by design and by default also means that the European institutions must design body temperature checks so that the amount of personal data collected is minimised.

Office of the Data Protection Ombudsman – Finland

Finnish authority fines company for conducting electronic direct marketing without prior consent

In their complaints, data subjects reported having received direct marketing messages from the company without having consented to them. Under Finnish law, direct marketing may only be directed at individuals who have given their prior consent, and under Article 4 of the GDPR consent must be a freely given, specific, informed and unambiguous indication of the data subject's wishes. Some of the data subjects replied to the SMS marketing message in the way the controller had indicated in order to opt out of direct marketing. Despite opting out, they continued to receive new direct marketing messages. The controller therefore failed to give effect to the right to withdraw consent under the GDPR.

CNIL – France

French authority publishes charter to ensure greater transparency in its inspection activities

Given the particularly high stakes of the inspections it carries out, the authority considers it essential that the organisations concerned understand how these investigations proceed and know how the CNIL can intervene. The purpose of the CNIL Supervisory Charter is therefore to set out, as precisely as possible, the rights and obligations of the bodies subject to inspection, especially with regard to the GDPR. The CNIL also describes the course and consequences of an inspection, whatever its form, as well as the principles of good conduct to be followed in that context.

Garante per la Protezione dei Dati Personali – Italy

Garante publishes note on children’s media exposure

In light of some recent episodes of exposure of minors in the media, including in summer holiday reporting, the Italian authority reminded all media outlets that the rules on the protection of personal data in journalism establish guarantees for the protection of minors. In particular, to protect their personality, special precautions must be taken to avoid exposing minors through the disclosure of information concerning them, including their image, which may have negative consequences for their development.

Autoriteit Persoonsgegevens – Netherlands

Dutch authority conducts research on smart cities

The research focuses on the processing of personal data in public spaces with sensors and other technologies. The authority mapped how municipalities deal with the privacy of residents and visitors; a diverse group of municipalities, varying in size and location, provided information for the study. During the investigation the authority requested, among other things, the DPIAs for smart city applications, and advised cities to: (i) pay attention to the quality of the DPIA, clearly indicating which data is actually handled by, for example, sensors and cameras; (ii) keep the DPIA up to date, checking from time to time that the processing is still the same and revising the DPIA if anything has changed; and (iii) involve citizens in the development of smart city applications and ask for their opinion before the project starts.

Datatilsynet – Norway

Norwegian Authority fines Norwegian Public Road Administration

The Norwegian authority fined the Norwegian Public Road Administration NOK 400,000 for processing personal data for purposes incompatible with the original purpose and for not deleting camera recordings after 7 days. The personal data was largely collected by fixed cameras on the roads and used to monitor contractors, employees, subcontractors and the subcontractors' employees.

ICO – United Kingdom

British authority publishes statutory code for protecting children online

The code requires organisations to provide better protection for children's privacy and applies to organisations providing online services and products likely to be accessed by people under the age of eighteen. It sets out fifteen standards that developers of online products must follow and explains how they must comply with data protection law. The authority has given organisations one year to make the necessary changes.

British authority publishes research results on public trust in relation to the protection of personal data

The document points to an increase in trust in the NHS, financial services, telecommunications and public service providers. According to the report, trust overall remains fairly consistent: the proportion of people with high trust has decreased slightly, while the proportion of people with low trust has also decreased. For Elizabeth Denham, UK Information Commissioner, "What is clear is that we must continue to promote the value of data protection. It may not be surprising that people who have had a negative experience with the loss or theft of their data have less confidence and security in organizations that use their data more widely: a small number of underperforming organizations can have a big impact on trust."

Data Protection at Universities

Digital Contact-Tracing for COVID-19: A Primer for Policymakers

Rhema Vaithianathan, Matthew Ryan, Nina Anchugina, Linda Selvey, Tim Dare, Anna Brown

The article is intended for policymakers and provides an introduction to how digital contact tracing works, including a simplified model of its epidemiological underpinnings. It explores how to gain greater acceptance for the use of the technology in the context of a public health emergency, as well as the means to carry out a robust and transparent evaluation so that users can judge for themselves whether downloading and using the application "is worth the effort".

Readability of Privacy Policies

Barbara Krumai, Jennifer Klar

Privacy policies have become an important tool for communicating with users on company websites and informing them how and for what purpose personal data is collected. In these policies, the social, legal and technical aspects must be explained in a clear and understandable way. However, as legal and technical issues often require specialised language, organisations need to find a way to convey the information in a form that users can understand. The article examines seven quantitative approaches to measuring readability, applying them to the privacy policies of different companies. Based on the results, it describes an approach for measuring the readability of privacy statements.
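As an added illustration of the kind of quantitative readability measurement the article discusses (this is example code written for this bulletin, not the authors' method or their data), the block below scores two constructed privacy-policy clauses with two widely used formulas, Flesch Reading Ease and the Flesch-Kincaid grade level. The two sample clauses, the regular-expression tokeniser and the vowel-group syllable heuristic are all assumptions of this example; real readability tools use dictionary-based syllable counts and handle abbreviations, numbers and lists more carefully.

```python
import re

# Constructed sample texts (not taken from any real policy or from the paper):
# a deliberately dense clause and a plain-language rewrite of the same content.
DENSE = ("Notwithstanding the foregoing, personal information may be disclosed "
         "to affiliated entities and third-party processors for the purposes of "
         "fulfilling contractual obligations, regulatory compliance and "
         "legitimate business interests.")
PLAIN = ("We may share your data with our partners. We do this to deliver the "
         "service, to follow the law and to run our business.")

VOWEL_GROUPS = re.compile(r"[aeiouy]+")
SENTENCE_END = re.compile(r"[.!?]+")
WORD = re.compile(r"[A-Za-z']+")


def count_syllables(word: str) -> int:
    """Heuristic syllable count (an assumption of this example): one syllable per
    vowel group, minus one for a trailing silent 'e' (but not for '-le'), and
    never fewer than one."""
    w = word.lower()
    n = len(VOWEL_GROUPS.findall(w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def tokenize(text: str):
    """Split text into sentences (on . ! ?) and words (letter runs)."""
    sentences = [s for s in SENTENCE_END.split(text) if s.strip()]
    words = WORD.findall(text)
    return sentences, words


def readability_report(text: str) -> dict:
    """Return word/sentence/syllable counts and the two Flesch scores.

    Flesch Reading Ease: 206.835 - 1.015 * (words/sentences) - 84.6 * (syllables/words)
    Flesch-Kincaid grade: 0.39 * (words/sentences) + 11.8 * (syllables/words) - 15.59
    Higher reading ease (roughly 0..100) is easier; lower grade level is easier.
    """
    sentences, words = tokenize(text)
    if not sentences or not words:
        raise ValueError("text must contain at least one sentence with words")
    syllables = sum(count_syllables(w) for w in words)
    asl = len(words) / len(sentences)      # average sentence length
    asw = syllables / len(words)           # average syllables per word
    return {
        "words": len(words),
        "sentences": len(sentences),
        "syllables": syllables,
        "reading_ease": 206.835 - 1.015 * asl - 84.6 * asw,
        "grade_level": 0.39 * asl + 11.8 * asw - 15.59,
    }


def more_readable(a: str, b: str) -> str:
    """Return which of two texts ('a' or 'b') scores higher on Flesch Reading Ease."""
    return "a" if readability_report(a)["reading_ease"] >= readability_report(b)["reading_ease"] else "b"


if __name__ == "__main__":
    for label, text in (("dense", DENSE), ("plain", PLAIN)):
        r = readability_report(text)
        print(f"{label}: {r['words']} words, {r['sentences']} sentences, "
              f"ease={r['reading_ease']:.1f}, grade={r['grade_level']:.1f}")
```

Running this on the two constructed clauses gives a sharply negative reading-ease score and a grade level well above any school year for the dense clause, versus a score in the "easy" band for the plain rewrite; the point of such metrics, as the article notes, is that they let a policy be compared against a target audience before it is published.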

Data Protection in the Brazilian Legislative

Senate excludes from MP 859/2020 the postponement of the term of the LGPD

It was decided that the Provisional Measure will remain in effect until the President of the Republic sanctions the conversion bill. The General Data Protection Law (LGPD) can therefore only come into force after the bill is sanctioned, for which the President has a period of fifteen working days.

Proposed Bill amending the LGPD to restrict access to consumer data by credit protection companies

On August 27th, Federal Deputy Wolney Queiroz (PDT) introduced a bill amending the General Data Protection Law (LGPD) and the Brazilian Internet Civil Framework (Marco Civil da Internet) to restrict the access to, processing and sharing of consumer data by credit protection companies. The bill is currently before the Chamber's Directing Board (Mesa Diretora).

Data Protection in the Brazilian Judiciary

TJSP decision accepts appeal from Google Brasil Internet LTDA for not providing connection data of European origin

Rapporteur Alexandre Coelho upheld interlocutory appeal No. 2192571-14.2020.8.26.0000, filed by Google, which argued that it had only partially been able to comply with an order to provide IP data. According to the company, part of the data, specifically that originating in France, could not be provided because of the European Regulation. The judge upheld the appeal, finding that the company was not at fault and that the obligation was in fact impossible to fulfil without infringing the jurisdiction, sovereignty and privacy of residents of Europe.