What’s the latest on the Data Protection and Digital Information Bill?
The Data Protection and Digital Information Bill (the Bill) has dropped out of the news since the government’s controversial late
On 1 March 2024, the ICO published guidance on sharing information in mental health emergencies at work. The guidance aims
Pay or consent models are causing a stir both in the UK and the EU. The ICO has launched a
On 13 February 2024 the European Parliament approved the text of the AI Act (the Act) by majority vote. The
The ICO has launched the second chapter of its AI consultation series this month. This chapter focuses on how the
The ICO has produced some detailed guidance on data protection in content moderation. The guidance doesn’t place additional obligations on
On 13 February the ICO approved the Legal Services Operational Privacy Certification Scheme (LOCS) which is designed to “assist legal
The ICO has issued a reprimand to South Tees Hospital NHS Trust in relation to failures to appropriately deal with
On 28 February 2024 the EDPB launched its coordinated enforcement framework action for 2024. This year the action will focus
Late last month the ICO issued an enforcement notice ordering Serco Leisure to stop using facial recognition and fingerprint scanning
The guidance, which we commented on in the September 2023 DPO Digest, has now been finalised. The guidance covers key
EDPB provides clarification on “main establishment” The EDPB has issued some guidance on the meaning of “main establishment” for the
You may have seen headlines last year about Meta, the owner of Facebook, being fined €1.2bn in relation to a
Under Article 30 of the GDPR controllers and processors of personal data must document their processing activities; this is known
You’re faced with a data breach. What should you do? There are a number of steps which organisations need to
The GDPR provides individuals with a number of rights in relation to how their personal data is collected and processed
Non-compliance with data protection laws can cause significant issues for an organisation but what are the key risks? Regulators can
If you need help navigating your way through technical data protection terms, look no further. We have created a list
It is worth noting that the ICO’s enforcement action in relation to direct marketing continues unabated, making up seemingly the
In yet another installment of the Italian DPA’s case against ChatGPT, on 29 January 2024 the Italian DPA notified breaches
The Information Commissioner’s Office (ICO) is launching a series of consultations on generative AI, a type of artificial intelligence that
The ICO has advised that it has had a positive response to the letters it issued to 53 of the
The ICO has issued a blog post with practical tips for app developers on how to comply with their data
The European Commission has confirmed that 11 of the 16 current adequacy decisions have been reviewed and will remain in
This case review looks at a selection of one-stop-shop decisions which relate to security of processing and data breach notification/communication.
The UK Government has published a proposed code of practice on cyber governance and called for views on the same.
The CNIL has recently issued two significant fines in relation to infringements by Amazon and Yahoo. On 18 January 2024,
The EDPB has published a report on strengthening the role of the DPO, which is based on a coordinated investigation
In March 2023, the UK Government published a white paper on “AI regulation: a pro-innovation approach” (AI White Paper), which
The Data Protection and Journalism code is a statutory code of practice under the Data Protection Act 2018 (DPA 2018).
The ICO has published an updated opinion on age assurance for the Children’s code to reflect updated practices. The updated
On 14 December 2023, the CJEU issued judgment in the case of VB v Natsionalna agentsia za prihodite. The case
Not often a high billing topic in the list of ICO enforcements, but one which has been the subject of
X (formerly Twitter) is facing challenges to its privacy practices from a couple of sources. The EU commission has commenced
The ICO has now released its UK addendum to the EU BCRs with accompanying guidance. The guidance walks through the
A cross-party group of nearly 30 parliamentarians have written to the ICO to voice their concerns about the expansion of
In 2022 the European Commission proposed a regulation to “unleash the full potential of health data”. The Council of the
In early October 2023, the EU Commission asked the EDPB to review a “cookie pledge initiative” prepared by the Commission,
The ICO has responded to the updated Data Protection and Digital Information Bill (the Bill), in particular, the Government’s late-stage
On 7 December 2023, the CJEU issued judgment in the case of C-634/21 SCHUFA Holding (Scoring). SCHUFA is a company which
The ICO has published two new pieces of draft guidance for consultation. The guidance relates to: Keeping employment records –
In late November 2023, the Council of the EU adopted the final text of the Data Act. Agreement now having
The NCSC has expanded its guidance on cloud computing with a section on how to “lift and shift” i.e. “replicating
The Cyber Solidarity Act (Solidarity Act) has moved a step further to becoming a reality. In early December the European
The DCMS has published its Online Advertising Task Force plan which sets out how the task force will work with
The National Cyber Security Centre reports that 18 countries are to endorse guidelines on AI security developed by the UK
The Guardian reports that the European Consumer Group BEUC have filed a complaint with the EU’s network of consumer protection
The bill had its second reading in the House of Lords on 19 December 2023. A number of issues were
The ICO have, unsurprisingly, applied for permission to appeal the decision by the First Tier Tribunal (Information Rights) reported in
The ICO has launched a “make a subject access request” service on its website. The service allows individuals to generate
There have been several recent ICO reprimands issued in relation to security failings which had some similar themes. In the
The ICO has amended its guidance on Transfer Risk Assessments to acknowledge that it is reasonable and proportionate to rely
This guidance acknowledges the progression from tracking individuals with cookies to the use of newer technologies, aiming “to provide a
On 8 December 2023 the Council of the EU (the Council) announced that the Council and the European Parliament had
It has been reported in the press that 28 countries including the US, UK, China and the EU have signed
On 27 October 2023, the EDPB adopted an urgent binding decision giving the Irish Data Protection Commission two weeks to
The NCSC has produced guidance on a couple of “hot” cyber topics. The guidance on ransomware gives an overview of
It has been reported by a number of sources that China has proposed new rules in relation to data transfer.
The EU General Court has ruled against an application by a French MEP aimed at halting the implementation of the
The ICO has released guidance to retailers on processing personal data to tackle shoplifting. This guidance has been issued following
The First-tier Tribunal of the UK General Regulatory Chamber has overturned an enforcement notice and a £7.5 million fine which
On 24 October 2023 the European Data Protection Supervisor (EDPS) published its final recommendations for the Proposal for a Regulation
The ICO has issued guidance on managing workers’ health data in accordance with data protection law. The guidance is divided
The ICO has issued draft guidance on fining for consultation. The guidance explains: the legal framework that gives the Information
The ICO has issued a preliminary enforcement notice against Snap Inc and Snap Group (together Snap) in relation to
On 18 September 2023 the District Court of the Northern District of California (San Jose Division) granted a preliminary injunction
The European Commission has released a report which aims to help those who need to address the cybersecurity requirement under
The EDPB has published guidelines on Article 37 of the LED for consultation. The guidance relates to the application of
The ICO will be launching its new approach to UK BCRs this month. The ICO will be issuing a new
The ICO has warned public authorities that they should not be sharing original source spreadsheets in response to Freedom of
The ICO has issued guidance relating to sharing information to protect children in an effort to reassure people that data
The ICO has reiterated its position in relation to organisations who do not allow individuals to reject all cookies on
The Online Safety Bill (the Bill) has now passed all parliamentary debates and is ready to become law. It is
After a period of consultation, and in response to rapidly changing work practices following the Covid pandemic, the ICO has
On 15 September 2023, the Irish Data Protection Commission (DPC) issued a decision notice against TikTok Technology Limited (TikTok), including
The UK-US Data Bridge, which is an extension of the US/EU Data Privacy Framework (DPF) was announced on 21 September
The EU Data Governance Act (the Act) is now applicable after a 15-month grace period since the Act entered into
The ICO have stated their interest in two topics this month. In response to an article published by Which on
The ICO has issued “phase 1” draft guidance on biometric data for public consultation. The guidance covers: what biometric data
The EDPS has issued opinions on the following legislative proposals: The proposal for a Regulation on a financial data access
In late July 2023 the Irish Data Protection Commission (Irish DPC) published the results of its inquiry into Airbnb Ireland’s
The ICO and Ofcom have published a joint report (which they commissioned) into measuring the accuracy levels achievable by different
On 1 September 2023 the new Swiss Federal Act on Data Protection came into force. On their SME portal the
Together with eleven other data protection authorities, the ICO has released a joint statement in relation to data scraping and
Continuing a theme from last month’s digest (see “Question of the month – Help! We have used To/CC rather than
The ICO and CMA have issued a joint report which outlines their concerns that design practices being used by websites
Data protection compliance can sometimes be seen as a blocker for organisations trying to do the right thing for their
As usual, things have been busy in Meta’s world with the following developments in the last few weeks: They have
The Cyber Resilience Act is currently making its way through the European legislative process. It is under consideration by the
Providers of Information Society Services (which according to the ICO include most for-profit online services), even if they run an
The CJEU has recently ruled on a matter where an individual (who worked for and was a customer of a
NHS Lanarkshire (the Trust) have been issued with a reprimand in relation to sharing patients’ personal data on WhatsApp. In
The UK has determined as of 7 July 2023 that law enforcement authorities can send personal data to their counterparts
The EDPB has produced a note answering some questions about how the new Data Privacy Framework works. This can be
There have been a couple of recent reprimands issued by the ICO in situations where individuals’ email addresses were inadvertently
The ICO has responded to concern about banks sharing personal information with the media following the complaint raised by Nigel
The ICO has issued new guidance on Privacy Enhancing Technologies (PETs). The guidance is split into two parts, the first
The French data protection authority, the CNIL, has imposed a €40 million fine on CRITEO, one of the leading players
The AI Act has taken a step closer to becoming a reality, with the European Parliament adopting their negotiating position
In May this year, the ICO published new guidance for employers on responding to subject access requests (SARs). The new
It has been reported in the press this week that the government has “privately admitted” that the Data Protection and
On 10 July 2023, the EU Commission adopted an adequacy decision in favour of the US. The decision extends to
The European Parliament and the Council of Europe have now reached political agreement on the EU Data Act (Act). All
The EDPB has issued guidance on how fines under the GDPR are calculated. Whilst it may not be your first
The European Commission has proposed a new regulation to streamline the management of cross-border enforcement of the GDPR. DPAs have
The Irish Data Protection Commission (DPC) issues a record fine against Meta Platforms Ireland Limited (Meta).
In late 2022, the Government announced its intention, as part of Brexit, to remove EU laws from the statute books.
On 16 May 2023, the French data protection authority, Commission Nationale Informatique & Libertés (the CNIL) published an action plan detailing how it will investigate the privacy issues posed by AI systems.
On 11 May 2023 the European Parliament adopted a resolution against an EU adequacy decision on the grounds of the United States (US) Data Privacy Framework (Framework) in its current form.
The EDPB has produced a guide for small businesses on how to comply with the EU GDPR.
An examination of what constitutes a “copy” of personal data under Article 15(3) EU GDPR, and whether this extends to a copy of, extracts of or even entire documents, or extracts from databases.
Earlier this year the Court of Justice of the European Union (CJEU) weighed in on the question of disclosing the recipients of personal data in the context of data subject access requests.
On 8 June, the US and UK announced their intention to create a data bridge between the US and the UK.
On 4 May, the CJEU passed down judgment in the case of UI v Österreichische Post AG, a matter originally brought before the Austrian courts.
The UK has applied to join the Global Cross Border Privacy Rules Forum (CBPRF). Read more here about the objectives of the forum.
Let us guide you on whether the provision of information required by a regulator can ever be direct marketing.
The guidance covers the aim and overall structure of the right, general considerations in respect of assessing the request, the scope of the right, how to provide access and the limits and restrictions on the rights. We will look in more detail at the guidance in upcoming digests.
Last month the ICO issued a fine of £12.5 million to TikTok.
The European Commission has proposed an EU Cyber Solidarity Act aimed at improving “preparedness, detection and response to cybersecurity incidents across the EU”.
The EDPB has updated its guidance on personal data breaches to address the question of notification of breaches by controllers who are not established in the EU.
On 22 March Capita was the victim of a cyber incident which primarily targeted “access to internal applications”.
There has been a significant amount of activity in the US in relation to privacy recently.
Eight states have now enacted comprehensive privacy laws.
Read the Privacy Law & Business UK Report May 2023 where we discuss the Gormsen case.
Generative AI has been a topic of increasing interest. We’ll explore how systems such as ChatGPT impact data protection.
In January 2023, after a significant and turbulent investigation, the Irish Data Protection Commission (Irish DPC) fined Meta Platforms Ireland Ltd. (Meta Ireland) €390m (£340m) for its activities in relation to Facebook and Instagram.
New sets of guidance published by the EDPB offer Guidelines on the interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V GDPR.
Earlier this year, WhatsApp was hit with another (albeit much smaller) fine, this time in relation to the legal basis it uses for some of its processing activities.
The recent decision of the First Tier Tribunal (Information Rights) (the Tribunal) has addressed several interesting points of general application in relation to using legitimate interests as a basis for direct marketing processing and the standard of privacy information which needs to be provided by organisations.
Let us help you navigate direct marketing by electronic mail.
The ICO has created a new hub for direct marketing which has several pieces of guidance as well as FAQs and checklists to assist organisations with direct marketing.
The EDPB’s verdict on the draft adequacy decision (the EU-US Data Privacy Framework or DPF) has arrived.
The EDPB commissioned a task force, consisting of several supervisory authorities, in response to complaints raised by NOYB, the non-profit privacy organisation, about how cookie banners operate.
UK Information Commissioner John Edwards gave a keynote speech at the National Association of Data Protection Officers’ Annual Conference in relation to the ICO’s new approach to regulatory action.
The Department for Culture, Media and Sport (DCMS) and National Cyber Security Centre have collaborated to produce a voluntary code of practice for app store operators and developers.
The English High Court has recently given a ruling in relation to damages for personal data breach claims.
Read the Privacy Law & Business UK Report January 2023 to discover the new suite of guidance from the ICO on direct marketing by electronic mail.
On 19 October 2022 the ICO fined Interserve Group Ltd £4.4 million in relation to contraventions of Article 5(1)(f) and Article 32 of the GDPR which occurred between 18 March 2019 and 1 December 2020.
Read the latest guidance and FAQs from the ICO relating to AI and personal data.
We set out the key steps which you should consider when embarking on a data sharing project.
The latest report by the European Union Agency for Cybersecurity gives an overview of the cyber security threat landscape.
Updated guidance from the ICO on international transfers, including a new section specifically relating to Transfer Risk Assessments.
Following the first independent adequacy regulation made by the UK since leaving the European Union, exports to South Korea are expected to increase.
Following an investigation by the Daily Mail, a referral was made to the ICO regarding Easylife’s telephone marketing practices.
The ICO intends to fine TikTok for its failure to protect the privacy and data of children using the platform.
We explore how the Retained EU Law Bill provides new powers to the Government and its impact on data protection.
Ensure you comply with appropriate technical and organisational security measures to protect personal data.
Data protection is a fluid terrain. Data protection legislation and the approach by regulators are constantly changing, so it is vital to stay up to date. In this resource library, you’ll find some expert insight and information to help you navigate a path of compliance.
All items are available to download as pdf files. To view a document, please ensure you have installed Adobe Acrobat Reader on your device.
Our experience speaks for itself, with global powerhouse brands, tech giants at the forefront of the data processing industry, rapid growth health tech start-ups, forward-thinking financial institutions, a challenger dating app, fashion giants, one of the largest entertainment and record label conglomerates in the world, shopping meccas, national broadcasters, the UK’s biggest free streaming service, and numerous Legal 500 firms all choosing HelloDPO as their trusted Data Protection Advisory Partner.
We are here to make our data-driven world a more equitable and ethical place to live, work, and thrive by pragmatically balancing our clients’ commercial ambitions with every individual’s right to privacy.