Stay up to date! Sign on to receive our fortnightly digest via email.

DORA application deadline

As the Digital Operational Resilience Act will apply from 17 January 2025, the European supervisors have called on financial entities and third-party providers to advance their preparations on the information and communication technology requirements. There are also important interfaces between DORA and the GDPR, in data protection experts’ opinion. Both regulations aim at ensuring data integrity, confidentiality and availability, such as notification of security incidents, risk management, technical and organisational measures, controls and audits. Furthermore, an integrated strategy that considers both data protection and IT security is needed to comply with both regulations. 

Third-country authorities and GDPR certification

The EDPB published guidelines on GDPR Art.48 about data transfers to third-country authorities. The sharing of data with the public authorities in other countries can help collect evidence in the case of a crime, check financial transactions, or approve new medications. The board clarifies how organisations, private and public, can best assess under which conditions they can lawfully respond to such requests. The Board also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors across Europe. GDPR certification helps organisations demonstrate their compliance with the law and helps people trust the product, service, process or system for which organisations process their data.

More legal updates

US restricted transfers: The Department of Justice has suggested restrictions on cross-border transfers of sensitive personal data to “countries of concern”. The regulation would, among other things, restrict data brokerage transactions that pose significant national security threats to China, Russia, Iran, North Korea, Cuba, and Venezuela, and limit some vendor, employment, and investment arrangements with nations of concern unless they fulfil specified security standards. 

Those adversaries can be interested in biometric and genomic data, health care data, geolocation information, vehicle telemetry information, mobile device information, financial transaction data, and data on individuals’ political affiliations and leanings, hobbies, and interests. In this way, countries of concern can exploit their access to US government-related data or Americans’ bulk sensitive personal data to collect information on activists, academics, journalists, dissidents, and political figures. 

Oregon and several other US states have recently advanced their privacy laws. For instance, the Oregon Consumer Privacy Act applies to all for-profit businesses immediately and to applicable charitable organisations as of 1 July 2025. It provides residents with an opt-out option to a business selling, profiling, and using targeted advertising with their personal information, obtaining a copy, editing any inaccuracies and deleting the personal and sensitive data a business has collected about them.

On January 1, 2025, five more states’ consumer privacy rights laws will take effect – Iowa, Delaware, New Hampshire, Nebraska, and New Jersey. 

Customer expectations about their data

The assessment of customer expectations regarding the processing of their data is an essential element in ensuring the lawfulness and transparency of data processing states the Latvian regulator. Reasonable expectations are what a customer, given their specific relationship with the organisation, types of data and available information, can naturally expect from the processing of their data. A practical approach to assessing expectations would be conducting surveys, interviews and focus group discussions, as well as consulting industry standards and previous experience. 

Internal procedures and training

Developing appropriate internal procedures and regular training also helps ensure employees know how to act in supporting the company’s compliance efforts. This may be especially useful when a business expands rapidly, hires new employees, and the number of clients also increases. If non-compliance is detected which could result in a violation of customer data processing and protection, the company, with the help of its data protection specialist, has to prepare an action plan, which may include:

• conducting internal audits, 
• reporting immediately to the responsible person, 
• reviewing and improving legal bases and purposes of processing,
• reviewing related documentation,
• corrective measures such as informing data subjects, etc. 

More from supervisory authorities

Machine learning and training data: America’s NIST continues its series of posts about privacy-preserving federated learning, (PPFL). Unlike traditional centralised learning, PPFL solutions prevent the organisation training the model from looking at the training data. Model training is, however, only a small part of the machine learning workflow. In practice, data scientists spend a lot of time on data preparation and cleaning, handling missing values, feature construction and selection. Challenges may result from poor-quality or maliciously crafted data to intentionally reduce the quality of the trained model. 

To know more about AI model training the Spanish regulator AEPD has recently discussed a use case: a single-neuron network determines whether a person is overweight vs a network, which allows for more complex classifications but equally can lead to ‘hallucinations’. From a data protection perspective, the question is to choose the one that is most appropriate to the context and purpose of the processing operation. For example, the chosen structure  requires such a quantity of data samples and such diversity that it is not possible to obtain them, or that it is not proportional or legitimate to collect them. In this way, the purpose could not be achieved from the design stage. 

Software developers: Italian regulator Garante approved the Code of Conduct which concerns the processing of personal data carried out by companies developing and producing management software. Such software, intended for companies, associations, professionals and public administrations, is used to fulfil tax and social security, welfare and management obligations, drafting financial statements, personnel management and corporate obligations, with a significant impact on aspects relating to the protection of personal data. 

Sky Italia telemarketing fine

The Italian regulator also fined Sky Italia over 840 thousand euros for numerous violations found during telemarketing activities and sending commercial communications. The company carried out marketing activities, by telephone and via SMS, in the absence of adequate checks on the obligations regarding information and consent. Sky did not consult the registration of the users contacted in the public register of oppositions before each promotional campaign.

Some of the users had been contacted based on consent acquired even before the GDPR came into full effect. The documentation of consents acquired from data supply companies also appeared unsuitable to unequivocally demonstrate the will of the interested parties, as Sky stored the details of the consents in editable Excel files. Furthermore, Sky relied on the consent to marketing automatically provided by users during registration on the website and mandatory to use the service offered.

More enforcement decisions

The Irish Data Protection Commission fines Meta 251 million euros. Investigations were launched following a personal data breach, which was reported by Meta in September 2018. It impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included the user’s full name, email address, phone number, location, place of work, date of birth, religion, gender, posts on timelines, groups of which a user was a member, and children’s personal data. The breach arose from the exploitation by unauthorized third parties of user tokens on Facebook.

CCTV: The Swedish data protection authority fined Granit Bostad Beritsholm AB due to unauthorized camera surveillance in an apartment building.  Previously there were cameras at three main entrances, at elevators and apartment doors, as well as in the basement corridor next to the storage room, laundry room and sauna. There were also several cameras in the garage, bicycle storage, garbage room, and at the back of the property.

The company now has to cease the camera surveillance of all places on the property except the garage. The camera signs must contain information about the company’s identity and contact information.

Prison sentence: A motor insurance worker, who led a team dealing with accident claims, has been handed a suspended prison sentence after an investigation by the UK Information Commissioner. The company reported to the regulator that it suspected an employee was unlawfully accessing its systems. The insurers became suspicious due to the higher-than-normal number of claims being processed. An internal investigation found he had featured in 160 of the claims, despite his role not involving the access of claims. The search of the suspect’s home also found he was sending personal data he had accessed by mobile phone to another person. 

AI impact assessment

The Future of Privacy Forum has prepared a detailed guide on how organisations can conduct AI impact assessments. Organisations typically take four common steps: a) initiating an AI impact assessment; b) gathering model and system information; c) assessing risks and benefits; and d) identifying and testing risk management strategies. There is also a trend within organisations to perform multiple assessments at different points in the AI lifecycle, as well as integrate AI impact assessments into existing risk management processes, including those around privacy.

Real-Time Bidding

America’s FTC announced a new enforcement action in which it alleged that the data broker Mobilewalla collected and retained sensitive location information from consumers, often without their consent, and shared those details with third parties to target advertisements. Most of the advertisements we see online often involve a process called “real-time bidding”, (RTB), where publishers, websites, apps, or other digital mediums with ad space to sell, auction off their empty ad space on exchange platforms, and advertisers can bid for that placement.

Big Tech

LinkedIn suspended AI training in Canada: The Privacy Commissioner welcomed the commitment from LinkedIn to pause training of AI models using the personal information from Canadian member accounts. While LinkedIn indicated that it believed that it had implemented its AI model in a privacy-protective manner, the company agreed to engage in discussions with the regulator to ensure that its practices are compliant with Canada’s federal private-sector privacy law. Recently LinkedIn also suspended AI training using UK and EU data. 

The European Data Protection Supervisor is examining the Commission’s compliance regarding the use of Microsoft 365. The Commission could have infringed several provisions of the data protection law for EU institutions, bodies, offices and agencies, including those on transfers of personal data outside the EU/EEA. In its decision of March 2024, the EDPS ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors, located in countries outside Europe not covered by an adequacy decision. There is also an ongoing court proceeding in the matter. 

AI development: The UK Information Commissioner is urging Generative AI developers to tell people how they’re using their data. This could involve providing accessible and specific information that enables people and publishers to understand what personal data has been collected. Without better transparency, it will be hard for people to exercise their information rights and for developers to use legitimate interests as their lawful basis. The Commissioner also encourages AI firms to get advice from the regulator through the Regulatory Sandbox and Innovation Advice services, as well as from other regulators through the DRCF AI & Digital Hub. 

The post Data protection digest 1 – 15 Dec 2024: DORA application deadline, new Meta fine, AI impact assessment appeared first on TechGDPR.

Cold calling individuals is like throwing a rock in a pond with the hope of catching a fish. Obviously, the success rate is high enough to justify manning the phone with a single person all the way up to outsourcing a floor’s worth of call center advisers. But how can you continue making cold calls when you have purchased personal data?

With lots being said about the GDPR signalling death of sales and marketing as we know it, it’s hard to make sense of how much room remains for your organisation to call up an unsuspecting prospect in a compliant way. While you can’t avoid raising suspicion as to where the data subject’s number originated from, there is a wide spectrum of practices ranging from downright non-compliance data collection to the fully-fulfilled duty to inform. Though it is limiting to approach the Regulation with a single use case it remains the best way to avoid opening the floodgates to exceptions. For the purposes of this post, I’ll cite the following example:

Can personal data be sold and bought under the GDPR?

Inheriting personal data sets from a third party with no proper documentation (e.g.: legal basis for initial collection, records of the duty to inform being fulfilled by the initial controller, recorded consent or readily available consent matrix) is a liability for both the personal data broker and the purchaser. At the very least, records of processing activities should establish a trace of the transaction since personal data sold to a third party is a data transfer to a recipient. Additionally, your organisation will need to prove that subjects were informed this transfer would take place or that you informed them within a month of purchasing their personal data that your organisation now processes it. More on this further on. 

Failing to document what information was communicated and what legal base apply violates both the data protection principles of lawfulness and transparency and that of purpose limitation, exposing you to the heaviest of fines: 4% of annual turnover. If your organisation had purchased personal data from a third party source, don’t hide that information. Should your staff turn down a data subject request to know what the origin of that data is, make sure the staff has been trained to recognize the request as a genuine data subject request. Article 14.2.f) makes it compulsory for organisations to inform data subjects if requested as to the source of the data that was not collected from them directly.

The worst scenario on your call-center floor is for an agent to downplay that request and respond that the subject’s phone number was communicated by their line manager. You may need to review your processes, knowledge base and staff training as to how to handle data subject requests. You would be surprised how many people use built-in or third party app call recorders on their phones

While you can sell and purchase personal data, you have to be very clear about it. Unlike the CCPA, the GDPR does not make it a requirement to disclose that the data will be sold, instead it makes it a requirement to disclose who will be receiving it.

In that respect, the CCPA more explicitly acknowledges the commercial uses of personal data. It makes it a requirement to disclose such uses, to provide subjects to opt their data out of the sale. To that respect, it allows for slightly more traceability in the data supply chain than the GDPR does. Keep in mind that small print at the end of a 10-page privacy policy will not impress authorities. Requirements of concision and clarity can be found in Article 12.1.

Can our organisation cold call data subjects?

Yes, it can.

Central to data protection is your duty to inform. Fulfilling it puts your organisation in line with GDPR’s principle of lawfulness, fairness and transparency (GDPR Art.5.1).

It is likely that the applicable legal basis for processing personal data in your case is legitimate interest. Yet having determined an applicable legal base is not compliant unless the purpose and the legal base are formally communicated to the data subject.

Can data subjects refuse to be the target of your direct marketing?

Yes, under Article 21.1 of the GDPR, an individual has the Right to Object. While, typically this right designed to put the burden of proof on the controller that its processing of personal data is done in the controller’s legitimate interest, the data subject also has the right to outright object to the use of data for direct marketing. This means that your company will have to mark the personal contact data to prevent it from being used for that purpose. This is one of the only technical and organisational measures explicited in the GDPR. Apply it if the data is nonetheless required to serve other purposes such as the performance of a contract. Should the data serve no other purpose, the best practice principles of data minimization and purpose limitation dictate the complete deletion of the personal data.

As hinted above, do not expect the data subject to officially formulate a deletion or objection request via your data protection officer. Treat their request on the phone as officially as you can. Which naturally increases expectation on staff compliance training.

Must I perform my duty to inform during the call?

Where the CCPA does not makes it compulsory for organisations to disclose having transferred or sold their data unless the subject requests to know, the GDPR makes it a requirement to inform proactively about the transfer of personal data to a third party or recipient.

While a strict reading of the GDPR might lead you to believe that you should read your complete privacy policy on the phone, in reality the situation is not that extreme but needs to be broken down at little.

If, prior to the call, you have collected the contact information from the data subject, you will have already informed them, and collected consent (if such is your legal basis), on the purpose of processing. On the call itself, you might be inclined to remind the data subject of the legal base on which you are currently operating but there is no GDPR provision making this a requirement other than building trust and plain courtesy.

If you have not collected data from the data subject but amassed their contact details from a different source, or third party, then, you should inform data subjects of your full identity and contact details, what data you have collected, under what legal base(s) you have done so, what retention period governs that data processing and what rights the data subjects can exercise. GDPR. Art.14.3a) sets the duty to inform time frame to within a reasonable period after obtaining the personal data and no more than one month.

Should you place a call to the data subject before having informed them of the above, you should understandably be prepared to read this information out to them and facilitate the exercise of their data subject rights (GDPR Art.12).

A full list of elements your communication should include is available in Articles 12 to 14.

What if the data subject actually consents to their data being used when on call?

Technically, you could record the call to document consent but consent for that form of data collection -audio recording- would first be needed. Recording a call is nothing short of collecting biometric and personal data and, in many cases, transferring that data to servers or cloud services across the Atlantic. If your cloud provider is not listed under the EU-US / Swiss-US Privacy Shield and no other legal instrument allows for that transfer, the call recording would fail the compliance test on many levels.

A best practice often witnessed involves sending an opt-in email immediately after the call which recaps the essence of your phone conversation, what you agreed to share, the data the subject consented to disclosing and which were the purposes stated. You might want to consider including the date at which the conversation took place in the body of the text, i.e.: not relying on the email client’s automated time stamp.

Yes, your organisation can sell or purchase persona data and place cold calls.

The GDPR only prohibits both forms of personal data processing unless they are done unlawfully.
Unlawful data processing in the case of direct unsolicited marketing by phone is characterized by depriving data subjects of their rights, violating data protection principles of fairness, transparency and accountability, failing to inform them upon acquisition or collection of their data, depriving them of information when you first come in contact with a subject’s personal data and not supporting them in the exercise of their rights. If you have these items under control, you’re good to proceed with a fair degree of confidence in your compliance.

If you need help with reviewing your data protection practices, your data flows, your compliance documentation and call center staff or management training, get in touch.

TechGDPR specialises in digitised environments and products including AI, machine-to-machine / IoT transactions and Blockchain applications. We offer consulting packages, hourly support, staff training and workshops.

The post Personal data and cold calling under the GDPR appeared first on TechGDPR.