Internal audit usually follows the Three-Lines-of-Defense-Modell (T-LoD).1 Within this modell the 1LoD is the business line – like sales and marketing. The 2LoD is checking whether the 1LoD adheres to internal policies, external law and adequatly manages the risk. Risk…
Irish DPC: liability for failure to act against Facebook
The divergence between strict legal requirements and poor implementation of the GDPR is significant. One key finding is the reluctance of the Irish DPC1 to take any action against global players like Facebook. Allthogh the Irish DPC has a discretion…
The DPO and the messanger of bad news
The strong legal position of the DPO, which is provided by the GDPR, does not prevent the DPO1 in practice of the risk of either being sued or being fired by the controller. Role of DPO according to GDPR The…
Data breach: 72 hours period extended on weekend
GDPR requires companies to notify data breaches to the supervisory authority „…without undue delay and, where feasible, not later than 72 hours…“1 Insofar the notice period of 72 hours would include weekends companies were required to organise an urgency duty…
In the face – of Facebook
Landmark decision of German Anti-trust Authority In a landmark decision the Bundeskartellamt (German Antitrust Authority) is prohibiting Facebook from combining user data from different sources – of its subsidiaries like Whatsapp and of other third parties.1 The decision of the…
Microsoft is driving its customers into non-compliance
Microsoft is secretly transferring data of user’s behaviour to the US for its own purpose. With this misuse of data Microsoft is driving its customers into non-compliance since the data transfer to Microsoft is lacking a legal basis. In addition,…
Facebook-hack: stress test for Irish DPA
Facebook has reported a hack of 3 million European users personal data to the Irish DPA.[1] The Irish DPA is under pressure to answer to the key question of GDPR: do national DPAs have the power to force multinationals like…