Lithuanian Data Protection Inspectorate’s rules on the implementation of data subject rights

The State Data Protection Inspectorate of Lithuania has published rules on the implementation of data subject rights under the GDPR provisions. Companies, institutions, other organizations and individuals that process personal data for business-related purposes will now have a tool to interpret their duties on the enforcement of data subject rights. The main aim of the publication is to help data controllers protect personal data collected and processed in the context of business and professional activities. The rules include clarifications on the exercise of data access and correction rights, on the erasure of data, on the limitations to data processing, on data portability, on the denial of consent to data processing and other related rights. An Annex to the rules provides additional information on the measures to implement the rules.

The original document containing the rules is available here (in Lithuanian)

The press release of the Lithuanian Inspectorate (in Lithuanian) is available here:

German BfDI publishes its report on freedom of information

On July 11, Andrea Voßhoff, the German Federal Commissioner for Data Protection and Freedom of Information, published her report on the implementation of freedom of information in Germany. This Activity Report is the 6th of its kind and covers the period 2016 and 2017. In this period, Federal Authorities received a total of 21,805 applications for access to official information under the Federal Government's Freedom of Information Act, exceeding the applications received during 2014/2015. According to the Federal Commissioner, this increase in the number of applications clearly shows that the right to access information has now become a tool for the exercise of citizens’ transparency rights.

Find the Annex to the BfDI press release for the 6th Activity Report on freedom of information here:

The Activity Report for the years 2016-2017 is available here:

UK ICO to fine Facebook £500,000 for two breaches of the Data Protection Act 1998

A £500,000 fine might be imposed on Facebook by the UK Information Commissioner’s Office (ICO) for the Cambridge Analytica scandal. Facebook founder Mark Zuckerberg revealed that the number of Facebook users whose data was misused without authorisation has grown from 50 million to 87 million. According to the ICO investigation, Facebook contravened UK privacy laws by failing to safeguard people’s information and by lacking transparency on the collection of personal data by third parties. The ICO proceeding is still ongoing and Facebook will soon respond to the allegations with the submission of a memoire. On the Facebook – Cambridge Analytica scandal, both the CIA and the FBI have announced their own reports, which will be submitted by the end of July.

The Cambridge Analytica scandal is mentioned on page 14 of the ICO report issued on July 11

European Parliament Threatens Suspension of Privacy Shield

On July 5, the European Parliament adopted a non-binding resolution recommending the suspension of the EU-U.S. Privacy Shield as an approved framework for transferring personal data from the EU to the U.S. if the U.S. is not fully compliant with the program by September 1, 2018.

The Privacy Shield is an agreement between the U.S. and EU allowing businesses to transfer personal data to the U.S. from the EU in compliance with EU data protection requirements. The Privacy Shield is necessary because the European Commission has previously determined that the United States’ existing privacy laws do not provide an adequate level of data protection as required by EU data protection laws. The inadequacy determination notwithstanding, the Privacy Shield is one of several approved and lawful bases for transferring data between the U.S. and the EU. Without one of these lawful bases, the European Parliament has determined that data transfers between the U.S. and EU are not sufficiently protected and violate EU and member-state laws.

Find out more on this topic here

Italian Personal Data Protection Authority presents the Report on the activities carried out in 2017

On July 10, the Italian Personal Data Protection Authority presented the Report on its activities carried out in 2017. The Report contains an analysis of the implementation of privacy legislation in Italy. Additionally, it sets out the directions in which the Authority intends to move, with the aim of ensuring more effective protection of personal data and of responding to the challenges posed by new economic models based on data exploitation and the increased need to protect people's fundamental rights. Among the main actions undertaken by the Authority in 2017 are the consolidation of the protection of personal data through transparency and the fight against cyberbullying. In particular, the latter has been developed by fostering measures and procedures for the removal of offensive content from the web and allowing the activation of a timely intervention network. The application of the EU GDPR is described in detail in the Report. It is worth noting that the Italian DPA has consistently worked with peer EU Authorities in the elaboration of important guidelines. Concerning its supervisory activities, the Authority lists the investigations on a number of dossiers and on data breaches. Finally, the Report elaborates on the need for transparency in Public Administration procedures and in the health sector. The Italian DPA celebrates its twentieth year of activity in 2018.

The report is available, in Italian, here