CNIL guide 2018 – “Security of Personal Data”

Available in English; its fact sheets cover:

  • Raising user awareness
  • Authenticating users
  • Access Management
  • Logging access and managing incidents
  • Securing workstations
  • Securing mobile data processing
  • Protecting the internal network
  • Securing servers
  • Securing websites
  • Ensuring continuity
  • Archiving securely
  • Supervising maintenance and data destruction
  • Managing data processors
  • Securing exchanges with other organisations
  • Physical security
  • Supervising software development
  • Encrypting, guaranteeing integrity and signing
  • Assess the security level of the personal data in your organisation

https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle_gb_web.pdf

Norwegian Consumer Council (Forbrukerrådet) files complaint against Grindr over mobile app data sharing (HIV status, ..)

https://fil.forbrukerradet.no/wp-content/uploads/2018/04/2018-04-03-complaint-grindr.pdf

Quote:

[..] “Insufficient consent

According to the SINTEF report, Grindr shares personal data with a number of different third parties.

When a user registers a user account in Grindr, the app asks for consent to the terms of service in whole, without individual elements being emphasized or singled out (see attached picture).

In the view of the Consumer Council, information about sensitive personal data being shared with third parties should not be hidden away in long terms of service and privacy policies. The Consumer Council cannot see that Grindr fulfills the conditions for gathering an informed and explicitly given consent.

During the process of registration and inside the app, there is no further description of how data may be shared, other than what is hidden away in the terms of service and privacy policy. There is also no separate consent for sharing sensitive personal data with third parties.

The app does not provide an opportunity to not share personal data with third parties.”

[..]

Irish DPA – Guide to Audit Process

v2.0 August 2014

https://www.dataprotection.ie/docimages/documents/GuidetoAuditProcessAug2014.pdf

“This guidance was originally published in 2009. This revised version has been updated to take account of legislative developments and to reflect any changes in the approach of the Office of the Data Protection Commissioner to the audit process. The guidance is designed to assist organisations selected for audit by the Office of the Data Protection Commissioner. It is hoped that this resource will provide organisations holding personal data with a simple and clear basis to conduct a self-assessment of their compliance with their obligations under Irish Data Protection Law”