non-for-profit

Data protection digest 17 – 31 Oct 2024: clinical research service providers, non-for-profit, commercially available AI

Non-for-Profit

Updated privacy guidance for not-for-profit has been released by the Office of the Australian Information Commissioner. It includes a discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors. For instance, when entering into arrangements with third parties, your non-for-profit should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your non-for-profit and the wider community, (donors, volunteers, and people who engage with the sector as clients and staff). It is important to read the terms of your agreement carefully, conduct periodic reviews, and ensure the third party deletes any personal information at the end of the contract term. 

Stay up to date! Sign on to receive our fortnightly digest via email.

Consent management in Germany

On 17 October the Bundestag approved the regulation that introduces recognised consent management services to manage decisions made by end users regarding consent or non-consent to a digital service provider, thus relieving them of some of the burden, (of individual decisions that have to be made with cookie consent banners). The integration of recognised consent management services by providers of digital services is voluntary. It now has to be approved by the government and officially published to come into effect. The original regulation, (in German), can be read here.

Clinical research organisations (CROs)

non-for-profit

The French CNIL has approved a Code of Conduct intended for clinical research organisations and other service providers ,(CROs), who act as processors on behalf of sponsors. It brings an operational dimension to the requirements of the GDPR. It is supported by the non-for-profit European Clinical Research Federation (EUCROF) and is mandatory for those who adhere to it

Among the services offered by CROs that may be covered by the code are the design of the protocol, the selection and contracting with the investigator centers, the collection and hosting of data, their analysis and the production of reports, or archiving or technical support services.

Other legal updates

NIS2 directive takes effect: New regulations to improve the cybersecurity of the EU’s vital networks and entities, (“NIS2”), should have been incorporated into national legislation by the October 17 deadline. According to a DLA Piper analysis, although some Member States such as Croatia, Hungary and Belgium have transposed the directive into national legislation, the majority of EU countries do not yet have the relevant implementing legislation and necessary guidelines for organisations in place. 

Sanction lists: The Swedish IMY has drawn up new regulations that make it permissible for certain companies to handle personal data about violations of the law without seeking permission from the regulator when, among other things, checking their customers against various sanction lists. In particular, companies that operate in the financial sector as well as in the security and defence market may need to check their customers, suppliers and employees, to comply with international export restrictions, and against money laundering and the financing of terrorism.  

Lawful collection of criminal records: The Danish data protection authority investigated Parken Services A/S’ procedures for obtaining information in the recruitment process. In particular, it obtains copies of passports and criminal records from applicants. The regulator found this processing lawful taking into account the special circumstances that apply to Parken Services A/S as an employer, including the very large number of people employed by the company, and the very special risk profile associated with a company servicing large sporting and entertainment events, especially concerning terrorism and crime

Worker transfers data to private account without permission

An Ius Laboris law blog post analyses the recent case in the Netherlands where an employee was dismissed because he sent 791 documents from his employer’s server to his personal Dropbox account, shortly after he was told that his fixed-term employment contract would not be extended. The employer had an IT policy that stated that employees could not make copies of the employer’s data or store information from the employer in personal locations.

Additionally, the employer had recently sent an email to all employees reminding them that they were not allowed to take any documents or property from the employer with them at the end of their contract. Read more discoveries of the case in the original publication

Commercially available AI

The Office of the Australian Information Commissioner has also issued new AI guidance. AI products should not be used simply because they are available, it says. Robust privacy governance and safeguards are essential for businesses to gain any advantage from AI and build trust and confidence in the community. Similarly, during AI model training, it must be carefully considered whether this will involve the collection, storage, use or disclosure of personal information, either by design or through an overly broad collection of data for training. Do this early in the process to help mitigate any privacy risks. Personal information is a broad category, and the risk of data re-identification needs to be considered. 

More official guidance

Mobile apps design: Apps often ask for permissions that they don’t need to function properly, (geolocation, contacts, camera or mic). It is recommended to accept only those strictly necessary for the function of the service. Apps also collect data about your behaviour, such as which web pages you visit, how long you spend in an app, or which features you use most often. This information may be used for ad personalisation, but you can limit or disable it in the privacy settings of your account. It is also recommended to use temporary accounts or alternate email addresses that are not linked to sensitive data

Learning environments: The Estonian regulator emphasized the obligation of educational institutions and their learning environments to maintain the appropriate technical and organisational measures. This includes reviewing the documents and personal data entered into online environments and their retention periods, creating a system for monitoring data retention periods and deleting data at the end of a period, and ensuring that employees are informed of data protection conditions. 

It is also important that the data can be partially deleted so that it does not prevent the further processing of other data, (eg, making the data non-personal and storing it for archiving, scientific and historical research or statistical purposes). 

Work emails backup: The Italian Garante fined a company 80,000 euros for carrying out backups during the employment relationship. The complaint was filed by a commercial agent who realised that the company, during their collaboration, used software to back up emails, preserving both their contents and access logs to the emails and the company management system. The information collected was then used by the company in litigation. This also allowed the company to reconstruct the collaborator’s activity, thus incurring a form of control prohibited by the workers’ statute.

Receive our digest by email

Sign up to receive our digest by email every 2 weeks

More enforcement decisions

LinkedIn fine: The Irish Data Protection Commission fined LinkedIn Ireland 310 million euros. The inquiry examined LinkedIn’s processing of personal data for behavioural analysis and targeted advertising of users who have created LinkedIn profiles. LinkedIn did not validly rely on consent to process third-party data of its members for behavioural analysis and targeted advertising. Similar validity issues applied to the legitimate interest and contractual processing of first-party personal data. 

Health data breach: The New York Attorney General secured 2.25 million dollars from a health care provider AENT for failing to protect the medical data of 200,000 New York patients. AENT failed to adequately monitor the third-party vendors responsible for their cybersecurity functions. As a result, those vendors did not install critical security software updates promptly, adequately log and monitor network activity, properly encrypt consumers’ private information before and after any attacks, utilise multi-factor authentication for all remote access, or otherwise maintain a reasonable information security program. Finally, AENT’s data storage devices continued to host unprotected private information months after two ransomware incidents occurred. Read more insights on massive health data breaches in the US here.

Pinterest: Privacy advocacy group NOYB filed a complaint against the social media platform Pinterest, including its visual mood board used for finding ideas and inspiration. Advertisers, on the other hand, use the platform to push their products to consumers. Pinterest’s business model is also based on personalised advertising and the associated user tracking. The platform allegedly uses people’s data without asking for their consent.

Pinterest claims to have a legitimate interest and enables tracking by default

Data security

Ransomware: In 2023, there were more ransomware attacks in the Netherlands than previously. The AP counted at least 178 successful attacks. The number of affected organisations runs into hundreds. Millions of people’s data were affected, from emails and phone numbers to copies of passports, bank account numbers, and passwords. The AP notes that while cybercriminals sometimes target one specific company in a certain sector, they also regularly attack IT suppliers that manage data on behalf of a range of companies from all sectors. 

Google Analytics: The Saxony Data Protection Commissioner discovered the illegal use of Google Analytics on 2,300 out of the 30,000 websites it examined, (compliance improved significantly throughout the inspections). Data was collected without the visitors having previously consented to the setting of analytics cookies and/or the establishment of server connections to Google Analytics. A significant number of consent banners often did not do what the settings promised users. Services were executed and cookies were set even though the settings indicated “off”. Many of the website administrators were unaware of this. 

Mobile surveillance: The Krebs-on-Security law blog reports on a recent ad data surveillance case. The Delaware-based Atlas Data Privacy Corp. invoked a lawsuit against Babel Street, a technology company that allows customers to use a real-time finder at and around nearly any location on a map of the world, and view a time-lapse history of all mobile devices seen coming in and out of the specified area.

Babel Street consumes location data and other identifying information, (built into all Google Android and Apple mobile devices), that is collected by many websites and makes this available to dozens and sometimes hundreds of ad networks that may wish to bid on showing their ad to a particular user, the analysis states. 

Do you need support on data protection, privacy or GDPR? TechGDPR can help.

Request your free consultation

Tags

Show more +