Another Belgian DPA decision on how long to keep the e-mail address of an ex-employee alive. The Belgian DPA repeats its position that is now almost constant (but in cases that do not appear to have been appealed): block access to a mailbox on the day of departure, then kill the e-mail address within 3 […]
This is not an AIAct post. Let’s not forget that before 2 August 2026 (the date that matters to most companies re that Act), there are already many other rules that apply – and have applied for some time – to all kinds of AI systems. For instance, data protection rules (such as the GDPR […]
Some seem to suggest that “unavailability of IT system = security incident = personal data breach”. While data protection *authorities* regularly suggest unavailability is a breach, the main EU *law* on data protection, the GDPR, doesn’t say so. Definition of “personal data breach” in Art. 4(12) GDPR: “breach of security leading to the accidental or […]
Does the GDPR mean gender-neutral language is required? Today’s Opinion by Advocate General Szpunar challenges a common practice in certain languages, namely asking for title (“Madame” & “Monsieur” in French) for contract-related communications. Many organisations want the opening line of an e-mail to be personalised in the name of customer service (“Cher Monsieur XX”, “Ch�re […]
A complaint is just that – a complaint. It is not a decision, it is not authoritative. Yet complaints by well-known campaigners and NGOs are spread widely here and on other platforms, while decisions of lower courts (you know, with judges and their decisions that are actually part of the legal order) are claimed by […]
First come, first served! Register now for an exclusive event on 2 September with the Belgian DPA for the 5th anniversary of its Litigation Chamber, in French & Dutch (with live translation into the other language – but no English foreseen). Very honoured to be among the very select group of speakers – and as […]
Art. 64(2) GDPR is really problematic. It’s a horrendous mechanism, as currently applied by data protection authorities and the EDPB: – If a supervisory authority (SA) thinks something is important it can ask an Opinion from the EDPB, which has 8 weeks (+ 6, so 14 in total, in complex cases) to respond. Not much […]
Good analysis by Rob Corbet and his team. [+ thanks for the references to my op-eds!*] We have been advising many companies and associations on this, notably on possibilities to challenge this Opinion (and other EDPB positions) or to influence the coming Guidelines on Consent or Pay. Interesting times ahead regarding subscription models and advertising-based […]
Bias by the EDPB in its “facial recognition in airports” Opinion? “[T]he data storage period [= 48h] is not a decisive factor, on its own merit, for the overall compatibility of said architecture, as such retention periods may be subject to changes by the controllers” (para. 72, page 30). Surprising that they should stress this, […]
What a sight outside during our debate today on “Privacy by Design Online Marketing”, with Tobias Judin ?????? of the Norwegian DPA / Datatilsynet (great exchanges between us of course), Dr. Sachiko Scheuing of Acxiom/FEDMA (ever practical insights into how organisations approach digital marketing) and Luca Bolognini of ICT Legal Consulting (fantastic ideas regarding transparency), […]