The perils of letting third party trackers use your CNAME / subdomain.
https://www.simoahava.com/web-development/whats-in-a-cname/
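The core risk behind that link is CNAME cloaking: once `metrics.example.com` is a CNAME to a tracker's host, the browser treats the tracker as part of your site, so cookies scoped to `example.com` (including ones marked `SameSite=Strict`) are sent to it, and it can set cookies for `example.com` in return. The following Python is an added example, not code from the linked post; it flags CNAME records that leave your registrable domain and shows which cookies the browser would hand to such a host. The zone records, cookie names and domains are constructed for illustration, and the `registrable_domain` helper uses a simplified last-two-labels rule rather than the Public Suffix List.

```python
"""
Added example: spot subdomains delegated to third parties via CNAME and
show which first-party cookies the browser would send to them.

All sample data below is constructed for illustration; none of it is real.
"""

# Constructed sample zone: (owner name, CNAME target).
SAMPLE_CNAMES = [
    ("www.example.com.", "example.com."),
    ("cdn.example.com.", "d111.cloudfront.net."),            # hypothetical CDN
    ("metrics.example.com.", "tenant123.tracker.invalid."),  # hypothetical tracker
    ("shop.example.com.", "shop-eu.example.com."),
]

# Constructed sample cookie jar as a browser would hold it. A cookie set
# without a Domain attribute is "host-only" and is sent only to that exact host.
SAMPLE_COOKIES = [
    {"name": "session", "domain": "www.example.com", "host_only": True},
    {"name": "auth_token", "domain": "example.com", "host_only": False},
    {"name": "_ga", "domain": "example.com", "host_only": False},
]


def registrable_domain(name: str) -> str:
    """Return the eTLD+1 of a host name.

    Assumption: simplified rule (last two labels) instead of the Public
    Suffix List. Names under multi-label suffixes such as co.uk would need
    the real list to be classified correctly.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def external_cnames(records, zone: str):
    """Return (owner, target) pairs whose CNAME target lies outside the
    zone's registrable domain, i.e. hosts served by a third party.

    Not every hit is a tracker (a CDN will show up too); the list is the
    set of names that deserve a review of what cookies reach them.
    """
    own = registrable_domain(zone)
    return [(o, t) for o, t in records if registrable_domain(t) != own]


def cookie_domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: host equals the cookie's
    domain, or ends with '.' followed by it."""
    host = host.rstrip(".").lower()
    cookie_domain = cookie_domain.lstrip(".").rstrip(".").lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent_to(host: str, cookies) -> list:
    """Names of cookies the browser would attach to a request to host."""
    host = host.rstrip(".").lower()
    sent = []
    for c in cookies:
        if c["host_only"]:
            if host == c["domain"].lower():
                sent.append(c["name"])
        elif cookie_domain_matches(host, c["domain"]):
            sent.append(c["name"])
    return sent


def exposure_report(records, zone: str, cookies) -> dict:
    """Map each externally delegated host to the cookies it would receive."""
    return {
        owner: cookies_sent_to(owner, cookies)
        for owner, _target in external_cnames(records, zone)
    }


if __name__ == "__main__":
    for owner, target in external_cnames(SAMPLE_CNAMES, "example.com."):
        print(f"{owner} -> {target}")
    for host, names in exposure_report(SAMPLE_CNAMES, "example.com.", SAMPLE_COOKIES).items():
        print(f"{host} receives cookies: {names}")
```

The report shows the asymmetry that makes this dangerous: the host-only `session` cookie stays with `www.example.com`, but anything set with `Domain=example.com` (here `auth_token`) reaches the tracker's server through the cloaked name, and because `example.com` domain-matches `metrics.example.com`, the tracker's responses can also set or overwrite cookies for the whole site. Resolving real CNAMEs is a network step (`dig +short CNAME name`) that is deliberately left out so the example runs offline.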
Germany: SDM 2 – first three modules published
The German Data Protection Authorities are developing a Standard Data Protection Model (SDM), as a guideline for data controllers.
They just published the three first modules – on “Documentation”, “Logging” and “Data deletion”.
So “Data deletion” is obviously a priority to them.
https://www.datenschutz-mv.de/datenschutz/datenschutzmodell/
Paper: Unacceptable, where is my privacy? Exploring Accidental Triggers of Smart Speakers
Germany: DIGA digital health applications can’t use Standard Contractual Clauses
in German:
According to the external legal blog post below, DIGA does not permit Standard Contractual Clauses as the basis for transferring data to countries without an EU adequacy decision. (Note: not all health apps fall under DIGA.)
– This affects such apps if the US Privacy Shield does not survive the Schrems II judgment due in mid-July 2020, wherever US third parties (e.g. Google Firebase) are used.
Germany BfDI: Position paper on Anonymization (with focus on telecoms)
My high-level reading (I’m not a lawyer..):
- Anonymization is viewed as a processing activity and requires a legal basis. (The paper argues different approaches).
- Transparency obligations must be met.
- Anonymization can be used as an alternative to deletion.
CNIL: Cookies and other tracking devices: the Council of State issues its decision on the CNIL guidelines
In its decision of 19 June 2020, the Council of State (Conseil d’État) essentially validated the guidelines on cookies and tracking devices adopted by the CNIL on 4 July 2019…
https://www.cnil.fr/en/cookies-and-other-tracking-devices-council-state-issues-its-decision-cnil-guidelines
EDPS’s publicly accessible electronic register of decisions taken by supervisory authorities.
EMA Big data web page
https://www.ema.europa.eu/en/about-us/how-we-work/big-data#data-protection-section
also “Discussion paper on the general data protection regulation: secondary use of data for medicines and public health purposes” at
http://www.encepp.eu/events/documents/Discussionpaper.pdf
AEPD/EDPS: 14 equívocos con relación a la identificación y autenticación biométrica
14 misconceptions regarding biometric identification and authentication
https://www.aepd.es/sites/default/files/2020-06/nota-equivocos-biometria.pdf
DPA Liechtenstein – Verfahrensbeschreibung für Datenschutzüberprüfungen
Process description for data protection inspections / privacy inspections / audits.
In a first step, the DPA is gathering information and statements based on a questionnaire.
In addition, the DPA regularly requests the following information in an electronic format or on paper:
- Records of processing activities (GDPR Art. 30 (4));
- Information to the affected persons (GDPR Art. 13 and 14);
- Templates of consent forms (GDPR Art. 7);
- Information about data protection trainings of employees;
- Contracts with processors (GDPR Art. 28 (3)) or other current contracts with external parties that come into contact with personal data, such as hardware and software partners, software vendors and application service providers, in which the applicable data protection controls must be set out;
- Documentation of data breaches (GDPR Art. 33 (5));
- Data protection impact assessments (GDPR Art. 35).
In order to assess compliance with the GDPR and the effectiveness of the controls, the DPA regularly asks for:
- Organisational structure
- Privacy directive (privacy policy), security policy, emergency planning
- Review and audit reports – esp. in context of IT in scope
- Basic documentation of the IT infrastructure (hardware and software in use)
- Access control concept, especially access rights of administrators, external staff, sub-processors and other external parties
- Policies, instructions to users for the use of IT
- Non-disclosure, confidentiality agreements and other relevant instructions/agreements
- Controls and arrangements regarding the retention time and deletion of personal data (deletion concept)