ICO publishes its Code of age appropriate design for services aimed at or used by children


The ICO have now published their final version of their Age Appropriate Design Code of Practice for Online Services. The Code is a statutory one in the sense the ICO are obliged by law to produce it. In terms of enforcement action, the ICO could use the Code against any applicable service, if they do not …


DSG Retail Ltd fined £500k under DPA1998 for security failings


DSG Retail Ltd (who trade as Currys PC World and Dixons) have been fined £500k by the ICO for a number of serious data security failings which led to malware scraping credit card details from POS systems in their stores and unlawful access to customer database records. The infringement happened pre-GDPR so the ICO has …


ICO consults on draft direct marketing code of practice


On 8th January 2020 the Information Commissioner’s Office (ICO) launched a consultation on their draft direct marketing code of practice. The Code itself will replace the existing direct marketing code and guidance around the application of the Privacy and Electronic Communications Regulations (PECR) which set the rules on marketing consent and how GDPR’s new rules …


Pharmacy receives ICO’s first GDPR fine (£275k)


A pharmacy in London has become the first organisation to receive a GDPR fine in the UK from the Information Commissioner’s Office (ICO). The fine of £275,000 relates to security failings in the pharmacy’s data practices after the ICO was tipped off by the MHRA (Medicines and Healthcare products Regulatory Agency) who were conducting their …


Model clauses for EU-US transfers provide sufficient protections says non-binding decision


If you’ve followed the challenges to EU data protection legislation by privacy activist Max Schrems, you’ll have heard about his most recent challenge: that the EU standard contract clauses (which allow, by legal contract, for non-EU transfers of data) are not adequate in protecting EU Facebook data, when that data is transferred …


German data protection regulator issues €9.5m fine for security failings


The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has issued 1&1 Telecom with a €9,550,000 fine for security failings (English translation) in its customer services department. BfDI found that 1&1 had not put in place appropriate organisational and technical measures (Article 32 of GDPR) to ensure customer data was protected after it discovered …


Did you think the ePrivacy Regulation was dead? Think again


Back in the months leading up to GDPRmaggedon there was talk of a new ePrivacy Regulation that would replace PECR in the UK and streamline cookie and electronic marketing rules (along with some other stuff) and that this would come into force at the same time as GDPR, making a tidy transition to a new GDPR …


ICO publishes new guidance on special category data


The ICO have published new guidance on the processing of special category data. Special category data is data considered to be more sensitive and therefore requiring extra protection. This includes data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (when used for ID purposes), …


Third EU review of Privacy Shield confirms continued adequacy


The EU-US Privacy Shield decision was adopted in 2016. It protects the personal data rights of EU citizens when their data is processed by US organisations that have signed up to the scheme. This is one of the ways that data can flow outside the EU to the US (the other being via standard contract clauses) …
