News

The EDPB's upcoming updated guidelines on pseudonymisation are also given more prominence in a compromise text, obtained by Euractiv

(a) No consensus on relevant and reasoned objections On 9 November 2020, the EDPB adopted its first decision under the dispute resolution mechanism laid down by Article 65 GDPR.<ref>EDPB, 9 November 2020, Twitter International Company, Decision 01/2020 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_bindingdecision01_2020_en.pdf here]).</ref> The binding decision seeks to address the dispute which arose following a draft decision issued by the Irish SA as LSA

We, the undersigned organisations and individuals, urge you in the strongest possible terms to reject the deletion of the Article 49(2) transparency safeguard for high-risk AI systems that is proposed in the AI Omnibus. This transparency safeguard ensures that providers of AI systems cannot circumvent the core obligations of the AI Act. The post A call to EU legislators: protect rights and reject the call to delete transparency safeguard in AI Act appeared first on Access Now.

Show changes

=== Verwerking ====== Verwerking === Het geschil betrof de verantwoordelijkheid van de verwerker voor het implementeren van adequate beveiligingsmaatregelen, zoals vereist volgens artikel 32 van de AVG. Het geschil betrof de verantwoordelijkheid van de verwerker voor het implementeren van adequate beveiligingsmaatregelen, zoals vereist volgens artikel 32 van de AVG. "Over de eerlijkheid van de procedure:" "Over de eerlijkheid van de procedure:" "Over verantwoordelijkheden:" "Over verantwoordelijkheden:"

|Court_Original_Name=Oberlandesgericht Frankfurt am Main|Court_Original_Name=Oberlandesgericht Frankfurt am Main |Court_English_Name=Higher Regional Court Frankfurt am Main|Court_English_Name=Higher Regional Court Frankfurt am Main |Court_With_Country=OLG Frankfurt am Main (Germany)|Court_With_Country=OLG Frankfurt (Germany) |Case_Number_Name=6 U 81/23|Case_Number_Name=6 U 81/23 |Party_Link_2=|Party_Link_2= |Appeal_From_Body=LG Frankfurt am Main (Germany)|Appeal_From_Body=LG Frankfurt (Germany)

=== Processing ====== Processing === The dispute concerned the processor's responsibility for implementing adequate security measures, as required by Article 32 of the GDPR. The dispute concerned the processor's responsibility for implementing adequate security measures, as required by Article 32 of the GDPR. "Regarding the fairness of the procedure:" "Regarding the fairness of the procedure:" "Regarding responsibilities:" "Regarding responsibilities:"

=== Holding ====== Holding === The dispute related to the processor’s responsibility for implementing adequate security measures, under article 32 GDPR. The dispute related to the processor’s responsibility for implementing adequate security measures, under Article 32 GDPR. '''On the fairness of the procedure:''' '''On the fairness of the procedure:''' '''About responsibilities:''' '''About r

(4) Non-application to public authorities and bodies. Show changes

(2) Criteria for accreditation from the competent supervisory authority Show changes

(1) Encouragement of CoC <u>EDPB Guidelines</u>:<u>EDPB Guidelines</u>: * EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0) (available here), and * EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0) (available [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]), and * E

Legal Text: Commentary ==Commentary====Commentary== Article 41 GDPR complements [[Article 40 GDPR]] by providing that compliance with any approved code of conduct must be monitored by an accredited body with the appropriate level of expertise in the sector covered by the code. Although the Data Protection Directive 95/46/EC (DPD) included a provision on codes of conduct (Article 27(1) DPD), this did not include any information on how compliance with such codes should be monitored. Accordingly, i

(a) Aantoonbare onafhankelijkheid en expertise ===== (a) Aantoonbare onafhankelijkheid en expertise ========== (a) Aantoonbare onafhankelijkheid en expertise ===== Het is duidelijk uit artikel 41(1) van de AVG dat de instantie een "passend niveau van expertise" moet bezitten op het gebied waar de gedragscode betrekking op heeft, met als doel een effectieve naleving te waarborgen. Dit is ook een vereiste van het proces dat is beschreven in artikel 41(2)(a) van de AVG, volgens welke de toezichthoudende instantie "kan zijn..."

(1) Promotion of codes of conduct and supervisory authorities: * EDPB, 'Guidelines 1/2019 on codes of conduct and supervisory authorities pursuant to Regulation 2016/679', June 4, 2019 (version 2.0) (available here), and * EDPB, 'Guidelines 1/2019 on codes of conduct and supervisory authorities pursuant to Regulation 2016/679', June 4, 2019 (version 2.0) (available at [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf here]), and * E

(a) Demonstrable independence and expertise (a) Demonstrable independence and expertise (a) Demonstrable independence and expertise It is clear from Article 41(1) of the GDPR that the supervisory authority must possess a "suitable level of expertise" in the area to which the code of conduct applies, with the aim of ensuring effective compliance. This is also a requirement of the process described in Article 41(2)(a) of the GDPR, according to which the supervisory authority "may be..."

(3) Controllers and Processors not Subject to the Territorial Scope of the GDPR The focus on a particular sector is supposed to allow for a cost effective way to achieve data protection compliance by taking into account all the specific characteristics of processing carried out in that sector - with particular emphasis on the needs of micro, small and medium enterprises.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version

(a) Demonstrated independence and expertise ===== (a) Demonstrated independence and expertise ========== (a) Demonstrated independence and expertise ===== It is clear from Article 41(1) GDPR that the body must have an “''appropriate level of expertise''” in the subject matter the code of conduct aims to ensure effective compliance with. This is also a requirement of the process specified in Article 41(2)(a) GDPR, according to which the monitoring entity “''may be ac

Commentary: Codes of Conduct (CoCs) are voluntary instruments that establish specific data protection rules for certain categories of controllers and processors. In other words, a CoC can serve as a guide for a group of controllers and processors, outlining how a processing activity that complies with the GDPR looks in a specific processing situation. <ref>EDPB, 'Guidelines 1/2019 on Codes of Conduct and Supervisory Authorities under Regulation 2016/679', June 4, 2019 (version 2.0), footnote 7 (available at [https://www.

Commentary: (2) Show changes

Juridische tekst: Toelichting ==Toelichting====Toelichting== Artikel 41 van de AVG vult [[Artikel 40 van de AVG]] aan door te bepalen dat de naleving van een goedgekeurd gedragscode moet worden gecontroleerd door een erkende instantie met het juiste niveau van expertise in de sector die door de code wordt bestreken. Hoewel de Richtlijn gegevensbescherming 95/46/EG (AVG) een bepaling bevatte over gedragscodes (artikel 27(1) AVG), bevatte deze geen informatie over hoe de naleving van dergelijke codes moest worden gecontroleerd. Daarom, i

Commentary CoC are a voluntary accountability tool providing for specific data protection rules for categories of controllers and processors. In other words, CoC can provide a rule book for a group of controllers and processors describing how a GDPR compliant processing operation looks like in the specific processing situation.&lt;ref&gt;EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), margin number 7 (available [https://ww

Legal text: Explanation ==Explanation====Explanation== Article 41 of the GDPR supplements [[Article 40 of the GDPR]] by stipulating that compliance with an approved code of conduct must be monitored by a recognized body with the appropriate level of expertise in the sector covered by the code. While the Data Protection Directive 95/46/EC (GDPR) contained a provision regarding codes of conduct (article 27(1) GDPR), it did not provide information on how compliance with such codes should be monitored. Therefore, i

Commentaar: Codes van Gedrag (CoC) zijn vrijwillige instrumenten die specifieke regels voor gegevensbescherming vaststellen voor bepaalde categorieën van verantwoordelijken en verwerkers. Met andere woorden, een CoC kan een handleiding vormen voor een groep verantwoordelijken en verwerkers, waarin beschreven staat hoe een verwerking die voldoet aan de AVG er in een specifieke verwerkingssituatie uitziet. <ref>EDPB, ‘Richtlijnen 1/2019 over Codes van Gedrag en Toezichthoudende Instanties onder Verordening 2016/679’, 4 juni 2019 (versie 2.0), voetnoot 7 (beschikbaar op [https://ww

(1) Stimulering van gedragscodes en toezichthoudende instanties: * EDPB, 'Richtlijnen 1/2019 over gedragscodes en toezichthoudende instanties in overeenstemming met Verordening 2016/679', 4 juni 2019 (versie 2.0) (beschikbaar hier), en * EDPB, 'Richtlijnen 1/2019 over gedragscodes en toezichthoudende instanties in overeenstemming met Verordening 2016/679', 4 juni 2019 (versie 2.0) (beschikbaar [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf hier]), en * E

(3) Processors and controllers that do not fall under the territorial scope of the GDPR. The focus on a specific sector is intended to provide a cost-effective way to comply with privacy legislation, taking into account all the specific characteristics of data processing that occurs within that sector, with particular attention to the needs of micro, small, and medium-sized enterprises. <ref>EDPB, 'Guidelines 1/2019 on Codes of Conduct and Supervisory Authorities under Regulation 2016/679', June 4, 2019 (version).</ref>

(3) Verwerkers en verantwoordelijken die niet onder de territoriale reikwijdte van de AVG vallen. De focus op een specifieke sector is bedoeld om een kosteneffectieve manier te bieden om te voldoen aan de eisen van de privacywetgeving, rekening houdend met alle specifieke kenmerken van de gegevensverwerking die in die sector plaatsvindt, met bijzondere aandacht voor de behoeften van micro-, kleine en middelgrote ondernemingen. <ref>EDPB, ‘Richtlijnen 1/2019 over gedragscodes en toezichthoudende organen onder Verordening 2016/679’, 4 juni 2019 (versie).</ref>

Brussel, 17 november - Het EDPB organiseert een online evenement om input van belanghebbenden te verzamelen over anonimisering en pseudonimisering, en over de implicaties van het vonnis van het Gerechtshof van de Europese Unie (HvEU) in de zaak EDPS tegen het Single Resolution Board (SRB). Het evenement zal plaatsvinden op 12 december 2025 (tijdstip volgt). Dit biedt een gelegenheid om het EDPB te informeren en te ondersteunen bij zijn lopende werk op deze onderwerpen, zoals uiteengezet in het werkprogramma 2024-2025, en het weerspiegelt de toewijding van het EDPB aan de betrokkenheid van belanghebbenden.

Brussels, 17 November - The EDPB organises a remote event to collect stakeholders’ input on anonymisation and pseudonymisation on implications of the judgement of the Court of Justice of the European Union (CJEU) in EDPS v Single Resolution Board (SRB). The event will take place on 12 December 2025 (time to be confirmed). This will be an opportunity to inform and support the EDPB’s ongoing work on these topics as per its work programme 2024-2025 and it reflects the EDPB’s commitment to stakehold

Brussels, November 17th - The European Data Protection Board (EDPB) is organizing an online event to gather input from stakeholders on the topics of anonymization and pseudonymization, and on the implications of the judgment of the General Court of the European Union (GC EU) in the case of EDPS vs. the Single Resolution Board (SRB). The event will take place on December 12, 2025 (time to be confirmed). This provides an opportunity to inform and support the EDPB in its ongoing work on these topics, as outlined in the 2024-2025 work program, and reflects the EDPB's commitment to stakeholder engagement.

Legislation

Kamerstukken II 36743, nr. 3 - Wijziging van Boek 8 van het Burgerlijk Wetboek in verband met de invoering van het elektronisch cognossement. In paragraaf 3.6 wordt ingegaan op de gevolgen van het invoeren van een elektronisch cognossement voor de verwerking van persoonsgegevens. Zie met name art...

Legislation.

Document II 36743, number 3 - Amendment to Book 8 of the Dutch Civil Code regarding the introduction of the electronic bill of lading. Section 3.6 discusses the implications of introducing an electronic bill of lading for the processing of personal data. Please refer specifically to article...

EDSA schafft mehr Klarheit bei Pseudonymisierung

Since May 2018, the GDPR has been directly applicable in the European Economic Area, including the member states of the European Union, Liechtenstein, Norway, and Iceland. Four years later, awarding damages for GDPR violations is still not a common practice in the Netherlands, despite the fact that news reports regularly mention data breaches and other GDPR violations. This article analyzes Dutch case law over the past four years to see what factors may influence the awarding of damages under th

In 'Vyriausioji Tarnybinės Etikos Komisija' the CJEU held that the name of civil servants' spouse, cohabitant or partner and of the subject of their transactions (indirectly sexual orientation) are special categories of personal data. The Court relies on the broad definition of "data concerning health" in article [4(15) GDPR](https://docs.legal.digital/gdpr/#article-4) & the guidance in [Recital 35](https://docs.legal.digital/gdpr/#rec35) to highlight that context must be taken into account when

In de zaak 'Vyriausioji Tarnybinės Etikos Komisija' heeft het Hof van Justitie van de Europese Unie (HvJEU) vastgesteld dat de naam van de echtgenoot, levenspartner of partner van een ambtenaar, evenals de aard van hun transacties (indirect gerelateerd aan seksuele geaardheid), bijzondere categorieën van persoonsgegevens vormen. Het Hof baseert zich op de brede definitie van "gegevens betreffende de gezondheid" in artikel [4(15) AVG](https://docs.legal.digital/gdpr/#article-4) en de richtlijnen in [Overweging 35](https://docs.legal.digital/gdpr/#rec35) om te benadrukken dat de context in overweging moet worden genomen.

Een overzicht van de boete die aan IAPP is opgelegd: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings

A rundown of the fine on IAPP: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings

> GDPR RISK ASSESSMENT is intended to assist controllers and processors to identify the risk factors for the rights and freedoms of data subjects whose data are present in the processing, to make an initial assessment of the intrinsic risk, including the need to perform a DPIA, and to estimate the residual risk if measures and safeguards are used to mitigate the specific risk factors.

> Privacybescherming is niet absoluut. Dat staat zelfs letterlijk zo in de privacywetgeving. De AVG bevat daarom ook allerlei uitzonderingen. Een van de uitzonderingen die enkele keren terugkomt in de AVG ziet op de verwerking van persoonsgegevens in het kader van "de instelling, uitoefening of onderbouwing van een rechtsvordering". Tot op heden was echter niet heel erg duidelijk wat die woorden nu precies betekenen. Een recente uitspraak van de Afdeling bestuursrechtspraak van de Raad van State

The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Other than the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security

De Deense Autoriteit voor Persoonsgegevens heeft onderzoek gedaan naar het instrument Google Analytics en de bijbehorende instellingen, evenals de voorwaarden waaronder het instrument wordt aangeboden. Op basis van dit onderzoek concludeert de Deense Autoriteit voor Persoonsgegevens dat het instrument, zonder aanvullende maatregelen, niet op een wettelijke manier kan worden gebruikt. Wettelijk gebruik vereist de implementatie van aanvullende maatregelen, naast de instellingen die door Google worden aangeboden.

The Danish Data Protection Agency has looked into the tool Google Analytics and its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.

It is part of the exercise of judicial functions by a court within the meaning of the AVG to make documents originating from a judicial proceeding -in which personal data are included- temporarily available to journalists in order to enable them to better report on the course of that proceeding. This is the EU Court's answer to preliminary questions from the Dutch court.