https://hal.inria.fr/hal-02875447/document
by Cristiana Santos, Nataliia Bielova and Célestin Matte
includes 22 legal and technical requirements for valid cookie banners!
(e.g. see page 15)
DPA Liechtenstein – Verfahrensbeschreibung für Datenschutzüberprüfungen
Process description for data protection inspections / privacy inspections / audits.
In a first step, the DPA is gathering information and statements based on a questionnaire.
In addition, the DPA regularly requests the following information in an electronic format or on paper:
- Records of processing activities (GDPR Art. 30 (4));
- Information to the affected persons (GDPR Art. 13 and 14);
- Templates of consent forms (GDPR Art. 7);
- Information about data protection trainings of employees;
- Contracts with processors (GDPR Art. 28 (3)) or other current contracts with external parties that get in touch with personal data, such as hardware and software partners, software vendors, application service providers, in which the applicable data protection controls need to be emphasized;
- Documentation of data breaches (GDPR Art. (5));
- Data protection impact assessments (GDPR Art. (35)).
In order to assess compliance to GDPR and the effectiveness of the controls, the DPA regularly asks for
- Organisational structure
- Privacy directive (privacy policy), security policy, emergency planning
- Review and audit reports – esp. in context of IT in scope
- Basic documentation of the IT infrastructure (hardware and software in use)
- Access control concept, especially access rights of administrators, external staff, sub-processors and other external parties
- Policies, instructions to users for the use of IT
- Non-disclosure, confidentiality agreements and other relevant instructions/agreements
- Controls and arrangements regarding the retention time and deletion of personal data (deletion concept)
Book (also free online): Law for Computer Scientists and Other Folk
By Mireille Hildebrandt
which includes e.g. sections on Machine Learning, Dsitributed Ledger and Legal by Design…
https://www.cohubicol.com/about/publications/law-for-computer-scientists-and-other-folk/
Available on OpenReview at MIT’s pubpub
https://lawforcomputerscientists.pubpub.org/
and as a PDF download
https://www.cohubicol.com/assets/uploads/law_for_computer_scientists.pdf
as well as hardcopy.
New Zealand: National Ethical Standards for Health and Disability Research and Quality Improvement
Belgian DPA fines social media platform Twoo 50,000 EUR over ‘tell-a-friend’ feature
GDPRhub – a free and open wiki on GDPR insights across Europe
powered by noyb.eu and others
From their Welcome page:
“In the decisions section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 50 webpages in each Member State. This page currently contains 300+ decisions and the goal is to reach 500+ by the end of 2020. We believe a good overview of national decisions is a key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox and subscribe to the GDPRtoday newsletter!
In the knowledge section we collect commentaries on GDPR articles, DPA profiles, and 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.”
DPIA of the German Corona Warn App
What doas a Data Protection Impact Assessment look like that the German Federal Data Protection Authority reviewed?
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf
Interesting sections from the document structure
- information on the organisation (with privacy team setup)
- necessity of the DPIA
- description of processing activities (evaluation target), with
- context
- purpose
- process steps
- system architecture
- data flows and processes
- data categories
- data deletion
- actors involved in the processing
- additional documents
- consideration of stakeholders’ vire
- legal privacy assessment
- categories of personal data
- legal grounds
- data subject rights
- privacy-by-design measures
- other privacy requirements
- assessment of the necessity and proportionality of the processing
- risk analysis
- continuous privacy reviews
CNIL – Developer’s Guide sheets
The CNIL publishes a GDPR guide for developers
In order to assist web and application developers in making their work GDPR-compliant, the CNIL has drawn up a new guide to best practices under an open source license, which is intended to be enriched by professionals.
https://www.cnil.fr/en/cnil-publishes-gdpr-guide-developers
All the material via tag search:
https://www.cnil.fr/en/tag/Developer%E2%80%99s+Guide
Github to participate in further development: – https://github.com/LINCnil/GDPR-Developer-Guide
Local copy of the sheets (might be outdated):
https://www.privacydesign.ch/cnil-gdpr-developer-sheets/
Currently it includes:
Sheet n°0: Develop in compliance with the GDPR
Sheet n°1: Identify personal data
Sheet n°2: Prepare your development
Sheet n°3: Secure your development environment
Sheet n°4: Manage your source code
Sheet n°5: Make an informed choice of architecture
Sheet n°6: Secure your websites, applications and servers
Sheet n°7: Minimize the data collection
Sheet n°8: Manage user profiles
Sheet n°09: Control your libraries and SDKs
Sheet n°10: Ensure quality of the code and its documentation
Sheet n°11: Test your applications
Sheet n°12: Inform users
Sheet n°13: Prepare for the exercise of people’s rights
Sheet n°14: Define a data retention period
Sheet n°15: Take into account the legal basis in the technical implementation
Sheet n°16: Use analytics on your websites and applications
Germany: DiGAV (medical mobile applications) and guideline
DiGAV is now in force.
The accompanying “Digitale-Gesundheitsanwendungen-Verordnung (DiGAV)”
https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&jumpTo=bgbl120s0768.pdf#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl120s0768.pdf%27%5D__1592376167435
The accompanying Guideline for DiGAV:
https://www.bfarm.de/SharedDocs/Downloads/DE/Service/Beratungsverfahren/DiGA-Leitfaden.pdf?__blob=publicationFile&v=2
General supporting background material
https://hih-2025.de/diga-summit-summary-video-docs-next-steps/
including an English summary
https://hih-2025.de/wp-content/uploads/2020/04/2020-06-02_DVG-Fast-Track-english-Slide-Deck_Website.pdf
Mapping ISO 27701 to privacy laws (github)
The Data Protection/Privacy Mapping Project (the “Project”) facilitates consistent global comprehension and implementation of data protection with an open source mapping between ISO/IEC 27701 and global data protection and/or privacy laws and regulations.
Data Protection Mapping Project demo site
https://dataprotectionmapping.z21.web.core.windows.net/
Github
https://github.com/microsoft/data-protection-mapping-project
Video
https://www.linkedin.com/feed/update/urn:li:activity:6639237491457163264/