Blog overview

A new Update DPIA on Zoom videoconferencing services by Privacy Company shows that Zoom has mitigated all known data protection risks for Dutch Education customers.

The Dutch Strategic Supply Management IBM (SLM Rijk IBM en Red Hat) as executed by the Tax and Customs Administration (Belastingdienst) commissioned an umbrella DPIA to be executed by Privacy Company on the IBM Cloud Pak for Business Automation as a Service (CP4BAaaS).

To consent or not to consent? Consent is perhaps the most well-known legal basis for the processing of personal data. However, it is important to understand that consent may not always be the optimal or even the necessary choice.

This blog addresses the question whether an EU processor who is subject to the GDPR is allowed to process special categories of personal data on behalf of a controller outside of the EU who is not subject to the GDPR. 

Which motivational strategies can you use within your organisation to equip colleagues with the necessary knowledge about what privacy-friendly working means.‍ How do you motivate and encourage employees to work privacy-consciously?‍

The Dutch Data Protection Authority (AP) is going to take enforcement actions against cookies, but what are the actual rules?

In the previous blog we discussed whether your organisation needs to appoint a Data Protection Officer (“DPO”) pursuant to the GDPR. In this blog we discuss whether you are obliged to appoint a DPO based on national legislation, even though you might not be required to appoint a DPO directly under the GDPR.

When do you need to appoint a DPO? To help your organization, we have created a flowchart that can help you decide. 

The question whether your organization needs to appoint a Data Protection Officer (“DPO”) should not be left unanswered, because being obliged to appoint a DPO and not doing so would lead to a violation of the GDPR. This blog will help you get the right answer.

Commissioned by the strategic vendor management for Microsoft, Google and Amazon Web Services at the central Dutch government (SLM Rijk), Privacy Company investigated the data protection and data transfer risks of the use of three key cloud services from Amazon Web Services Inc.

2022 again saw plenty of news for the privacy professional: from the Pegasus scandal in the Israeli surveillance industry, to rulings by regulators on Google Analytics, to the commotion surrounding the data-hungry and mandatory apps for visitors of the Qatar World Cup – 2022 was an eventful year in the world of privacy.

Pseudonymisation and anonymisation are often confused. Both techniques are relevant within the context of the GDPR.

‍At Privacy Company, we clearly notice a change in the type of work we do for customers since the General Data Protection Regulation (GDPR) came into effect. Organisations have often implemented the obligations and are now putting more effort into maintaining the level achieved. These include setting up a "Plan-Do-Check-Act" cycle for privacy and data protection or performing a Data Protection Impact Assessment (DPIA) on a new system or service (Article 35 GDPR). This blogpost deals with the latter obligation, and in particular with the publication of a performed DPIA. We will tell you all the reasons to make a DPIA public with some tips on how best to do this!

If you want to know how a service affects human rights, you have to perform a 'HRIA', a Human Rights Impact Assessment. The Dutch central government has already developed its own model to analyse the human rights impact of an algorithm, the IAMA model. Using this model, Privacy Company performed such an analysis for the Ministry of the Interior and Kingdom Relations (BZK) on the government's use of Facebook Pages.

Commissioned by the Dutch Ministry of the Interior and Kingdom Relations, Privacy Company investigated the data protection risks of the government's use of Facebook Pages. Facebook has been renamed Meta Platform Inc. in January 2022. Meta also has other applications, such as WhatsApp and Instagram, but this blog is only about Facebook Pages.

A plan, a colleague, a customer, The Hague WTC, more colleagues, GDPR in action, more customers, Christmas celebration at home in the living room, privacy management software, privacy by design framework, booklet, picnic in the park, privacy implementations, e-learning, templates for trade association, illness, woes and lots of support.

With the use of automation growing across industries, recruitment hasn’t been an exception. Yet while elsewhere it may lead to more efficient services or greater security, it is hardly a treat to have your job application rejected by an algorithm. If this is the case, which rights of the data subjects are affected? NOYB’s complaint against Amazon, submitted to the Luxembourg National Commission for Data Protection (NCDP), provides answers.

Microsoft offers several analytical and reporting functionalities with its Office 365 products. Microsoft Teams comes with “a new analytics and reporting experience” - in the words of Microsoft itself. This blog discusses one specific report in the Teams admin center: the user activity reports.

In March, the Ukrainian government began using Clearview facial recognition. The technology is presumably applied to spot Russian operatives in Ukraine, as well as identify Ukrainian victims of war and fallen Russian soldiers. Some may say this is right – all if fair in love and war. But is it?

At the end of March, the European Commission and the Biden administration made a surprising announcement: They had reached an agreement in principle (link: https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2087) about the resurrection of Privacy Shield. The Privacy Shield mechanism, which enabled the international transfer of personal data from the EU to self-certified companies in the US, had been invalidated in 2020 by the European Court of Justice (ECJ), which found the protection of personal data in the US to be insufficient. The ECJ had previously invalidated Privacy Shield’s predecessor Safe Harbour for similar reasons. Will this third attempt fail where the previous two did not?

New DPIA for SURF and Dutch government on Zoom: all high risks solved

New DPIA for the Dutch government and universities on Microsoft Teams, OneDrive and SharePoint Online

Since the arrival ofthe General Data Protection Regulation (GDPR), organisations have put theregister of processings in order, written procedures and checklists, ensured transparent information for those involved and made an effort to raiseawareness of the major issue of 'privacy' among employees. And now?

Upcoming IAPP training sessions will be on 1 & 2 November (CIPP/E) and 3 & 4 November (CIPM). This session will be tough by Anouk and Erwin in English in the Mindspace Krausenstraße. We have planned a nice surprise in order to welcome back the training participants. Privacy Company is looking forward to training days

Google has agreed to major privacy improvements for its Google Workspace for Education services for schools and universities in the Netherlands. After intense negotiations with representatives of the schools and higher education institutions in the Netherlands, Google has agreed to mitigate the high data protection resulting from the use of Google Workspace for Education. These risks were identified in a DPIA conducted by Privacy Company for two universities.

Almost half of the political parties in the Netherlands used tracking cookies on their own websites, which they used to target potential voters elsewhere on the Internet (microtargeting). With such tracking cookies, the parties usually process special personal data. This is only permitted with the explicit consent of those involved. But this is not the case, research by Privacy Company shows.

When publishing the new Standard Contractual Clauses the European Commission (hereafter: Commission) did something remarkable. The Standard Contractual Clauses (SCCs) are meant to enable the transfer of personal data from the European Union (EU), Norway, Iceland, and Liechtenstein (European Economic Area, EEA), to a country outside the EEA that does not guarantee an adequate level of protection to the data. By agreeing on additional safeguards, the exporter and importer can still process the data safely in the recipient country. The Commission has now unexpectedly changed the definition of international transfers. It is no longer the case that every transfer of personal data to a system outside the EU/EEA is qualified as an international transfer. Rather, a transfer only qualifies as an international transfer if the personal data will no longer be directly protected by the GDPR in the recipient (third) country. The Commission states that organisations may only use the SCCs if the GDPR does not already apply to the importer in the third country anyway.