{"id":9541,"date":"2024-11-02T12:05:22","date_gmt":"2024-11-02T11:05:22","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=9541"},"modified":"2025-07-08T13:55:31","modified_gmt":"2025-07-08T11:55:31","slug":"data-protection-digest-2112024-clinical-research-service-providers-non-for-profit-commercially-available-ai","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-2112024-clinical-research-service-providers-non-for-profit-commercially-available-ai\/","title":{"rendered":"Data protection digest 17 – 31 Oct 2024: clinical research service providers, non-for-profit, commercially available AI"},"content":{"rendered":"\n

Non-for-Profit<\/strong><\/h4>\n\n\n\n

Updated privacy guidance for not-for-profit has been released by the Office of the Australian Information Commissioner. It includes a discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors.\u00a0For instance, when entering into arrangements with third parties, your non-for-profit should take reasonable steps to ensure that the third party\u2019s privacy practices meet the expectations of both your non-for-profit and the wider community<\/a>, (donors, volunteers, and people who engage with the sector as clients and staff). It is important to read the terms of your agreement carefully, conduct periodic reviews, and ensure the third party deletes any personal information<\/a> at the end of the contract term.\u00a0<\/p>\n\n\n\n

Stay up to date! Sign on to receive our fortnightly digest via email.<\/em><\/a><\/p>\n\n\n\n

Consent management in Germany<\/strong><\/h4>\n\n\n\n

On 17 October the Bundestag approved the regulation that introduces recognised consent management services<\/a> to manage decisions made by end users regarding consent or non-consent to a digital service provider, thus relieving them of some of the burden, (of individual decisions that have to be made with cookie consent banners). The integration of recognised consent management services by providers of digital services is voluntary. It now has to be approved by the government and officially published to come into effect. The original regulation, (in German), can be read here<\/a>.<\/p>\n\n\n\n

Clinical research organisations (CROs)<\/h4>\n\n\n\n
\"non-for-profit\"<\/figure>
\n

<\/p>\n\n\n\n

The French CNIL has approved a Code of Conduct intended for clinical research organisations and other service providers ,(CROs), who act as processors on behalf of sponsors. It brings an operational dimension to the requirements of the GDPR. It is supported by the non-for-profit European Clinical Research Federation (EUCROF) and is mandatory for those who adhere to it<\/a>.\u00a0<\/p>\n<\/div><\/div>\n\n\n\n

Among the services<\/a> offered by CROs that may be covered by the code are the design of the protocol, the selection and contracting with the investigator centers, the collection and hosting of data, their analysis and the production of reports, or archiving or technical support services.<\/p>\n\n\n\n

Other legal updates<\/h4>\n\n\n\n

NIS2 directive takes effect: <\/strong>New regulations to improve the cybersecurity of the EU’s vital networks and entities, (\u201cNIS2\u201d), should have been incorporated into national legislation by the October 17<\/a> deadline. According to a DLA Piper analysis, although some Member States such as Croatia, Hungary and Belgium have transposed the directive into national legislation, the majority of EU countries do not yet have<\/a> the relevant implementing legislation and necessary guidelines for organisations in place. <\/p>\n\n\n\n

Sanction lists: <\/strong>The Swedish IMY has drawn up new regulations that make it permissible for certain companies to handle personal data about violations of the law without seeking permission from the regulator when, among other things, checking their customers against various sanction lists<\/a>. In particular, companies that operate in the financial sector as well as in the security and defence market may need to check their customers, suppliers and employees, to comply with international export restrictions, and against money laundering and the financing of terrorism.\u00a0\u00a0<\/p>\n\n\n\n

Lawful collection of criminal records: <\/strong>The Danish data protection authority investigated Parken Services A\/S’ procedures for obtaining information in the recruitment process. In particular, it obtains copies of passports and criminal records from applicants. The regulator found this processing lawful taking into account the special circumstances that apply to Parken Services A\/S as an employer, including the very large number of people employed by the company, and the very special risk profile associated with a company servicing large sporting and entertainment events, especially concerning terrorism and crime<\/a>.\u00a0<\/p>\n\n\n\n

Worker transfers data to private account without permission<\/strong><\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

An Ius Laboris law blog post analyses the recent case in the Netherlands where an employee was dismissed because he sent 791 documents from his employer\u2019s server to his personal Dropbox<\/a> account, shortly after he was told that his fixed-term employment contract would not be extended. The employer had an IT policy that stated that employees could not make copies of the employer\u2019s data or store information from the employer in personal locations. <\/p>\n<\/div><\/div>\n\n\n\n

Additionally, the employer had recently sent an email to all employees reminding them that they were\u202fnot\u202fallowed to take any documents or property from the employer with them at the end of their contract. Read more discoveries of the case in the original publication<\/a>.\u00a0<\/p>\n\n\n\n

Commercially available AI<\/strong><\/h4>\n\n\n\n

The Office of the Australian Information Commissioner has also issued new AI guidance. AI products should not be used simply because they are available<\/a>, it says. Robust privacy governance and safeguards are essential for businesses to gain any advantage from AI and build trust and confidence in the community. Similarly, during AI model training, it must be carefully considered whether this will involve the collection, storage, use or disclosure of personal information, either by design or through an overly broad collection of data for training<\/a>. Do this early in the process to help mitigate any privacy risks. Personal information is a broad category, and the risk of data re-identification needs to be considered.\u00a0<\/p>\n\n\n\n

More official guidance<\/h4>\n\n\n\n

Mobile apps design: <\/strong>Apps often ask for permissions that they don’t need to function properly, (geolocation, contacts, camera or mic). It is recommended to accept only those strictly necessary for the function of the service. Apps also collect data about your behaviour, such as which web pages you visit, how long you spend in an app, or which features you use most often. This information may be used for ad personalisation<\/a>, but you can limit or disable it in the privacy settings of your account. It is also recommended to use temporary accounts or alternate email addresses that are not linked to sensitive data<\/a>.\u00a0<\/p>\n\n\n\n

\"\"<\/figure>
\n

<\/p>\n\n\n\n

Learning environments: <\/strong>The Estonian regulator emphasized the obligation of educational institutions and their learning environments to maintain the appropriate technical and organisational measures. This includes reviewing the documents and personal data entered into online environments and their retention periods, creating a system for monitoring data retention periods and deleting data at the end of a period, and ensuring that employees are informed of data protection conditions.\u00a0<\/p>\n<\/div><\/div>\n\n\n\n

It is also important that the data can be partially deleted so that it does not prevent the further processing of other data, (eg, making the data non-personal<\/a> and storing it for archiving, scientific and historical research or statistical purposes).\u00a0<\/p>\n\n\n\n

Work emails backup: <\/strong>The Italian Garante fined a company 80,000 euros for carrying out backups during the employment relationship<\/a>. The complaint was filed by a commercial agent who realised that the company, during their collaboration, used software to back up emails, preserving both their contents and access logs to the emails and the company management system. The information collected was then used by the company in litigation. This also allowed the company to reconstruct the collaborator’s activity, thus incurring a form of control prohibited by the workers’ statute.<\/p>\n\n\n

<\/div>\n
\n \n

\n Receive our digest by email <\/h2>\n

Sign up to receive our digest by email every 2 weeks<\/h3>\n \n
\n
\n
\n
\n
\n
\n
\n