stefan – Page 34 – Privacy Design®

January 21, 2021January 21, 2021

Switzerland – revised FADP/DSG .. links (Rosenthal/Vasella)

David Rosenthal in Jusletter: “Das neue Datenschutzgesetz”
https://www.rosenthal.ch/downloads/Rosenthal-revidiertesDSG.pdf

Webinars with David Rosenthal: Revision Datenschutzgesetz: Zehn Schritte zur Umsetzung der neuen gesetzlichen Anforderungen für Unternehmen
https://www.vischer.com/know-how/webinare/article/revision-datenschutzgesetz-zehn-schritte-zur-umsetzung-der-neuen-gesetzlichen-anforderungen-fuer-unternehmen-38771/

Das revidierte Datenschutzgesetz – Empfehlungen zur Umsetzung
Deutsch – https://www.walderwyss.com/user_assets/publications/201118_Newsletter-146_D.pdf
English – https://www.walderwyss.com/user_assets/publications/201118_Newsletter-146_E.pdf

January 20, 2021January 20, 2021

Germany GDPR damages table (GDPR Art 82): Latham & Watkins : DSGVO Schadenersatztabelle

https://de.lw.com/thoughtLeadership/Latham-DSGVO-Schadensersatztabelle

January 19, 2021

EDPB: Guidelines 01/2021 on Examples regarding Data Breach Notification

https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2021/guidelines-012021-examples-regarding-data-breach_en

January 19, 2021January 19, 2021

ENISA: “Cloud Security for Healthcare Services” and “Procurement Guidelines for Cybersecurity in Hospitals”

Brand-new ENISA Report on Cloud Security for Healthcare Services

incl. threat catalog, security measures, names good practices
– “Medical Devices” as one of three examples.

Incl. GDPR requirements etc – nicely embedded in the discussion.

Also links to the ENISA “Procurement Guidelines for Cybersecurity in Hospitals” from last year

Procurement Guidelines for Cybersecurity in Hospitals
https://www.enisa.europa.eu/publications/good-practices-for-the-security-of-healthcare-services

Cloud Security for Healthcare Services
https://www.enisa.europa.eu/publications/cloud-security-for-healthcare-services

January 15, 2021January 15, 2021

AEPD blog post on connected devices that can monitor and control health indicators like physical activity and sleep quality.

https://www.aepd.es/es/prensa-y-comunicacion/blog/iot-ii-del-iot-al-iob

January 13, 2021January 13, 2021

Spain: AEPD guidance on AI auditing framework

https://www.aepd.es/sites/default/files/2021-01/requisitos-auditorias-tratamientos-incluyan-ia.pdf

January 13, 2021January 13, 2021

Germany: Niedersachen/Lower Saxony – Survey on Cookies and Trackers in Websites

https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/prufung-zu-cookies-und-drittdiensten-auf-nieder-sachsischen-webseiten-194909.html
incl. scope, approach, results, guidance and questionnaire

Questionnaire
https://lfd.niedersachsen.de/download/161171

Guidance on consent on web sites
https://lfd.niedersachsen.de/startseite/themen/internet/datenschutzkonforme-einwilligungen-auf-webseiten-anforderungen-an-consent-layer-194906.html

January 9, 2021January 9, 2023

CNIL guidance on Blockchain (in English) – 2018

https://www.cnil.fr/fr/node/24899

https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf

January 8, 2021January 8, 2021

Germany: LG Bonn, 1&1 case (900,000 EUR fine) final

(in German) AG Bonn, 11.11.2020, 29 OWi 430 Js-OWi 366/20-1/20 LG:
http://www.justiz.nrw.de/nrwe/lgs/bonn/lg_bonn/j2020/29_OWi_1_20_Urteil_20201111.html

900,000 EUR for weak authentication/process in a call center, which allowed the ex-wife of a customer to get the new mobile number of her ex-husband.

Important:
1. To calculate the fine, the court used the global turnover of the group of enterprises (not just the German affiliate).
2. The court did not stick to the GDPR fine catalog of the German DPAs, but rather went much lower..

A nice quote at the end. (via Google translate, with manual fixes)

It should also be taken into account that the publicly effective issue of the fine notice resulted in a damage to K’s reputation. Due to the amount of the fine initially imposed, the public got the impression that it was a matter of a serious data protection breach – also and especially with regard to fault. However, this is not the case.

After carefully weighing all the circumstances relevant to the assessment, the Chamber has determined a much lower fine than the originally proposed on, despite the high range of possible fines ,

900,000 euros

as being appropriate to the act and guilt. This is effective, proportionate and, given the many mitigating aspects, also sufficiently deterrent.

So 900,000 EUR for a non-serious breach.

January 7, 2021January 7, 2021

Note: employee as vulnerable person

from wp248 rev.01 (adopted)
[Guidelines on Data Protection Impact Assessment (DPIA) and determining whether
processing is “likely to result in a high risk” for the purposes of Regulation 2016/679]

https://ec.europa.eu/newsroom/document.cfm?doc_id=47711

page 10:

“Data concerning vulnerable data subjects (recital 75): the processing of this type of data is a criterion because of the increased power imbalance between the data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights. Vulnerable data subjects may include children (they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data), employees , more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, or the elderly, patients, etc.), and in any case where an imbalance in the relationship between the position of the data subject and the controller can be identified.”