by Jutta-Sonja Oberlin and Lukas Lezzi 1 Introduction It is crucial for compliance of intra-group[1] data processing activities under the GDPR (General Data Protection Regulation)[2] to answer the question as to whether such cooperation in data processing constitutes order processing…
Microsoft is driving its customers into non-compliance
Microsoft is secretly transferring data on users' behaviour to the US for its own purposes. With this misuse of data, Microsoft is driving its customers into non-compliance, since the data transfer to Microsoft lacks a legal basis. In addition,…
Threat of fines also applies to public-sector undertakings
by Lana Dachlauer-Baron The General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (FDPA) have been in force since 25 May 2018. In the meantime, all German federal states have also adapted their data protection acts (LDSG)…
Facebook-hack: stress test for Irish DPA
Facebook has reported a hack of 3 million European users' personal data to the Irish DPA.[1] The Irish DPA is under pressure to answer the key question of the GDPR: do national DPAs have the power to force multinationals like…
ECHR: Mass surveillance by British secret service violated European Convention on Human Rights
by Peter Schaar On 13 September 2018, the European Court of Human Rights (ECHR) in Strasbourg ruled that the mass surveillance of the British intelligence service GCHQ (Government Communications Headquarters) carried out in cooperation with the US National Security Agency…
IT maintenance is ‘data processing on behalf’ according to German DPAs
With the application of the GDPR, the question of how to qualify IT maintenance in terms of data protection arises. This aspect is of great relevance, as any software contains personal data. E.g. Microsoft, Oracle and SAP process personal data of…
Google is tracking location of users without consent
Associated Press (AP) has reported that Google is tracking the location of Android users without their consent.[1] Android provided its users with an option to activate the location setting. Although users did not activate the location setting, Google tracked the location…
‘Data processing on behalf’ within a group
Any exchange of data requires a legal basis. This fundamental principle applies not only to data transfer from one controller to a different external third party. It applies equally to data transfer from one legal entity to another…
Ban of Facebook Custom Audience – decision of German DPA upheld
The ban imposed by a German Federal DPA (state of Bavaria) on an online shop for using Facebook Custom Audience has been upheld by the respective Administrative court. In an injunction, the Administrative court stated that the decision of the Bavarian…