Data Protection Bulletins
Data Governance Act “DGA”
The EU Commission’s proposal for a data governance regulation was published in November 2020 and completed its process, becoming a European law (EU Regulation 2022/868) with its publication in the Official Journal of the European Union on June 3, 2022. The figure below outlines the
Calculation of administrative fines under the GDPR – 1
The European Data Protection Board (EDPB) released Guidelines 04/2022 on the calculation of administrative fines under the GDPR, submitting them for public consultation until June 27, 2022. The General Regulation made significant changes in the area of administrative fines that Directive 95/46/EC, on the other
FAQ for standard contractual clauses
On May 25, 2022, the European Commission published a set of questions and answers on the two sets of standard contractual clauses: (1) one for the use between controllers and processors (Art. 28 GDPR) and (2) one for the transfer of personal data to countries
European health data space
As part of the European data strategy, the EU Commission has released the first proposal for a European data space in a specific area, focusing on health data, in particular on electronic health data. These are the main objectives of this proposal: Enable more transparency,
EDPB Annual Report 2021
Around May-June of each year the supervisory authorities release their annual report for their activities carried out in the previous year: this has already been done by the CNIL (press version), among others, and likewise by the EDPB, while the Italian Garante’s report is expected soon.
“Privacy” access as a power of control
More and more, legislators, both supranational and national, are recognizing a right of access for individuals to information held by third parties that affects them in some way or that is functional to the exercise of their rights under the law. The GDPR is no
Complaints against GDPR violations
The many complaints lodged with national supervisory authorities by international non-profits such as NoyB, La Quadrature du Net, Privacy International and others are a practical example of the provisions of Article 80(1) of the GDPR, which allows data subjects to exercise their remedies recognized by
Data sharing
The data economy is based on “data sharing”, that is, the sharing of data with third parties. The EU strategy on the data economy, aimed at stimulating its development and eliminating the barriers that stand in its way, has promoted a series of legislative acts,
The Italian “Do-not-call” – 2
Let’s resume our analysis of the reform of the Italian “Do-not-call” Register (Registro Pubblico delle Opposizioni), completed with the publication in the Official Gazette of the implementing regulation (Presidential Decree no. 26/2022), replacing the previous Presidential Decree no. 178/2010. In the meantime, the Ministry of
One Stop Shop
The EDPB has released the Guidelines 02/2022 on the application of Article 60 of the GDPR, i.e., the procedural modalities of the cooperation mechanism, known as the “one-stop-shop.” The document, at first glance, would appear to be aimed primarily at supervisory authorities, but offers useful
The Italian “Do-not-call” – 1
The official gazette of March 29, 2022 (no. 74) – the editorial body that publishes with official value the regulations of the Italian Republic – has published the long-awaited regulation of the Italian “Do Not Call” Register (Registro Pubblico delle Opposizioni). The Italian Do-not-call Register
EU – U.S. data flows: political agreement
On the sidelines of the European and global level meetings held in Brussels, the joint press conference of the President of the United States and the President of the EU Commission on March 25, 2022, broke the news that an agreement “in principle” had been
Clearview Case – Takeaways
The business of the American company – consisting of the web scraping of images of internet users, their matching with metadata identifying the subjects, and their comparison with photos provided by the customers of the application in order to identify those subjects – has been
Artificial Intelligence in the GDPR
EU Data Strategy The proposal for an Artificial Intelligence Regulation is part of the broader EU data strategy that has already produced a large number of regulations aimed at creating a single European data market: the Data Governance Act and the Data Act, which aim
Exercise of Rights
The EDPB Guidelines 01/2022 on the “privacy” right of access contain indications that can be also applied generally with regard to the exercise of other GDPR rights. In this roundup, for example, we will discuss two aspects that are common to the exercise of any right under the regulation: the matter of
Data Act
The European Commission has published the long-awaited proposal for a regulation on data law (“Data Act”). This is, after the Data Governance Act, the second most important regulatory measure crossing all sectors of the EU Data Strategy (see Bulletins of 22/7, 9/9, 11/11 and 23/12/2021). EU Data Strategy
Data Barter
If it is true that data – and “personal” data in particular – are the lifeblood of the digital economy, it is equally true that their availability is essential for the performance of any type of activity, whether of a commercial or non-profit nature. Entering
Belgian Authority vs. IAB Europe
A complex investigation into the GDPR compliance of the Transparency and Consent Framework platform of the IAB Europe federation, which brings together stakeholders in the field of behavioral advertising, has come to an end with a €250,000 sanctioning decision adopted by the Belgian authority. Measure of the
EDPB Guidelines on the Right of access
The European Data Protection Board has released Guidelines 01/2022 on the right of access subjecting them, as is customary, to public consultation; any comments should be sent by March 11, 2022. The guidelines contain an explanatory flow chart, which we will use to better describe
CNIL vs. Google
The disputes between the French supervisory authority and the Californian company are still going on for alleged violations of European regulations on the protection of personal data and privacy in electronic communications. On December 31, 2021, the CNIL fined for a total of 150 million
Sanction for telemarketing and more
The Italian authority intervened once again regarding telemarketing activities that did not comply with the applicable regulations, imposing one of its largest fines, 26.5 million euros. The measure – which also concerned violations of a different nature – was issued at the end of
Grindr sanctioning measure
The case in which the Norwegian supervisory authority (Datatilsynet) sanctioned the American company Grindr LLC, which supplies the mobile application Grindr, the world’s largest social networking app for the LGBTQ community, offers elements to be considered both from the point of view of the strategy for
Defensive employees’ monitoring: from the Italian legal cases
If the employer has the right to check the worker’s performance, the latter does not lose all margins of privacy merely by working in the company. European Court of Human Rights According to the European Court of Human Rights (ECtHR), the protection of
Advertiser privacy roles
In the context of the implementation of advertising campaigns, and with regard to the identification of the privacy roles of the parties involved, we’ll discuss the specific role assumed by the advertiser. The latter, hired by the client, implements the campaign using personal data in his exclusive
Data Governance Act – 2
One of the main regulations in the EU data strategy is the proposed Data Governance Act. In the bulletin of November 11th, we described its general aspects; in this one, we will focus on its impact on the rules laid down by the GDPR, in
Data on criminal convictions and offences
Data relating to criminal convictions and offenses receive heightened protection under the GDPR because of the sensitivity of the information they cover and the high impact they can have on the rights and freedoms of data subjects. According to the CJEU, this type of information
Connected vehicles
On March 9, 2021, the European Data Protection Board (EDPB), following the public consultation phase, adopted the final version (v.2.0) of Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility-related applications. Considering the wide context of reference, the topic
EU Data Strategy – 3
The European Union’s data strategy takes shape through an articulated complex of regulatory acts, some already enacted and others in the course of completing the legislative process among the European institutions. EU Regulations for data sharing Once the data protection regime has been
Targeted advertising to social media users
On April 13, 2021, the European Data Protection Board (EDPB) adopted the final version (v. 2.0) of Guidelines 8/2020 on targeting of social media users following the conclusion of the public consultation phase. Subsequently, on July 7, 2021, the same EDPB released a new
Lead Generation
Let’s take a closer look at “lead generation”, that is, the preliminary step of advertising campaigns consisting of promotional solicitation aimed at collecting the names of customers who express their general interest in the particular product or service to be promoted. Solicitations of leads
DGA – 1
In the European strategy for data, an important step is the proposal for a regulation known as the Data Governance Act or DGA. It complements other initiatives that aim to achieve developmental conditions for the data economy while respecting the platform of safeguards and measures
Responsibilities of an EU Representative
In the event that an organization under the jurisdiction of a country outside the EU/EEA processes personal data that falls within the scope of the GDPR and does not have its own establishment in the EU, it must designate, in writing, a Representative established in
Social engineering
The expression “social engineering”, in the domain of information security, usually groups together all those artifices and deceptions aimed at manipulating the human predisposition to trust. In fact, unlike what might appear at first sight, the human being is inclined to have
A. I. between expectations and doubts – second part
Anticipated by the work of the High-Level Expert Group on AI (Ethics Guidelines for Trustworthy AI of April 2019 and Policy and Investment Recommendations for Trustworthy AI of June 2019) and the EU Commission’s own White Paper on AI (19/2/2020), the proposed Artificial Intelligence Act
Additional measures in personal data transfers
On June 18, 2021, the European Committee released the updated version (v.2.0) of Recommendations 1/2020 on additional measures to be adopted when those provided by Article 46 of the GDPR to legitimize data transfers to third countries are not sufficient following the
Green pass: Interactions with the related processing of personal data – 2
The rules on the use of the green pass, as laid down by Legislative Decrees 52/2021 and 127/2021 and as reiterated by Regulation 2021/953, inevitably involve the processing of personal data, so within these areas you must make sure to comply with both sets of rules.
Green Pass, green Privacy
The Covid pandemic has forced us to a difficult exercise of new balances between fundamental rights and freedoms, some synergistic – such as public and private health as well as protection of personal data – others where there was more evidence of a backward step
Relationship between domestic and European law
Often, even in the course of this Covid-19 pandemic, we have witnessed uncertainties on the part of the legislators of individual EU member states in identifying ways to intervene in issues and rights already governed by European law. Especially in the field of personal data
EU Representative
The appointment of the EU Representative is required if the company in question is subject to the law of a country which is not a member of the European Union and only under certain circumstances and conditions. Summary How to determine if
EU Data Strategy – 2
We resume our analysis of the European data strategy and the main purpose of promoting the development of a “data driven” economy of the union. In the Alert of July 22nd, 2021, we highlighted the strategic value of “data” and examined the ranking of the
Code of Conduct on commercial information
After two years since its approval on June 12, 2019 (see Editorial of 6/27/2019), on May 27, 2021, the “Code of Conduct prepared by the National Association between Business Information and Credit Management Companies (Ancic)” (“Code on commercial information”) came into force in Italy through
Standard clauses between controllers and processors – 2
The Legal Information Service will be paused for the month of August and will recommence with the bulletin of September 2nd. We complete the analysis of EU Commission Decision 2021/915, which adopts the standard clauses between data controllers and data processors, considering their structure
EU data strategy – 1
The European Commission, with the publication of the “European data strategy” document of 2020, launched the five-year strategic plan for the creation of the European Common Data Space and the Data-based digital economy. The plan starts from the observation that the two major “players” of
Cookies: new guidelines of the Italian Garante
The Privacy Garante – following the public consultation completed in 2020 – has released the new guidelines on cookies that update those of 2014 following the changes made by the GDPR. Although they come out in the middle of the negotiation of the trilogue between
The EU Commission has adopted the new SCCs – 2
Let’s go back to examining the new standard clauses adopted by the EU Commission aimed at legitimizing the transfer of personal data to third countries (see Alert of 10/6/2021). The transfer of personal data to a third country (i.e. neither belonging to the EU nor
The Council of State on the Italian Antitrust v. Facebook – 2
The judgment of 29 March 2021 of the Italian Council of State (in Italian) – which concluded the first set of charges brought by the Antitrust authority (“AGCM”) against Facebook for the unfair commercial practices carried out in relation to the use of the personal
Data breach: notification forms
There is an aphorism in the world of information security that says “do not ask yourself if you will ever have a data breach, but rather when it will be your turn”. In the domain of personal data protection, data security is a principle of
The Italian Council of State on the Antitrust v. Facebook – 1
The first round of the Italian antitrust (“AGCM”) litigation case against Facebook, started on 6 April 2018 to challenge alleged unfair commercial practices implemented by the social provider in the use of personal data of its users / consumers, has come to a conclusion. The
Italian Antitrust against Facebook
The second round in the confrontation between the AGCM and Facebook also came to an end with the imposition of a new overall fine of € 7 million against Facebook Ireland Ltd. and Facebook Inc. jointly and severally. The story shows how the current business
Cookie “banner”, “barrier” and “wall”
The EU Commission’s proposal for the new ePrivacy regulation did not explicitly refer to the circumstances that practice has identified with the terms “cookie banner”, “cookie barrier” and “cookie wall”. The version of Parliament approved by the LIBE commission provides for the prohibition of “cookie
Advertising and Data Protection
Individual advertising or “direct” promotion, in a broad sense, consists of those promotional operations that address the advertising message directly to the potential customer (hence also called “direct marketing”); this aspect distinguishes it from general advertising which, on the other hand, is aimed at a general
International data flows: the new SCCs
Within a few days, answers were given, albeit not definitive ones, to the pressing expectations that followed the decision of the CJEU in the Schrems II case. The decision of the Court, as is known, invalidated the Privacy Shield agreement and considered the standard or “SCC”
ENISA Threat scenario
The EU Cyber Security Agency (ENISA) has published the 2019-2020 threat scenario. This is the eighth edition but also the first since the entry into force of the Cybersecurity Act which strengthened the role and competences of the agency by giving it a permanent mandate.
ICO reduces the fine on British Airways
Following a major security incident that caused the breach of sensitive personal data of over 400,000 individuals (passengers), the British Information Commissioner (“ICO”) on 08/07/2019 communicated to the airline its intention to sanction it for the significant sum of 183.39 million pounds (€ 204M) for
Brazilian privacy law
After an initial postponement in February 2020, on 26 August the Brazilian Senate approved the entry into force of the Brazilian law on the protection of personal data, the “Lei Geral de Proteção de Dados Pessoais” (LGPD), with effect from 15 August 2020, i.e. two
Data Subject Requests
Learning from previous cases The provisions of the national supervisory authorities, together with the guidelines and opinions of the EDPB, if read between the lines, allow us to obtain important information on how organizations should operate in order to respond adequately to the principle of
Schrems II
On 16 July 2020, the Court of Justice of the European Union issued the expected decision on the preliminary ruling in the case known as Schrems II (C-311/18) which deemed the Privacy Shield instrument invalid, with immediate effect and clarified some aspects regarding the scope
The 6 rules for personal data breach
Last week’s Alert pointed out hacker opportunism taking advantage of emergencies, as recorded in these Coronavirus times. There are many profiles of increased vulnerability in this situation: work outside the corporate context, where the level of protection – physical and logical – is certainly higher