GDPR

Estonian Information System Authority publishes Report on Risks and Controls for AI and Machine Learning Systems

Estonia’s Information System Authority released a report titled “Risks and Controls for Artificial Intelligence and Machine Learning Systems”. The report covers the history and applications of AI and provides practical controls to mitigate risks. Key topics include use cases, explainability, regulatory trends such as the EU AI Act, legal roles of stakeholders under GDPR, deployment models, and risk assessment. Section 8 offers a practical quick reference guide for organizations, detailing steps for identifying threats, applicable laws, and selecting controls.

Irish Data Protection Commission Published 2023 Annual Report

The Data Protection Commission (DPC) published its 2023 Annual Report, detailing significant actions and statistics. The DPC issued 19 decisions, resulting in €1.55 billion in fines, including €1.2 billion against Meta for data transfers to the US and €345 million against TikTok for child data processing violations. The report highlighted a 20% increase in new cases, totaling 11,200, and the DPC’s input on over 37 legislative proposals.

EDPB Statement on Financial Data Access and Payments Package

The European Data Protection Board (EDPB) adopted Statement 2/2024, addressing the European Commission’s proposals for Financial Data Access (FIDA), Payment Service Regulation (PSR), and Payment Service Directive (PSD3). The EDPB highlights the need for clear rules on recording and disclosing personal data, defines obligations for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), and emphasizes data protection, transparency, and minimization. Key recommendations include robust safeguards in transaction monitoring, defining ‘permission’ distinct from GDPR consent, and enhancing cooperation among supervisory authorities.

Latvian DVI Outlines Actions Post-DPO Appointment

The Latvian Data State Inspectorate (DVI) issued guidelines for organizations after appointing a Data Protection Officer (DPO). The guidelines emphasize informing the DVI of the DPO’s contact details, notifying citizens, updating changes, and reporting terminations. The DPO can be either DVI-certified or a knowledgeable professional, appointed via employment or outsourcing. Ensuring DPO availability during absences is crucial for continuous data protection compliance.

Advocate General Opinion on GDPR and Company Registers (Case C‑200/23)

Advocate General Medina addressed the interplay between EU data protection regulations and company law concerning the public disclosure of personal data in company registers. The case involves the refusal by Bulgaria’s Registration Agency to erase personal data from a company’s constitutive instrument, published in the commercial register. The AG emphasized that the agency must balance data protection rights with legal transparency obligations. The opinion underscored the need for procedural safeguards to protect personal data while ensuring necessary public access to company information.
