{"id":9197,"date":"2024-09-18T11:35:20","date_gmt":"2024-09-18T09:35:20","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=9197"},"modified":"2024-09-18T13:45:05","modified_gmt":"2024-09-18T11:45:05","slug":"data-protection-digest-18092024-new-sccs-initiative-data-asset-deals-probabilistic-method-and-gdpr","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-18092024-new-sccs-initiative-data-asset-deals-probabilistic-method-and-gdpr\/","title":{"rendered":"Data protection digest 2 – 16 Sep 2024: New SCCs initiative, data asset deals, probabilistic method and GDPR"},"content":{"rendered":"\n

In this digest we look at the perception of the term privacy in the digital era, data protection measures when concluding \u201casset deals\u201d, the new SCCs initiative for international transfers from the EU, the probability method and data accuracy, and much more.<\/em><\/p>\n\n\n\n

Stay up to date! Sign up to receive our fortnightly digest via email.<\/a><\/em><\/p>\n\n\n\n

New SCCs initiative<\/strong><\/h4>\n\n\n\n

The European Commission started work on new SCCs for data transfer to third-country data importers, (controllers and processors), subject to the GDPR<\/a>. They will complement the existing clauses for data transfers to third-country importers not subject to the GDPR. Adopted in 2021, the latest set of SCC does not work for importers whose processing operations are subject to the GDPR under Art. 3, as they would duplicate and, in part, deviate from the obligations that already follow directly from the GDPR<\/a>.  Despite the Commission’s call for action three years ago, SCCs for those specific cases were not introduced, leaving organisations in legal uncertainty, (see Uber’s latest fine<\/a>). <\/p>\n\n\n\n

The adoption of the new SCCs is planned for the second quarter of 2025. <\/p>\n\n\n\n

Australia privacy reinforcement<\/strong><\/h4>\n\n\n\n
\"New<\/figure>
\n

<\/p>\n\n\n\n

The parliament introduced and held its first reading on the amendments to the privacy legislation<\/a> to introduce a range of measures, including expanding the Information Commissioner\u2019s powers, facilitating information sharing in emergencies or following eligible data breaches, requiring the development of a Children\u2019s Online Privacy Code, providing protections for overseas data transfers, introducing new civil penalties and criminal offences, (for a practice known as \u2018doxxing\u2019)<\/a>, and increasing transparency about automated decisions. <\/p>\n<\/div><\/div>\n\n\n\n

Data disclosure on a party to the contract<\/strong><\/h4>\n\n\n\n

<\/strong>The CJEU meanwhile explains the lawfulness of personal data processing in the performance of a contract,  to which the data subject is a party<\/a>. The case relates to a request of a partner seeking to obtain the contact details of other partners, (parties to the contract), with indirect shareholdings in an investment fund through a trust company. <\/p>\n\n\n\n

The CJEU ruled that disclosure would be justified only if the main subject matter of the contract could not be achieved if that processing were not to occur<\/a>. If such processing is also necessary for legitimate interests pursued by a controller or third party, it should be strictly necessary to achieve that purpose. While there is a legal obligation for a data controller, it should be foreseeable for those persons subject to disclosure, that the disclosure is proportionate, and meets an objective of public interest.<\/p>\n\n\n\n

Dark patterns advisory<\/strong><\/h4>\n\n\n\n
\"New<\/figure>
\n

<\/p>\n\n\n\n

The California Privacy Protection Agency issued an enforcement advisory on user interfaces that subvert or impair a consumer\u2019s autonomy, leading to a privacy-averse practice. Businesses should adopt clear and understandable language and offer consumers symmetrical choices<\/a> to avoid impairing and interfering with consumers\u2019 ability to make their choices. <\/p>\n<\/div><\/div>\n\n\n\n

More official guidance<\/h4>\n\n\n\n

Asset deals and data protection: <\/strong>The sale of a company can generally be carried out in two ways, either by transferring shares or by transferring assets and\/or economic goods, explains the German Data Protection Conference. While the data processing in the context of a “share deal” is possible without any problems, apart from audit procedures,<\/a> since only the shares in a company are transferred, the company otherwise continues unchanged as a data controller; the transmission of personal data in the context of an “asset deal” requires a differentiated approach in terms of data protection law<\/a>. Read the methodology of the latter case in the original paper (in German).<\/p>\n\n\n\n

\"\"<\/figure>
\n

<\/p>\n\n\n\n

How do you identify a person by phone? <\/strong>The common way is by asking to provide several personal details, such as their first name,  email address, username, etc. In this case, the more data is requested, the more likely it is to identify the person accurately, and at the same time, the greater the intrusion into the person’s privacy. Therefore, the organisation must observe proportionality in its activities. <\/p>\n<\/div><\/div>\n\n\n\n

A better practice would be using a key: a password previously agreed upon by both parties chosen by the customer<\/a>, or more sophisticated tools such as a secure electronic signature generator, explains the Latvian regulator.   <\/p>\n\n\n\n

Data subject notification upon a breach: <\/strong>People who are victims of a data breach often receive insufficient information from a data controller on what exactly happened, when and what information was leaked, and what they can do themselves to reduce the risks, states the Dutch regulator. Also, warning emails, even if sent within a legal time frame, sometimes lack an alarming title or introduction, with the risk that the recipient may simply not read the message. You can examine some recommendations, and sample notification texts, (in Dutch), here<\/a>. <\/p>\n\n\n

<\/div>\n
\n \n

\n Receive our digest by email <\/h2>\n

Sign up to receive our digest by email every 2 weeks<\/h3>\n \n
\n
\n
\n
\n
\n
\n
\n