What data controllers should do before receiving a subject access request

As a data controller, you obviously know it: one day you may receive an access request from a data subject. Being ready to comply promptly with the request once you receive it is far from enough. Indeed, there is much more that […]

The regulation of Google Analytics between Italy and Germany

In June 2016, the Hamburg data protection authority (hereinafter also "DPA"), in agreement with the other German DPAs, examined the compatibility of Google Analytics with national data protection law. The guidance that emerged from the Hamburg authority's decision appears at first […]

Privacy Shield certification does not mean compliance needs to extend beyond European data

When a US organization decides to self-certify under the EU-U.S. Privacy Shield, compliance with the Privacy Shield principles becomes compulsory. This may be a problem for many US organizations, because certain processing activities that they perform, which are perfectly lawful under American law, are unlawful from a Privacy Shield perspective. Why? And what to do? Let's step […]

Who should you appoint as a DPO? The legal/tech/organizational savvy unicorn?

Article 37(5) General Data Protection Regulation (GDPR) does not list with particularity the professional skills that should be considered when designating the Data Protection Officer (“DPO”). It provides: The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability […]

When does blogging constitute advertising?

In Formal Opinion 2016-196, the California State Bar Ethics Committee dealt with the question of when a blog by a lawyer is subject to the ethics rules on advertising. If a blog is integrated into a lawyer's website, it will be treated as advertising. A separate blog or blog post may or may not be […]

Conflict of interest under the recently issued WP29 opinion on DPOs

In Section 3.5 of the Article 29 Working Party (WP29) Guidelines on Data Protection Officers ("DPOs") (the "Opinion"), the WP29 discusses the issue of conflicts of interest for DPOs. See here for more information on this Opinion. The WP29 points out that while Article 38(6) GDPR allows a DPO to perform "other tasks and duties", the organization must avoid appointments in which those […]

Discovery cooperation and preservation agreements are almost always a good idea

Sanctions for failure to preserve evidence in discovery (or for other discovery abuse) are not the norm, but the case law is growing fast. Courts impose sanctions, for example, when the deletion of electronically stored information is coupled with prejudice to the other side and with some form of bad faith. For example, in GN Netcom, Inc. v. […]

Privacy issues in biometrics

Commercial use of biometric data has increased dramatically in recent years: some software is now able to recognize physical characteristics, such as fingerprints, retinas, hand and facial geometry, as well as voices. This technology makes people's lives easier, as their hand or voice may be enough to access their phone or bank account, and one single click […]

The privacy problem of cookie-free tracking methods: device fingerprinting

Cookie regulation in Europe is quite strict. In a previous blog post we discussed the cookie laws of France, Germany, Italy and the UK, focusing on information to users, user consent and the consequences of violations. However, cookies are not the only method of tracking users. There are cookie-free tracking methods that are similarly invasive, for example […]

Making Sure BYOD Does Not Stand For “Breach Your Organization’s Data”

Originally published in South Carolina Lawyer (March 2016). It is the modern employer's dilemma: do you allow employees to bring their personal smartphones, laptops and tablets to work for business purposes? Do you purchase work devices for them, duplicating what they have? Or do you simply ban use of any personal device for work […]