News

Corrected and added some links, removed duplicate in short summary. }}}} An DPA denied a complaint against a public body under Articles 9 and 77 GDPR, holding that publication of a data subject’s political donation did not violate the GDPR because the controller had a lawful basis.An DPA denied a complaint against a public body under [[Article 9 GDPR|Articles 9]] and [[Article 77 GDPR|77 GDPR]], holding that publication of a data subject’s political donation did not violate them because the cont

Facts }}}} The Supreme Court upheld rules requiring legal counsels to keep a client register and ensure confidentiality. It held that processing client data to check conflicts of interest is lawful under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] as it fulfills a statutory duty.The Supreme Court upheld rules requiring legal counsels to keep a client register and to ensure confidentiality. It held that keeping a client register is necessary to comply with the legal obligation to check for potenti

Facts }}}} The Supreme Court of Poland upheld rules requiring legal counsels to keep client data confidential and maintain a client register. The Court held processing was lawful under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] to meet legal obligations.The Supreme Court upheld rules requiring legal counsels to keep a client register and ensure confidentiality. It held that processing client data to check conflicts of interest is lawful under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] as it fulf

In the first part of our blog series on the dodgy digital security practices underlying advanced AI tools, we unpack how LLMs can jeopardize the confidentiality of people’s data. The post Artificial Insecurity: how AI tools compromise confidentiality appeared first on Access Now.

Facts: A university lecturer (the complainant) requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the promotion process, from the University of Cyprus (the responsible party). A university lecturer (the complainant) requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the promotion process, from the University.

A university lecturer (the complainant) has requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the doctoral promotion process, from the University of Cyprus (the responsible party). A university lecturer (the complainant) has requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the doctoral promotion process, from the University of Cyprus (the responsible party).

An Assistant Professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University of Cyprus (the controller).An Assistant Professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University of Cyprus (the controller). The c

Een universitair docent (de betrokkene) heeft toegang gevraagd tot de inhoud van beoordelingsrapporten van onafhankelijke beoordelaars en aanbevelingsbrieven die zijn opgesteld tijdens het promotieproces, bij de Universiteit van Cyprus (de verantwoordelijke). Een universitair docent (de betrokkene) heeft toegang gevraagd tot de inhoud van beoordelingsrapporten van onafhankelijke beoordelaars en aanbevelingsbrieven die zijn opgesteld tijdens het promotieproces, bij de Universiteit van Cyprus (de verantwoordelijke).

Facts === Facts ====== Facts === An Assistant Professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University of Cyprus (the controller).An assistant professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University

}}}} An Austrian media company was fined €6,820 by the Data Protection Authority for negligently failing to implement a binding order to modify its website’s cookie banner, delaying user consent options despite all appeals being rejected.The DPA fined a media company €6,820 for failing to bring its cookie banner into compliance by implementing a visually equivalent option to reject cookies. The DPA previously ordered the controller to do so in accordance with Article 58(2)(d) GDPR. == English Su

A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. In August 2021

}}}} Een Oostenrijks mediabedrijf is door de Autoriteit voor Gegevensbescherming een boete van 6.820 euro opgelegd, omdat het nalatig was bij het implementeren van een bindende aanwijzing om het cookiebanner op zijn website te wijzigen. Hierdoor werden de opties voor toestemming van gebruikers vertraagd, ondanks dat alle bezwaren werden afgewezen. De Autoriteit voor Gegevensbescherming heeft een mediabedrijf een boete van 6.820 euro opgelegd omdat het cookiebanner niet was aangepast om te voldoen aan de wetgeving, en er geen visueel gelijkwaardige optie was om cookies te weigeren. De Autoriteit had eerder aan het bedrijf opgedragen dit te doen, in overeenstemming met artikel 58(2)(d) van de AVG.

An Austrian media company has been fined €6,820 by the Data Protection Authority because it failed to implement a binding instruction to modify the cookie banner on its website. This resulted in delays in providing users with consent options, despite all objections being rejected. The Data Protection Authority imposed a fine of €6,820 on the media company because the cookie banner had not been adjusted to comply with the law, and there was no visually equivalent option for users to reject cookies. The Authority had previously instructed the company to do so, in accordance with Article 58(2)(d) of the GDPR.

An Austrian media company (the responsible party) that published local news operated a website that collected personal data from visitors using cookies and a banner requesting consent for the use of cookies. These cookies contained unique identification codes to track visitors. This occurred in August 2021.

Een Oostenrijks mediabedrijf (de verantwoordelijke) dat lokaal nieuws publiceerde, beheerde een website die persoonlijke gegevens van bezoekers verzamelde met behulp van cookies en een banner voor toestemming voor het gebruik van cookies. De cookies bevatten unieke identificatiecodes om bezoekers te volgen. In augustus 2021.

Een mediabedrijf in Oostenrijk (de verantwoordelijke) dat lokaal nieuws publiceerde, beheerde een website die persoonlijke gegevens van bezoekers verzamelde met behulp van cookies en een banner voor toestemming voor het gebruik van cookies. De cookies bevatten unieke identificatienummers om bezoekers te volgen. Een mediabedrijf in Oostenrijk (de verantwoordelijke) dat lokaal nieuws publiceerde, beheerde een website die persoonlijke gegevens van bezoekers verzamelde met behulp van cookies en een banner voor toestemming voor het gebruik van cookies. De cookies bevatten unieke identificatienummers om bezoekers te volgen. In augustus 2021.

A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. In August 2021

Op 19 november heeft de Europese Commissie twee zogenaamde "omnibus"-voorstellen gepubliceerd: het ene herziening van belangrijke onderdelen van de Algemene Verordening Gegevensbescherming (AVG) en de ePrivacy-regels, samen met andere wetten met betrekking tot gegevens, en het andere een amendement op de AI-wet. Dit artikel richt zich op het eerste voorstel. Het legt uit hoe de voorgestelde wijzigingen fundamentele rechten op gegevensbescherming en de vertrouwelijkheid van communicatie zouden verzwakken, en waarom het gecombineerde effect het risico loopt om lang bestaande beschermingsmaatregelen voor mensen in de EU te veranderen.

On 19 November, the European Commission has published two Omnibus proposals: one that rewrites key parts of the General Data Protection Regulation (GDPR) and ePrivacy rules, along with other data-related laws, and another that amends the AI Act. This article focuses on the first proposal. It explains how the changes would weaken core rights to data protection and the confidentiality of communications, and why the combined effect risks reshaping long-standing safeguards for people in the EU. The

On November 19th, the European Commission published two so-called "omnibus" proposals: one revising key aspects of the General Data Protection Regulation (GDPR) and the ePrivacy rules, along with other data-related laws, and the other an amendment to the AI Act. This article focuses on the first proposal. It explains how the proposed changes could weaken fundamental rights related to data protection and the confidentiality of communications, and why the combined effect risks undermining long-standing safeguards for individuals within the EU.

Government.

Three recommendations from the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten - AP) combined: (regarding the handling of data breaches; a task to improve the privacy organization of the Tax Authority; and exemption from the obligation of tax confidentiality in cases of suspected violations of tax integrity under Article 67, paragraph 3, of the Act on Financial Supervision).

> Thirteen non-EU countries sometimes accept “social media profiles and phone contacts” as evidence of identity for the purpose of deportations, according to an internal European Commission assessment of third country cooperation on readmission.

> Read through the most interesting developments at the intersection of human rights and technology from the Netherlands. This is the second update in this series.

> Personal data protection and whistleblowing are two different topics — different regulations with different purposes, scope and requirements. But, in fact, they are closer than they seem, especially for practical reasons. Both data protection governance and whistleblowing systems are often exercised by the same unit —  the compliance department — or even by the same person. This solution offers several advantages, but also some problematic points that need to be highligh

The European Data Protection Supervisor ordered Europol to hand over personal data to Dutch activist Frank van der Linde. The decision is the result of a two-year investigation into Europol's possession and storage of van der Linde's personal data.

De Europese Toezichthouder op de Bescherming van Persoonsgegevens heeft Europol opgedragen om persoonlijke gegevens over te dragen aan de Nederlandse activist Frank van der Linde. Dit besluit is het resultaat van een onderzoek van twee jaar naar de manier waarop Europol de persoonlijke gegevens van Van der Linde bewaart en verwerkt.

The new data governance regulation sets out the conditions for the reuse of certain government data. In addition, the regulation provides a notification and oversight framework for the provision of data mediation services. Furthermore, the regulation contains a framework for the voluntary registration of entities that collect and process data made available for altruistic purposes. The rules will apply from September 2023.

> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).