EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

Adopted on 18 November 2021
(e.g. MedTech comments at https://www.medtecheurope.org/resource-library/response-to-the-european-data-protection-board-consultation-on-the-guidelines-05-2021-on-the-interplay-between-article-3-and-the-provisions-on-international-transfers-as-per-chapter-v-of-the-gdpr/ )

https://edpb.europa.eu/system/files/2021-11/edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf

includes:

Example 3: Processor in the EU sends data back to its controller in a third country
XYZ Inc., a controller without an EU establishment, sends personal data of its employees/customers, all of them non-EU residents, to the processor ABC Ltd. for processing in the EU, on behalf of XYZ. ABC re-transmits the data to XYZ. The processing performed by ABC, the processor, is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since ABC is established in the EU. Since XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data and therefore Chapter V applies.

[..]

Example 5: Employee of a controller in the EU travels to a third country on a business trip
George, employee of A, a company based in Poland, travels to India for a meeting. During his stay in India, George turns on his computer and remotely accesses personal data on his company’s databases to finish a memo. This remote access of personal data from a third country does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller (company A). Therefore, the disclosure is carried out within the same controller (A). The processing, including the remote access and the processing activities carried out by George after the access, is performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR.

[..]

Example 6: A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country
The Irish Company A, which is a subsidiary of the U.S. parent Company B, discloses personal data of its employees to Company B to be stored in a centralized HR database by the parent company in the U.S. In this case the Irish Company A processes (and discloses) the data in its capacity of employer and hence as a controller, while the parent company is a processor. Company A is subject to the GDPR pursuant to Article 3(1) for this processing and Company B is situated in a third country. The disclosure therefore qualifies as a transfer to a third country within the meaning of Chapter V of the GDPR.

[..]

Example 7: Processor in the EU sends data back to its controller in a third country
Company A, a controller without an EU establishment, offers goods and services to the EU market. The French company B is processing personal data on behalf of company A. B re-transmits the data to A. The processing performed by the processor B is covered by the GDPR for processor-specific obligations pursuant to Article 3(1), since it takes place in the context of the activities of its establishment in the EU. The processing performed by A is also covered by the GDPR, since Article 3(2) applies to A. However, since A is in a third country, the disclosure of data from B to A is regarded as a transfer to a third country and therefore Chapter V applies.

IPEN webinar 2021: “Pseudonymous data: processing personal data while mitigating risks”

Material from the IPEN webinar 2021: “Pseudonymous data: processing personal data while mitigating risks” – with recorded videos etc.
https://edps.europa.eu/ipen-webinar-2021-pseudonymous-data-processing-personal-data-while-mitigating-risks_en

including e.g.

DATENTAG ONLINE: DATA PROTECTION AND ARTIFICIAL INTELLIGENCE (Datenschutz und Künstliche Intelligenz)

Stiftung Datenschutz, 13 Dec 2021

https://stiftungdatenschutz.org/veranstaltungen/unsere-veranstaltungen-detailansicht/datentag-datenschutz-und-kuenstliche-intelligenz-239

includes

(artificial intelligence, ai)

CNIL: Updated GDPR Developer Guide

https://github.com/LINCnil/Guide-RGPD-du-developpeur

What are the new features of this second version?
This major revision of the guide incorporates new files as well as snippets of code to illustrate in a practical way certain requirements of the GDPR.

This content relates in particular to the application of the rules on the use of cookies and other online tracers and on audience measurement solutions. This second version also draws up a non-exhaustive list of vulnerabilities that have led to data breaches notified to the CNIL and presents examples of measures that would have made it possible to avoid them.

In total, the guide now includes 18 thematic sheets that cover most of the developers’ needs to support them at each stage of their project:

    Develop in compliance with the GDPR
    Identify personal data
    Prepare for your development
    Secure your development environment
    Manage your source code
    Make an informed choice of your architecture
    Secure your websites, applications and servers
    Minimize the data collected
    Manage user profiles
    Master your libraries and SDKs
    Ensure the quality of your code and its documentation
    Test your applications
    Inform people
    Prepare for the exercise of personal rights
    Manage the retention period of data
    Take into account the legal bases in the technical implementation
    (New sheet) Analyze tracking practices on your sites and applications
    Measure website and application traffic
    (New sheet) Guarding against computer attacks

These sheets are not intended to meet all the requirements of the regulations nor to be prescriptive. However, they provide a reflection on the GDPR requirements to keep in mind when developing projects.

AEPD: Spain: Encryption and Privacy V: The key as personal data

“The public key of a natural person is a unique identifier and its use in online services is generally associated with other types of information that make it possible to identify and profile the person holding such a key. Under these conditions, the public key is personal data that uniquely identifies a person and thus its processing is subject to the provisions of the GDPR, although it can be considered as a method of pseudonymisation insofar as it can conceal a person’s real name.”

https://www.aepd.es/en/prensa-y-comunicacion/blog/encryption-and-privacy-v-the-key-as-personal-data

Austria: Changing legal basis after an invalid consent (even if not mentioned in privacy notice)

With the ruling dated August 31, 2021 (Az. W256 2227693-1), the Federal Administrative Court of Austria ruled that data controllers can base the data processing after an invalid consent on another legal basis according to Art. 6 Para. 1 GDPR – even if this is not mentioned in the privacy notice!
https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20210831_W256_2227693_1_00/BVWGT_20210831_W256_2227693_1_00.html

AEPD, Spain: Various guidance documents on encryption.