Be Prepared: New Tech Enables Floods of Subject Access Requests

In January 2020, a new data privacy startup, Mine, made headlines when it received $3 million in seed funds. Mine is an inevitable product of new data privacy laws that have been passed in Europe and California. The start-up based in Tel Aviv helps users identify all the companies that hold their personal data. It then allows users to submit automated subject access requests and subject erasure requests. They advertise as a service providing tools for consumers to “reclaim your data.”  Users of this service have already sent out thousands of requests emphasizing how easy it is to generate hundreds of requests. Achieved is already handling Mine requests on…

READ MORE
GDPR Identity Verification

Loose Identity Verification Puts You at Risk for Fraud

Subject Access Requests (SARs) under the GDPR Now is the time to tighten up your identity verification methods. Without tight verification methods, you open yourself up to GDPR regulators and you put your customers at risk of being a victim of fraud. Individuals Can Request Access to Their Personal Data Article 15 of the GDPR gives individuals a “right of access” to their personal data, under which they can request specifics about the personal data a business holds about them, or the organization’s purpose for processing the data, the categories of personal data held, who has access to the data, whether or not it will be transferred outside of…

READ MORE

Poland Imposes Fines for Web-Scraping of Personal Data When Notification to Individuals Did Not Occur

Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine to Bisnode, a European digital marketing company headquartered in Sweden. The Poland Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact the nearly six million people it had not already contacted as required by the GDPR and gave the company three months to comply with the order. Article 14 obligates data controllers to inform…

READ MORE

EDPB Releases New Guidance: When Can Companies Rely on the Need to Fulfill the Terms of a Contract as a Legal Basis to Process?

On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines on the legal basis for processing personal data that involves providing online services to data subjects (the “Guidelines”). Specifically, they discuss when companies can rely on Article 6(1) – that processing can take place in the context of fulfilling the terms of a contract – and what conditions must be established to do so. The Guidelines make clear that this basis is narrower than it is often interpreted to be, and that companies must take care that they meet certain requirements. Background To lawfully process data, companies must establish one of six legal bases articulated in Article…

READ MORE