Complaints filed by Privacy International (Nov 2019)

on tracking, cookies, data brokers
https://privacyinternational.org/advocacy/2426/our-complaints-against-acxiom-criteo-equifax-experian-oracle-quantcast-tapad

This includes good summaries of legal theories and business models for

Prior authorization/notification requirements (from Baker McKenzie 2019)

General comparison via Baker McKenzie (via compare jurisdiction and topics)
https://globaltmt.bakermckenzie.com/data-privacy-security/views/comparison-view?ids=969b220521f94e21a8358fa9cabce1ff,7b3389f4364545d8933d7ccb76b6d5c8

In many articles it is stated that prior notification/authorization requirements had been replaced with GDPR by the need to have high-risk Data Protection Impact Assessments reviewed by the Supervisory Authorities (GDPR Art 36). – However, there are still cases in which more specific prior notification/authorization requirements exist (GDPR Art 36 (5) and Member state laws (via opening clauses)).

According to the above source, in the EU, -and omitting DPO registrations – there are requirements for
(check source above for the precise wording, my own summary below)

  • Belgium
    (CCTV, sometimes communication of health data)
  • Denmark
    (purpose-related: warning someone to engage in some business, creditchecks/financial standing-related, legal information system-related)
  • France
    (sometimes for processing of person’s NIR (national identification registry) number; state investigations; biometric or genetic data for authentication on behalf of the state; some transfers of personal data to a third country (GDPR 43 (3) a);
    ad hoc scheme for health data and subjects their processing to a prior declaration of conformity with standard references (“référentiels”) of the CNIL. Failing that, article 54 of the Data Protection Act states that processing shall be subject to the CNIL’s prior authorization, except in the field of health research or study. ” (quote from URL above) [Exceptions for some bodies and services listed via a Ministerial Order]

For France/CNIL: Overview by Baker McKenzie
https://globaltmt.bakermckenzie.com/sitesearch?keyword=france&matrixid=33ba308e82f14292a36ec822d367795e&scroll=900

CNIL/France: Pior authorization for healthdata, pharmacovigilance and CNIL standards

Article by TwoBirds ” The CNIL published on 18 July 2019 a new standard concerning the processing of personal data for the purpose of vigilance in the health sector. ”
https://www.twobirds.com/en/news/articles/2019/global/new-cnil-standard-for-all-companies-doing-product-vigilance-activities

Quote: ” The standard is of great importance since according to the French Data Protection Act such processing activities are submitted to the CNIL’s prior authorization. The scope of the French prior authorization requirement is extraterritorial, and any organization worldwide doing product vigilance on individuals residing in France must obtain an authorization in order to be allowed to carry on their activities. But if their activities comply with the CNIL’s new standard, then they can now file a declaration of compliance with the CNIL, instead of filing a full request for authorization. “

Link to inofficial translation by TwoBirds at https://www.twobirds.com/~/media/pdfs/france/new-french-cnil-standard.pdf?la=en&hash=8AE9FA58104BDE6D234289328ACB6BBCE25DCBD2

TwoBird article on overall background at https://www.twobirds.com/en/news/articles/2019/france/processing-health-data-in-france-what-to-look-out-for-after-gdpr – incl. need for prior authorization and CNIL reference methods