#ЯрмаркаВакансий
💬Author: Oleg Blinov
This week I’m testing out breaking the news into sections: major news, general news, enforcement. Here’s an update of news for this week and enforcement practice.
Major News
🔸Digital Services Act (DSA) published; Digital Markets Act (DMA) enters into force starting November https://www.lexology.com/library/detail.aspx?g=2ae49fde-1b07-4312-bc39-b77a872549d2: Two major legislative changes introduced to EU regulatory landscape: DMA and DSA.
🔹🔹DMA is targeted at gatekeepers (there is a cumulative criterion for what constitutes a gatekeeper, e.g. the annual turnover has to exceed €7.5 billion). DMA has a couple of privacy-adjacent requirements, including the rights to use the service without personalization; restriction on use of aggregated data for dual role (e.g. where data obtained from marketplace model is re-used for own cheap product line); informing stakeholders of the online advertising system used.
🔹🔹DSA targets providers of intermediary services. From privacy perspective, it prohibits dark patterns that may encourage decisions that harm the user; prohibits targeted advertising based on profiling with special categories of personal data or on minors; disclosure requirements on recommendation mechanisms.
🔸Case C-129/21 Proximus NV v. Gegevensbeschermingsautoriteit https://curia.europa.eu/juris/document/document_print.jsf?mode=lst&pageIndex=0&docid=267605&part=1&doclang=FR&text=&dir=&occ=first&cid=595480: The case sheds light on the right to erasure under Art. 17. While it (the case) concerns public phone directories and ePrivacy Directive, its logic may be extended to other similar situations:
🔹🔹the CJEU stated that consent: (1) may be collected by a third party for the benefit of the controller, even if unnamed (para 55-56); (2) transmission to a third party does not require further legal basis if it can be guaranteed that the recipient will use the data for the same purpose (para 48);
🔹🔹the CJEU stated that a request to delete data shall be understood as Article 17 right to erasure request and revocation of consent. In the absence of any other legal basis for such processing after revocation of consent, the data shall be erased (para 66). Interesting that the CJEU said nothing about contract and LI legal bases;
🔹🔹remember the weird Art. 19 obligation to inform third parties of erasure? What always confused me is that there is no corresponding obligation of the onward recipient to do anything about it. The CJEU clarifies in para 78 that revocation of consent also invalidates legal grounds for processing for subsequent recipients.
🔹🔹In para 99 the CJEU states that the DPA may force the controller to also re-index their website by Google.
#PrivacyNews
💬Author: Oleg Blinov
General News
🔸Techpump Solutions fined €525,000 in Spain for every GDPR violation https://www.aepd.es/es/documento/ps-00555-2021.pdf: It is easier to say which obligations under GDPR the company followed rather than those which were breached: cookies, privacy policy, retention, RoPA you name it. The fine can be a source of a ballpark estimation of the fine for companies living under the “we don’t need any privacy compliance” motto: it’s approximately 5 times larger than Spain’s average fine amount of EUR 112k;
🔸ICO: How do we comply with the rules on sending marketing by electronic mail? https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-direct-marketing-using-electronic-mail/how-do-we-comply-with-the-rules-on-sending-marketing-by-electronic-mail/: Very nice guide on soft opt-in. Good primer for emarketing + some very helpful answers on previously unclear questions:
🔹🔹to benefit from the soft opt-in, the contact details must be obtained in “negotiations for a sale”. No actual sale needs to take place, but at the same time, a mere login with an email does not constitute sufficient engagement;
🔹🔹it must be possible to opt-out during collection of contact details. E.g. “We will send you marketing text messages about our special offers. If you don’t want to receive these please tick here [ ].” Having an unsubscribe link in the Privacy Policy is not enough;
🔹🔹when a controller encourages (“instigates”) people to refer the product to friends and family (viral marketing), consent of the recipient is also required! Since it is not possible for the company to obtain such consent, it is effectively prohibited. The ICO recommends to “take steps to avoid being the instigator of the messages” and “not actively encouraging customers to send an email or text message to their friends and family”.
#privacy #events
When: 15, 16, 18 November
Where: online
Topic: Special module "Cross-border transfer of personal data"
Organizer: Data Privacy Office
Speakers: Denis Sadovnikov, CIPP/E, CPM, FIP; Sergey Voronkevich, CIPP/E, CIPM, CIPT, FIP; Anastasia Parkhimovich, LLM, CIPP/E
Language: Russian
Price: 270 EUR with the code word Privacy GDPR Russia
Registration: here
#awareness #privacy
An awareness campaign for employees.
The folks created superheroes and drew mini-cartoons.
YouTube
Privacy Superheroes (English) - YouTube
#PrivacyNews
💬Author: Oleg Blinov
Another week of privacy news!
🔸 Hesse: HBDI issues statement on use of Google Fonts https://datenschutz.hessen.de/datenschutz/internet-und-medien/hinweise-des-hbdi-zu-google-fonts-abmahnungen: The German regulator once again recommends to switch to self-hosting fonts instead of using Google Fonts as they require users to transfer their IP and other header information to the US.
🔸 Google Analytics prohibited in Hungary (NAIH (Hungary) - NAIH-3561-4/2022) https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH-3561-4/2022: Another case against Google Analytics, went just as well as you would expect it from previous GA news (meaning it went real bad for Google). This time the review was initiated by a data subject supported by NOYB.
🔸 Amazon QLDB introduces redacting documents for GDPR compliance https://docs.aws.amazon.com/qldb/latest/developerguide/working.redaction.html: it’s been a source of constant confusion for me how to handle data deletion in immutable data sources (e.g. blockchain, S3-based analytics & logs etc.). Seems AWS is gradually implementing data redaction features, which is really awesome.
🔸 How to assess and gain confidence in your supply chain cyber security https://www.ncsc.gov.uk/files/Assess-supply-chain-cyber-security.pdf: not so much “news”, but a nice source of approaches on how to do supplier management. Props to @krakozubla for posting this to her channel
🔸 ENISA cybersecurity threat landscape report https://www.enisa.europa.eu/news/volatile-geopolitics-shake-the-trends-of-the-2022-cybersecurity-threat-landscape: can be used as a source of baseline. Interesting facts: Third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020. The number of data compromises increased by 68%.
When: 16 November at 10:00 Moscow time
Where: online
Topics:
— cybersecurity in Russia (changes in legislation, SOC, pentesting);
— import substitution under the new realities (migration to domestic IT solutions, real problems and ways to solve them, practical cases).
Speakers:
— Roskomnadzor
— Kaluga Astral
— Positive Technologies
— R7
— Kod Bezopasnosti
— RED SOF
Conference program
Organizer: Astral.Bezopasnost
Price: free
Registration: here
#PrivacyNews
Author: Oleg Blinov
Privacy news for this week:
🔸 Commercial interest is legitimate interest? https://www.lexology.com/library/detail.aspx?g=ededc1c1-9b97-4696-9fd0-3cc60136dec2: Not so long ago the Dutch DPA claimed that commercial interest is not LI for GDPR purposes. Even though prior to that the EDPB and CJEU already provided a wider interpretation. A Dutch court disagreed with the DPA in the famous VoetbalTV case. Now, in the KNLTB case, the Amsterdam District Court referred the question whether commercial interest is LI, to the CJEU.
🔸 Sanction of 800,000 euros against DISCORD INC. https://www.cnil.fr/fr/sanction-de-800-000-euros-lencontre-de-la-societe-discord-inc: Several interesting points here: (1) failure to delete inactive accounts (3+ years) is a retention violation; (2) art. 32 is breached through failure to enforce strong password requirements (which begs the question whether passwords are the only area where services have to protect people from themselves); and (3) clicking “X” in the application only minimized the window, which is in breach of Privacy by Design (finally some interesting stuff with PbD!).
🔸 UK ICO TIA Tool & Guidance (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/11/blog-international-transfers-empowering-innovation-and-growth-whilst-protecting-people-s-personal-information/): Worth having a look at as an alternative (or supplement) to Rosenthal’s TIA which is to my knowledge the only good publicly available TIA template.
🔸 Serious criticism of JP/Politik’s consent solution at www.eb.dk (https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/nov/alvorlig-kritik-af-jppolitikens-samtykkeloesning-paa-wwwebdk): For Pete’s sake, now they don’t like the “accept all” button since it is not granular enough, even though there was an “only necessary” button on the same layer. Really tired of these changing goalposts.
🔸 Privacy for America research An Information Economy Without Data (https://www.privacyforamerica.com/wp-content/uploads/2022/11/Study-221115-Beales-and-Stivers-Information-Economy-Without-Data-Nov22-final.pdf): the source seems to be heavily biased in favour of the behavioral advertising industry, so take it with a grain of salt. The summary reads that “Limiting online advertising’s access to data about audience interests and demographics substantially reduces revenue to online content providers, by 50 to 70 percent”
🔸 META US Settlement for USD90M (https://www.govinfo.gov/content/pkg/USCOURTS-cand-5_12-md-02314/pdf/USCOURTS-cand-5_12-md-02314-14.pdf): Meta paid out 90M for cookies tracking via the Like button.
🔸 Forty Attorneys General Announce Historic $391.5M Settlement with Google over Location Tracking Practices (https://www.njoag.gov/forty-attorneys-general-announce-historic-settlement-with-google-over-location-tracking-practices/): Google continued to geo-track users despite users switching “Location History” off. There was a separate second switch, so this could also count as a Privacy by Design violation.
🔸 Unsealed court documents reveal data anarchy at Meta (https://www.iccl.ie/wp-content/uploads/2022/11/ICCL-to-Commission-17-November-2022.pdf): the Irish Council for Civil Liberties investigated Meta’s court disclosures and identified lack of Meta’s internal understanding, which data, for which purpose and by whom is being processed.
🔸 Shopify illegal? How the data protection authority declared the use of my Shopify shop to be illegal (field report) https://lsww.de/shopify-illegal/: A small Shopify store shares its tragic story of being attacked by the DPA due to Shopify’s use of US-based CDNs (content delivery networks). This adds to previous news on risks in connection with Google Fonts + is a good example that small business may also be targeted by DPAs.
#privacy #events
When: 1 December at 10:00 (Moscow time)
Where: online
Topic: Practical webinar "152-FZ: everything you were too shy to ask"
Organizer: Kept (ex. KPMG)
Speakers: Roman Martinson, Ekaterina Basnieva
Language: Russian
Price: free, for in-house specialists only (moderated)
Registration
🔆BONUS🔆
Before the event we will collect your questions and try to answer them during the event itself.
Ask a question via the link.
#PrivacyNews
💬Author: Oleg Blinov
Hi all! Weekly privacy updates here:
🔷 Dutch DPIA of Facebook Pages (https://www.privacycompany.eu/blogpost-en/human-rights-impact-assessment-of-facebook-pages): a 150+ page document which could be easily converted into a holistic GDPR textbook. Really useful for understanding GDPR principles, privacy risk management, transfers, contracts etc. Brilliant, reasonably in-depth, easy to read. Treat yourself.
🔷 Irish DPA on disclosure of international transfers in Privacy Notices (https://edpb.europa.eu/system/files/2021-09/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf): EDPB published the final version of the WhatsApp deliberations. It seems that DPA understands the Art. 13 provision on disclosure of international transfers to include explicit statement of countries and whether an adequacy decision has been made on them. If not, then detailed safeguards need to be described. As if privacy notices weren’t legalese enough.
🔷 Apple’s analytics data include an ID called “dsId” (https://www.digitalinformationworld.com/2022/11/new-report-proves-apples-phone-usage.html): the headline is a bit clickbait-y and I haven’t been able to fully verify the story. The researchers looked into web-based AppStore’s analytics traffic and noticed that it includes a dsId param which is also present in their iCloud account. From this, they infer that iPhones track you using personalized ids. At a minimum, the AppStore they inspected was interacted with using a web browser, which already throws a wrench into the analysis.
🔷 Reproductive Health Rights on the App Store (https://www.nj.gov/oag/newsreleases22/2022-1121_Apple-final-signature-blocks.pdf): a coalition of US attorneys asked Apple to pay special attention to reproductive health apps, including to ensure that they: (1) delete all non-essential data; (2) provide clear notices; (3) that the apps using Apple Health sync ensure the same security & privacy level as Apple itself.
Трудовые споры (Labor Disputes) :: 10.pdf
1.1 MB
#materials #152ФЗ
▫️How should you handle third parties' data received from employees and job applicants?
▫️Can a job applicant be both a data subject and an operator of personal data at the same time?
▫️What to consider when designing a hiring referral program from the standpoint of legislation on
🍒 The full text of the article is above, but you can also read it at the original source.
#events #152ФЗ
Very soon we will hold the event where we will answer your questions about privacy.
Registration
Ask a question via the link.
#ЯрмаркаВакансий
Data protection officer / Head of personal data protection at BCS World of Investments, only on RPPA.ru
#materials #iapp
⛄️I'll flip the calendar page, and it's already December ⛄️
Meanwhile, IAPP has published its annual report, the IAPP-EY Annual Privacy Governance Report 2022; here it is.
#ЯрмаркаВакансий
Head of unit at the DPO Center at Sber.
Head of personal data protection at Inteco.
Only on RPPA.ru