https://ec.europa.eu/health/sites/health/files/ehealth/docs/ms_rules_health-data_en.pdf
(262 pages)
DPIA-related resources from Germany
- DSK: Liste der Verarbeitungen, bei denen eine DSFA durchgeführt werden muss
https://www.datenschutzkonferenz-online.de/media/ah/20181017_ah_DSK_DSFA_Muss-Liste_Version_1.1_Deutsch.pdf
- LfD Bayern: Datenschutz-Folgenabschätzung – Orientierungshilfe
https://www.datenschutz-bayern.de/technik/orient/oh_dsfa.pdf
- BayLDA: Durchführung einer Datenschutz-Folgenabschätzung nach Art. 35 DS-GVO in Anlehnung an die ISO/IEC 29134
https://www.lda.bayern.de/media/03_dsfa_fallbeispiel_baylda_iso29134.pdf
- bvitg: Ein praktischer Leitfaden für Datenschutz im Gesundheitswesen mit DSFA
https://www.bvitg.de/praktischer-leitfaden-datenschutz-gesundheitswesen/
- Datenschutzzentrum: Durchführung einer Datenschutz-Folgenabschätzung gem. Art. 35 DSGVO auf der methodischen Grundlage eines standardisierten Prozessablaufes mit Rückgriff auf das SDM am Beispiel eines „Pay as you drive“-Verfahrens
https://www.datenschutzzentrum.de/uploads/datenschutzfolgenabschaetzung/20171106-Planspiel-Datenschutz-Folgenabschaetzung.pdf
- „Forum Privatheit“, White Paper „Datenschutz-Folgenabschätzung (DSFA)“ (3. Auflage)
https://www.forum-privatheit.de/wp-content/uploads/Forum-Privatheit-WP-DSFA-3-Auflage-2017-11-29.pdf
- Examples:
- DPIA for the Corona-Warn App
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf
GDD-PRAXISREPORT 2021 – DATENSCHUTZVERLETZUNGEN
Report for 2021 on violations of data protection obligations – by GDD (a German privacy association)
Overview
https://www.gdd.de/aktuelles/startseite/meldepflichten_in_der_datenschutzpraxis_gdd_praxisreport
Report
https://www.gdd.de/downloads/praxishilfen/gdd-praxisreport-2021-datenschutzverletzungen/view
EDPS: results of remote audits of information provided to data subjects when signing up to newsletters and other subscriptions
Mail integrity – DKIM
EDPS/AEPD: 10 Misunderstandings related to Anonymisation
https://edps.europa.eu/system/files/2021-04/21-04-27_aepd-edps_anonymisation_en_5.pdf
- Misunderstandings:
- “Pseudonymisation is the same as anonymisation”
- Fact: Pseudonymisation is not the same as anonymisation
- “Encryption is anonymisation”
- Fact: Encryption is not an anonymisation technique, but it can be a powerful pseudonymisation tool.
- “Anonymisation of data is always possible”
- Fact: It is not always possible to lower the re-identification risk below a previously defined threshold whilst retaining a useful dataset for a specific processing.
- citing: Rocher, L., Hendrickx, J. M., & De Montjoye, Y. A. (2019). Estimating the success of re-identifications in incomplete datasets using generative models. Nature Communications, 10(1), 1-9, https://doi.org/10.1038/s41467-019-10933-3
- “Anonymisation is forever”
- Fact: There is a risk that some anonymisation processes could be reverted in the future. Circumstances might change over time and new technical developments and the availability of additional information might compromise previous anonymisation processes.
- “Anonymisation always reduces the probability of re-identification of a dataset to zero”
- Fact: The anonymisation process and the way it is implemented will have a direct influence on the likelihood of re-identification risks.
- citing: External guidance on the implementation of the European Medicines Agency policy on the publication of clinical data for medicinal products for human use (2016) https://www.ema.europa.eu/en/documents/regulatory-procedural-guideline/external-guidance-implementation-european-medicinesagency-policy-publication-clinical-data_en-0.pdf
- “Anonymisation is a binary concept that cannot be measured”
- Fact: It is possible to analyse and measure the degree of anonymization.
- Step 4: Measure the data risk. De-identification Guidelines for Structured Data, Information and Privacy Commissioner of Ontario June 2016. https://www.ipc.on.ca/wp-content/uploads/2016/08/Deidentification-Guidelines-forStructured-Data.pdf
- “Anonymisation can be fully automated”
- Fact: Automated tools can be used during the anonymisation process, however, given the importance of the context in the overall process assessment, human expert intervention is needed.
- “Anonymisation makes the data useless”
- Fact: A proper anonymisation process keeps the data functional for a given purpose.
- “Following an anonymisation process that others used successfully will lead our organisation to equivalent results”
- Fact: Anonymisation processes need to be tailored to the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
- “There is no risk and no interest in finding out to whom this data refers to”
- Fact: Personal data has a value in itself, for the individuals themselves and for third parties. Re-identification of an individual could have a serious impact for his rights and freedoms.
Stabsstelle IT-Recht für die bayerischen staatlichen Hochschulen und Universitäten
Podcast: Auslegungssache 37: Anonymität – Der heilige Gral der DSGVO
Podcast: Microsoft und Datenschutz – Eine Frage der Balance? – Rechtsbelehrung 92
Rechtspodcast mit Marcus Richter und Thomas Schwenke – feat. Johannes Nehlsen
Apple: iOS 14.5 – Upcoming AppTrackingTransparency requirements (20 April 2021)
https://developer.apple.com/news/?id=ecvrtzt2
Related:
- Apple App Store Review Guideline
https://developer.apple.com/app-store/review/guidelines/#5.1.2
- User Privacy and Data Use
https://developer.apple.com/app-store/user-privacy-and-data-use/
- App privacy details on the App Store
https://developer.apple.com/app-store/app-privacy-details/