The Council of Europe Convention on AI
Following two years of work – a fairly limited time frame for an international treaty – the Convention on Artificial Intelligence (“AI”), the first legally binding international treaty on AI, was approved on May 17, 2024, at the annual meeting of the Council of Europe’s Committee of Ministers. The Convention consists of 36 articles, grouped […]
Data retention periods
In the bulletin of May 9, 2024, we recalled that retention is a processing operation and that personal data should be retained for a limited time, indeed, for the minimum amount of time necessary to fulfill the stated purpose. In this round, we focus on the legal value of determining retention periods. Retention periods and […]
Amendments to the Italian Privacy Code
The decree-law for the implementation of the National Recovery and Resilience Plan (the so-called “PNRR Decree”, Decree No. 19 of March 2, 2024, converted with amendments by Law No. 56/2024) provided, in Article 44.1-bis, for the amendment of Articles 2-sexies and 110 of the Privacy Code. Both amendments intervene in the context of the regulation of special […]
Data retention
In this article, we address one of the thorniest aspects of the data protection discipline: data retention and, in particular, the limitation of the time of retention of personal data. It is not so much the principle itself that is complex – according to which personal data should be retained for as long as is […]
Pay or Consent
The European Data Protection Board (EDPB) on April 17 issued its long-awaited Opinion 08/2024 on the GDPR compliance of the “pay or consent” mode of using personal data for behavioral advertising, which has long been used by operators of major online platforms and online media providers. Summary The opinion was requested by Dutch, Norwegian, and […]
Liability in the GDPR
With today’s episode on liability, we complete our legal analysis on the triad of adequacy, accountability and liability with regard to data protection law. Adequacy Adequacy – as stated in the January 25, 2024 Bulletin – is the element to which the level of compliance required by law relates for those requirements that assume a […]
Facial recognition for time and attendance: lawfulness and GDPR compliance
The Italian Data Protection Authority’s newsletter number 520 of March 28, 2024 reports the issuance of five decisions by the authority against as many companies involving the implementation and operation of a facial recognition system to detect workplace attendance by employees at waste disposal sites. Following the establishment of a number of violations with […]
Accountability in the GDPR
The application perimeter of the accountability principle is not that of merely demonstrating what, if anything, the data controller claims in terms of GDPR compliance; in fact, accountability consists of a twofold obligation: Comply with the general principles (“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (of Article […]
Code of Conduct for Employment Agencies
In the February 29, 2024 bulletin, news was given of the completion of the Code of Conduct for Employment Agencies by dwelling on the legal bases identified for typical processing of personnel data, as these can provide useful guidance to any employer attempting to compile its own processing register, as a controller, even beyond the context […]
CJEU on processing and personal data
Three CJEU pronouncements have clarified some important aspects of the general concepts of “processing” and “personal data.” Some of the Court’s considerations are of general relevance; others must be contextualized to the case before the Luxembourg judges. The rulings were all delivered on March 7, 2024; two are in response to references for preliminary rulings, […]