The ICO (the UK privacy regulator) has published draft guidance on the right of individuals under the GDPR to access their data. Key takeaways include: An acknowledgement that subject access requests can be burdensome, with a requirement to ‘make extensive efforts’ to locate and retrieve information and confirmation that a significant burden does not make … Read more
The Information Commissioner’s Office in the UK (ICO) has announced an investigation into the use of facial recognition technology following a string of high profile uses. Prior to the results of this investigation, companies using facial recognition technology should: undertake a balancing test to ensure proportionality in the use of such technology, acknowledging its intrusiveness; … Read more
A recent test DSAR has demonstrated companies’ differing approaches to DSAR compliance Despite the DSAR being made by a third party on behalf of the data subject, it is clear companies are uncertain regarding when or how they should ask for ID verification ICO guidance urges data controllers to be satisfied that any third party … Read more
Following on from the ICO’s recent admission around its cookie consent mechanism (for further details see our previous post here), the ICO website was down for a period of time at the end of last week. But now it is back and with a new and “improved” cookie consent mechanism (see here). Read more
The GDPR came into effect almost a year ago on the 25 May 2018. As the most significant reform of data protection law in Europe for over 20 years, the legislation raised expectations of a cultural shift in attitude to data privacy. A year on from the fanfare of implementation, this bulletin looks at key … Read more
On 15 April 2019, the Supreme Court granted supermarket chain Morrisons permission to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data in the first successful UK class action for a data breach. Permission was granted on all grounds of appeal and the Supreme Court will … Read more
Last week the Personal Data Protection Office (“UODO“) in Poland issued a €220,000 fine to a digital marketing company for breaching its obligations under Article 14 of the GDPR (i.e. to provide a privacy notice to individuals). The decision has some important practical implications for organisations, including that: the collection of publicly-available information from the … Read more
The revelations surrounding Cambridge Analytica’s use of personal data and involvement with the Vote Leave campaign raised serious questions about the use of personal data in the EU referendum campaign and more widely by technology companies in general. The subsequent investigation by the Digital, Culture, Media and Sport Select Committee (the “DCMS Select Committee“) has … Read more
The German competition authority, the Federal Cartel Office (“FCO“) last week announced the results of its investigation into Facebook for a novel abuse of dominance involving consent for its data collection. Whilst the full decision is not yet public, the FCO has published a background paper here. In short, the FCO found that Facebook had … Read more
