Book (also free online): Law for Computer Scientists and Other Folk

By Mireille Hildebrandt

which includes e.g. sections on Machine Learning, Dsitributed Ledger and Legal by Design…

Available on OpenReview at MIT’s pubpub

and as a PDF download

as well as hardcopy.

DPIA of the German Corona Warn App

What doas a Data Protection Impact Assessment look like that the German Federal Data Protection Authority reviewed?

Interesting sections from the document structure

  • information on the organisation (with privacy team setup)
  • necessity of the DPIA
  • description of processing activities (evaluation target), with
    • context
    • purpose
    • process steps
    • system architecture
    • data flows and processes
    • data categories
    • data deletion
    • actors involved in the processing
    • additional documents
  • consideration of stakeholders’ vire
  • legal privacy assessment
    • categories of personal data
    • legal grounds
    • data subject rights
    • privacy-by-design measures
    • other privacy requirements
  • assessment of the necessity and proportionality of the processing
  • risk analysis
  • continuous privacy reviews

CNIL – Developer’s Guide sheets

The CNIL publishes a GDPR guide for developers

In order to assist web and application developers in making their work GDPR-compliant, the CNIL has drawn up a new guide to best practices under an open source license, which is intended to be enriched by professionals.

All the material via tag search:

Github to participate in further development: –

Local copy of the sheets (might be outdated):

Currently it includes:
Sheet n°0: Develop in compliance with the GDPR
Sheet n°1: Identify personal data
Sheet n°2: Prepare your development
Sheet n°3: Secure your development environment
Sheet n°4: Manage your source code
Sheet n°5: Make an informed choice of architecture
Sheet n°6: Secure your websites, applications and servers
Sheet n°7: Minimize the data collection
Sheet n°8: Manage user profiles
Sheet n°09: Control your libraries and SDKs
Sheet n°10: Ensure quality of the code and its documentation
Sheet n°11: Test your applications
Sheet n°12: Inform users
Sheet n°13: Prepare for the exercise of people’s rights
Sheet n°14: Define a data retention period
Sheet n°15: Take into account the legal basis in the technical implementation
Sheet n°16: Use analytics on your websites and applications

CNIL on amonymization (2020, blog post)

including e.g. (via Google Translate)
If these three criteria are not fully met, the data controller who wishes to anonymize a data set must demonstrate, via an in-depth assessment of the identification risks, that the risk of re-identification with reasonable means is zero.

As anonymization and re-identification techniques are subject to regular changes, it is essential for any data controller concerned to carry out regular monitoring to preserve the anonymity of the data produced over time. This watch must take into account the technical means available as well as the other sources of data which can allow to lift the anonymity of the information.