Gene­ric selec­tors
Only exact hits
search in title
Search in content
Post Type Selec­tors

Posts rela­ted to

GDPR 32

Micro­soft Exchan­ge Ser­ver: Need for action for companies 

A few days ago it beca­me known that Micro­soft Exchan­ge email ser­vers were affec­ted by vul­nera­bi­li­ties (see e.g. the noti­fi­ca­ti­ons of the Ger­man BSI). In com­bi­na­ti­on, the­se vul­nera­bi­li­ties could be used for attacks, which appar­ent­ly took place wide­ly (Krebs on Secu­ri­ty): At least 30,000 orga­niz­a­ti­ons across the United

LfDI: Fine of EUR 1.24M against health insuran­ce com­pa­ny for sen­ding adver­ti­sing emails without consent 

The Sta­te Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on Baden-Würt­tem­berg (LfDI) has impo­sed a fine of EUR 1.24 mil­li­on on a health insuran­ce com­pa­ny (AOK Baden-Würt­tem­berg) (see media release). The LfDI iden­ti­fied a vio­la­ti­on of the GDPR in the fact that AOK, in the years 2015 to 2019, in the con­text of sweepstakes

Spain: GDPR fine against lawyer 

The Spa­nish data pro­tec­tion super­vi­so­ry aut­ho­ri­ty, the,has impo­sed a fine of EUR 2 000 on a lawy­er (ori­gi­nal deci­si­on in Spa­nish; Ger­man ver­si­on via DeepL). The lawy­er had sum­mo­ned ten­ants of an apart­ment buil­ding in the cour­se of pro­ce­e­dings. In doing so, he used docu­ments on the rever­se side of which per­so­nal data of other ten­ants was

DSK: Mini­mum pro­tec­tion of per­so­nal data when recei­ving and sen­ding e‑mails

The Ger­man Data Pro­tec­tion Con­fe­rence (DSK) has published gui­d­ance on mea­su­res to pro­tect per­so­nal data when trans­mit­ted by email (dated March 13, 2020). It exp­lains pro­tec­ti­ve mea­su­res wit­hin the mea­ning of Art. 5(1)(f), 25 and 32 GDPR that data con­trol­lers, but also pro­ces­sors and “public email ser­vice pro­vi­ders” must take when sending

DPO Austria: Lack of dou­ble opt-in pro­ce­du­re as a bre­ach of GDPR 32 

In a deci­si­on dated Octo­ber 9, 2019 (DSB-D130.073/0008-DSB/2019), the Austri­an Data Pro­tec­tion Aut­ho­ri­ty (DPA) deter­mi­ned that accord­ing to Art. 32 of the GDPR (data secu­ri­ty), a dou­ble opt-in pro­ce­du­re is man­da­to­ry for regi­stra­ti­ons on an online dating plat­form. The regi­stra­ti­on and a limi­ted use of the plat­form was pos­si­ble without dou­ble opt-in: It is cor­rect that the

BfDI: Fine of EUR 9.5 mil­li­on against a tele­com provider 

The Ger­man Federal Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on (BfDI) has fined tele­com­mu­ni­ca­ti­ons ser­vice pro­vi­der 1&1 Tele­com GmbH EUR 9.55 mil­li­on. From the media release: the BfDI had beco­me awa­re that cal­lers to the company’s custo­mer ser­vice depart­ment, sim­ply by giving their names, had been

EDPB: Gui­de­li­nes on Pri­va­cy by Design and Pri­va­cy by Default (draft).

The Euro­pean Data Pro­tec­tion Board (EDSA) has published draft gui­de­li­nes on Pri­va­cy by Design and Pri­va­cy by Default as defi­ned in Arti­cle 25 of the GDPR (Gui­de­li­nes 4/2019 on Arti­cle 25 Data Pro­tec­tion by Design and by Default), dated Novem­ber 13, 2019. The draft is avail­ab­le for consultation

Tele­Trust: “Sta­te of the art” handout 

Der deut­sche Tele­TrusT – Bun­des­ver­band IT-Sicher­heit e.V. hat eine „Hand­rei­chung“ zum sog. Stand der Tech­nik ver­öf­fent­licht. Der Stand der Tech­nik wird in Art. 32 Abs. 1 DSGVO als eines von meh­re­ren Kri­te­ri­en erwähnt, die bei der Bestim­mung der Ange­mes­sen­heit tech­ni­scher und orga­ni­sa­to­ri­scher Mass­nah­men zu berücksichtigen