A breach happens. What now? When are you "aware", how do you assess the risk – and who do you need to notify? 📝 Homework: download the revised breach flowchart, tailor it to your organisation and ensure you have a step-by-step process in place.
[12 Feb: 🇩🇰 DPA webinar coming up!] [29 Jan: 🇩🇰 DPA applies dreaded EDPB Opinion and signals enforcement change. Must-read for 🇩🇰 folks but crucial to everyone using 🇺🇸 processors] Datatilsynet's landmark decision of 2022 to ban certain use of Google products and US transfers.
Weird DPA conclusion on controller's responsibility 🤔, will wait for the final decision | 🇳🇴 Datatilsynet notifies Helseplattformen of their intent to order fixes to serious organisational and (less serious) technical deficiencies.
After first flagging a fine with a potential starting point of £97m, the 🇬🇧 DPA heavily reduced it after several mitigating factors we can all learn from. A decision packed with practical lessons for DPOs, data protection and security teams alike!
UPDATE 1 Jan: Summary + full decision published! The DPC fines Meta for failing to safeguard users' passwords (storing them in plaintext!) and for notifying the breach too late.
⏰ Quickly deal with data breaches and listen to the DPA to reduce the chance of a fine (and keep access logs >3 months). DPAs aren't required to exercise a corrective power, such as imposing a fine, if it is not appropriate, necessary or proportionate to remedy the violation and ensure full GDPR compliance.
Meta failed to properly notify and document a breach affecting 3m EEA Facebook users and to build in data protection requirements throughout the design and development cycle.
The 🇳🇴 University of Agder was fined €12,500 (NOK 150k) for failing to secure personal data on Teams/SharePoint and insufficient internal controls. Short decision, several takeaways for everyone!
🇫🇷 Massive breach and what we can learn immediately from it: data minimisation, deletion, breach response plans - and communication that people actually understand!
This case is not only a goldmine for DPOs in the Swedish healthcare sector (although particularly so), but for DPOs in general, for assessing roles, legal bases and processor liability.