Blog overview

Information security and privacy go hand in hand. Both are necessary to keep your organisation and information safe and to ensure that you comply with laws and regulations. That is why PuraSec and Privacy Company are moving forward together in a joint venture. From now on, these two Dutch companies will offer a complete package of services for all your privacy and security questions.

In this blog, we discuss how Privacy Officers at Privacy Company help organisations find the right balance to contribute to the success of the organisation.

Is your organisation compliant with the new AI literacy requirements? In this blog we explore a subject that highlights the importance of AI literacy: AI hallucinations.

The CJEU ruling in Case T-557/20, SRB v EDPS, makes pseudonymisation relative to the data recipient, creating compliance uncertainties. Data may become anonymized for certain recipients, losing GDPR protection. This blog explores the implications for your organization and how to address them.

Extraterritorial fines, the introduction of the AI Act, and discussions on digital sovereignty are only some of the hot topics of 2024. Already forgot what happened last year? This blog will catch you up on the defining moments in data protection of 2024.

In a world where artificial intelligence (AI) is increasingly shaping our work and daily lives, AI literacy is becoming an essential skill. How can you or your organisation become AI-literate?

Ten years of pushing limits, breaking barriers and setting new privacy standards with a wonderful team, clients and partners. Frank Koppejan looks back and ahead on an incredible journey.

In light of the recent fine imposed on Clearview AI by the Dutch Data Protection Authority, this blog post discusses the extraterritorial scope of the GDPR and the difficulty of enforcing the GDPR extraterritorially.

It is not only in Europe that regulators are strict about the use of biometric data in facial recognition software. Recently, the state of Texas in the US secured the largest settlement ($1.4 billion). Namely, Meta had deployed facial recognition software that unlawfully captured and used biometric data of more than a million Texas citizens.

Google has developed a new privacyfriendly version of the Chrome operating system and Chrome browser for the Dutch education sector. According to new verification research by Privacy Company, Dutch schools can (continue to) use Chromebooks in a GDPR-compliant way, if they use this new version, and take the recommended measures.

New research from Privacy Company for SURF and SIVON shows that the Dutch education sector can (continue) to use Google Workspace for Education, if schools and universities take the recommended measures. Google has taken the agreed measures to mitigate the known high data protection risks.

Privacy Nexus is the privacy management software developed by Privacy Company. We asked Frank Koppejan how a consultancy firm came to develop its own software.

Welcoming new faces into your organization is essential, right? So, laptop and mobile phone? Check. Access to online onboarding? Of course. As a responsible employer, you want to ensure new employees feel warmly received, perhaps with a small gift upon entry. However, amidst the hustle and bustle of regulatory tasks, we sometimes forget something crucial: privacy and information security.

A new Update DPIA on Zoom videoconferencing services by Privacy Company shows that Zoom has mitigated all known data protection risks for Dutch Education customers.

The Dutch Strategic Supply Management IBM (SLM Rijk IBM en Red Hat) as executed by the Tax and Customs Administration (Belastingdienst) commissioned an umbrella DPIA to be executed by Privacy Company on the IBM Cloud Pak for Business Automation as a Service (CP4BAaaS).

To consent or not to consent? Consent is perhaps the most well-known legal basis for the processing of personal data. However, it is important to understand that consent may not always be the optimal or even the necessary choice.

This blog addresses the question whether an EU processor who is subject to the GDPR is allowed to process special categories of personal data on behalf of a controller outside of the EU who is not subject to the GDPR. 

The Dutch Data Protection Authority (AP) is going to take enforcement actions against cookies, but what are the actual rules?

Which motivational strategies can you use within your organisation to equip colleagues with the necessary knowledge about what privacy-friendly working means.‍ How do you motivate and encourage employees to work privacy-consciously?‍

In the previous blog we discussed whether your organisation needs to appoint a Data Protection Officer (“DPO”) pursuant to the GDPR. In this blog we discuss whether you are obliged to appoint a DPO based on national legislation, even though you might not be required to appoint a DPO directly under the GDPR.

When do you need to appoint a DPO? To help your organization, we have created a flowchart that can help you decide. 

The question whether your organization needs to appoint a Data Protection Officer (“DPO”) should not be left unanswered, because being obliged to appoint a DPO and not doing so would lead to a violation of the GDPR. This blog will help you get the right answer.

Commissioned by the strategic vendor management for Microsoft, Google and Amazon Web Services at the central Dutch government (SLM Rijk), Privacy Company investigated the data protection and data transfer risks of the use of three key cloud services from Amazon Web Services Inc.

Pseudonymisation and anonymisation are often confused. Both techniques are relevant within the context of the GDPR.

2022 again saw plenty of news for the privacy professional: from the Pegasus scandal in the Israeli surveillance industry, to rulings by regulators on Google Analytics, to the commotion surrounding the data-hungry and mandatory apps for visitors of the Qatar World Cup – 2022 was an eventful year in the world of privacy.

‍At Privacy Company, we clearly notice a change in the type of work we do for customers since the General Data Protection Regulation (GDPR) came into effect. Organisations have often implemented the obligations and are now putting more effort into maintaining the level achieved. These include setting up a "Plan-Do-Check-Act" cycle for privacy and data protection or performing a Data Protection Impact Assessment (DPIA) on a new system or service (Article 35 GDPR). This blogpost deals with the latter obligation, and in particular with the publication of a performed DPIA. We will tell you all the reasons to make a DPIA public with some tips on how best to do this!

Commissioned by the Dutch Ministry of the Interior and Kingdom Relations, Privacy Company investigated the data protection risks of the government's use of Facebook Pages. Facebook has been renamed Meta Platform Inc. in January 2022. Meta also has other applications, such as WhatsApp and Instagram, but this blog is only about Facebook Pages.