
Author: Privacy Matters

FRANCE: The new Health Information Institute in France

By Carol Umhoefer

In France, the Health Information Institute (‘INDS’) has begun to accept requests for authorisation to access the new National Health Data System (‘SNDS’), as part of measures brought in by Act No. 2016-41 of 26 January 2016 (the ‘Reform Law’). Carol Umhoefer (DLA Piper Partner, Miami) and Jeanne Bossi Malafosse, Partner at Delsol Avocats, assess the new authorisation procedure for the provision of health data access in France, and consider the issues that may arise from its implementation. Read their full article which was first published in Digital Health...


FRANCE: CNIL GDPR guidance for data processors

By Denise Lebeau-Marianna and Caroline Chancé

On September 29, 2017, the French data protection authority (the CNIL) published practical guidance on General Data Protection Regulation (“GDPR”) requirements intended for data processors. The objective is to guide them on how to comply with their new obligations. Under the GDPR, data processors have new responsibilities and liabilities in their own right, and data processors may now be liable to pay damages or be subject to fines or other penalties for non-compliance with the GDPR. The CNIL’s guide explains in a Q&A format the core requirements that all data processors will need to...


ITALY: The role of the data protection officer according to the Italian privacy authority

The role of the Data Protection Officer (DPO), and the requirements the DPO needs to meet, have now been partially clarified by the Italian privacy authority. I often define the role of the DPO as one of the most complex “rebus” of the European General Data Protection Regulation. The matter has been clarified in the past by guidelines of the Article 29 Working Party, but the guidelines still left some “gray areas” of unclarity. In order to deal with some of the open questions, the Italian privacy authority (the Garante) issued its first opinion on the matter, in response to a request from a company....


UK: No ICO notifications, but fees continue under GDPR

By James Clark and Ataikor Ngerebara

The ICO has provided some clarity on how its notification and fee regime will change when the General Data Protection Regulation (“GDPR”) enters into force from May 2018. As expected, the ICO has confirmed that it will drop its requirement for organisations which process personal data (known as ‘data controllers’) to notify the ICO and complete an entry on its register of data controllers. This is consistent with Recital 89 of the GDPR, which calls for “indiscriminate general notification obligations to be abolished”. The abolition of general notification obligations, such as the ICO’s...


FRANCE: CNIL ADOPTS NEW SINGLE AUTHORIZATION ON FRAUD PREVENTION SYSTEMS

Pursuant to several provisions of the French Code Monétaire et Financier, entities from the banking and financial sector are required to implement processes and strategies to detect, measure and manage operational risks within their group (on a consolidated basis). Fraud prevention/detection systems must be adapted to the entities’ activities and to the nature, scale and complexity of the risks inherent to their business model and organization. The French data protection authority (CNIL) has just adopted Single Authorization No. AU-054 (the “AU-054”) on July 13, 2017 in order to cover the processing of personal data implemented in relation to these...


EUROPE: How the EU Privacy Regulation impacts Gaming Affiliates

The EU Privacy Regulation will oblige gaming affiliates to comply with stringent requirements in the processing of personal data of players. I have already discussed the EU General Data Protection Regulation (GDPR) in several blog posts, and how this is going to represent a ground-breaking change in the approach to privacy compliance. And this change in the approach will also impact gaming affiliates, and consequently operators in their selection.

Why gaming affiliates will be obliged to take privacy seriously

The new approach to privacy compliance is due not only to potential sanctions that will be increased to 4% of the global turnover and can...


EUROPE: EU publishes new cybersecurity approach

By Jalil Karim

With daily announcements of major hacks and cybercrime generating concern about serious attacks on essential services and producing hundreds of billions in revenue for organised crime, it is not surprising that Europe regards this issue as one of the top three existential threats it faces, just above immigration and below climate change. The Commission is taking this threat seriously in announcing a comprehensive series of measures to tackle the issue. On 13 September 2017, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy released a Joint Communication titled “Resilience,...


UK: ICO GDPR guidance – Contracts and liabilities between controllers and processors

Introduction

On 1 August we reported on the launch of the International Regulatory Strategy Group’s “Article 28 GDPR ready contractual terms” for use between controllers and processors. The ICO has now launched its draft guidance on this subject. The purpose of the ICO guidance is to explain, in an accessible fashion, the core requirements that all contracts will need to have in place by 25 May 2018. The guidance consists of the relevant provisions of the Regulation, together with a commentary setting out the rationale for these and how they apply in practice. The guidance does not set out...
