Records of processing activities of Article 30 GDPR – some model forms

Article 30 GDPR requires each controller and each processor to maintain a record of the processing activities under its responsibility; the record must be in writing, which includes electronic form. Article 30 also sets out the minimum content of the record. Some DPAs have made model forms and notes for keeping records of processing activities available: the BayLDA, the Bavarian DPA, for the controller and for the processor; the ICO, the UK Information Commissioner’s Office, see here; the AEPD, the Spanish Read more [...]

Digital Single Market: unjustified geoblocking to end by the end of 2018

On November 20, 2017, the European Parliament, the Council and the Commission committed to end all geoblocking that unjustifiably prevents consumers from buying products or services online within the EU. The EU digital single market should “give consumers the same possibility to access the widest range of offers regardless of whether they physically enter a shop in another country or whether they shop online.” No justification for different treatments among customers from different EU Member Read more [...]

WP29 published criteria for appropriate administrative fines for GDPR breaches

As announced (see here), on October 3, 2017, the Article 29 Working Party (WP29) published its Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 (GDPR). Once a GDPR infringement is established, the competent supervisory authority (Article 51 GDPR) must identify the most appropriate corrective measure(s) to address the breach. To achieve a consistent approach across the EU, the Guidelines provide principles and criteria that Read more [...]

Spanish DPA issues EUR 1.2 million fine to Facebook

On September 11, 2017, the Spanish Data Protection Agency (AEPD) issued a closing resolution against Facebook, finding that the company does not process data in accordance with EU data protection law. According to the AEPD, Facebook “collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use these data”. These data are processed, among others, for advertising purposes without the express Read more [...]

Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

The Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, wp248rev.01, are available here. The GDPR requires controllers to implement appropriate measures so that they can demonstrate compliance with the GDPR itself, taking into account, among other things, “the risks of varying likelihood and severity for the rights and freedoms of natural persons” (Article 24(1)). In line with Read more [...]