EDPS Guidelines on controller, processor, and joint controllers: an overview

On November 7, 2019, the European Data Protection Supervisor (EDPS) [i] issued the Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725 (“Guidelines”). As background, Regulation (EU) 2018/1725 [ii] (“Regulation”) applies to the processing of personal data by the Union institutions, bodies, offices and agencies. The Guidelines aim at providing […]


ICO’s Guidance on legitimate interests

This guidance aims at helping controllers “to decide when to rely on legitimate interests as … basis for processing personal data and when to look at alternatives.” The entire Guidance is helpful but particularly helpful are the sections: “Are there cases when legitimate interests is likely to apply?” The GDPR highlights some processing activities where […]


ICO’s opinion on live facial recognition by enforcement authorities

On October 31, 2019, the UK Data Protection Authority, the Information Commissioner's Office (ICO), published an opinion on live facial recognition (“LFR”) by enforcement authorities: The use of live facial recognition technology by law enforcement in public places (“Opinion”). The ICO points out that a statutory and binding code of practice issued by government, modelled on […]


EDPB’s 14th Plenary Session

On October 8th and 9th, 2019, the European Data Protection Board (“EDPB”), which is the EU body in charge of the application of the General Data Protection Regulation (“GDPR”) and consists of a representative of each EU DPA and of the European Data Protection Supervisor (EDPS), met for its fourteenth plenary session and: – adopted the final […]


Samantha V. Ettari, Handling Internet of Things Data

The author describes the most common cases implicating IoT devices and collected data, how to preserve those data, and how to collect and request them. The author suggests how to effectively extract relevant IoT “information in litigation while balancing the operational and privacy challenges that these new sources of digital evidence raise.” The full […]


EDPS adopts Guidelines on GDPR’s territorial scope

On November 16, 2018, the European Data Protection Board (EDPB) adopted guidelines on the territorial application of the GDPR. Guidelines 3/2018 on the territorial scope of Regulation 2016/679/EU- Version for public consultation. The guidelines are now open to public consultation. The Guidelines aim at clarifying the territorial scope of the GDPR, in particular where the data […]


FTC’s cybersecurity guidance for small businesses

On October 18, 2018, the Federal Trade Commission (FTC) published – along with Department of Homeland Security, the National Institute of Standards and Technology, and the Small Business Administration – guidance for small businesses on how to deal with cyber threats and increase data security. The FTC highlighted a dozen need-to-know topics: Cybersecurity Basics, Understanding […]


ENISA, Technical Guideline on Minimum Security Measures

On October 4, 2014, the European Union Agency for Network and Information Security (ENISA) published the technical guideline for Minimum Security Measures to provide guidance to national regulators on the security measures they should take into account when assessing compliance with the revised Telecommunications Framework Directive. Article 13a of the most recent update of the Telecommunications Framework […]


Records of processing activities of Article 30 GDPR – some model forms

UPDATED November 19, 2019. Article 30 GDPR requires each controller and each processor to maintain a record of processing activities under its responsibility, which must be in writing (including electronic form). Article 30 details the minimum content of the record. Some DPAs have made available model forms and notes for keeping records of processing activities: the […]


Italian DPA allows collection of photos of lawyers participating in e-learning to verify identity

On July 17, 2017, the Italian Data Protection Authority (DPA), the Garante per la Protezione dei Dati Personali, approved the use of computer systems to verify the correspondence between the identity of attorneys enrolled in professional training e-courses (CLEs trainings) and that of people actually connected to the events. The system aims at preventing participants from […]
