Articles 28 and 29 of the GDPR require a “by a contract or other legal act” in order to engage a processor. Such document must include: the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects; the confidentiality agreement; assurance that… Read More »
GDPR (Privacy European Regulation) does not require “notification to the supervisory authority” for special data processings. Such notification was required by previous Directive 95/46/CE. In fact, notification of special processing processings is considered an obsolete tool and, as written in introductory clause 89, “did not in all cases contribute to improving the protection of personal… Read More »
Today in some States there is the opt-out option for the use of public data for the purpose of direct marketing. In some case, data subjects need to declare their right not to be called on telephone numbers on public directories. The new Privacy european regulation (GDPR) does not allow this procedure. Explicit consent need… Read More »
European privacy Regulation (GDPR, Reg. UE 679/2016) requires, in article 35, that controllers carry out, in some special cases, a Data protection impact assessment (usually known as Privacy impact assessment or, shortly, PIA), that is, a document reporting a risk assessment related to processing operations. PIA is required in the case of: a systematic and… Read More »
The European Commission issued a guide for transferring data outside of the EU after Schrems’s sentence: http://europa.eu/rapid/press-release_MEMO-15-6014_en.htm. We now have two ways: using contractual clauses or binding corporate rules (BCR). These two methods are applicable to all transfers to Countries for which there is not an authorization by the European Commission or a local privacy… Read More »
Current Directive 95/46/EC does not regulate sub-processing. A controller can choose a processor, but a processor cannot choose a sub-processor. As a result, many processors chose sub-processors and designated them as their own processors. These cases should have been discussed in the last 20 years, considering that supply chains are getting longer. The last GDPR… Read More »
In two previous posts, I’ve presented some of the ideas for planning and execution of PIA process and report. Risk assessment is a very useful tool for management decision. Unfortunately someone promotes too much complex risk assessment methods that don’t help any management decision, but only increase the time and effort for analysis and don’t… Read More »
Further developments After the first wave of PIA methods, in the last two years, further ideas have been proposed. Unfortunately, they introduce complexity, instead of help for controllers, processors and operators. In 2014 European Commission ruled on smart grid and promoted another model for PIAs. This model has theoretical errors (e.g. “feared events” and “threats”… Read More »
First developments Privacy impact assessment (PIA) is more and more cited in news and technical documents. This article is a first attempt to analyse the first significant contributions on this subject and has no aim of completeness. Present EU Directive 95/46 on data protection requires to data controllers and processors to have measures to “ensure… Read More »