{"id":9918,"date":"2024-12-18T10:37:58","date_gmt":"2024-12-18T09:37:58","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=9918"},"modified":"2024-12-18T14:20:13","modified_gmt":"2024-12-18T13:20:13","slug":"data-protection-digest-18122024-dora-application-deadline-new-meta-fine-ai-impact-assessment","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-18122024-dora-application-deadline-new-meta-fine-ai-impact-assessment\/","title":{"rendered":"Data protection digest 1 – 15 Dec 2024: DORA application deadline, new Meta fine, AI impact assessment"},"content":{"rendered":"\n

In this issue, we explore the DORA application<\/strong> deadline and its interference with the GDPR; how to conduct an AI impact assessment <\/strong>or integrate it into your existing privacy risk management processes; what constitutes US-restricted data transfe<\/strong>r to countries of concern; and what expectations customers have about their data; a Real-Time Bidding <\/strong>explainer; a Sky Italia<\/strong> telemarketing fine; and a new Meta<\/strong> privacy violation.<\/strong><\/em><\/p>\n\n\n\n

Stay up to date! Sign on to receive our fortnightly digest via email.<\/a><\/em><\/p>\n\n\n\n

DORA application<\/strong> deadline<\/h4>\n\n\n\n

<\/strong>As the Digital Operational Resilience Act will apply from 17 January 2025, the European supervisors have called on financial entities and third-party providers<\/a> to advance their preparations on the information and communication technology requirements<\/a>. There are also important interfaces between DORA and the GDPR, in data protection experts’ opinion. Both regulations aim at ensuring data integrity, confidentiality and availability<\/a>, such as notification of security incidents, risk management, technical and organisational measures, controls and audits. Furthermore, an integrated strategy that considers both data protection and IT security is needed to comply with both regulations. <\/p>\n\n\n\n

Third-country authorities<\/strong> and GDPR certification<\/h4>\n\n\n\n

The EDPB published guidelines on GDPR Art.48<\/a> about data transfers to third-country authorities. The sharing of data with the public authorities in other countries can help collect evidence in the case of a crime, check financial transactions, or approve new medications. The board clarifies how organisations, private and public, can best assess under which conditions they can lawfully respond to such requests. The Board also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors across Europe. GDPR certification<\/a> helps organisations demonstrate their compliance with the law and helps people trust the product, service, process or system for which organisations process their data.<\/p>\n\n\n\n

More legal updates<\/h4>\n\n\n\n
\"DORA<\/figure>
\n

<\/p>\n\n\n\n

US restricted transfers: <\/strong>The Department of Justice has suggested restrictions on cross-border transfers of sensitive personal data to “countries of concern”<\/a>. The regulation would, among other things, restrict data brokerage transactions that pose significant national security threats to China, Russia, Iran, North Korea, Cuba, and Venezuela, and limit some vendor, employment, and investment arrangements with nations of concern unless they fulfil specified security standards. <\/p>\n<\/div><\/div>\n\n\n\n

Those adversaries can be interested in biometric and genomic data, health care data, geolocation information, vehicle telemetry information, mobile device information, financial transaction data, and data on individuals\u2019 political affiliations<\/a> and leanings, hobbies, and interests. In this way, countries of concern can exploit their access to US government-related data or Americans\u2019 bulk sensitive personal data to collect information on activists, academics, journalists, dissidents, and political figures. <\/p>\n\n\n\n

Oregon and several other US states <\/strong>have recently advanced their privacy laws. <\/strong>For instance, the Oregon Consumer Privacy Act<\/a> applies to all for-profit businesses immediately and to applicable charitable organisations as of 1 July 2025. It provides residents with an opt-out option to a business selling, profiling, and using targeted advertising with their personal information, obtaining a copy, editing any inaccuracies and deleting the personal and sensitive data a business has collected about them.<\/p>\n\n\n\n

On January 1, 2025, five more states\u2019 consumer privacy rights laws will take effect – Iowa, Delaware, New Hampshire, Nebraska, and New Jersey<\/a>. <\/p>\n\n\n\n

Customer expectations about their data<\/strong><\/h4>\n\n\n\n

The assessment of customer expectations regarding the processing of their data is an essential element in ensuring the lawfulness and transparency of data processing states the Latvian regulator. Reasonable expectations are what a customer, given their specific relationship with the organisation, types of data and available information, can naturally expect from the processing of their data. A practical approach to assessing expectations would be conducting surveys, interviews and focus group discussions, as well as consulting industry standards and previous experience<\/a>. <\/p>\n\n\n\n

Internal procedures and training<\/strong><\/h4>\n\n\n\n
\n

<\/p>\n\n\n\n

Developing appropriate internal procedures and regular training also helps ensure employees know how to act in supporting the company’s compliance efforts. This may be especially useful when a business expands rapidly, hires new employees, and the number of clients also increases. If non-compliance is detected which could result in a violation of customer data processing and protection<\/a>, the company, with the help of its data protection specialist<\/a>, has to prepare an action plan, which may include:<\/p>\n<\/div>

\"DORA<\/figure><\/div>\n\n\n\n