News

Current events, updates, and developments in data protection law

DSB (Austria) - 2024-0.199.724

Corrected and added some links, removed duplicate in short summary. A DPA denied a complaint against a public body under Articles 9 and 77 GDPR, holding that publication of a data subject’s political donation did not violate the GDPR because the controller had a lawful basis.

SN - I NO 14/23

Facts: The Supreme Court upheld rules requiring legal counsels to keep a client register and ensure confidentiality. It held that processing client data to check conflicts of interest is lawful under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] as it fulfills a statutory duty. The Supreme Court upheld rules requiring legal counsels to keep a client register and to ensure confidentiality. It held that keeping a client register is necessary to comply with the legal obligation to check for potenti

SN - I NO 14/23

Facts: The Supreme Court of Poland upheld rules requiring legal counsels to keep client data confidential and maintain a client register. The Court held processing was lawful under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] to meet legal obligations. The Supreme Court upheld rules requiring legal counsels to keep a client register and ensure confidentiality. It held that processing client data to check conflicts of interest is lawful under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] as it fulf

Artificial Insecurity: how AI tools compromise confidentiality

In the first part of our blog series on the dodgy digital security practices underlying advanced AI tools, we unpack how LLMs can jeopardize the confidentiality of people’s data. The post Artificial Insecurity: how AI tools compromise confidentiality appeared first on Access Now.

Article 39 GDPR

==Commentary== Article 39 GDPR is titled "''Tasks of the data protection officer''" and accordingly outlines the primary responsibilities of the Data Protection Officer (DPO). This provision should therefore be read in conjunction with the other provisions governing the role of the DPO, i.e. [[Article 37 GDPR]] (designation of the DPO) and [[Article 38 GDPR]] (position of the DPO).

Article 39 of the GDPR (General Data Protection Regulation).

==Commentary== Article 39 of the GDPR, titled "Tasks of the data protection officer", describes the main responsibilities of the data protection officer (DPO). This provision must therefore be read together with the other provisions concerning the role of the DPO, namely [[Article 37 GDPR]] (designation of the DPO) and [[Article 38 GDPR]] (position of the DPO).

Article 39 of the GDPR (General Data Protection Regulation).

==Commentary== Article 39 of the GDPR, titled "Tasks of the Data Protection Officer," describes the key responsibilities of the Data Protection Officer (DPO). This provision should therefore be read in conjunction with the other provisions relating to the role of the DPO, namely [[Article 37 GDPR]] (appointment of the DPO) and [[Article 38 GDPR]] (position of the DPO).

ΔΔΚ - 1181/18

Facts: A university lecturer (the complainant) requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the promotion process, from the University of Cyprus (the responsible party).

ΔΔΚ - 1181/18

A university lecturer (the complainant) has requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the doctoral promotion process, from the University of Cyprus (the responsible party).

ΔΔΚ - 1181/18

An Assistant Professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University of Cyprus (the controller). The c

ΔΔΚ - 1181/18

A university lecturer (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation drawn up during the promotion process, from the University of Cyprus (the controller).

ΔΔΚ - 1181/18

=== Facts === An Assistant Professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University of Cyprus (the controller).

DSB (Austria) - 2025-0.276.820

A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. In August 2021

DSB (Austria) - 2025-0.276.820

An Austrian media company was fined €6,820 by the Data Protection Authority because it was negligent in implementing a binding instruction to change the cookie banner on its website. As a result, users' consent options were delayed, even though all objections had been rejected. The Data Protection Authority fined a media company €6,820 because the cookie banner had not been adjusted to comply with the law and there was no visually equivalent option to reject cookies. The Authority had previously ordered the company to do so, in accordance with Article 58(2)(d) of the GDPR.

DSB (Austria) - 2025-0.276.820

An Austrian media company (the controller) that published local news operated a website that collected personal data from visitors using cookies and a cookie consent banner. The cookies contained unique identifiers to track visitors. In August 2021.

DSB (Austria) - 2025-0.276.820

An Austrian media company was fined €6,820 by the Data Protection Authority for negligently failing to implement a binding order to modify its website’s cookie banner, delaying user consent options despite all appeals being rejected. The DPA fined a media company €6,820 for failing to bring its cookie banner into compliance by implementing a visually equivalent option to reject cookies. The DPA previously ordered the controller to do so in accordance with Article 58(2)(d) GDPR.

DSB (Austria) - 2025-0.276.820

An Austrian media company (the responsible party) that published local news operated a website that collected personal data from visitors using cookies and a banner requesting consent for the use of cookies. These cookies contained unique identification codes to track visitors. This occurred in August 2021.

DSB (Austria) - 2025-0.276.820

An Austrian media company has been fined €6,820 by the Data Protection Authority because it failed to implement a binding instruction to modify the cookie banner on its website. This resulted in delays in providing users with consent options, despite all objections being rejected. The Data Protection Authority imposed a fine of €6,820 on the media company because the cookie banner had not been adjusted to comply with the law, and there was no visually equivalent option for users to reject cookies. The Authority had previously instructed the company to do so, in accordance with Article 58(2)(d) of the GDPR.

DSB (Austria) - 2025-0.276.820

A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. In August 2021

DSB (Austria) - 2025-0.276.820

A media company in Austria (the controller) that published local news operated a website that collected personal data from visitors using cookies and a cookie consent banner. The cookies contained unique identification numbers to track visitors. In August 2021.

Why the Digital Omnibus puts GDPR and ePrivacy at risk

On 19 November, the European Commission published two Omnibus proposals: one that rewrites key parts of the General Data Protection Regulation (GDPR) and ePrivacy rules, along with other data-related laws, and another that amends the AI Act. This article focuses on the first proposal. It explains how the changes would weaken core rights to data protection and the confidentiality of communications, and why the combined effect risks reshaping long-standing safeguards for people in the EU. The

Why the "Digital Omnibus" threatens privacy regulations (GDPR and ePrivacy).

On November 19th, the European Commission published two so-called "omnibus" proposals: one revising key aspects of the General Data Protection Regulation (GDPR) and the ePrivacy rules, along with other data-related laws, and the other an amendment to the AI Act. This article focuses on the first proposal. It explains how the proposed changes could weaken fundamental rights related to data protection and the confidentiality of communications, and why the combined effect risks undermining long-standing safeguards for individuals within the EU.

Why the "Digital Omnibus" puts the privacy rules (GDPR and ePrivacy) at risk.

On 19 November, the European Commission published two so-called "omnibus" proposals: one revising important parts of the General Data Protection Regulation (GDPR) and the ePrivacy rules, together with other data-related laws, and the other amending the AI Act. This article focuses on the first proposal. It explains how the proposed changes would weaken fundamental rights to data protection and the confidentiality of communications, and why the combined effect risks changing long-standing safeguards for people in the EU.

Three recommendations from the AP (Autoriteit Persoonsgegevens - Dutch Data Protection Authority) compiled together.

Government.

Three recommendations from the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten - AP) combined: (regarding the handling of data breaches; a task to improve the privacy organization of the Tax Authority; and exemption from the obligation of tax confidentiality in cases of suspected violations of tax integrity under Article 67, paragraph 3, of the Act on Financial Supervision).

Unprecedented appearance by European Commissioner for Home Affairs, innovating on quicksand, and the cabinet vs. online confidentiality

> Read through the most interesting developments at the intersection of human rights and technology from the Netherlands. This is the second update in this series.

Can the roles of DPO and whistleblowing officer be merged?

> Personal data protection and whistleblowing are two different topics — different regulations with different purposes, scope and requirements. But, in fact, they are closer than they seem, especially for practical reasons. Both data protection governance and whistleblowing systems are often exercised by the same unit —  the compliance department — or even by the same person. This solution offers several advantages, but also some problematic points that need to be highligh

The Italian SA acted against a municipality due to the use of its video surveillance system and by appointing its DPO to defend it in court proceedings

> Lastly, the DPA held that the controller, by entrusting its DPO with its defence in court proceedings, placed the DPO in a position of conflict of interest in violation of Article 38(6) GDPR. This was especially because it led to the data subject feeling unable to contact the DPO with regard to issues related to processing of their personal data and to the exercise of their rights under Article 38(4) GDPR.

The Italian company SA took legal action against a municipality because of the use of its video surveillance system and because it appointed its Data Protection Officer (DPO) to represent the municipality in court proceedings.

Finally, the data protection authority held that the controller, by involving the data protection officer (DPO) in its defence in court proceedings, placed the DPO in a position of conflict of interest, in breach of Article 38(6) of the GDPR. This was in particular because it led to the data subject feeling unable to contact the DPO regarding issues related to the processing of their personal data and the exercise of their rights as set out in Article 38(4) of the GDPR.

Berlin DPA imposes 525K euro fine over DPO violation

> The Berlin Commissioner for Data Protection and Freedom of Information issued a 525,000 euro fine to a Berlin-based retailer for violation of data protection officer requirements under the [GDPR]. An investigation found an alleged conflict of interest concerning the DPO's employment status and decision-making responsibilities that violated Article 38(6) of the GDPR. The company received a warning from the regulator in 2021.

Berlin DPA: fine of 525,000 euro imposed for violation of the DPO rules.

The Berlin Commissioner for Data Protection and Freedom of Information has imposed a fine of 525,000 euro on a Berlin-based retailer for violating the data protection officer (DPO) requirements laid down in the [GDPR]. An investigation pointed to an alleged conflict of interest concerning the DPO's employment status and decision-making powers, which is contrary to Article 38(6) of the GDPR. The company received a warning from the regulator in 2021.

Europol is asked to hand over personal data to a Dutch activist.

The European Data Protection Supervisor has ordered Europol to hand over personal data to the Dutch activist Frank van der Linde. This decision is the result of a two-year investigation into the way Europol stores and processes Van der Linde's personal data.

Europol told to hand over personal data to Dutch activist

The European Data Protection Supervisor ordered Europol to hand over personal data to Dutch activist Frank van der Linde. The decision is the result of a two-year investigation into Europol's possession and storage of van der Linde's personal data.

EU data governance legislation definitively adopted

The new data governance regulation sets out the conditions for the reuse of certain government data. In addition, the regulation provides a notification and oversight framework for the provision of data mediation services. Furthermore, the regulation contains a framework for the voluntary registration of entities that collect and process data made available for altruistic purposes. The rules will apply from September 2023.

DeFine is a calculator for GDPR fines based on the method of the EDPB

> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).