CNIL: Updated GDPR Developer Guide

https://github.com/LINCnil/Guide-RGPD-du-developpeur

What are the new features of this second version?
This major revision of the guide adds new sheets as well as code snippets that illustrate, in a practical way, certain requirements of the GDPR.

This content relates in particular to the rules on the use of cookies and other online trackers and on audience measurement solutions. This second version also draws up a non-exhaustive list of vulnerabilities that have led to data breaches notified to the CNIL and presents examples of measures that would have prevented them.

In total, the guide now includes 18 thematic sheets that cover most of the developers’ needs to support them at each stage of their project:

    Develop in compliance with the GDPR
    Identify personal data
    Prepare for your development
    Secure your development environment
    Manage your source code
    Make an informed choice of your architecture
    Secure your websites, applications and servers
    Minimize the data collected
    Manage user profiles
    Master your libraries and SDKs
    Ensure the quality of your code and its documentation
    Test your applications
    Inform people
    Prepare for the exercise of personal rights
    Manage the retention period of data
    Take into account the legal bases in the technical implementation
    (New sheet) Analyze tracking practices on your sites and applications
    Measure website and application traffic
    (New sheet) Guard against computer attacks

These sheets are not intended to meet all the requirements of the regulations nor to be prescriptive. However, they provide a reflection on the GDPR requirements to keep in mind when developing projects.

AEPD: Spain: Encryption and Privacy V: The key as personal data

“The public key of a natural person is a unique identifier and its use in online services is generally associated with other types of information that make it possible to identify and profile the person holding such a key. Under these conditions, the public key is personal data that uniquely identifies a person and thus its processing is subject to the provisions of the GDPR, although it can be considered as a method of pseudonymisation insofar as it can conceal a person’s real name.”

https://www.aepd.es/en/prensa-y-comunicacion/blog/encryption-and-privacy-v-the-key-as-personal-data

Austria: Changing legal basis after an invalid consent (even if not mentioned in privacy notice)

In its ruling of August 31, 2021 (Az. August 31, 2021), the Federal Administrative Court of Austria held that, after a consent is found invalid, data controllers may base the data processing on another legal basis under Art. 6 Para. 1 GDPR – even if that legal basis is not mentioned in the privacy notice!
https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20210831_W256_2227693_1_00/BVWGT_20210831_W256_2227693_1_00.html

AEPD: Spain: Various guidance documents on encryption.