Who of us expected the coronavirus? In Europe, public life has been reduced to zero, we #stay-at-home, companies are going bankrupt, people are losing their jobs, hospitals are overloaded and people are dying at the end of the day.…
Junk mail from a dating portal (decision of Austrian DPA)
by Andreas Rohner, Gerald Trieb // The Austrian Data Protection Authority (DPA) ruled that the absence of a “double opt-in” procedure can, in some cases, constitute a breach of Article 32 GDPR. Double opt-in In a “double opt-in” procedure, a user gives his…
Internal Audit, DPO and the adjustment of Three-Lines-of-Defense-Model
Internal audit usually follows the Three-Lines-of-Defense-Model (T-LoD). Within this model the 1LoD is the business line – like sales and marketing. The 2LoD checks whether the 1LoD adheres to internal policies and external law and adequately manages the risk. Risk…
Irish DPC: liability for failure to act against Facebook
The divergence between strict legal requirements and poor implementation of the GDPR is significant. One key finding is the reluctance of the Irish DPC to take any action against global players like Facebook. Although the Irish DPC has a discretion…
Google Analytics: Injunctive relief, information requests and damages
by Peter Hense // Dresden Regional Court on Google Analytics Irrespective of the GDPR, claims for injunctive relief against the disclosure of personal data can also be based on German tort law according to a decision of the Regional Court of…
Data Protection in Japan
by Toshihiro Wada // The European Commission adopted the adequacy decision on Japan pursuant to Article 45(3) GDPR on 23 January 2019. On the same day, the Japanese data protection authority, the Personal Information Protection Commission (PPC), judged that the EU…
The “Whitelist” and its Value during a Data Protection Impact Assessment
by Iheanyi Samuel Nwankwo // Background The EU General Data Protection Regulation (GDPR) solidifies the risk-based approach in data protection through several references that tie the obligation of data controllers to the risk exposure associated with their data processing. This…
The DPO and the messenger of bad news
The strong legal position of the DPO, which is provided by the GDPR, does not in practice protect the DPO from the risk of either being sued or being fired by the controller. Role of DPO according to GDPR The…