RPPA PRO: Privacy • AI • Cybersecurity • IP pinned «#EDPC 🌟Запись самой крупной конференции в области приватности года - YouTube🌟 ПРЕЗЕНТАЦИИ»
#PrivacyNews
💬Автор: Олег Блинов
🔸 Bahn app: civil rights activists sue “DB Schnüffel-Navigator” (https://www.heise.de/news/Bahn-App-Buergerrechtler-klagen-gegen-DB-Schnueffel-Navigator-7314938.html): civil rights organization Digitalcourage filed a suit against DB for use of Adobe Marketing Cloud analytics; US-based Optimizely & Crashlytics. Impact: As I predicted, enforcement of consent for tracking via apps will come and so here it goes. This will hit marketing first (marketing attribution, fb&google integrations). I do not believe anyone on the market has a plan at the moment.
🔸 The European Data Protection Board has published its Guidelines 9/2022 on personal data breach notification under GDPR (https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-92022-personal-data-breach_en): The essential update is that non-EU companies do not benefit from the one-stop-shop mechanism and have to notify DPA’s in each country where the affected users are located.
🔸 EU: CJEU interprets purpose and storage limitation principles under the GDPR (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0077): Much ado about nothing, the CJEU essentially reiterated the GDPR text. Only practical implication is that it is not prohibited by purpose limitation to copy data to a separate database from where it was initially collected.
🔸 France: CNIL fines Clearview AI €20 million over facial recognition technology (https://edpb.europa.eu/news/national-news/2022/french-sa-fines-clearview-ai-eur-20-million_en): just another fine against Clearview for its facial recognition software, nothing outstanding.
💬Автор: Олег Блинов
🔸 Bahn app: civil rights activists sue “DB Schnüffel-Navigator” (https://www.heise.de/news/Bahn-App-Buergerrechtler-klagen-gegen-DB-Schnueffel-Navigator-7314938.html): civil rights organization Digitalcourage filed a suit against DB for use of Adobe Marketing Cloud analytics; US-based Optimizely & Crashlytics. Impact: As I predicted, enforcement of consent for tracking via apps will come and so here it goes. This will hit marketing first (marketing attribution, fb&google integrations). I do not believe anyone on the market has a plan at the moment.
🔸 The European Data Protection Board has published its Guidelines 9/2022 on personal data breach notification under GDPR (https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-92022-personal-data-breach_en): The essential update is that non-EU companies do not benefit from the one-stop-shop mechanism and have to notify DPA’s in each country where the affected users are located.
🔸 EU: CJEU interprets purpose and storage limitation principles under the GDPR (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0077): Much ado about nothing, the CJEU essentially reiterated the GDPR text. Only practical implication is that it is not prohibited by purpose limitation to copy data to a separate database from where it was initially collected.
🔸 France: CNIL fines Clearview AI €20 million over facial recognition technology (https://edpb.europa.eu/news/national-news/2022/french-sa-fines-clearview-ai-eur-20-million_en): just another fine against Clearview for its facial recognition software, nothing outstanding.
heise online
Bahn-App: Bürgerrechtler klagen gegen "DB Schnüffel-Navigator"
Digitalcourage macht ernst und reicht Klage gegen Tracking in der Bahn-App DB Navigator ein. Der Grundversorger müsse die Privatsphäre der Reisenden achten.
👍2
Forwarded from Privacy Advocates (Alexey Muntyan)
🌐🔆🧑💻 #edpc #privacy #конференция
🌟20.10.2022 прошел уже второй Евразийский конгресс по защите персональных данных. Благодаря усилиям @ShirmanV были подготовлены небольшими роликами с основными тезисами некоторых выступающих:
🔸Александр Партин
🔸Елизавета Дмитриева
🔸Михаил Емельянников
🔸Алексей Мунтян
🌟20.10.2022 прошел уже второй Евразийский конгресс по защите персональных данных. Благодаря усилиям @ShirmanV были подготовлены небольшими роликами с основными тезисами некоторых выступающих:
🔸Александр Партин
🔸Елизавета Дмитриева
🔸Михаил Емельянников
🔸Алексей Мунтян
👍7
#events #privacy
Когда: во вторник, 25 октября, 16:00-17:00 (Мск)
Где: онлайн
Тема: «Уведомления Роскомнадзора: инструкция по применению. Продолжение»
Спикеры: Сергей Сайганов, партнер, руководитель практики Technology & Product, Comply, и Мария Пономарева, юрист практики IP, Tech & Privacy, Comply
Организатор: Comply
Стоимость: бесплатно
Регистрация: по ссылке
Когда: во вторник, 25 октября, 16:00-17:00 (Мск)
Где: онлайн
Тема: «Уведомления Роскомнадзора: инструкция по применению. Продолжение»
Спикеры: Сергей Сайганов, партнер, руководитель практики Technology & Product, Comply, и Мария Пономарева, юрист практики IP, Tech & Privacy, Comply
Организатор: Comply
Стоимость: бесплатно
Регистрация: по ссылке
👍1
#ЯрмаркаВакансий
Консультант по сертификации в сфере прайваси и информационной безопасности в Толоке, на RPPA.ru
У нас все самое интересное😜
Консультант по сертификации в сфере прайваси и информационной безопасности в Толоке, на RPPA.ru
У нас все самое интересное😜
#НеДляГалочки #podcast
🎙Цели обработки данных: как их найти и не потерять
В новом выпуске подкаста мы отвлекаемся от сложных понятий и концепций и хотим разобраться, что такое цели обработки данных, зачем они нужны и как их определять.
Слушайте подкаст и вооружайтесь знаниями и практическим опытом:
⭐️ что такое цели обработки персональных данных простым языком
⭐️ как определить цели обработки при общении с бизнесом и IT, при оценке IT-систем
⭐️ при чем тут принцип минимизации данных: казусы при запросах субъектов на доступ к данным
⭐️ достижение целей: как определить этот момент и на что можно опереться
⭐️ 3 лайфхака от ведущих
Ведущие выпуска:
Ирина Шурмина, SEAMLESS Legal
Кристина Боровикова, со-основатель RPPA, Kept
Ксения Андреева, Morgan Lewis
Елизавета Дмитриева, data privacy engineer в российском инхаусе
😍 Благодарим всех за поддержку и призываем писать нам отзывы, пожелания и предложения!
Apple | Yandex
🎙Цели обработки данных: как их найти и не потерять
В новом выпуске подкаста мы отвлекаемся от сложных понятий и концепций и хотим разобраться, что такое цели обработки данных, зачем они нужны и как их определять.
Слушайте подкаст и вооружайтесь знаниями и практическим опытом:
⭐️ что такое цели обработки персональных данных простым языком
⭐️ как определить цели обработки при общении с бизнесом и IT, при оценке IT-систем
⭐️ при чем тут принцип минимизации данных: казусы при запросах субъектов на доступ к данным
⭐️ достижение целей: как определить этот момент и на что можно опереться
⭐️ 3 лайфхака от ведущих
Ведущие выпуска:
Ирина Шурмина, SEAMLESS Legal
Кристина Боровикова, со-основатель RPPA, Kept
Ксения Андреева, Morgan Lewis
Елизавета Дмитриева, data privacy engineer в российском инхаусе
😍 Благодарим всех за поддержку и призываем писать нам отзывы, пожелания и предложения!
Apple | Yandex
Apple Podcasts
Цели обработки данных: как их найти и не потерять
Выпуск подкаста · Не для галочки - подкаст о приватности · 25.10.2022 · 58 мин.
👍13
RPPA PRO: Privacy • AI • Cybersecurity • IP pinned «#НеДляГалочки #podcast 🎙Цели обработки данных: как их найти и не потерять В новом выпуске подкаста мы отвлекаемся от сложных понятий и концепций и хотим разобраться, что такое цели обработки данных, зачем они нужны и как их определять. Слушайте подкаст…»
❤4
#ЯрмаркаВакансий
💬Автор: Олег Блинов
This week I’m testing out breaking the news into sections: major news, general news, enforcement. Here’s an update of news for this week and enforcement practice.
Major News
🔸Digital Services Act (DSA) published; Digital Markets Act (DMA) enters into force starting November https://www.lexology.com/library/detail.aspx?g=2ae49fde-1b07-4312-bc39-b77a872549d2: Two major legislative changes introduced to EU regulatory landscape: DMA and DSA.
🔹🔹DMA is targeted at gatekeepers (there is a cumulative criterion for what constitutes a gatekeeper, e.g. the annual turnover has to exceed €7.5 billion). DMA has a couple of privacy-adjacent requirements, including the rights to use the service without personalization; restriction on use of aggregated data for dual role (e.g. where data obtained from marketplace model is re-used for own cheap product line); informing stakeholders of the online advertising system used.
🔹🔹DSA targets providers of intermediary services. From privacy perspective, it prohibits dark patters that may encourage decisions that harm the user; prohibits targeted advertising based on profiling with special categories of personal data or on minors; disclosure requirements on recommendation mechanisms.
🔸Case C-129/21 Proximus NV v. Gegevensbeschermingsautoriteit https://curia.europa.eu/juris/document/document_print.jsf?mode=lst&pageIndex=0&docid=267605&part=1&doclang=FR&text=&dir=&occ=first&cid=595480: The case sheds light on the right to erasure under Art. 17. While it (the case) concerns public phone directories and ePrivacy Directive, its logic may be extended to other similar situations:
🔹🔹the CJEU stated that consent: (1) may be collected by a third party for the benefit of the controller, even if unnamed (para 55-56); (2) transmission to a third party does not require further legal basis if it can be guaranteed that the recipient will use the data for the same purpose (para 48);
🔹🔹the CJEU stated that a request to delete data shall be understood as Article 17 right to erasure request and revocation of consent. In the absence of any other legal basis for such processing after revocation of consent, the data shall be erased (para 66). Interesting that the CJEU said nothing about contract and LI legal bases;
🔹🔹remember the weird Art. 19 obligation to inform third parties of erasure? What always confused me is that there is no corresponding obligation of the onward recipient to do anything about it. The CJEU clarifies in para 78 that revocation of consent also invalidates legal grounds for processing for subsequent recipients.
🔹🔹In para 99 the CJEU states that the DPA may force the controller to also re-index their website by Google.
💬Автор: Олег Блинов
This week I’m testing out breaking the news into sections: major news, general news, enforcement. Here’s an update of news for this week and enforcement practice.
Major News
🔸Digital Services Act (DSA) published; Digital Markets Act (DMA) enters into force starting November https://www.lexology.com/library/detail.aspx?g=2ae49fde-1b07-4312-bc39-b77a872549d2: Two major legislative changes introduced to EU regulatory landscape: DMA and DSA.
🔹🔹DMA is targeted at gatekeepers (there is a cumulative criterion for what constitutes a gatekeeper, e.g. the annual turnover has to exceed €7.5 billion). DMA has a couple of privacy-adjacent requirements, including the rights to use the service without personalization; restriction on use of aggregated data for dual role (e.g. where data obtained from marketplace model is re-used for own cheap product line); informing stakeholders of the online advertising system used.
🔹🔹DSA targets providers of intermediary services. From privacy perspective, it prohibits dark patters that may encourage decisions that harm the user; prohibits targeted advertising based on profiling with special categories of personal data or on minors; disclosure requirements on recommendation mechanisms.
🔸Case C-129/21 Proximus NV v. Gegevensbeschermingsautoriteit https://curia.europa.eu/juris/document/document_print.jsf?mode=lst&pageIndex=0&docid=267605&part=1&doclang=FR&text=&dir=&occ=first&cid=595480: The case sheds light on the right to erasure under Art. 17. While it (the case) concerns public phone directories and ePrivacy Directive, its logic may be extended to other similar situations:
🔹🔹the CJEU stated that consent: (1) may be collected by a third party for the benefit of the controller, even if unnamed (para 55-56); (2) transmission to a third party does not require further legal basis if it can be guaranteed that the recipient will use the data for the same purpose (para 48);
🔹🔹the CJEU stated that a request to delete data shall be understood as Article 17 right to erasure request and revocation of consent. In the absence of any other legal basis for such processing after revocation of consent, the data shall be erased (para 66). Interesting that the CJEU said nothing about contract and LI legal bases;
🔹🔹remember the weird Art. 19 obligation to inform third parties of erasure? What always confused me is that there is no corresponding obligation of the onward recipient to do anything about it. The CJEU clarifies in para 78 that revocation of consent also invalidates legal grounds for processing for subsequent recipients.
🔹🔹In para 99 the CJEU states that the DPA may force the controller to also re-index their website by Google.
Lexology
European Union: The Digital Services Act (DSA) and the Digital Markets Act (DMA) finally approved
On 4 October 2022, the Council of the European Union definitively approved the Digital Services Act (DSA), maintaining unchanged the content proposed…
👍3
#PrivacyNews
💬Автор: Олег Блинов
General News
🔸Techpump Solutions fined €525,000 in Spain for every GDPR violation https://www.aepd.es/es/documento/ps-00555-2021.pdf: It is easier to say which obligations under GDPR the company followed rather than those which were breached: cookies, privacy policy, retention, RoPA you name it. The fine can be a source of a ballpark estimation of the fine for companies living under the “we don’t need any privacy compliance” motto: it’s approximately 5 times larger than Spain’s average fine amount of EUR 112k;
🔸ICO: How do we comply with the rules on sending marketing by electronic mail? https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-direct-marketing-using-electronic-mail/how-do-we-comply-with-the-rules-on-sending-marketing-by-electronic-mail/: Very nice guide on soft opt-in. Good primer for emarketing + some very helpful answers on previously unclear questions:
🔹🔹to benefit from the soft opt-in, the contact details must be obtained in “negotiations for a sale”. No actual sale needs to take place, but at the same time, a mere login with an email does not constitute sufficient engagement;
🔹🔹it must be possible to opt-out during collection of contact details. E.g. “We will send you marketing text messages about our special offers. If you don’t want to receive these please tick here [ ].” Having an unsubscribe link in the Privacy Policy is not enough;
🔹🔹when a controller encourages (“instigates”) people to refer the product to friends and family (viral marketing), consent of the recipient is also required! Since it is not possible for the company to obtain such consent, it is effectively prohibited. The ICO recommends to “take steps to avoid being the instigator of the messages” and “not actively encouraging customers to send an email or text message to their friends and family”.
💬Автор: Олег Блинов
General News
🔸Techpump Solutions fined €525,000 in Spain for every GDPR violation https://www.aepd.es/es/documento/ps-00555-2021.pdf: It is easier to say which obligations under GDPR the company followed rather than those which were breached: cookies, privacy policy, retention, RoPA you name it. The fine can be a source of a ballpark estimation of the fine for companies living under the “we don’t need any privacy compliance” motto: it’s approximately 5 times larger than Spain’s average fine amount of EUR 112k;
🔸ICO: How do we comply with the rules on sending marketing by electronic mail? https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-direct-marketing-using-electronic-mail/how-do-we-comply-with-the-rules-on-sending-marketing-by-electronic-mail/: Very nice guide on soft opt-in. Good primer for emarketing + some very helpful answers on previously unclear questions:
🔹🔹to benefit from the soft opt-in, the contact details must be obtained in “negotiations for a sale”. No actual sale needs to take place, but at the same time, a mere login with an email does not constitute sufficient engagement;
🔹🔹it must be possible to opt-out during collection of contact details. E.g. “We will send you marketing text messages about our special offers. If you don’t want to receive these please tick here [ ].” Having an unsubscribe link in the Privacy Policy is not enough;
🔹🔹when a controller encourages (“instigates”) people to refer the product to friends and family (viral marketing), consent of the recipient is also required! Since it is not possible for the company to obtain such consent, it is effectively prohibited. The ICO recommends to “take steps to avoid being the instigator of the messages” and “not actively encouraging customers to send an email or text message to their friends and family”.
👍1
#privacy #events
Когда: 15,16,18 ноября
Где: онлайн
Тема: Специальный модуль «Трансграничная передача персональных данных»
Организатор: Data Privacy Office
Спикеры: Денис Садовников, CIPP/E, CPM, FIP, Сергей Воронкевич, CIPP/E, CIPM, CIPT, FIP, Анастасия Пархимович, LLM, CIPP/E
Язык: русский
Стоимость: 270 EUR по кодовому слову Privacy GDPR Russia
Регистрация: здесь
Когда: 15,16,18 ноября
Где: онлайн
Тема: Специальный модуль «Трансграничная передача персональных данных»
Организатор: Data Privacy Office
Спикеры: Денис Садовников, CIPP/E, CPM, FIP, Сергей Воронкевич, CIPP/E, CIPM, CIPT, FIP, Анастасия Пархимович, LLM, CIPP/E
Язык: русский
Стоимость: 270 EUR по кодовому слову Privacy GDPR Russia
Регистрация: здесь
👍3