audits Archives - TechGDPR (https://techgdpr.com/blog/tag/audits/), feed last updated Wed, 11 Jun 2025 11:07:59 +0000

Seven Actionable Steps to Achieve GDPR Compliance for E-Commerce Businesses
https://techgdpr.com/blog/seven-actionable-steps-to-achieve-gdpr-compliance-for-e-commerce-businesses/
Wed, 07 May 2025 10:49:42 +0000

The post Seven Actionable Steps to Achieve GDPR Compliance for E-Commerce Businesses appeared first on TechGDPR.

GDPR compliance helps businesses ensure transparency, build customer trust, strengthen data security, and avoid fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Many companies, including Amazon, LinkedIn, Clearview, and Netflix, have faced significant fines for data protection failures.

E-commerce businesses process large amounts of personal data, including contact details, payment information, and browsing history, all of which must be protected. By implementing strong data protection practices and security measures such as encryption and access controls, businesses can reduce the risk of breaches and cyberattacks.

GDPR compliance for e-commerce businesses demonstrates a commitment to protecting customer privacy and encourages continued customer relationships, giving compliant businesses a competitive advantage over those that are not.

Here are seven actionable steps that may help e-commerce businesses navigate GDPR compliance effectively.

Conduct a data audit 

When deciding to work towards GDPR compliance in e-commerce, it is important to start by conducting a comprehensive inventory of data collection processes. 

The steps to carry out the audit could include:

  • Identify all personal data categories collected, such as contact details, payment details, and activity logs, and the granular purposes this collection serves. Determining the retention period is important, as the GDPR does not allow indefinite retention.
  • Review how and where personal data is collected and stored, whether on cloud servers, local databases, or third-party platforms. Regularly review third parties and minimize retention periods, with clear specifications on when data will be securely deleted. Additionally, document the security measures implemented to protect the data.

Access and consent management

Access to customer data should be limited to authorized employees, IT administrators, and vetted third-party providers on a need-to-know basis.

Consent for cookies can be effectively implemented through a cookie banner, allowing users to manage or withdraw consent anytime. Use clear opt-in mechanisms for newsletters, cookies, and marketing, avoiding pre-checked boxes. Maintain consent logs for audit compliance, ensuring each data use has separate, revocable consent without affecting core services.
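The consent-log requirement above (separate, revocable consent per purpose, no pre-checked boxes, a record that survives for audit) maps onto a small append-only ledger. The following is an added example, not code from TechGDPR or from any consent-management product; the purpose names, user IDs and notice versions are hypothetical.

```python
"""Append-only consent ledger: one revocable consent per purpose, auditable history.

Added example (not TechGDPR's code). Purpose names, user IDs and notice
versions are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Purposes that rest on consent and must be asked for separately. Processing
# that rests on the contract (e.g. fulfilling the order) is deliberately NOT
# in this set: withdrawing marketing consent must never block core services.
CONSENT_PURPOSES = {"newsletter", "marketing_cookies", "analytics_cookies"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool            # True = opt-in, False = withdrawal
    recorded_at: datetime    # when the choice was made (informational)
    notice_version: str      # which privacy notice / banner text was shown
    source: str              # e.g. "cookie_banner", "account_settings"


@dataclass
class ConsentLedger:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, user_id: str, purpose: str, granted: bool,
               notice_version: str, source: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in CONSENT_PURPOSES:
            raise ValueError(f"{purpose!r} is not a consent-based purpose")
        ev = ConsentEvent(user_id, purpose, granted,
                          at or datetime.now(timezone.utc), notice_version, source)
        # Never update in place: the full history is the audit trail.
        self.events.append(ev)
        return ev

    def latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recently recorded choice for this user/purpose (ledger order)."""
        for ev in reversed(self.events):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """Default is 'no': absence of a record is not consent (no pre-checked boxes)."""
        if purpose not in CONSENT_PURPOSES:
            raise ValueError(f"{purpose!r} is not decided by consent")
        ev = self.latest(user_id, purpose)
        return bool(ev and ev.granted)

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Everything recorded for one user, e.g. for an access request."""
        return [ev for ev in self.events if ev.user_id == user_id]


def demo() -> dict:
    """Opt-in, then withdrawal of one purpose; the other purpose stays untouched."""
    ledger = ConsentLedger()
    ledger.record("u1", "newsletter", True, "notice-v3", "checkout_form")
    ledger.record("u1", "analytics_cookies", True, "banner-v2", "cookie_banner")
    ledger.record("u1", "newsletter", False, "notice-v3", "account_settings")
    return {
        "newsletter": ledger.has_consent("u1", "newsletter"),
        "analytics_cookies": ledger.has_consent("u1", "analytics_cookies"),
        "marketing_cookies": ledger.has_consent("u1", "marketing_cookies"),
        "events_for_u1": len(ledger.history("u1")),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that a check such as has_consent never reads a mutable "consented: yes/no" flag; it reads the last event for that purpose, so a withdrawal is a new record rather than an overwrite, and the history shows which notice version the person actually saw.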

Review and update privacy notice

A company's privacy notice should be clear, easily understood, and transparent, both to ensure GDPR compliance and to build customers' trust. The privacy notice should clearly state:

  • What data you collect (e.g., personal details, payment information, browsing behaviour),
  • Why it is collected and how it is used, including each purpose of processing, and
  • How customers can exercise their rights, such as requesting data deletion or correction.

It is important to regularly review and update one’s privacy notice in order to reflect any changes in data collection, processing, or legal regulations to maintain compliance.

Enhance security to protect customer information

With the rise of cyber attacks worldwide, protecting personal data is an essential aspect of GDPR compliance for e-commerce businesses. Customers trust businesses with sensitive information: payment details, addresses, and browsing history. Strong data security measures reduce the likelihood of a breach, while a structured incident response plan ensures quick recovery and minimizes damage when one does occur.

To minimize security risks, e-commerce businesses may implement:

  • Encryption in transit and at rest: Encrypt sensitive customer data both in transit (TLS on every connection) and at rest, so that even data that is intercepted or copied from storage cannot be read without the encryption key. TLS should be standard for all online transactions.
  • Multi-factor authentication (MFA): Require an additional verification step, such as a one-time password (OTP) or biometric factor, for access to systems holding personal data. This reduces account takeover through stolen or guessed passwords.
  • Regular security audits: Routine assessments identify vulnerabilities before they are exploited, helping to prevent data leaks and to demonstrate GDPR compliance.
  • Access control and monitoring: Role-based access control (RBAC) restricts each user to what their predefined role needs, so that only authorised personnel can reach sensitive personal data, and access logs make that reach visible.

Investing in robust data security could create a security plan which protects customers and also ensures GDPR compliance in all operations.

Offer employees training

Employees are the first line of defence in data protection, so regular, comprehensive GDPR training is important for e-commerce businesses. Many breaches are caused by human error, such as mishandling sensitive data or falling for phishing. The employer is responsible for ensuring that employees are well trained on data protection and compliance requirements.

Businesses should provide ongoing training and workshops to regularly update the employees knowledge on data protection, evolving threats, and regulatory changes to raise awareness within the organization.

Establish data subject rights procedure

Under the GDPR, data subjects have rights, including access, erasure, rectification, and objection, that give them control over their personal data.

E-commerce businesses must have clear procedures for handling and responding to these requests efficiently. The GDPR requires a response within one month of receipt (extendable by two further months for complex or numerous requests, provided the data subject is informed within the first month); delays or non-compliance can lead to fines.

To ensure compliance, businesses may:

  • Appoint a data protection officer (DPO) where one is required (the European Commission publishes guidance on when this applies), or an internal team working under the guidance of a DPO, to monitor compliance and data protection issues. Appointing an external DPO is often easier and more cost effective than building the role in-house.
  • Create a clear and accessible process for handling data subject requests, such as an email address or request form on the website.
  • Implement automated tools to manage and track data subject requests within the required time frame.
  • Keep records of all requests to demonstrate compliance if audited.
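The one-month deadline and the two-month extension are what an automated tracker has to compute correctly, and the awkward case is month arithmetic (a request received on 31 January cannot be due on "31 February"). The following is an added example, not TechGDPR's code; it assumes the convention that a one-month period ends on the same calendar day of the following month, falling back to the last day of that month when that day does not exist. Request IDs and dates are constructed.

```python
"""Deadline tracking for data subject requests (Art. 12(3) GDPR).

Added example, not TechGDPR's code. Assumes a period of one month ends on
the same calendar day of the next month, or the last day of that month if
the day does not exist (31 Jan -> 28/29 Feb). Request data is constructed.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Same day N months later, clamped to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class DataSubjectRequest:
    request_id: str
    kind: str                  # "access", "erasure", "rectification", "objection"
    received: date
    extended: bool = False     # two further months for complex/numerous requests
    completed: Optional[date] = None
    log: List[str] = field(default_factory=list)   # audit trail of decisions

    def deadline(self) -> date:
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, on: date, reason: str) -> None:
        """Extension must be decided, and the person told, within the first month."""
        if on > add_months(self.received, 1):
            raise ValueError("extension must be notified within the initial month")
        self.extended = True
        self.log.append(f"{on.isoformat()} extended: {reason}")

    def complete(self, on: date) -> None:
        self.completed = on
        self.log.append(f"{on.isoformat()} completed")

    def status(self, today: date) -> str:
        if self.completed is not None:
            return "completed" if self.completed <= self.deadline() else "completed_late"
        return "open" if today <= self.deadline() else "overdue"


def overdue_requests(requests: List[DataSubjectRequest], today: date) -> List[str]:
    """IDs of open requests past their deadline, for the daily escalation report."""
    return [r.request_id for r in requests if r.status(today) == "overdue"]


if __name__ == "__main__":
    req = DataSubjectRequest("req-1", "access", date(2025, 1, 31))
    print(req.deadline())                      # 2025-02-28, not an invalid 31 Feb
    req.extend(date(2025, 2, 10), "large volume of order logs to review")
    print(req.deadline(), req.status(date(2025, 5, 1)))
```

Keeping the decision log on the request object is what makes the "keep records of all requests" step cheap: the reason for any extension and the completion date are already there when a supervisory authority asks.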

Review third-party agreements

E-commerce businesses sometimes utilize third-party vendors, such as payment processors, cloud storage providers, and marketing platforms, to handle customer data. Therefore, it’s crucial to ensure these vendors comply with data protection regulations to safeguard customer information and avoid potential risks.

Under the GDPR, a data processing agreement (Article 28) with a third-party vendor is required whenever the vendor processes personal data on your behalf.

Here are steps that could be considered to manage risks associated with third-party vendors:

  • Identify all third party vendors that process customer data and assess their data security measures.
  • Ensure that all vendors handling personal data have a data processing agreement in place, outlining responsibilities, security measures, and data processing activities.
  • If a vendor transfers data outside the EU/EEA, ensure that a valid transfer mechanism is used (e.g. an adequacy decision or Standard Contractual Clauses).
  • Regularly review vendor policies, conduct security audits, and ensure that the vendors comply with GDPR requirements.

Conclusion

By implementing these seven actionable steps, e-commerce businesses can mitigate risk, protect customer data, avoid penalties, and build trust.

Hiring an external DPO, either in the absence of an internal data protection team or to advise and support an internal DPO, helps ensure proper compliance with the GDPR and can become a competitive advantage in the market.


Data protection digest 18 Jun – 2 Jul 2024: end-to-end algorithmic audit, DPOs for small business, Vinted fine
https://techgdpr.com/blog/data-protection-digest-04072024-end-to-end-algorithmic-audit-vinted-fine-dpo-for-small-businesses/
Thu, 04 Jul 2024 08:22:11 +0000


In this issue we look at an end-to-end algorithmic audit, Vinted multimillion fine, Meta and Apple AI projects frozen in the EU, the fight against addictive feeds to minors in the US, and the Avanza Bank and Meta Pixel error case.


End-to-end algorithmic audit

The EDPB offers a non-binding auditing methodology for AI systems, specifically focused on impact assessment. A socio-technical, end-to-end algorithmic audit (E2EST/AA), should inspect a system in its actual implementation, processing activity and running context, looking at the specific data used and the data subjects impacted. It is designed to inspect algorithmic systems used in ranking, image recognition and natural language processing. An AI system may be composed of several algorithms, and an AI service or product may include several AI systems. 

It is also an iterative process of interaction between the auditors and the development teams. The method provides templates and instructions to guide such interaction, specifying the data inputs that are necessary for auditors to complete the assessment and validate results. In particular, one of them is ‘Model cards’ – documents designed to compile information about the training and testing of AI models, as well as the features and the motivations of a given dataset or algorithmic model. 

Vinted fine

The Lithuanian Data Protection Inspectorate VDAI imposed a 2,385,276 euro fine on Vinted, an online second-hand clothing trade and exchange platform. Violations concern transparency of information, notification and conditions for the data subject rights. VDAI investigated the 2021 and 2022 complaints from applicants forwarded by the French and Polish supervisory authorities regarding the company’s possible improper implementation of their requests for data deletion, (“right to be forgotten”), and the right to access data.

In response to the requests, the company stated that it would not take action because the individuals did not detail their requests following Art. 17 of the GDPR. It was also established that to ensure the platform’s and its users’ safety, the company applied “shadow blocking” without individuals knowing about such processing, (and thus unable to exercise other rights established by the GDPR and their remedies). In addition, the company did not take sufficient technical and organisational measures to ensure and to be able to demonstrate that it took, (or reasonably refused to take), steps regarding the right to access the data. 

Meta non-compliance under DMA

The European Commission stated Meta’s “Pay or Consent” advertising model failed to comply with the Digital Markets Act. The binary choice forces users to consent to the combination of their data and fails to provide them with a less personalised but equivalent version of Meta’s social networks. In response to regulatory changes in the EU, Meta introduced a binary offer whereby EU users have to choose between a subscription for a monthly fee to an ads-free version, or free-of-charge access with personalised ads.

The possible solution would be for users who do not consent to still get access to an equivalent service which uses less of their data. In case of non-compliance, the Commission can impose fines of up to 10% of the gatekeeper’s total worldwide turnover. Such fines can go up to 20% in the case of repeated infringement. The Commission is also empowered to adopt additional remedies such as obliging a gatekeeper to sell a business or parts of it or banning the gatekeeper from acquisitions of additional services.

Non-material damage under the GDPR

The CJEU has found that the damage caused by a personal data breach is not inherently less serious than a physical injury. In the related case, a data controller managed a trading application in which a data subject opened accounts and entered personal data to do so. In 2020, their data were seized by third parties whose identity and purposes remain unknown. 

An individual requesting compensation under the GDPR must prove not only that the infringement occurred but also that the violation caused them harm; this cannot be automatically assumed. In the event of identity theft, as in the above case, the data must have been misused by a third party. Also, determining the damages payable is up to the legal system of each Member State in each given context. 

Apple AI delayed in the EU

Apple decided to delay the release of three new AI features in Europe due to EU competition regulations requiring competing goods and services to be compatible with its devices. The company is concerned that meeting the interoperability requirements of the Digital Markets Act may force compromises to the integrity of its devices that endanger user privacy and data security. The features will debut in the US this autumn, but they won't reach Europe until 2025.

More legal updates

US privacy legislation: On July 1, the Florida Digital Bill of Rights, Oregon Consumer Privacy Act, and Texas Data Privacy and Security Act entered into effect, joining California, Colorado, Connecticut, Virginia, and Utah. Among many things, they guarantee consumers rights to access, correct, and delete their data and to opt out of its sale, of targeted advertising, and of certain profiling. There are also provisions relating to data minimisation, children's data, sensitive data consent, biometric data, and impact assessments.

Foreign adversaries: On June 23, the Protecting Americans' Data from Foreign Adversaries Act of 2024 entered into effect. It makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, or otherwise make available specified personally identifiable sensitive data of individuals who reside in the US to North Korea, China, Russia, Iran or an entity controlled by those countries. Sensitive data includes government-issued identifiers, financial account numbers, biometric information, genetic information, precise geolocation information, and private communications.

Minors’ data: To safeguard children’s internet privacy, New York State established new laws. The SAFE For Kids Act defines operators that offer minors an “addictive feed” as a major component of their online or mobile service. Addictive feeds rely on the user’s past interactions, privacy or accessibility settings related to their device, content displayed or blocked by the user, private communication, search inquiries, chronological order etc. The other piece of legislation – the Child Data Protection Act governs, (GDPR-enhanced), processing obligations of relevant minors’ data by operators, processors and third parties. 

More official guidance


Messenger standardised audit: The EDPB offers the Standardised Messenger Audit initiative to inspect any messenger service used within businesses from a data protection perspective. It consists of two documents – the requirement catalogue and the audit methodology. The requirements within this catalogue are formulated in such a way so that a distinction is made between MUST, SHOULD and MAY requirements of the respective data protection principles. It is also closely based on the structure and outline of the GDPR.

Data processor: According to the Latvian data protection regulator, for an organisation to be considered a processor, it must meet two basic conditions – be a separate and independent organisation and process personal data on behalf of the controller. The organisation usually appoints a processor when it needs more knowledge, resources, etc. Finding such a processor would require a feasibility study: compliance of the set of security requirements chosen by the processor with the controller’s wishes and needs, reputation, and responsibility. Finally, the signing of the agreement indicates the readiness of both parties to cooperate. Further guidance can be read here.

Joint controllership: The Bavarian State Data Protection Commissioner publishes new guidance, (in German), on the legal concept where two or more controllers jointly determine the purposes and means of processing. The GDPR requires a clear allocation of responsibilities, including where a controller determines the purposes and means of processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. However, joint responsibility may still seem less “familiar” than the contractual data processing that has always been established. 


DPOs getting into small business

The Data Protection Officer is a profession that is increasingly represented in small enterprises, according to the French data protection regulator CNIL. The regulator came to this conclusion after a survey of 3,625 DPO respondents in the country, including 2,842 internal, 366 shared and 417 external. Certain characteristics, such as the age distribution, territorial spread, and contract type, have stabilised, but others have changed significantly between 2019 and 2024: 57% of respondents now work in structures with fewer than 250 employees (+19% compared to 2019). Also, 91% are convinced of the social usefulness of the DPO's function and profession for the protection of customers', users' and citizens' personal data.

Digital identity

The US NIST meanwhile has launched a collaborative project to adapt its digital identity guidelines to support public benefits programs, such as those designed to help beneficiaries pay for food, housing, medical and other basic living expenses. In response to heightened fraud and related cybersecurity threats during the COVID-19 pandemic, some benefits-administering agencies began to integrate new safeguards such as individual digital accounts and identity verification, also known as identity proofing, into online applications.

However, the use of certain approaches, like those reliant upon facial recognition or data brokers, has raised questions about privacy and data security, (and potential biases that disproportionately impact communities of colour and marginalized groups).

Enforcement decisions

Avanza Bank and Meta Pixel: Sweden's privacy regulator fined Avanza Bank AB 1.3 million euros for failing to implement security measures, leading to the unauthorised transfer of personal data of more than half a million data subjects to Meta after two functions of the Meta Pixel analytics tool were accidentally turned on. The controller used Meta Pixel to measure the effectiveness of the bank's Facebook advertising. Two new functions of the tool, Automatic Advanced Matching and Automatic Events (which capture recognisable form fields and buttons used on the page), were activated by mistake.

Avast browsing data: The US Federal Trade Commission will require Avast to pay 16.5 million dollars and prohibit the company from selling or licensing any web browsing data for advertising purposes. The FTC alleged that UK-based Avast Limited, via its Czech subsidiary, unfairly collected consumers' browsing information through the company's browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent.

Car retail software: A cyber outage at a major retail software provider for automobile dealers delayed car sales throughout North America, (approx. 15,000 retail locations), the Guardian reports. CDK, which provides different kinds of software to car dealerships, proactively shut down most of its systems but is working to reinstate its services. 

Cloud banking security

In terms of data security, operational continuity, and regulatory compliance, outsourcing cloud services to outside providers entails serious risks, according to a new analysis by DLA Piper. One example is financial institutions that retain full operational responsibility even when they outsource critical services. This includes risk management, performance monitoring, and vendor selection. To that end, the EU has established two legal frameworks concerning the provision of cloud and ICT services, (DORA, NIS 2), complementing guidelines issued by the European Central Bank.  

Neuro data processing

In addition to privacy and data protection, fundamental rights such as human dignity and physical and mental integrity are jeopardised by certain uses of neuro data, states an EDPS analysis. The use of AI systems may also make the exploitation of neuro data by private entities for workplace or commercial surveillance technically possible. Certain uses of neuro data pose unacceptable risks to fundamental rights and are likely unlawful under EU law.

In other cases, mitigating techniques should always include impact assessments, data minimisation, transparency, accuracy, necessity and fairness of processing, local storage of raw data, efficient anonymisation for re-use and analysis, (eg, controlling specific aspects of a videogame, monitoring concentration in educational environments, managing chronic pain by modifying brain activity, etc).


Improving GDPR compliance with the EDPB Website Auditing Tool
https://techgdpr.com/blog/edpb-website-auditing-tool/
Mon, 25 Mar 2024 16:26:02 +0000


The EDPB Website Auditing Tool, or EDPB WAT, was recently released to help monitor websites' compliance with the GDPR. It is a free software project meant to help analyze websites. The tool drives a Chromium browser via a webdriver to access a URL, then records which external resources and cookies are loaded by the website. It is important for companies to assess their websites regularly so that they have a complete understanding of their processing activities; it is the data controller's responsibility to ensure that its website complies with the GDPR.

The EDPB audit tool can be installed directly from the source code or through pre-built releases. There is a version for easy installation on Linux, Windows, and MacOS machines. One can also download the official source code of the EDPB WAT tool rather than the pre-compiled application file. 

Capabilities of the EDPB Website Auditing Tool

With the tool, individuals are able to start new analyses of a website. There is the possibility to create multiple scenarios such as: 

  • No cookies accepted; 
  • Reject all;  
  • Accept all; and
  • Any other categorization of cookies available on the website for example:  performance, marketing, etc. 

For each of these scenarios, the cookies and external sources loaded are collected by the tool to form a report. The user of the tool is then able to test out different banner and consent box options. This allows for them to inspect how the user experience changes. In assessing various consent box options, the tool allows for easy verification that all the cookies are correctly categorized. This ensures that no non necessary cookie is loaded without permission from the user. 

By using the EDPB WAT, one is able to analyze different aspects of a website such as: 

  • Which cookies are loaded for various consent scenarios; 
  • Local storage that is being used; 
  • Verifying the use of HTTPS (TLS) to protect the flow of data to and from the website; 
  • Traffic analysis to identify what requests are being made; 
  • Identifying whether any web forms on the website submit over an unencrypted connection, so that anything that could be personal data is sent securely; and 
  • The presence of any web beacons. 

How to get started

The program can be installed through an application installer for Linux, Windows, and MacOS. One is also able to download the source code directly. For easy installation, using the pre-configured installers is recommended for simplicity. The EDPB also released official guidance to use in conjunction with the tool and that can be accessed here.

Testing out the EDPB WAT: An example

After installing EDPB WAT, one can easily test out the capabilities of the tool by requesting a specific URL for the tool to access. Consider the URL: website.com which is owned by CompX and has a cookie banner with “Accept All” and “Reject All” as the only two options for consent. 

Since there is a cookie banner present, there are three scenarios that we need to assess. 

  1. Accept All → When the option to “Accept All” is chosen, review all of the scripts, resources and cookies that are loaded. 
  2. Reject All → When the option to “Reject All” is chosen, it is important to review 
  3. No consent given  → It is important to see if any cookies, resources or scripts are loaded even if one does not interact with the cookie banner.

The tool will then access that URL and collect data for the chosen consent option. When assessing the website scenarios one can label each scenario as compliant, not compliant, or indeterminate; the same labels can be applied to the individual cookies set by the website. If website.com were found to be setting third-party advertising cookies after "Reject All" is chosen, that would be a violation of the GDPR and the ePrivacy Directive.
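The three scenarios above, the per-cookie knowledge base mentioned further down, and the HTTPS/form checks from the capabilities list all reduce to one classification pass over what a scan collected. The following is an added example, not the EDPB WAT's own code; the scan records, the cookie knowledge base (apart from the well-known _ga and _fbp names), the tracker host list and the website.com/CompX names are constructed for the example.

```python
"""Classify cookies and requests collected per consent scenario, WAT-style.

Added example, not the EDPB WAT's own code. The scan records, the cookie
knowledge base and the tracker host list are constructed; website.com is the
hypothetical first party from the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

SITE_HOST = "website.com"   # audited first party (hypothetical)

# Knowledge base: cookie name -> category, built up over successive audits.
COOKIE_KB: Dict[str, str] = {
    "PHPSESSID": "necessary",
    "cookie_consent": "necessary",
    "_ga": "analytics",
    "_fbp": "marketing",
}
# Hosts whose mere loading implies tracking (constructed list for the example).
TRACKER_HOSTS = {"www.google-analytics.com", "connect.facebook.net"}


@dataclass
class ScanResult:
    scenario: str                  # "accept_all" | "reject_all" | "no_interaction"
    cookies: List[str]             # cookie names observed after the scenario ran
    requests: List[str]            # URLs requested by the page
    form_actions: List[str] = field(default_factory=list)   # <form action> targets


@dataclass
class Finding:
    scenario: str
    severity: str                  # "not_compliant" | "indeterminate" | "info"
    detail: str


def _host(url: str) -> str:
    return urlsplit(url).hostname or ""


def audit(scan: ScanResult) -> List[Finding]:
    """Apply the scenario rules: without consent only 'necessary' may load."""
    findings: List[Finding] = []
    consent_given = scan.scenario == "accept_all"
    for name in scan.cookies:
        category = COOKIE_KB.get(name)
        if category is None:
            findings.append(Finding(scan.scenario, "indeterminate",
                                    f"cookie {name}: not in knowledge base, classify manually"))
        elif category != "necessary" and not consent_given:
            findings.append(Finding(scan.scenario, "not_compliant",
                                    f"cookie {name} ({category}) set without consent"))
    for url in scan.requests:
        host = _host(url)
        if host in TRACKER_HOSTS and not consent_given:
            findings.append(Finding(scan.scenario, "not_compliant",
                                    f"request to tracker {host} without consent"))
        elif host != SITE_HOST and not host.endswith("." + SITE_HOST):
            findings.append(Finding(scan.scenario, "info", f"external resource: {host}"))
    for action in scan.form_actions:          # applies in every scenario
        if urlsplit(action).scheme != "https":
            findings.append(Finding(scan.scenario, "not_compliant",
                                    f"form submits over an unencrypted connection: {action}"))
    return findings


def verdict(findings: List[Finding]) -> str:
    severities = {f.severity for f in findings}
    if "not_compliant" in severities:
        return "not_compliant"
    if "indeterminate" in severities:
        return "indeterminate"
    return "compliant"


def audit_site(scans: List[ScanResult]) -> Dict[str, str]:
    return {scan.scenario: verdict(audit(scan)) for scan in scans}


# Constructed scan output for the three scenarios described in the text.
SAMPLE_SCANS = [
    ScanResult("accept_all", ["PHPSESSID", "cookie_consent", "_ga", "_fbp"],
               ["https://www.google-analytics.com/collect", "https://connect.facebook.net/fbevents.js"],
               ["https://website.com/newsletter"]),
    ScanResult("reject_all", ["PHPSESSID", "cookie_consent", "_fbp"],
               ["https://connect.facebook.net/fbevents.js"]),
    ScanResult("no_interaction", ["PHPSESSID", "cookie_consent", "shop_ab_variant"],
               ["https://cdn.website.com/app.js"]),
]

if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        print(scan.scenario, verdict(audit(scan)))
        for f in audit(scan):
            print("  ", f.severity, f.detail)
```

The unknown-cookie path is the one worth keeping: a scanner that silently treats an unclassified cookie as harmless turns a gap in the knowledge base into a false "compliant" verdict, so unknowns are surfaced as indeterminate for a human to categorise, after which the knowledge base grows and the next scan is more precise.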

Regular use of this tool on one’s own website and other websites allows for an understanding of which technologies are used by competitors as well as potentially granting the upper hand in contract negotiations,  in order to  prove a higher level of compliance to EU regulations. The WAT tool also allows for the manual creation of a knowledge base for cookies which can be created over time through the assessment of various websites. 

[Figure: screenshot of the EDPB Website Auditing Tool]

How is the EDPB Website Auditing Tool helpful for businesses?

It is important to be aware of all of the resources used by a website in order to ensure compliance with the GDPR. This tool allows for a quick overview of what resources are called, and how these are placed, or utilized by a website. In order to maintain compliance with the GDPR, it is important to understand how a website might impact a visitor through potentially the setting of cookies, usage of local storage or calls to external resources. 

The performance of regular website audits by a business can help to ensure: 

  • compliance with legal requirements such as the GDPR and the ePrivacy Directive; 
  • a way of addressing potential unknown risks on a website such as unintentionally set cookies; 
  • trust and transparency with website visitors; and 
  • improved website performance. 

The EDPB WAT can be helpful to determine the current level of compliance for a website or an organization, and to stay aware of how a website changes over time. With the tool, a website owner can assess how the technologies that make up the site affect the visitor. WordPress, for example, is the largest content management system, powering over 40% of websites on the Internet, and developers may add plugins that set cookies without anyone noticing.

Through a quick scan using the EDPB WAT one is then able to easily find out about the oversight and fix the issue before it becomes a citable instance of noncompliance under the GDPR and/or ePrivacy Directive. 

How we use the EDPB Website Auditing Tool

TechGDPR performs website audits on behalf of organizations to analyze the current state of compliance for a website. With the release of this new tool by the EDPB, we will integrate the use of the EDPB WAT into the technical assessment methodology. By leveraging this tool, we at TechGDPR aim to enhance the effectiveness and efficiency of the website audit performed on behalf of our clients. When appointed as an organization’s DPO, TechGDPR performs annual website audits to work towards GDPR and/or ePrivacy compliance. Feel free to reach out to TechGDPR if you are interested in having an in-depth, independent audit carried out beyond the capabilities of the EDPB WAT tool. 


Weekly digest Dec 27 – Jan 2, 2022: Intelligent transport, Oracle and Salesforce court victory, the death of Blackberry, fan tokens
https://techgdpr.com/blog/weekly-digest-03012022-eu-intelligent-transport-oracle-salesforce-court-victory-the-death-of-blackberry-fan-token/
Mon, 03 Jan 2022 10:13:42 +0000


TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: EU Intelligent transport, Oracle and Salesforce court victory, discriminating AI in DC, privacy in Ukraine

The European Commission revised its Intelligent Transport Systems (ITS) Directive to advance smart mobility. The aim is to stimulate the faster deployment of new, intelligent services, by proposing that certain crucial road, travel and traffic data is made available in digital format. ITS applies information and communication technologies such as journey planners, eCall, and automated driving in transport. Since 2010, the ITS Directive has been the tool to ensure the coordinated deployment of such systems across the EU, based on European specifications and standards. The revision includes:

  • an extension of the Directive's scope to multimodal information (apps to find and book journeys that combine public transport, shared car or bike services),
  • communication between vehicles and infrastructure to increase safety and mobility,
  • the collection of crucial data and the provision of essential services, such as real-time information services informing the driver about accidents or obstacles on the road,
  • updated obligations on the security of personal data under the GDPR, drafted in consultation with the EDPS, and a reminder that controllers must comply with their obligations,
  • anonymisation as one of the techniques for enhancing individuals' privacy. Read the full text of the proposal here, and the Annex here.

A court in the Netherlands has ruled that a billion-euro claim against Oracle and Salesforce is not admissible. The Privacy Collective (TPC) foundation filed a lawsuit against the two tech giants in 2020 for violations of the GDPR. The two US-based companies reportedly collected data from at least 10 million Dutch internet users for advertising purposes and created a tradeable personal profile of each web surfer. TPC claimed 500 and 600 euros per victim from Salesforce and Oracle respectively; the latter is also said to have leaked data. TPC appealed to the public online in a case brought under the Mass Damages in Collective Action Settlement Act: by clicking an icon with the text "support with 1 click", internet users could back the claim. The initiative received 75,000 statements of support.

According to the court, however, it is not possible to determine with these ‘likes’ whether the foundation really stands up for enough injured parties. No contact details are registered for the internet users who ‘clicked’. In addition, TPC is unable to maintain contact with its supporters, which is an important condition of the law. TPC is considering an appeal.

The use of artificial intelligence to determine access to credit and other important life opportunities has been targeted by the District of Columbia, Venable LLP reports. DC's Attorney General has introduced the "Stop Discrimination by Algorithms Act of 2021", which may be considered through January 1, 2023. The proposed legislation adds civil rights protections to shield communities from alleged harm caused by algorithmic bias by:

  • prohibiting the use of algorithms that produce biased and unfair results;
  • requiring annual audits, with reporting of the results and of any corrective steps needed;
  • requiring documentation of how algorithms are built, how they make determinations and how all of those determinations are reached;
  • requiring disclosure to all consumers of the use of algorithms to reach decisions, what personal information is collected and how the algorithms use it to reach decisions;
  • requiring an adverse action notice (if a business makes an unfavorable decision based on an algorithm, it must provide a more in-depth explanation);
  • providing a dispute and correction opportunity to prevent negative decisions based on inaccurate personal information.

The bill would apply to individuals, legal entities and service providers that make or rely on algorithmic eligibility determinations or algorithmic information availability determinations. Read more about the coverage, key definitions and enforcement of the Algorithms Act in the original publication.

In 2021 almost 4,000 people applied to the Ukrainian Parliament's Commissioner for Human Rights to protect their right to privacy, twice as many as in the previous year. Applicants (mostly legal professionals, representatives of human rights and public organizations, people with disabilities, etc.) asked for the protection of their personal data in connection with:

  • the activities of debt collection companies and microfinance institutions, and
  • the publication of personal data in messengers, on social networks and on the official websites of public authorities and local governments.

When pursuing overdue debt, collectors resort to insults and psychological pressure not only against debtors but also against members of their families, friends or acquaintances. For that reason, the law on consumer protection in the settlement of overdue debts was adopted and came into force last year. At the same time, the draft law "On Personal Data Protection" and the draft law "On the National Commission for Personal Data Protection and Access to Public Information" were registered in the Ukrainian Parliament. The legislators aim to adopt both drafts within the next few months in order to launch the data privacy reform by 2023 as part of integration into the EU Digital Single Market, implementation of the EU-Ukraine Association Agreement and the wider government digital agenda.

Official guidance: China’s automotive sector, employment data and asylum seekers fingerprints in the EU

China's latest data protection implementation rules include new data guidance for the automotive industry, analyzed by Paul Hastings LLP. They are among the first sets of industry-specific implementation rules under the new Data Security Law and the Personal Information Protection Law. The automotive provisions elaborate on:

  • Automotive Data, which includes personal information and important data involved in the design, production, sale and maintenance of automobiles, etc.
  • Automotive Data Processors: manufacturers, component and parts suppliers, software suppliers, dealers, maintenance organizations, mobility service companies, and ride-hailing and sharing services.
  • Personal Information and sensitive personal information (e.g., vehicle trajectory, driving habits, audio, video, images, biometric identification).
  • Important Data (e.g., geographical information, vehicle flow, personal information involving more than 100,000 subjects).

Key Principles in automotive data processing are:

  • all automotive data must be processed inside vehicles unless it is absolutely necessary to send it out;
  • unless a driver makes a specific selection otherwise, the default setting should be non-collection each time the driver drives the vehicle;
  • the coverage and resolution of cameras and radars, among others, should be determined according to the requirements for data accuracy of the functions and services provided;
  • principle of desensitization (data processors are required to apply anonymization and de-identification during processing, if possible).

The Gibraltar data protection authority published fresh guidance on data protection in the employment context (in English). The document provides a general guide to the legitimate expectations of employees regarding the processing of their personal data by employers, as well as to the legitimate interest of employers in deciding how best, within the boundaries of data protection law, to run their organisations. It covers:

  • The employer's obligations of accountability and of implementing appropriate security measures to protect employee personal data.
  • Recruitment and selection recommendations in relation to personal data in areas such as 'advertising and applications', 'interview notes', 'vetting' and 'retention'.
  • Employment records and the employer's responsibility to appropriately notify employees of personal data processing activities.
  • Monitoring in the workplace.
  • Remote working and the risks it presents to the security of personal data.
  • An administrative infrastructure compatible with adequate data protection.

Asylum seekers and migrants apprehended at the EU's external borders are required to give their fingerprints. This data is kept in the Eurodac database. The EU Agency for Fundamental Rights, in collaboration with multiple data protection authorities, has published a guide intended to better inform people about the use made of their fingerprints (now available in all EU languages). EU law requires that the following information be given:

  • giving fingerprints is an obligation,
  • ten fingerprints are taken digitally, together with the person's gender, the country taking the fingerprints and the place and date of the asylum application (if applicable); no other personal data is stored,
  • where the authorities collect further personal data, such as name or age, migrants should be informed of the importance of providing accurate data,
  • the fingerprints are kept for 10 years (asylum seekers) or 18 months (irregular migrants), after which the data is automatically deleted,
  • only competent asylum and immigration authorities can access the data,
  • the police and Europol can access the data under strict conditions,
  • why fingerprints are collected and what the person's rights are.

The information given must be concise, transparent, comprehensible and in an easily accessible format, written in clear and plain language, adapting to the needs of vulnerable persons, such as children. Where necessary the information should be provided orally in a language that the person understands. Also, a copy of the personal data collected is provided. This helps to exercise the right to access and the right to delete and correct the data.

Data breaches, investigations and enforcement actions: Slimpay, JP Morgan Securities, BBVA

French regulator CNIL sanctioned Slimpay with a fine of 180,000 euros for having insufficiently protected users’ personal data and not having informed them of a data breach. Slimpay offers recurring payment solutions to its customers. During 2015, it carried out an internal research project, during which it used the personal data contained in its databases. When the research project ended in 2016, the data remained stored on a server, without special security measures and was freely accessible from the Internet. It was not until 2020 that Slimpay became aware of the data breach, which affected approximately 12 mln people. Persons affected by the data breach are located in several countries of the EU, so cooperation was needed between the supervisory authorities of four countries – Germany, Spain, Italy and the Netherlands.

The US Securities and Exchange Commission, (SEC), announced that JP Morgan Securities agreed to pay 125 mln dollars to resolve charges that it failed to safeguard written communications of its employees. Its employees, including supervisors and managing directors, regularly used non-company messaging tools such as Facebook’s WhatsApp, text messages and personal email accounts to discuss company business. The company admitted that none of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm. The fine is the largest the SEC has ever leveled against a firm for record-keeping violations, beating the previous record of 15 mln, imposed on Morgan Stanley in 2006.

The Spanish data protection authority, the AEPD, fined Banco Bilbao Vizcaya Argentaria (BBVA) 60,000 euros for lacking a legal basis for data processing. The claimant was receiving constant messages on his mobile phone from BBVA about defaults, appointments, etc. The claimant demanded deletion of the number, but it could not be found in the client database. The investigation found that the text messages were an error on the part of the team in charge of functional testing of the tool designed to send notifications from the bank to its clients. The team wrongly believed that the number did not exist or was not in service, and therefore that nobody would receive the fictitious notices.

Audits: Oxford Health NHS Foundation Trust

The UK Information Commissioner's Office published its data protection audit report on Oxford Health NHS Foundation Trust. The Trust, a major NHS health provider, delivers physical and mental health and social care for people of all ages; its services are delivered at community centres, hospitals, clinics and people's homes. With an overall reasonable assurance level, the executive summary proposes some areas for improvement:

  • The Trust's Record of Processing Activities requires updating. The evidence provided was more of a data flow map and is therefore not fully in line with the requirements of Art. 30 of the UK GDPR, which include recording the name and contact details of the data controller, a description of the categories of individuals and recipients of personal data, retention schedules and a description of the technical and organisational security measures in place.
  • The Trust has a Data Protection Officer in place who also holds other positions and responsibilities. The Trust needs to consider if these additional roles and responsibilities pose a conflict of interests or a demand on their time, which could impact on their duties as DPO. 
  • There is no Information Sharing Agreement (ISA) log to record vital information pertaining to current ISAs.
  • There is a lack of specialised training for staff with data sharing roles and those that deal with children’s data.  
  • There is no dedicated Information Sharing policy or procedure to provide guidance on ad hoc disclosures as well as the assurances that all ISAs include effective incident management procedures.

Big Tech: China’s low-carbon data clusters, Arsenal fan tokens, the death of Blackberry, racial bias on Airbnb, Zoom latest acquisition

China has approved plans to build four mega clusters of data centres in the country’s north and west with the aim of supporting the data needs of Beijing and major coastal cities. The move comes as energy-hungry data centres located in China’s east have found it difficult to expand due to limits imposed by local governments on electricity consumption. The four new locations can use their energy and environmental advantages (wind and solar). However, their distant locations have meant the centres have struggled to provide the near-instantaneous retrieval demanded by coastal clients with little tolerance for delays. Meanwhile, a new marine economy development plan encouraged major coastal cities such as Guangzhou, Shenzhen and Zhuhai to relocate high energy-consuming data centres to underwater locations to save energy used for cooling.

Britain’s advertising watchdog, the ASA, warned Arsenal FC on Wednesday over ads for its “fan tokens,” a type of cryptocurrency embraced by soccer clubs as coronavirus pummelled their revenues. ASA said ads posted on Arsenal’s website and on Facebook were misleading as they did not make clear the risk of trading crypto, potential tax implications or that the tokens are not regulated in the UK: “The tokens, which can be traded on exchanges like other cryptocurrencies, are prone to wild swings in price and often have little connection to on-field performance.” Fan tokens allow supporters of soccer and other sports clubs to vote on minor decisions such as songs played at matches after a goal is scored, or images used on social media. Arsenal believes that fan tokens were designed to boost participation by supporters, and were “materially different” to other cryptocurrencies used as a means of payment. More than 40 clubs from Europe to South America have launched fan tokens. The largest one, launched by Paris Saint-Germain, reportedly has a total value of 49 mln dollars, versus bitcoin’s 929 bln.

Legacy BlackBerry devices lose text, call and data functionality on January 4th, the Verge reports. Whether on Wi-Fi or cellular, there will be no guarantee that they can make phone calls, send text messages, use data, establish an SMS connection or even call 911. The company has been in slow decline since its dominant era in the late 2000s, when its QWERTY keyboards and reputation for security gave it a 50% market share in the US; the parent company has since pivoted to selling cybersecurity software.

Airbnb announced that it’s changing the way guest profiles are displayed in its app, for Oregon residents only, the Verge reports. Airbnb hosts who are based in Oregon will now see a potential guest’s initials, rather than their full name, until after they’ve confirmed the booking request. The change aims to prevent racial discrimination among hosts, by stopping them from gleaning a guest’s race from their name. The announcement follows a voluntary settlement agreement that Airbnb reached in 2019 with three Portland-area women. A 2016 study also found that Airbnb guests with names that sounded Black were 16% less likely to have bookings confirmed than guests with names that sounded white.

Zoom gets bigger on virtual events with its latest acquisition, the CNET website reports. The videoconferencing company announced the acquisition of event solutions assets from Liminal. Due to the pandemic, events have increasingly gone online, demanding more from video teleconferencing apps like Zoom. Those apps have needed to expand the features of their products or rely on third-party services like the ones Liminal provided. Liminal offered apps such as ZoomISO and ZoomOSC, which provide individual video outputs and enhanced sound controls. Liminal's products will remain available through its site. However, as Zoom expands on those tools and builds something similar into its platform, there will no longer be a need for them as separate add-ons.

