Can't find what you're looking for? Try the search bar or refine your parameters using the Frameworks & Concepts button above.
Stunned to see that Global Privacy Control won’t work as a refusal mechanism under the GDPR / Digital Omnibus, as it doesn’t support active change notifications. Some context: While the GDPR contains a “data subject request forwarding” obligation regarding erasure, rectification & rectification requests, it doesn’t in relation to consent withdrawal (or objections). In the […]
What is the target audience of the EDPB’s DPIA template? Most who *need* to carry out DPIAs more often have their own templates/tools since 5-10 years. And does it anticipate the Digital Omnibus? Only in part, with the biggest work yet to come. Some comments: 1. On the issue of DPIA requirement screening, its section […]
Judgment analysis: when is a data subject request abusive? Today’s judgment of the EU Court of Justice is significant, though its scope cannot be misused either. These excerpts are essential reading for data protection practitioners: (EDIT: English version now available, quotes updated) Para 27: “It cannot therefore be ruled out […] that a […]
[This is a translation of an op-ed in French that was published in the French journal Revue Politique on SRB and the Digital Omnibus, plus the newest EDPB & EDPS Joint Opinion on the topic. The original in French can be found on the Revue Politique website. + The banner image is a jest – […]
When do contracts have to be provided in response to a data subject access request? And should a controller maintain a copy thereof to enable data subject requests? A new Belgian DPA decision deals with this issue, applying the EU Court of Justice’s CRIF judgment to the issue of bank account contracts. Article 15 GDPR […]
Yes, the EU Data Act is now largely applicable, but what are the actual concerns and opportunities? In my discussions with various organisations, there has been one common fear: does this mean that I have to make all data concerning connected devices, including business-confidential information, available to everyone? The answer, as often in law, is […]
Belgian DPA: 100k EUR fine for a controller for not responding during 14 months to a data subject access request. [Decision of 23 August 2024; fine:
Does training of AI systems involve the processing of personal data, and is it permitted under the GDPR? These were the two fundamental questions that I have already looked into in two previous articles: On the date of that second article, the Cologne Higher Regional Court (the Oberlandesgericht Köln – the Cologne HRC) delivered a […]
The European Commission’s announcement that it will consider simplifying regulatory regimes, notably in relation to data and technology, seems to open Pandora’s box. Is it a chance to draw lessons from what works well and what works less well? In this series on “Better Regulation” in relation to the digital economy, I will be exploring […]
Yesterday, I had the pleasure of giving a 5h presentation on the latest case law on the GDPR and other data protection legislation at various levels (Belgium, other EU countries, the Court of Justice and the European Court of Human Rights) to Data Protection Officers from a broad range of organisations and companies. The past […]
