GDPR and Data Privacy Consultants

The European Data Protection Board (EDPB) has recently published its Guidelines on Pseudonymisation under the General Data Protection Regulation (GDPR). These guidelines provide critical insights into how pseudonymisation can be used effectively as a safeguard for data protection. Below, we unpack the key takeaways and their implications for organizations handling personal data.

The DUA Bill has shifted in tone from its predecessor and now seeks to promote enabling greater use of data to grow the economy, improve public services and make people’s lives easier. According to the UK government, the DUA Bill is largely focused on making better use of data across many sectors of the UK’s economy and improving public sector services.

On October 24th, 2024, the Irish DPA, the Data Protection Commission (DPC) published its decision to fine LinkedIn 310 million Euros for multiple violations of the GDPR, related to the processing of personal data for behavioural analysis and targeted advertising. What are the key takeaways from this decision for those not working for large social media companies?

Two key pieces of legislation govern AI solutions in the EU: the Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR). Concepts such as automated individual decision-making, explainability, and transparency from GDPR are vital in the context of AI. Additionally, data controllers and processors may face new responsibilities based on their roles under the AI Act and the associated risk level of the AI systems they develop or use.

The implementation of the ePrivacy Regulation (ePR) will transform how electronic communications are managed and protected in the European Union (EU). Both the digital landscape and legal frameworks are evolving, and this brings our online interactions to a newer level each day. Therefore, the European Union (EU) takes the steps to ensure individuals data are protected. One of the key legislative tools in this effort is the ePrivacy Regulation (ePR), which is set to replace the outdated ePrivacy Directive (ePD).

Failing to conduct a TIA when required can result in significant fines and damage to a company’s reputation. By being proactive about international data transfers, organizations can avoid risks. This helps them keep the trust of their customers and partners.

The European Data Protection Board (EDPB) has just released its much-anticipated guidelines on the processing of personal data based on legitimate interest. This legal basis, outlined in Article 6(1)(f) of the GDPR, allows data controllers to process personal data when they have a legitimate interest, provided they meet specific criteria.

With this checklist we explain to you which data you must include in a record of processing activities according to the General Data Protection Regulation (GDPR). We give you an explanation of each point and tell you what you need to keep in mind to comply with the legal obligations.

It’s becoming increasingly common for employees to use digital assistants at work, whether to answer customer queries or summarize large documents. While these tools can save time and reduce mundane tasks, they also come with significant risks.

Numerous websites utilize cookies, which are generally divided into ‘essential’ (functioning website) and ‘non-essential’ (for example, store important information and user preferences) categories. The regulation of cookies falls under the ePrivacy Directive, translated into national laws of EU Member States. The ePrivacy Directive mandates that websites offer transparent information about cookie usage and seek consent for placing non-essential cookies.

The much-anticipated EU AI Act was published in the EU’s Official Journal on 12th July 2024 and promises to reshape the landscape of artificial intelligence across Europe. As we stand at the cusp of this groundbreaking legislation, it’s crucial to understand the roadmap ahead. Here, we detail the key dates and milestones leading up to the full implementation of the EU AI Act, ensuring you’re well-prepared for the changes to come.

Curious about the latest developments in digital privacy and regulation? Our whitepaper, “E-Privacy Unveiled: Decoding the Regulatory Realm of ePR”, provides an in-depth look into the upcoming e-Privacy Regulation (ePR) from the European Union. This comprehensive guide is a must-read for anyone looking to understand how the e-Privacy Regulation will transform the protection of electronic communications and what it means for your organization.

In 2023, the benefits scandal (Toeslagen affaire) advanced with hearings led by the parliamentary committee on Fraud Policy and Services. Despite these sessions, it became evident that little had changed. This lack of progress was unexpected, especially given the frequent summoning of the Dutch Data Protection Authority (AP) by the committee to address previous shortcomings. However, the AP continued to confront challenges related to algorithms and discrimination, as outlined in their 2023 annual report.

Judges and appeals committees must be vigilant regarding government decisions where algorithms have played a role. Additionally, the government should proactively be transparent about its use of algorithms. This was advocated by Aleid Wolfsen, chairman of the Dutch Data Protection Authority (AP), during a meeting in the Week of the Rule of Law on artificial intelligence (AI) in the judiciary.

The draft law allowing government agencies to proactively approach individuals eligible for benefits or allowances requires further modifications, according to the Dutch Data Protection Authority (AP). Specifically, individuals should receive clear information in advance about which personal data will be exchanged between agencies. The AP’s findings come after reviewing the proposed Law on Proactive Service Provision by the Ministry of Social Affairs and Employment (SZW), which amends the Implementation Structure Act on Work and Income (SUWI).

Since the introduction of the European Artificial Intelligence Act (“AI Act”) in March this year, guidance and recommendations by various Data Protection Authorities (“DPAs”) has been published. The most recent recommendations of the French Data Protection Authority (“CNIL”) are no different.

In April 2024, the European Parliament approved the European Health Data Space (EHDS) regulation, which is expected to be ratified by EU member states soon. The aim of these data spaces is to unlock extensive repositories of existing data and facilitate their accessibility for research, innovation, and development, while ensuring compliance with pertinent data protection regulations.

New problems arise for Facebook (and its owner Meta) in the EU. After receiving a fine of €390 million from the Irish Data Protection Commission (DPC) over the legal basis for targeted advertising, the Dutch Data Protection Authority questioned the use of Facebook by governmental bodies.

Due to the number of frequently asked questions the Dutch Data Protection Authority has received about the use of facial recognition, the AP has released a guidance about the use of facial recognition.

In recent years, the deployment of “tracking traffic lights” in the Netherlands has raised significant privacy concerns among both policymakers and citizens. These innovative traffic lights, designed to communicate with mobile phones of road users, have the capability to gather vast amounts of personal data, prompting intervention from the Dutch Data Protection Authority (AP). With the AP sounding the alarm once again, it is imperative for the Ministry of Infrastructure and Water Management (IenW) to take decisive action to address these privacy risks. 

The American Privacy Rights Act (“APRA”) has been unveiled. This comprehensive draft legislation sets clear, national data privacy rights and protections for Americans, eliminates the existing patchwork of state data privacy laws and establishes robust enforcement mechanisms to hold violators accountable, including the private right of action for individuals.

In April 2024, the European Parliament approved the European Health Data Space (EHDS) regulation, which is expected to be ratified by EU member states soon. The aim of these data spaces is to unlock extensive repositories of existing data and facilitate their accessibility for research, innovation, and development, while ensuring compliance with pertinent data protection regulations.

On the 13th of March 2024, the AI Act passed the scrutiny of the European Parliament and is ready to become a law of the Union. This comprehensive regulatory framework aims to govern the development and use of artificial intelligence (AI) across the European Union (EU). The AI Act’s primary aim is to ensure that AI technologies are developed and used in a manner that is ethical, transparent, and respects fundamental rights, and covers a wide range of AI systems used in various sectors, including healthcare, transport, and finance.

After its inquiry, the European Data Protection Supervisor (EDPS) found that the European Commission breached numerous essential data protection rules while using Microsoft 365. As a consequence, the EDPS has mandated that the Commission implement specific corrective actions.

In the era where data breaches are not just a possibility but also an unavoidable threat, the Health Insurance Portability and Accountability Act (HIPAA) positions as a ray of hope and security for the healthcare industry. HIPAA is more than just a regulatory requirement.

In the complex world of healthcare and data protection, the Health Insurance Portability and Accountability Act (HIPAA) provides crucial guidelines for safely handling patient data. Our latest whitepaper, authored by experts Johan Martens, Emine Bilsin, and Deniz Naz Kaya, offers in-depth analyses and practical advice for navigating the challenges and opportunities HIPAA presents.

Consent Mode v2, developed by Google, enables the transmission of consent signals from websites cookie banners directly to Google. This ensures that user consent preferences of the user are, in fact, honored. In practice, this tool provides a direct line of communication between the websites, where the user has given their preference to agree to share personal data, directly with Google for advertising purposes and personalization. It is an effective and efficient tool that streamlines procedures while at the same time providing users with more control regarding their personal data. When the user does opt to provide consent, Google can utilize these tools for detailed analytics. Conversely, if the user chooses not to consent, Google restricts the use of cookies and identifiers respectively.

In a recent development, the Italian DPA has taken decisive actions against Autostrade per l’Italia and Amazon Italia, fining them €100,000 and €40,000 respectively for having mishandled Data Subjects Access Requests (DSARs) from (former)employees. Article 15 GDPR outlines the Data Subject’s right to access, and its pivotal role has also been acknowledged by the European Data Protection Board (EDPB) guidelines 01/2022 on the right of access as updated on the 28th of March 2023. In particular, this right allows individuals to confirm the processing of their data, access personal information, and obtain details about the processing, including:

On 2024, the Dutch Data Protection Authority (AP) plans to increase its scrutiny of cookie consent practices to ensure compliance with regulations. Practice has shown that organizations quite often make use of misleading cookie banners, such as hidden rejection buttons or requiring the consumer to go through various clicks before rejecting cookies.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP), in collaboration with the privacy watchdogs of Norway and Germany, is set to launch a European procedure addressing privacy concerns related to personalized advertisements. The regulators aim to present a clear stance, in conjunction with their EU counterparts, on how online platforms obtain user consent for displaying personalized ads.