Category: News

Posted on

CNIL: fines INFOGREFFE 250,000 EUR

Note on data retention related aspect of this fine:

INFOGREFFE stored the data beyond what was said in the privacy notice.
Reminder: Always make sure that what you state in your privacy notice is true, as you will be checked against this!

“The infogreffe.fr website provided that the personal data of members and subscribers (bank details, first and last names, postal and e-mail addresses, phone and mobile phone numbers, secret question and its answer) would be kept for 36 months from the last order for a service and/or document.

However, the CNIL found that the data of 25% of the service’s users was kept beyond the decided retention periods. The manual anonymisation implemented, only on request from users, concerned a very small number of accounts.”

English Summary: https://www.cnil.fr/en/infogreffe-fined-250000-euros

Délibération: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046280956?init=true&page=1&query=san-2022-018&searchField=ALL&tab_selection=all

Posted on

Germany: BFARM: “Prüfkriterien für die von digitalen Gesundheitsanwendungen (DiGA) und digitalen Pflegeanwendungen (DiPA) nachzuweisenden Anforderungen an den Datenschutz Version 0.1 vom 09.08.2022”

“Prüfkriterien für die von digitalen Gesundheitsanwendungen (DiGA) und digitalen Pflegeanwendungen (DiPA) nachzuweisenden Anforderungen an den Datenschutz Version 0.1 vom 09.08.2022”
https://www.bfarm.de/SharedDocs/Downloads/DE/Medizinprodukte/diga-dipa-datenschutzkriterien.pdf;jsessionid=49CAEA4BE514F3061B395919BF48589D.intranet671?__blob=publicationFile

unter:
https://www.bfarm.de/DE/Medizinprodukte/Aufgaben/DiGA-und-DiPA/Datenschutzkriterien/_node.html

mit heise Artikel: https://www.heise.de/news/eHealth-Mehr-Datenschutz-fuer-digitale-Gesundheits-und-Pflegeanwendungen-7260944.html

Posted on

CJEU, C‑184/20, “data that are liable INDIRECTLY to reveal sensitive information.. is not excluded from the strengthened protection regime

CJEU, C‑184/20, “data that are liable INDIRECTLY to reveal sensitive information concerning a … person is not excluded from the strengthened protection regime [Art. 9] since such exclusion might well compromise the effectiveness of that regime”

https://curia.europa.eu/juris/document/document.jsf?text=&docid=263708&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=313150

Posted on

Germany: SDM: B1 Key data protection requirements of the GDPR

  • B1.1 Transparency for data subjects
  • B1.2 Purpose limitation
  • B1.3 Data minimisation
  • B1.4 Accuracy
  • B1.5 Storage Limitation
  • B1.6 Integrity
  • B1.7 Confidentiality
  • B1.8 Accountability and Verifiability
  • B1.9 Identification and Authentication
  • B1.10 Support in the exercise of data subjects’ rights
  • B1.11 Rectification of data
  • B1.12 Erasure of data
  • B1.13 Restriction of data processing
  • B1.14 Data portability
  • B1.15 Possibility to intervene in processes of automated decisions
  • B1.16 Freedom from error and discrimination in profiling
  • B1.17 Data protection by Default
  • B1.18 Availability
  • B1.19 Resilience
  • B1.20 Recoverability
  • B1.21 Evaluability
  • B1.22 Remedy and Mitigation of Data Protection Breaches
  • B1.23 Adequate Supervision of Processing
  • B2 Consent Management
  • B3 Implementation of Supervisory Orders

Source: https://www.datenschutzzentrum.de/uploads/sdm/SDM-Methodology_V2.0b.pdf

Posted on

ICO: draft guidance on Privacy Enhancing Technologies (PET)

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/09/ico-publishes-guidance-on-privacy-enhancing-technologies/

Draft document: https://ico.org.uk/media/about-the-ico/consultations/4021464/chapter-5-anonymisation-pets.pdf

Whats PETs are there?

  • Homomorphic encryption (HE)
  • Secure multiparty computation (SMPC)
  • Private set intersection (PSI)
  • Federated learning
  • Trusted execution environments
  • Zero-knowledge proofs
  • Differential privacy
  • Synthetic data