Blog Post
I got a SAR on Monday; searched across my files on Tuesday, extended the deadline on Wednesday; and on Thursday and Friday and Saturday; I disclosed on Sunday (An updated SAR response deadline from the ICO)
The latest updated guidance from the ICO regarding the calculation of the time limit to respond to a subject access request ("SAR") has reduced the amount of time that controllers have to comply with such requests.
Blog Post
CJEU rules that companies using social plugins are liable for the collection and transmission of data
On 29 July 2019, the Court of Justice of the European Union (the "CJEU") ruled that a company embedding on its website a social plugin, such as a Facebook “Like” button, can be considered a data controller, when the inclusion of the plugin results in the browser of a visitor fetching content from the plugin provider and sending personal data of the visitor to that provider. The CJEU found that although the company may not be found responsible for the subsequent processing of data carried out by the social plugin provider, it is nevertheless responsible for facilitating the collection and transmission of data to the plugin provider via the insertion of the plugin on the website.
Blog Post
CNIL publishes revised guidelines on cookies and other tracking technology
Cookies are one of the hot topics of the summer! As announced in our previous blog post, the French Data Protection Authority (CNIL) has adopted on 4th July a revised version of its guidelines on the use of cookies and other forms of online tracking technology (hereafter "Guidelines"), which were published in the French Official Journal on 19 July 2019. In the UK, the ICO also updated its guidelines on cookies a few days ago (see our blog post here). So what exactly has changed? To understand exactly how cookie regulation is evolving, we have summarized in the table below the key elements of the CNIL's Guidelines in comparison with its previous position of 2013.
Blog Post
CNIL issues fine of €180.000 for failure to implement "basic security measures"
On Thursday 25th July, the French data protection authority, the CNIL, announced that it has issued a fine of €180,000 against insurer Active Assurances, on the basis that the company had “breached its obligation to secure personal data provided for by Article 32" of the GDPR.
Blog Post
National transposition of the European NIS Directive: state of play for Belgium
IntroductionOn 3 May 2019, the Belgian Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for the public security (the "Belgian Act")
Blog Post
A few practical tips for managing subject access requests
Data subject access requests often prove one of the most challenging areas of the GDPR for organisations to manage. But it doesn’t have to be that way, and by taking a few practical measures organisations can provide more efficient, consistent and timely DSAR responses.
Blog Post
ICO proposes fines against British Airways and Marriott
Last week was packed in terms of new developments in the area of privacy. On Monday 8th July, the UK's data protection authority, the Information Commissioner’s Office (the ICO), announced its intention to fine British Airways in the amount of £183,390 million (equivalent to about EUR 204 million, which according to media reports, is about 1.5% of the company's worldwide turnover last year) for infringements of the EU General Data Protection Regulation (GDPR). The proposed fine relates to a cyber incident involving user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were allegedly harvested by attackers. The ICO’s investigation found that a variety of information of approximately 500,000 customers was compromised in this incident, including log in, payment card, and travel booking details as well name and address information.
Blog Post
Everyone's talking about cookies!
In the last few days cookies have made the headlines several times – with the CNIL announcing that they intend to make online advertising a "top priority" in 2019 and the ICO releasing first their adtech update report and then, most recently, their updated cookie guidance.
Blog Post
CNIL puts more pressure on the adtech sector
On 28 June 2018, the CNIL issued a statement on its website which says in bold letters that online advertising is a "top priority" for 2019. This leaves little room for doubt. The CNIL is not done with the ad tech business and, on the contrary, is just warming up.
Blog Post
Security: lessons from GDPR fines
Post-GDPR, cyber and data security remain a major practical concern (alongside data subject rights, among other issues), and security compliance failures remain the number one way to a regulatory fine (alongside marketing rules violations, among other compliance failures).