Privacy Company Blogs

Since the arrival ofthe General Data Protection Regulation (GDPR), organisations have put theregister of processings in order, written procedures and checklists, ensured transparent information for those involved and made an effort to raiseawareness of the major issue of 'privacy' among employees. And now?

Upcoming IAPP training sessions will be on 1 & 2 November (CIPP/E) and 3 & 4 November (CIPM). This session will be tough by Anouk and Erwin in English in the Mindspace Krausenstraße. We have planned a nice surprise in order to welcome back the training participants. Privacy Company is looking forward to training days

Google has agreed to major privacy improvements for its Google Workspace for Education services for schools and universities in the Netherlands. After intense negotiations with representatives of the schools and higher education institutions in the Netherlands, Google has agreed to mitigate the high data protection resulting from the use of Google Workspace for Education. These risks were identified in a DPIA conducted by Privacy Company for two universities.

Almost half of the political parties in the Netherlands used tracking cookies on their own websites, which they used to target potential voters elsewhere on the Internet (microtargeting). With such tracking cookies, the parties usually process special personal data. This is only permitted with the explicit consent of those involved. But this is not the case, research by Privacy Company shows.

When publishing the new Standard Contractual Clauses the European Commission (hereafter: Commission) did something remarkable. The Standard Contractual Clauses (SCCs) are meant to enable the transfer of personal data from the European Union (EU), Norway, Iceland, and Liechtenstein (European Economic Area, EEA), to a country outside the EEA that does not guarantee an adequate level of protection to the data. By agreeing on additional safeguards, the exporter and importer can still process the data safely in the recipient country. The Commission has now unexpectedly changed the definition of international transfers. It is no longer the case that every transfer of personal data to a system outside the EU/EEA is qualified as an international transfer. Rather, a transfer only qualifies as an international transfer if the personal data will no longer be directly protected by the GDPR in the recipient (third) country. The Commission states that organisations may only use the SCCs if the GDPR does not already apply to the importer in the third country anyway.

Just before the third anniversary of the GDPR, the Data Protection Authorities in the EU (united in the EDPB) have approved two codes of conduct for cloud providers, see opinions 16/2021 and 17/2021. The CISPE Code of Conduct (for cloud infrastructure providers) and the EU Cloud Code (for all types of cloud providers) could, in theory, provide an enormous privacy boost. But unfortunately, the agreed rules are of little consequence. The Cloud Code does not offer a solution for the major privacy risks for European customers of(mainly) US American cloud providers, when it comes to purpose limitation,transparency, legal ground and data minimisation. The Code of Conduct thus somewhat resembles the promises of the food industry to for example reduce the added sugars and salts in prepared food. The Global Food Research Program of the University of North Carolina pointedly summarises this as ‘Industry Self-Regulation: Empty Pledges’.

Commissioned by the Ministry of Justice and Security, Privacy Company investigated the privacy risks of G Suite Enterprise, with work and communication apps such as Gmail, Chat, Meet, Forms, Docs and Slides. Meanwhile, Google has renamed these services into Google Workspace.

Mid February 2021 Brussels took a step forward in the process to modernise the existing rules on cookies, spam and the confidentiality of digital communications. After more than 2.5 years of haggling, the representatives of the EU Member States have reached a compromise on the new ePrivacy Regulation. But this does not yet mean that there is a new law in Europe.

Due to the Brexit, companies cannot make use of their UK office as their European point of contact for privacy affairs anymore. In absence of another base inside the EEA, those companies are required to designate a GDPR Representative from December 31, 2020 onwards.

On 16 July 2020, the European Court of Justice declared the Privacy Shield invalid. The protection of rights and freedoms of European citizens is therefore not sufficiently guaranteed. The Standard Contract Provisions (SCC) for the transfer of personal data to third countries remain valid.

On behalf of the Ministry of Justice and Security, Privacy Company has analysed the data protection risks of the use of Microsoft's corporate Intune service. We identified five low data protection risks. With the Ministry's permission we are publishing the findings about Intune in this blog.

On behalf of the Ministry of Justice and Security, Privacy Company conducted a repeat assessment of the privacy risks of the browser version of Microsoft Office 365, and the Office apps for iOS and android mobile phones. We identified six high, and three low data protection risks. With the Ministry's permission we are publishing the findings of the DPIA in this blog.

Functioning as a local contact point, the Representative facilitates smooth communication between the organisation, supervisory authorities and data subjects. However, in case of a data breach, who should exactly report the breach and who should communicate with data subjects still seems to be open for interpretation.

Privacy Company has sent an open letter to European Commissioner Didier Reynders with ten proposals to make compliance with the GDPR easier. Some of these suggestions correspond to the proposals of the joint German data protection authorities and the Dutch government. The GDPR works well, but we see opportunities to improve the effectiveness of supervision and to strengthen support for compliance with the privacy rules. This blog is also available in Dutch.

The Dutch Ministry of Justice and Security has issued a European tender for the performance of Data Protection Impact Assessments (DPIAs) on software and cloud services. We are proud to announce that the tender has been awarded to Privacy Company!

Microsoft will improve its privacy terms worldwide. From the beginning of next year, improved privacy terms will apply, which according to Microsoft are based, among other things, on the conditions that the Dutch government negotiated for its employees this spring.

‍Every German organisation offering its services online must display an imprint on their website. This applies if the website pursues a commercial interest, e.g. operates an online shop, but also if services or journalistic content are offered via the website. This is even the case if the website solely places advertisement – as a result, even a private blog with advertising banners on the site must have an imprint. This is because customers who buy goods or services over the internet should have the possibility of being able to turn directly to the right contact person in case of an issue.

With the possibility of a hard Brexit, it is now high time to take measures to ensure that your data remain protected when they are processed or stored in the UK. This blog describes five ways to continue to comply with the GDPR.

In the first half of 2018, the second Payment Service Directive came into force (PSD2), and few months later the General Data Protection Regulation became applicable (the GDPR) Within this article the relationship between PSD2 and the GDPR is discussed, as well as the way in which fintech business activity affects processing of personal data of users of payment services.

Over one hundred representatives of public institutions all over Europe gathered in The Hague on 29 August 2019 for the first EU Software and Cloud Suppliers Customer Council meeting. They discussed plans for keeping control over the digital infrastructures provided by hyperscale cloud suppliers like Amazon, Google and Microsoft. The council’s aim is to collectively create standard terms and conditions that hyperscale providers must accept in collaborative procurements of cloud and software services.

Article 28(8) of the General Data Protection Regulation (GDPR) sets the option for national supervisory authority to issue the standard contractual clauses for the matters regarding data processing agreements between data controllers and data processors. In the event a supervisory authority decides to undertake such a task, it is required to compile a draft of the decision on the adoption of standard contractual clauses, and thereupon notify the European Data Protection Board (EDPB) on the fact. Subsequently, the EDPB provides its opinion on the matter. The purpose of this opinion is to contribute to a harmonised approach regarding cross border processing or processing that might affect the free flow of personal data and the consistent application of the GDPR.

‍If you take a look at the 10 steps that the Dutch Data Protection Authority has drawn up to help organisations prepare for the GDPR, creating awareness is the number one step. This is understandable, because it is crucial to create awareness among employees if you, as an organisation, want to get a grip on the subject – and not only what this subject encompasses, but also what it means for your organisation. In this blog post, I will explain how you can tackle such an “awareness campaign”!

‍On behalf of the Dutch Ministry of Justice and Security, Privacy Company has investigated the privacy risks related to the use of Microsoft Windows 10 Enterprise, Office 365 ProPlus and Office Online, as well as the mobile Office apps. With the Ministry’s permission, we are publishing two blog posts about our findings: this log blog post as well as a short blog post. For questions about the research, please contact SLM Rijk (Strategisch Leveranciersmanagement Microsoft Rijk), which can be contacted via the Ministry of Justice’s press spokesperson, +31 (0)70 370 73 45.

‍On behalf of the Dutch Ministry of Justice and Security, Privacy Company has investigated the privacy risks related to the use of Microsoft Windows 10 Enterprise, Office 365 ProPlus and Office Online, as well as the mobile Office apps. With the Ministry’s permission, we are publishing two blog posts about our findings: this short blog post as well as a long blog post. For questions about the research, please contact SLM Rijk (Strategisch Leveranciersmanagement Microsoft Rijk), which can be contacted via the Ministry of Justice’s press spokesperson, +31 (0)70 370 73 45.

‍After Facebook announced Libra as a new cryptocurrency, many discussions started regarding definition of a blockchain and various regulatory obstacles for cryptocurrencies. This article gives perspective on regulatory definition of blockchain technologies and regulatory challenges when it comes to personal data protection.

‍At Privacy Company, we clearly notice a change in the type of work we do for customers since the General Data Protection Regulation (GDPR) came into effect. Organisations have often implemented the obligations and are now putting more effort into maintaining the level achieved. These include setting up a "Plan-Do-Check-Act" cycle for privacy and data protection or performing a Data Protection Impact Assessment (DPIA) on a new system or service (Article 35 GDPR). This blogpost deals with the latter obligation, and in particular with the publication of a performed DPIA. We will tell you all the reasons to make a DPIA public with some tips on how best to do this!

"We are 100% compliant”, we sometimes hear - even though describing what this means in theory is a big task, and achieving it in practice is even more difficult. Thinking that you are 100% compliant can be a pitfall, because acting in accordance with the applicable privacy laws and regulations is a continuous process and not a one-off procedure.

In close partnership with the world's largest association of privacy experts, the International Association of Privacy Professionals (IAPP), Privacy Company will offer data protection training and certifications in German and English starting in May 2019.

According to the Dutch Data Protection Authority (DPA), the tracking of people in (semi) public areas via their mobile device - or wifi tracking - is in very few cases allowed under strict conditions (Dutch). The MAC address of a device is processed within the WiFi tracking technology. A MAC address is a personal data at the time this is combined with other (personal) data that can be traced to a person. This traceability is possible via the observed location data of the mobile phone. This involves processing personal data and the General Data Protection Regulation (GDPR) applies. The previous blog post addressed the question of what conditions the GDPR imposes on organisations for carrying out WiFi tracking. This blog explains how organisations should take privacy into account when designing tracking techniques, such as WiFi tracking, based on the principle of Privacy by Design.

‍The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) published its first newsletter for Data Protection Officers (DPOs) on the 31st of January. The newsletter briefly discusses a misunderstanding regarding the Data Protection Officer (hereinafter: DPO).

On the 23rd of January, the European Committee determined the adequacy decision with Japan. This means that Japan has an equivalent level of personal data protection as under the General Data Protection Regulation (GDPR). An equivalent data protection level does not mean that it is an equal level of data protection as under the GDPR. The basic principle is that the standards used by the relevant country ensure a sufficient level of protection of personal data.

Many of you might still remember the days where the only way of accessing the data of your organisation was through devices supplied by the organisation itself or through fixed workstations in the office. However, today more and more of this data actually resides in a ‘digital cloud’ and is accessed via an employee’s own device. Because it’s easy; shifting from on-premises platforms to cloud-based file-sharing. And in addition to just being easy, this approach offers a lot of benefits. By keeping data in a cloud, and off devices, an organisation limits the potential of a data breach in the scenario a device is lost or stolen. And when good access management is in place, access to data can easily be blocked. Additionally, it gives employees freedom. Freedom to use their devices in the way that they please. The enormous benefits of this kind of freedom would hardly be necessary to explain.

‍As the volume and complexity of data processings is becoming ever more challenging in today’s data-driven world, privacy management software offers the ideal solution. Because by automating privacy management activities, you should be able to mitigate risk, build accountability, and aim ongoing compliance. It's development, however, doesn't stand still. And, as it increasingly makes the lives of privacy professionals easier, many seem to wonder: 'what else does it hold in store for me?'

In December 2018, the Dutch Data Protection Authority clarified that counting the number of visitors in (semi) public areas using tracking technologies is only permitted under very strict conditions (in Dutch). As a result of this report, a number of municipalities have temporarily suspended WiFi tracking in the city centre. A tracking company has also announced that it will stop offering WiFi tracking as a service. Early January, a municipality tracking visitors via WiFi picked up this practice again.We explain why the General Data Protection Regulation (GDPR) applies to WiFi tracking, what this has to do with the roles of Controller and Processor, and on which grounds organisations can appeal if they want to use WiFi tracking.

Privacy Nexus is an easy-to-use data protection management software that helps companies make data protection efficient and simple. Our Software-as-a-Service (Saas) is continuously developed and improved by our in-house developers. In January, we unlocked the following features:

‍While the general impression among organisations is that the GDPR has had a slow start since it coming into effect on May 25, 2018, it seems like several European Data Protection Authorities have been having some fines in the making: Tech giant Google was hit this week with a recordsetting fine of 50 million Euros for GDPR violations related to user consent.

What is the greatest risk of privacy incidents in the workplace? The human! Lost USB sticks, unauthorized viewing of files, or sending an e-mail incorrectly are part of the daily routine of organisations. Fortunately, privacy awareness is therefore high on the agendas of Privacy Officers and DPOs. Unfortunately, people often mistakenly think too easily about it. Privacy awareness is about realizing behavioral change, and that is a complex challenge. In this blog you will find an explanation of how you can use your privacy awareness to steer initiatives towards behavioural change.

The French data protection authority (CNIL) has announced that it has imposed a record fine of € 50 million on Google for violating the GDPR today.

Privacy Company recently celebrated its fourth anniversary. From a rough idea to a company with international presence and more than forty fantastic people. In this blog I will share four of my key learning points.

‍Many Dutch websites have not set up Google Analytics in a privacy-friendly way and therefore violate the law by tracking users without consent. This is evident from a quick inspection that I have done on cookies on 11,309 Dutch websites. This shows that 3,186 websites with Google Analytics have linked these cookies to the Google Doubleclick advertising network. As a result, website visitors can receive targeted advertisements outside of the website. And that is only allowed if the visitors have given separate consent for this.

‍On behalf of the Ministry of Security and Justice, Privacy Company carried out a DPIA on DPIA on Microsoft Office ProPlus (Office 2016 MSI and Office 365 CTR). With permission of the Ministry, we publish this blog about the findings.

The free and open web is a place full of opportuities, but also a place full of real challenges. That is why Tim Berners-Lee launched the campaign “Contract for the Web”

Two-factor authentication, or 2FA as it is commonly abbreviated, is a basic log-in procedure that is based on two factors. Hence the name. One factor can be a username and password.

On the 13th of October, Privacy Company celebrated its four year anniversary

For many businesses and organisations, spreadsheet software is the starting point for privacy management. It’s an application that easily lets you organise, analyse and store data in tabular form, it’s been around since the late 80’s and there are numerous tutorials to help you master it. But while spreadsheet software such as Excel might be a great place to start your privacy management, it does have its limits. So here’s four signs that spreadsheet software might no longer be the right tool for your privacy management.

In Privacy Nexus, you can use the new Incidents & Data Breaches module, specially designed for privacy and security professionals who deal with this in daily practice. With the module, you can easily and quickly meet the strict requirements that are set for the registration of data leaks in an organization.

The GDPR is at the heart of our team's work. This means that we work with it on a daily basis, analyse the texts, understand the obligations and, in particular, translate them into practical tools for our customers. Which article do our colleagues prefer to work with? How do we help our customers to implement the articles? In this blog series our team is talking, each about one specific article. Today, the blog post is discussing the principles of Privacy by Design & Default and the obligation to create a register of processing activities!

The GDPR is at the heart of our team's work. This means that we work with it on a daily basis, analyse the texts, understand the obligations and, in particular, translate them into practical tools for our customers. Which article do our colleagues prefer to work with? How do we help our customers to implement the articles? In this blog series our team is talking, each about one specific article.

In strong partnership with the renowned law firm BDV Legal, Privacy Company Croatia will from now on deliver the practical and qualitive services our customers appreciate so much. From the Zagreb office, we are able to assist clients in the neighbouring countries of Slovenia, Serbia, Montenegro, and Bosnia and Herzegovina, thus bringing broader presence to the region. For Privacy Company, this step marks an important moment in its approach to become a leading European provider of privacy services.

The GDPR is at the heart of our team's work. This means that we work with it on a daily basis, analyse the texts, understand the obligations and, in particular, translate them into practical tools for our customers. Which article do our colleagues prefer to work with? How do we help our customers to implement the articles? In this blog series our team is talking, each about one specific article.

On the 18th of June, Transvision B.V. in Capelle aan den IJssel, Netherlands, received the first Privacy Maturity Certificate by Privacy Company. Independent testing by auditors of Accoris Audit Services B.V. has shown that Transvision handles personal data responsibly. With the quality mark, Transvision can now also make this visible to its customers and suppliers and distinguish itself in the area of privacy.

The General Data Protection Regulation (GDPR) contains a number of new obligations compared to the previous legislation. Since May 25, 2018, organizations have to ensure they comply with these requirements. An important question is: how?

The General Data Protection Regulation describes a number of roles in the data processing process, including the role of Data Protection Officer. The Data Protection Officer is also referred to as the DPO. A DPO is an internal or external supervisor of compliance with the privacy ordinance within an organisation. This blog post addresses the question of when the GDPR really does require a DPO.

Good news! Since the end of May, Facebook offers a data processing agreement for its advertising service Custom Audiences! But is the use of this service now privacy proof, and may organisations now use this service without the consent of their customers and visitors? Unfortunately, the answer is not yet clear.

Yes, I do. Anyone who wants to have sex with someone in Sweden needs explicit permission since July 2017. Proceeding without an explicit "yes, I do" can quickly lead into legal trouble.

In the blog series The 7 biggest misunderstandings about the GDPR, we settle the 7 most common misunderstandings. This week we are dealing with covenants.

Officially, the GDPR speaks of a Data Protection Impact Assessment (DPIA). However, PIA and DPIA are used interchangeably, although PIA is the best known abbreviation.

The Data Protection Officer (DPO) is often mentioned in the same breath when talking about the General Data Protection Regulation (GDPR). The GDPR stipulates that the appointment of a DPO is compulsory in some cases, but it is a misunderstanding that a DPO is compulsory for all companies. It is also not true that a DPO is only mandatory for large organisations. In this blog you will find out everything about the DPO.

In the blog series The 7 biggest misunderstandings about the GDPR, we settle the 7 most common misunderstandings. This week we are dealing with the register of processing operations.

In the blog series "The 7 biggest misunderstandings about the GDPR" we settle the 7 most frequently heard misunderstandings. The last blog post explained that the General Data Protection Regulation (GDPR) applies to the processing of personal data. But when we talk about pseudonymised data, many people think that the GDPR does not apply. This is a misunderstanding.

In the blog series "The 7 biggest misunderstandings about the GDPR" we settle the 7 most frequently heard misunderstandings. One of the key concepts in the General Data Protection Regulation (GDPR) is ‘personal data’. There are often misunderstandings about this concept. It is not only about names, but also about privacy-sensitive information. In this blog we explain what a personal data is.

There are still many myths and fairytales about the GDPR. In this blog series we deal with the 7 most frequently heard misunderstandings.

Carolin wrote a guest article on the EU Money Laundering Directive for the German publication Netzpolitik.org. Click here to get to the article.

If you process personal data as an organisation, it is often mandatory under the General Data Protection Regulation (GDPR) to keep a record of processing activities. A misunderstanding that exists among a lot of people is that the obligation of a record of processing activities only applies to bigger companies. This is not true. Also smaller organisations need to comply with this obligation.

On 1 January 2020, in California, USA, the new California Consumer Privacy Act (CCPA) enters into force. This law obliges large businesses to offer an opt-out to their users for the selling of personal information to third parties. But what does 'selling' mean? To whom does the law apply, should businesses in Europe care?