DPA Liechtenstein – Verfahrensbeschreibung für Datenschutzüberprüfungen

Process description for data protection inspections / privacy inspections / audits.

https://www.datenschutzstelle.li/application/files/9215/9281/0055/DSS_Verfahrensbeschreibung_Datenschutzpruefungen.pdf

In a first step, the DPA gathers information and statements by means of a questionnaire.

In addition, the DPA regularly requests the following information in an electronic format or on paper:

  • Records of processing activities (GDPR Art. 30 (4));
  • Information to the affected persons (GDPR Art. 13 and 14);
  • Templates of consent forms (GDPR Art. 7);
  • Information about data protection trainings of employees;
  • Contracts with processors (GDPR Art. 28 (3)) or other current contracts with external parties that come into contact with personal data, such as hardware and software partners, software vendors and application service providers, in which the applicable data protection controls need to be emphasized;
  • Documentation of data breaches (GDPR Art. (5));
  • Data protection impact assessments (GDPR Art. 35).

In order to assess compliance with the GDPR and the effectiveness of the controls, the DPA regularly asks for:

  • Organisational structure
  • Privacy directive (privacy policy), security policy, emergency planning
  • Review and audit reports, especially in the context of the IT in scope
  • Basic documentation of the IT infrastructure (hardware and software in use)
  • Access control concept, especially access rights of administrators, external staff, sub-processors and other external parties
  • Policies, instructions to users for the use of IT
  • Non-disclosure, confidentiality agreements and other relevant instructions/agreements
  • Controls and arrangements regarding the retention time and deletion of personal data (deletion concept)

Book (also free online): Law for Computer Scientists and Other Folk

By Mireille Hildebrandt

which includes e.g. sections on Machine Learning, Distributed Ledger and Legal by Design…

https://www.cohubicol.com/about/publications/law-for-computer-scientists-and-other-folk/

Available on OpenReview at MIT’s pubpub
https://lawforcomputerscientists.pubpub.org/

and as a PDF download
https://www.cohubicol.com/assets/uploads/law_for_computer_scientists.pdf

as well as hardcopy.

DPIA of the German Corona Warn App

What does a Data Protection Impact Assessment look like that the German Federal Data Protection Authority reviewed?

https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf

Interesting sections from the document structure

  • information on the organisation (with privacy team setup)
  • necessity of the DPIA
  • description of processing activities (evaluation target), with
    • context
    • purpose
    • process steps
    • system architecture
    • data flows and processes
    • data categories
    • data deletion
    • actors involved in the processing
    • additional documents
  • consideration of stakeholders’ view
  • legal privacy assessment
    • categories of personal data
    • legal grounds
    • data subject rights
    • privacy-by-design measures
    • other privacy requirements
  • assessment of the necessity and proportionality of the processing
  • risk analysis
  • continuous privacy reviews

CNIL – Developer’s Guide sheets

The CNIL publishes a GDPR guide for developers

In order to assist web and application developers in making their work GDPR-compliant, the CNIL has drawn up a new guide to best practices under an open source license, which is intended to be enriched by professionals.

https://www.cnil.fr/en/cnil-publishes-gdpr-guide-developers

All the material via tag search:
https://www.cnil.fr/en/tag/Developer%E2%80%99s+Guide

GitHub repository to participate in further development: https://github.com/LINCnil/GDPR-Developer-Guide

Local copy of the sheets (might be outdated):
https://www.privacydesign.ch/cnil-gdpr-developer-sheets/

Currently it includes:
Sheet n°0: Develop in compliance with the GDPR
Sheet n°1: Identify personal data
Sheet n°2: Prepare your development
Sheet n°3: Secure your development environment
Sheet n°4: Manage your source code
Sheet n°5: Make an informed choice of architecture
Sheet n°6: Secure your websites, applications and servers
Sheet n°7: Minimize the data collection
Sheet n°8: Manage user profiles
Sheet n°9: Control your libraries and SDKs
Sheet n°10: Ensure quality of the code and its documentation
Sheet n°11: Test your applications
Sheet n°12: Inform users
Sheet n°13: Prepare for the exercise of people’s rights
Sheet n°14: Define a data retention period
Sheet n°15: Take into account the legal basis in the technical implementation
Sheet n°16: Use analytics on your websites and applications

CNIL on anonymization (2020, blog post)

https://www.cnil.fr/fr/lanonymisation-de-donnees-personnelles

including, for example (via Google Translate):
If these three criteria are not fully met, the data controller who wishes to anonymize a data set must demonstrate, via an in-depth assessment of the identification risks, that the risk of re-identification with reasonable means is zero.

As anonymization and re-identification techniques are subject to regular changes, it is essential for any data controller concerned to carry out regular monitoring to preserve the anonymity of the data produced over time. This watch must take into account the technical means available as well as the other sources of data which can allow to lift the anonymity of the information.