"The new Swiss Data Protection Act: the most important changes for companies" (in German; original title "Das neue Schweizer Datenschutzgesetz – Die wichtigsten Neuerungen für Unternehmen")
by Daniela Fábián Masoch
AEPD: verification list for Privacy By Design audits
The AEPD gives a non-exhaustive verification list for Privacy by Design audits in chapter VIII of its guidance (available in English!):
https://www.aepd.es/sites/default/files/2020-10/guia-proteccion-datos-por-defecto-en.pdf
Article: In wake of the Schrems II, CNIL challenges use of Microsoft cloud storage to host public health data lakes (the Health Data Hub case – Part 1 and 2)
Good Hogan Lovells summary of the French Health Data Hub case.
Information portal (in German): Stiftung Datenschutz
Paper (in German): data processing by the company physician (occupational medical services)
"Die Datenverarbeitung des Betriebsarztes – Hinweise zum datenschutzgerechten Umgang mit Patientendaten durch Betriebsärzte und betriebsärztliche Dienste" (Data processing by the company physician: guidance on the data-protection-compliant handling of patient data by company physicians and occupational medical services)
https://www.netzwerk-datenschutzexpertise.de/sites/default/files/gut_2020_09_betriebsarzt_v1_0.pdf
EDPB: Criteria for an acceptable DPIA
From Annex 2 of wp248 rev.01 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 at https://ec.europa.eu/newsroom/article29/items/611236:
Annex 2 – Criteria for an acceptable DPIA
The WP29 proposes the following criteria which data controllers can use to assess whether or not a DPIA, or a methodology to carry out a DPIA, is sufficiently comprehensive to comply with the GDPR:
- a systematic description of the processing is provided (Article 35(7)(a)):
  - nature, scope, context and purposes of the processing are taken into account (recital 90);
  - personal data, recipients and period for which the personal data will be stored are recorded;
  - a functional description of the processing operation is provided;
  - the assets on which personal data rely (hardware, software, networks, people, paper or paper transmission channels) are identified;
  - compliance with approved codes of conduct is taken into account (Article 35(8));
- necessity and proportionality are assessed (Article 35(7)(b)):
  - measures envisaged to comply with the Regulation are determined (Article 35(7)(d) and recital 90), taking into account:
    - measures contributing to the proportionality and the necessity of the processing on the basis of:
      - specified, explicit and legitimate purpose(s) (Article 5(1)(b));
      - lawfulness of processing (Article 6);
      - adequate, relevant and limited to what is necessary data (Article 5(1)(c));
      - limited storage duration (Article 5(1)(e));
    - measures contributing to the rights of the data subjects:
      - information provided to the data subject (Articles 12, 13 and 14);
      - right of access and to data portability (Articles 15 and 20);
      - right to rectification and to erasure (Articles 16, 17 and 19);
      - right to object and to restriction of processing (Article 18, 19 and 21);
      - relationships with processors (Article 28);
      - safeguards surrounding international transfer(s) (Chapter V);
      - prior consultation (Article 36).
- risks to the rights and freedoms of data subjects are managed (Article 35(7)(c)):
  - origin, nature, particularity and severity of the risks are appreciated (cf. recital 84) or, more specifically, for each risk (illegitimate access, undesired modification, and disappearance of data) from the perspective of the data subjects:
    - risks sources are taken into account (recital 90);
    - potential impacts to the rights and freedoms of data subjects are identified in case of events including illegitimate access, undesired modification and disappearance of data;
    - threats that could lead to illegitimate access, undesired modification and disappearance of data are identified;
    - likelihood and severity are estimated (recital 90);
  - measures envisaged to treat those risks are determined (Article 35(7)(d) and recital 90);
- interested parties are involved:
  - the advice of the DPO is sought (Article 35(2));
  - the views of data subjects or their representatives are sought, where appropriate (Article 35(9)).
Belgian DPA investigation finds that the IAB Transparency and Consent Framework infringes the GDPR.
(The IAB TCF is the consent system Google and others use to legitimise online tracking.)
Google announces changes to Google Analytics (Oct-2020)
https://blog.google/products/marketingplatform/analytics/
Also integrates with IAB framework 2.0:
https://iabeurope.eu/tcf-2-0/
(And all statements on processor vs. controller likely to be taken with a grain of salt.)
Bavaria: Data Protection Checklists (incl. Guidance on TOMs)
The DPA of Bavaria has published the following checklists (in German) at https://www.lda.bayern.de/de/checklisten.html:
- No. 1: Home office ("Homeoffice", PDF)
  https://www.lda.bayern.de/media/checkliste/baylda_checkliste_homeoffice.pdf
- No. 2: Cyber security for medical facilities ("Cybersicherheit für medizinische Einrichtungen", PDF)
  https://www.lda.bayern.de/media/checkliste/baylda_checkliste_medizin.pdf
  Interesting: section 9 "Externe Abrufmöglichkeit für Laborergebnisse" (external retrieval of laboratory results) and section 10 "Fernwartung" (remote maintenance)
- No. 3: Patch management ("Patch Management", PDF)
  https://www.lda.bayern.de/media/checkliste/baylda_checkliste_patch_mgmt.pdf
- No. 4: Good practice for technical and organisational measures under Art. 32 GDPR ("Good Practice bei technischen und organisatorischen Maßnahmen nach Art. 32 DS-GVO", PDF)
  https://www.lda.bayern.de/media/checkliste/baylda_checkliste_tom.pdf