The job applicant at the center of a German GDPR case decided in June was seeking an administrative position at the law school (see 2510100030).
GDPR
The General Data Protection Regulation (GDPR) is the European Union’s landmark privacy law governing how organizations collect, process and protect personal data. In effect since 2018 it applies to any entity handling EU residents’ information regardless of where the company is based and imposes strict requirements around consent, transparency, data minimization and user rights. GDPR enforcement has led to billions in fines against global companies setting a high bar for compliance frameworks worldwide and influencing privacy legislation in the U.S. and other regions.
French DPA CNIL will host a GDPR Day on Dec. 9 in Nantes, it announced Monday. Aimed at professionals, academics and students, the event will focus on updates in data protection, tools for data protection officers, CNIL audits and cybersecurity.
Most changes to the U.K.'s data protection regime will ease data flows between the U.K. and EU, but some should be clarified and monitored, the European Data Protection Board (EDPB) said Monday.
Whether age-gating measures truly protect children online or just raise other legal concerns is unclear, speakers said during Hogan Lovells' The Data Chronicles podcast Thursday, which focused on age assurance in the U.S. and U.K.
European DPAs will focus their next coordinated enforcement action on compliance with the GDPR's transparency and information requirements, the European Data Protection Board (EDPB) announced Tuesday. The push will launch in 2026.
There’s no substitute for openness, clear communication and specificity where privacy regulation is concerned, Orrick lawyer Christian Schroder wrote, as was demonstrated by rulings in Germany in June involving GDPR regulations. In addition, the rulings showed that an organization gathering data from public sources about a job candidate could put it out of compliance, though that might not force the hiring of a wronged candidate, Schroder said in a blog post this week.
The European Court of Justice (ECJ) decision last month on the meaning of pseudonymized data has sparked a wave of legal comment because DPAs are split over how possible it is for third parties to retrieve personal information from such data, Hogan Lovells privacy lawyer Etienne Drouard said in an interview.
OneTrust agrees that businesses shouldn't set and forget privacy compliance tools, amid increased scrutiny from regulators, said Ojas Rege, general manager of privacy and data governance. In an interview with Privacy Daily, Rege also said that a great amount of enforcement action is happening behind the scenes, without becoming public. In addition, the OneTrust official warned that “AI amplifies every single privacy and data governance gap you have in your organization.”
As part of an effort to facilitate GDPR compliance and bolster consistency, the European Data Protection Board (EDPB) and the European Commission issued their first joint guidelines Thursday, emphasizing areas of agreement between GDPR and the Digital Markets Act (DMA).
A U.S.-based company that scraps the web for images of people and sells them to clients tells Privacy Daily it will appeal a Wednesday decision from a U.K. panel that ruled its activities violate its citizens' privacy.