Denmark DPA: Decision on Lowell Danmark A/S – opportunistic TLS encryption of email based on risk assessment
https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/jul/klage-over-manglende-kryptering/
In this regard, the Danish Data Protection Agency has emphasised that Lowell Danmark A/S stated that a risk assessment had been carried out, in which the concrete procedure was found to be an appropriate safeguard; that opportunistic TLS 1.2 encryption based on AES256 was used when transmitting the e-mails in question; that X's e-mail client supported this form of encryption; and that the two e-mails sent were encrypted at the transport layer.
The Agency notes that, when e-mail containing sensitive and/or confidential information is processed, it generally encourages the data controller to configure its mail server to enforce TLS (forced TLS), as a minimum in version 1.2. However, in the Agency's opinion, using opportunistic TLS is not in itself contrary to Article 32 of the GDPR if the data controller, on the basis of a risk assessment, has correctly concluded that such a setup constitutes an appropriate safeguard.
In the specific case, the Agency found no evidence that could override the risk assessment made by Lowell Danmark A/S regarding the choice of encryption form. The Agency does, however, stress that a risk assessment cannot be based on what the data subject may have consented to, since such acceptance cannot be equated with an appropriate level of security.
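The distinction the Agency draws, as an added illustration that is not from the decision and not Lowell's configuration: in Postfix terms, opportunistic TLS is `smtp_tls_security_level = may`, which encrypts only when the receiving server advertises STARTTLS and silently delivers in cleartext otherwise; forced TLS at a minimum of 1.2 is `encrypt` with the older protocol versions excluded. The domain `example.com` and the policy map path are placeholders.

```ini
# /etc/postfix/main.cf, outbound SMTP client side. Added example, not the
# controller's own configuration. Use ONE of the two smtp_tls_security_level
# settings; if both are present, the last one in the file wins.

# --- Opportunistic TLS (the setup the decision accepted on the basis of a
# risk assessment). Encrypt if the peer offers STARTTLS, otherwise deliver
# in cleartext without any error. Nothing here prevents a downgrade.
#smtp_tls_security_level = may
#smtp_tls_protocols = !SSLv2, !SSLv3

# --- Forced TLS, minimum version 1.2 (what the Agency encourages for
# sensitive/confidential mail). A message is deferred, and eventually
# bounced, rather than sent in cleartext if the peer cannot negotiate
# TLS 1.2 or 1.3.
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, MD5, RC4, 3DES

# "encrypt" does not authenticate the receiving server, so an attacker who
# can intercept the connection can still present a certificate of his own.
# A per-destination policy table lets you require a verified certificate
# for partners whose certificates you can check, without breaking delivery
# to everyone else (placeholder path).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log protocol and cipher for every delivery. This is the per-message
# evidence ("TLSv1.2 with cipher ...") of the kind cited in the decision.
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after
# editing; placeholder domain):
# example.com    secure match=example.com:.example.com protocols=TLSv1.2:TLSv1.3
```

After `postfix reload`, `postconf smtp_tls_security_level` shows the active value, and the mail log records the negotiated protocol and cipher for each outbound connection; those log lines, not the recipient's stated preferences, are what a risk assessment of the kind the Agency describes should rest on.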
Poland DPA: Bisnode case (data scraping without notification)
Commentaries and articles
https://www.lexology.com/library/detail.aspx?g=a10fbec0-8234-41da-9ddb-9cac58c360c6
https://www.technologylawdispatch.com/2019/04/privacy-data-protection/processing-publically-available-personal-data-without-telling-data-subjects-the-polish-data-protection-authority-has-bad-news-for-you/
https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/
https://hubun.io/gdpr-enforcement-begins-eu-starts-punishing-covert-data-scraping/
EDPB: Guidelines on Transparency under Regulation 2016/679 (wp260rev.01)
Baker McKenzie: STATE “OMNIBUS” PRIVACY LAW COMPARISON SHEET
ICO: What good cookie compliance looks like
Romania DPA: EUR 130,000 fine on Unicredit for privacy-by-design failure
The national ID numbers of payers were displayed in the transaction histories of the payees.
https://www.dataprotection.ro/?page=Comunicat_Amenda_Unicredit&lang=ro
CNIL: Privacy-by-design knowledge community
NATIONAL ADAPTATIONS OF THE GDPR
What is the deadline for a DSR request made on June 3rd?
Interesting response on Twitter (unsure if correct):
"In line with Article 3 of Regulation 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits the one month period would have expired at 23:59:59 on 3rd July 2019. The period would have started on 4th June 2019 and is taken to have "
https://twitter.com/alistair_sloan/status/1147478341160710145