Dutch DPA Report

Dutch Report Provides a Window on GDPR-Related Complaints and DPA Response

On September 9, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the Dutch DPA) published a report on privacy complaints it received between January 2019 and June 2019. The report reviews the rate of consumer complaint activity since the enactment of the GDPR, the nature of those complaints, and how they are handled by the Dutch data authority.

Overview of the Dutch DPA Report

During the first half of 2019, just over 19,000 individuals and organizations contacted the Dutch DPA with concerns and questions related to the European Union’s (EU) General Data Protection Regulation (GDPR) or other privacy-related concerns. Of these, the Dutch DPA identified 15,313 inquiries as privacy complaints,…

Privacy Guidelines

New Privacy Guidance From NIST and ISO

National Institute of Standards and Technology, ISO Release Privacy Guidance

Companies seeking guidance about how to understand privacy risks and to implement measures to address them should be aware of two new resources – The National Institute of Standards and Technology’s (“NIST”) draft Privacy Framework and the International Organization for Standardization’s (“ISO”) International Standard for privacy information management. These tools are designed to work alongside existing guidelines for cybersecurity and the requirements of emerging law such as the General Data Protection Regulation and the California Consumer Privacy Act.

The NIST Privacy Framework

In September, NIST, an agency of the U.S. Department of Commerce, released a preliminary draft of…


Poland Imposes Fines for Web-Scraping of Personal Data When Notification to Individuals Did Not Occur

Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine on Bisnode, a European digital marketing company headquartered in Sweden. The Poland Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact the nearly six million people it had not already contacted as required by the GDPR and gave the company three months to comply with the order. Article 14 obligates data controllers to inform…


EDPB Releases New Guidance: When Can Companies Rely on the Need to Fulfill the Terms of a Contract as a Legal Basis to Process?

On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines on the legal basis for processing personal data that involves providing online services to data subjects (the “Guidelines”). Specifically, they discuss when companies can rely on Article 6(1) – that processing can take place in the context of fulfilling the terms of a contract – and what conditions must be established to do so. The Guidelines make clear that this basis is narrower than it is often interpreted to be, and that companies must take care that they meet certain requirements.

Background

To lawfully process data, companies must establish one of six legal bases articulated in Article…
