Weekly Newsletter: 22 February – 26 February 2021
GDPR EU Representative

March 1, 2021

French decision to have Microsoft host Health Data Hub still attracts criticism

[#Microsoft #Healthdatahub] 

“The French government’s decision to have Microsoft host the country’s Health Data Hub is causing outrage in the French and European digital ecosystem, and it is also worrying data protection advocates.

EURACTIV France reports. […] The new platform was officially created in November 2019 by government decree, to centralise and facilitate the sharing of health data for research and development purposes.

Very quickly, concerns emerged regarding the risks of using a company subject to US data protection law. On top of that, calls for accountability were made with regards to the decision not to give priority to the French and European technology park.”

To read more: Click here.

Personal data might continue to flow between the EU and the UK. But it’s too early to declare victory

[#EDPB #UKAdequacydecision #EUComission]

UK Adequacy decision : next steps

[…] the draft documents do not provide assurance that adequacy will be granted. Rather, they are indicative of the start of a process, which now involves obtaining an opinion from the European Data Protection Board (EDPB), as well as the green light from a committee composed of representatives of the EU Member States. […]

The UK government has urged the EU to “swiftly complete” what was described as a “technical process”. Previous examples, such as the Japanese adequacy decision, have shown that the next steps can in fact take up to four months and require several rounds of discussion with the EDPB. […]

Data protection consultancy Securys has recommended that businesses keep looking at alternative ways of legitimizing transfers from the EU to the UK, in case the adequacy decision fell through […]

“It is clear that the European Commission will keep a particularly watchful eye on any data protection related developments occurring in the UK,” said Guillaume Couneson, partner at law firm Linklaters. “

To read more: Click here

Spanish Data Protection Authority (AEPD) imposes fine of 6.000.000 EUR on CAIXABANK, S.A.

[#SpanishDPA #AEPD #EDPB #GDPRfines]

Highest fine imposed by the Spanish data protection authority (AEPD) on Caixabank

“The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK, S.A., for unlawfully processing clients’ personal data (4.000.000 EUR) and not providing sufficient information regarding the processing of personal data (2.000.000 EUR). […]

The AEPD considered that the document designed to comply with the information did not include enough information regarding the categories of personal data concerned, nor information about the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, especially regarding those processing activities based on the company’s legitimate interest. […]

In addition to the administrative fine […], the AEPD ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next six months. “

To read more: Click here

GDPR representatives in EU and UK after Brexit

[#GDPR #UKrepresentative #NonEUcompanies] EU/UK GDPR representative : no grace period

“ Appointing a GDPR representative is a major compliance obligation introduced to facilitate effective enforcement of the GDPR’s international outreach. But beyond being a nasty task to tick off from the long Brexit list, it can be a “compliance marketing” opportunity for non-EU businesses, as it showcases privacy commitment to the public. […]

In a nutshell, it applies to almost any company falling into the extraterritorial scope of the EU, which has no establishment in the EU. Conversely, as the U.K. GDPR basically copied and pasted the requirement into British law, companies located in the EU and elsewhere now need representation in the U.K.

Either way, businesses finding themselves in the scope of the EU/U.K. GDPR representative obligation should take immediate action, as no grace period has been announced by either authority. Fines for noncompliance are in the 10 million euro tier in the EU and the 8.7 million GBP tier in the U.K.”

Author: Paul Voigt

To read more: Click here.

Datacracy: Microsoft CEO Satya Nadella calls for a common set of global rules governing data— not fragmented local one

[#Microsoft #Globalprivacy] 

“”One thing that I would hope for is that we don’t fragment. We are able to—whether on privacy or safety—bring together a set of global rules that will allow all of us to both comply and make sure that we know what we build is safe to use.”

“[…] regulations are in place and initiatives such as General Data Protection Regulations (GDPR) are spreading worldwide. Tech companies should design and build products keeping in mind user privacy and no lackadaisical attitude in this regard should be tolerated”, he said. […]

“On the post-pandemic working conditions, he said the situation has pushed for more flexibility in terms of work sites and collaboration.””

To read more: Click here.

Luxembourg data watchdog: ‘Big penalties not the aim’

[#LuxembourgDPA #GDPRfines #Amazon #Facebook] Are companies abroad “getting away with murder”?

“ […] amid revelations Amazon is failing to safeguard reams of customer data, the regulator’s words may draw scrutiny of just how it’s changing culture at the companies it oversees. […]

“It is unacceptable that more than two years after the entry into application of the GDPR, we are still waiting on the the Luxembourg (data protection agency) to resolve any of its major cases. Worse still, the DPA has dismissed important international cases,” said Estelle Massé, privacy lead at Access Now, a digital rights NGO. […]

“If DPAs refuse to enforce the GDPR every time a company has no presence in the EU, that would just give the signal to companies to stay abroad to bypass the law,” said Romain Robert, the lawyer behind a legal challenge to the dismissals […]

“They try to push cases to other countries … instead of simply taking charge and making sure that the cases will be resolved,” he added.”

To read more: Click here.