Data Protection Bulletins

Data Governance Act “DGA”

The EU Commission’s proposal for a data governance regulation was published in November 2020 and completed its process, becoming a European law (EU Regulation 2022/868) with its publication in the Official Journal of the European Union on June 3, 2022. The figure below outlines the

Calculation of administrative fines under the GDPR -1

The European Data Protection Board (EDPB) released Guidelines 04/2022 on the calculation of administrative fines under the GDPR, submitting them for public consultation until June 27, 2022. The General Regulation made significant changes in the area of administrative fines that Directive 95/46/EC, on the other

FAQ for standard contractual clauses

On May 25, 2022, the European Commission published a set of questions and answers on the two sets of standard contractual clauses: (1) one for the use between controllers and processors (Art. 28 GDPR) and (2) one for the transfer of personal data to countries

European health data space

As part of the European data strategy, the EU Commission has released the first proposal for a European data space in a specific area, focusing on health data, in particular on electronic health data. These are the main objectives of this proposal: Enable more transparency,

EDPB Annual Report 2021

Around May-June of each year the supervisory authorities release their annual report for their activities carried out in the previous year: this has already been done by the CNIL (press version), among others, and likewise by the EDPB, while the Italian Garante’s report is expected soon.

“Privacy” access as a power of control

More and more, legislators, both supranational and national, are recognizing a right of access for individuals to information held by third parties that affects them in some way or that is functional to the exercise of their rights under the law. The GDPR is no

Complaints against GDPR violations

The numerous complaints lodged with national supervisory authorities by international non-profits such as NoyB, La Quadrature du Net, Privacy International and others are a practical example of the provisions of Article 80(1) of the GDPR, which allows data subjects to exercise their remedies recognized by

Data sharing

The data economy is based on “data sharing”, that is, the sharing of data with third parties. The EU strategy on the data economy, aimed at stimulating its development and eliminating the barriers that stand in its way, has promoted a series of legislative acts,

The Italian “Do-not-call” – 2

Let’s resume our analysis of the reform of the Italian “Do-not-call” Register (Registro Pubblico delle Opposizioni), completed with the publication in the Official Gazette of the implementing regulation (Presidential Decree no. 26/2022), replacing the previous Presidential Decree no. 178/2010. In the meantime, the Ministry of

One Stop Shop

The EDPB has released the Guidelines 02/2022 on the application of Article 60 of the GDPR, i.e., the procedural modalities of the cooperation mechanism, known as the “one-stop-shop.” The document, at first glance, would appear to be aimed primarily at supervisory authorities, but offers useful

The Italian “Do-not-call” – 1

The official gazette of March 29, 2022 (no. 74) – the editorial body that publishes with official value the regulations of the Italian Republic – has published the long-awaited regulation of the Italian “Do Not Call” Register (Registro Pubblico delle Opposizioni). The Italian Do-not-call Register

EU – U.S. data flows: political agreement

On the sidelines of the European and global level meetings held in Brussels, the joint press conference of the President of the United States and the President of the EU Commission on March 25, 2022, broke the news that an agreement “in principle” had been

Clearview Case – Takeaways

The business of the American company – consisting in the web scraping of images of internet users, in the matching with metadata identifying the subjects and in the comparison with photos provided by the customers of the application in order to obtain their identification – has been

Artificial Intelligence in the GDPR

EU Data Strategy. The proposal for an Artificial Intelligence Regulation is part of the broader EU data strategy that has already produced a large number of regulations aimed at creating a single European data market: the Data Governance Act and the Data Act, which aim

Exercise of Rights

The EDPB Guidelines 01/2022 on the “privacy” right of access contain indications that can be also applied generally with regard to the exercise of other GDPR rights. In this roundup, for example, we will discuss two aspects that are common to the exercise of any right under the regulation: the matter of

Data Act

The European Commission has published the long-awaited proposal for a regulation on data law (“Data Act”). This is, after the Data Governance Act, the second most important regulatory measure crossing all sectors of the EU Data Strategy (see Bulletin of 22/7, 9/9, 11/11 and 23/12/2021). EU Data Strategy

Data Barter

If it is true that data – and “personal” data in particular – are the lifeblood of the digital economy, it is equally true that their availability is essential for the performance of any type of activity, whether of a commercial or non-profit nature. Entering

Belgian Authority vs. IAB Europe

A complex investigation into the GDPR compliance of the Transparency and Consent Framework platform of the IAB Europe federation, which brings together stakeholders in the field of behavioral advertising, has come to an end with a €250,000 sanctioning decision adopted by the Belgian authority. Measure of the

EDPB Guidelines on the Right of access

The European Data Protection Board has released Guidelines 01/2022 on the right of access subjecting them, as is customary, to public consultation; any comments should be sent by March 11, 2022. The guidelines contain an explanatory flow chart, which we will use to better describe

CNIL vs. Google

The disputes between the French supervisory authority and the Californian company are still going on for alleged violations of European regulations on the protection of personal data and privacy in electronic communications. On December 31, 2021, the CNIL fined for a total of 150 million

Sanction for telemarketing and more

The Italian authority intervened once again regarding telemarketing activities that did not comply with the applicable regulations, imposing one of its largest fines, 26.5 million euros. The measure – which also regarded violations of a different nature – was issued at the end of

Grindr sanctioning measure

The case in which the Norwegian supervisory authority (Datatilsynet) sanctioned the American company Grindr LLC, supplying the mobile application Grindr, the world’s largest social networking app for the LGBTQ community, offers elements to be considered both from the point of view of the strategy for

Advertiser privacy roles

In the context of the implementation of advertising campaigns, in reference to the topic of the identification of subjective privacy roles, we’ll discuss the specific role assumed by the advertiser. The latter, hired by the client, implements the campaign using personal data in his exclusive

Data Governance Act – 2

One of the main regulations in the EU data strategy is the proposed Data Governance Act. In the bulletin of November 11th, we described its general aspects; in this one, we will focus on its relative impacts on the discipline dictated by the GDPR, in

Data on criminal convictions and offences

Data relating to criminal convictions and offenses receive heightened protection under the GDPR because of the sensitivity of the information they cover and the high impact they can have on the rights and freedoms of data subjects. According to the CJEU, this type of information

Connected vehicles

On March 9, 2021, the European Data Protection Board (EDPB), following the public consultation phase, adopted the final version (v.2.0) of Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications. Considering the wide context of reference, the topic

EU Data Strategy – 3

The European Union’s data strategy takes shape through an articulated complex of regulatory acts, some already enacted and others in the course of completing the legislative process among the European institutions. EU Regulations for data sharing. Once the data protection regime has been

Targeted advertising to social media users

On April 13, 2021, the European Data Protection Board (EDPB) adopted the final version (v. 2.0) of Guidelines 8/2020 on targeting of social media users following the conclusion of the public consultation phase. Subsequently, on July 7, 2021, the same EDPB released a new

Lead Generation

Let’s take a closer look at “lead generation”, that is, the preliminary step of advertising campaigns consisting of promotional solicitation aimed at collecting the names of customers who express their general interest in the particular product or service to be promoted. Solicitations of leads

DGA -1

In the European strategy for data, an important step is the proposal for a regulation known as the Data Governance Act or DGA. It complements other initiatives that aim to achieve developmental conditions for the data economy while respecting the platform of safeguards and measures

Responsibilities of an EU Representative

In the event that an organization under the jurisdiction of a country outside the EU/EEA processes personal data that falls within the scope of the GDPR and does not have its own establishment in the EU, it must designate, in writing, a Representative established in

Social engineering

The expression “social engineering”, in the domain of information security, usually groups together all those cases of artifice and deception aimed at manipulating the human predisposition to trust. In fact, unlike what might appear at first sight, the human being is inclined to have

A. I. between expectations and doubts – second part

Anticipated by the work of the High-Level Expert Group on AI (Ethics Guidelines for Trustworthy AI of April 2019 and Policy and Investment Recommendations for Trustworthy AI of June 2019) and the EU Commission’s own White Paper on AI (19/2/2020), the proposed Artificial Intelligence Act

Additional measures in personal data transfers

On June 18, 2021, the European Committee released the updated version (v.2.0) of Recommendations 1/2020 on additional measures to be adopted in the event that those provided by Article 46 of the GDPR to legitimize data transfers to third countries are not sufficient following the

Green Pass, green Privacy

The Covid pandemic has forced us to a difficult exercise of new balances between fundamental rights and freedoms, some synergistic – such as public and private health as well as protection of personal data – others where there was more evidence of a backward step

Relationship between domestic and European law

Often, even in the course of this Covid-19 pandemic, we have witnessed uncertainties on the part of the legislators of individual EU member states in identifying ways to intervene in issues and rights already governed by European law. Especially in the field of personal data

EU Representative

The appointment of the EU Representative is required if the company in question is subject to the law of a country which is not a member of the European Union, and only under certain circumstances and conditions. Summary: How to determine if

EU Data Strategy – 2

We resume our analysis of the European data strategy and its main purpose of promoting the development of a “data driven” economy in the Union. In the Alert of July 22nd, 2021, we highlighted the strategic value of “data” and examined the ranking of the

Code of Conduct on commercial information

After two years since its approval on June 12, 2019 (see Editorial of 6/27/2019), on May 27, 2021, the “Code of Conduct prepared by the National Association between Business Information and Credit Management Companies (Ancic)” (“Code on commercial information”) came into force in Italy through

Standard clauses between controllers and processors – 2

The Legal Information Service will be paused for the month of August and will recommence with the bulletin of September 2nd. We complete the analysis of EU Commission Decision 2021/915, which adopts the standard clauses between data controllers and data processors, considering their structure

EU data strategy – 1

The European Commission, with the publication of the “European data strategy” document of 2020, launched the five-year strategic plan for the creation of the European Common Data Space and the Data-based digital economy. The plan starts from the observation that the two major “players” of

Cookies: new guidelines of the Italian Garante

The Privacy Garante – following the public consultation completed in 2020 – has released the new guidelines on cookies that update those of 2014 following the changes made by the GDPR. Although they come out in the middle of the negotiation of the trilogue between

The EU Commission has adopted the new SCCs – 2

Let’s go back to examining the new standard clauses adopted by the EU Commission aimed at legitimizing the transfer of personal data to third countries (see Alert of 10/6/2021). The transfer of personal data to a third country (i.e. neither belonging to the EU nor

Data breach: notification forms

There is an aphorism in the world of information security that says “do not ask yourself if you will ever have a data breach, but rather when it will be your turn”. In the domain of personal data protection, data security is a principle of

Italian Antitrust against Facebook

The second round in the confrontation between the AGCM and Facebook also came to an end with the imposition of a new overall fine of € 7 million against Facebook Ireland Ltd. and Facebook Inc. jointly and severally. The story shows how the current business

Cookie “banner”, “barrier” and “wall”

The EU Commission’s proposal for the new ePrivacy regulation did not explicitly refer to the circumstances that practice has identified with the terms “cookie banner”, “cookie barrier” and “cookie wall”. The version of Parliament approved by the LIBE commission provides for the prohibition of “cookie

Advertising and Data Protection

Individual advertising or “direct” promotion, in a broad sense, consists of those promotional operations that address the advertising message directly to the potential customer (hence also called “direct marketing”); this aspect distinguishes it from general advertising which, on the other hand, is aimed at a general

International data flows: the new SCCs

Within a few days, answers were given, albeit not definitive, to the stringent expectations that followed the decision of the CJEU on the Schrems II case. The decision of the Court, as is known, invalidated the Privacy Shield agreement and considered the standard or “SCC”

ENISA Threat scenario

The EU Cyber Security Agency (ENISA) has published the 2019-2020 threat scenario. This is the eighth edition but also the first since the entry into force of the Cybersecurity Act which strengthened the role and competences of the agency by giving it a permanent mandate.

ICO reduces the fine on British Airways

Following a major security incident that caused the breach of sensitive personal data of over 400,000 individuals (passengers), on 08/07/2019 the British Information Commissioner (“ICO”) communicated to the airline its intention to sanction it for the significant sum of 183.39 million pounds (€ 204M) for

Brazilian privacy law

After an initial postponement in February 2020, on 26 August the Brazilian Senate approved the entry into force of the Brazilian law on the protection of personal data “Lei Geral de Proteção de Dados Pessoais” (LGPD) with effect from 15 August 2020, i.e. two

Data Subject Requests

Learning from previous cases. The provisions of the national supervisory authorities, together with the guidelines and opinions of the EDPB, if read between the lines, allow us to obtain important information on how organizations should operate in order to respond adequately to the principle of

Schrems II

On 16 July 2020, the Court of Justice of the European Union issued the expected decision on the preliminary ruling in the case known as Schrems II (C-311/18), which deemed the Privacy Shield instrument invalid with immediate effect and clarified some aspects regarding the scope

The 6 rules for personal data breach

Last week’s Alert pointed out hacker opportunism taking advantage of emergencies, as recorded in these Coronavirus times. There are many profiles of increased vulnerability in this situation: work outside the corporate context, where the level of protection – physical and logical – is certainly higher
