DPAs examined so-called wearables
The BayLDA participated in a nationwide audit of several German DPAs (together with six other supervisory authorities) and tested so-called "wearables". Focus of this audit were both fitness tracker and smart watches with health functions. In addition, the manufacturers' apps were examined in a technical analysis. The result of this audit: no device completely complies with data protection requirements.
Internet of Things: International audit results
This year the BayLDA participated in the annual international data protection action of the Global Privacy Enforcement Network (GPEN) - the so called International Sweep Week. The focus of the audit was on the Internet of Things. The result of this years audit has now be published. The press releases and a presentation of the detailed results can be downloaded below.
Decision of the Duesseldorfer Kreis regarding the continued validity of consent
The Duesseldorfer Kreis informs in the decision from 13./14. September 2016 about the continued validity of consent under the GPDR, as long as they comply with the terms of the GPRR. The decision can be downloaded below.
Thomas Kranig remains president
With effect from 1st August 2011, the BayLDA was established as an independent Data Protection Authority (DPA) for the non-public sector in Bavaria by changing the Bavarian Data Protection Act. The first president of this new DPA was choosen by the Bavarian State Government for the statutory term of five years: Thomas Kranig, who has been a judge with the Administrative Court in Ansbach. Now, the Bavarian State Government decided Thomas Kranig to entrust after his first term for another five years to be president of the Bavarian DPA. Therefore the Bavarian State Minister of the Interior, Joachim Herrmann, handed the certificate of appointment to the President of BayLDA for a further term of five years.
EU-US Privacy Shield adopted
On 12th July 2016 the European Commission adopted the EU-U.S. Privacy Shield. According to the Press Release of the European Commission on 12 July 2016 the US companies will be able to certify with the Commerce Department starting 1st August 2016. By doing so the US companies submit themselves to follow the rules of the EU-US Privacy Shield and gain the possibility to obtain personal data from Europe on the grounds of this framework. Based on this framework personal data from the EU can be transmitted to certified US companies (provided that also the remaining legal demands for a transmission of personal data are fulfilled.)
More information can be found in the section "International data processing".
External service providers in Bavarian hospitals
The two Bavarian DPAs (BayLDA and BayLfD) announced a guideline for hospitals for carrying out processing on behalf of external service providers. The guideline provides recommendations how to comply with the very strict Bavarian Hospital Act. However, the guideline emerged mainly through practical experiences of BayLDA and BayLfD audits and advisory activities from the last years. Both DPAs are planning data protection audits at hospitals and there external service providers for the second half of the year. The guideline can be downloaded below.
Checklist for mobile apps published
The BayLDA has published a checklist for investigating apps regarding technical data protection requirements. This checklist should support app-developers in designing new mobile applications compliant to the data protection requirements. In addition to that the paper may be helpful to implement new concepts such as Privacy by Design and Privacy by Default.
The app checklist of BayLDA developed mainly from practical experiences of BayLDA audits and best practice approaches from the private sector during the last years. The document was written in accordance with the guideline on the privacy requirements of app developers and app providers - that paper can be found on our website, too. The app checklist can be downloaded below.
EU-US Privacy Shield: Opinion from the Article 29 Working Party
The Article 29 Working Party has published an opinion and a press release about the EU-U.S. Privacy Shield. As a conclusion, the Article 29 Working Party has urged the European Commission to react to these concerns and provide further amendments accordingly in order to ensure an adequate level of protection by means of the Privacy Shield. Further information can be found in the section "International data processing".
The Internet of Things - BayLDA participates in the International Sweep Week
This year the BayLDA participates in the annual international data protection action of the Global Privacy Enforcement Network (GPEN) - the so called International Sweep Week. The focus of this years' audit is on the Internet of Things. Objects of the everyday life are increasingly technically upgraded, networkable an thus more integrated into the owner's digital life. The BayLDA is going to get granular on some smart devices - from toys, fitness trackers, networked cars to common household appliances. The result of this years' audit will first be reported to the organizers of GPEN - the supervisory authority of the United Kingdom. After that the BayLDA will publish its own results in detail. Meanwhile, the BayLDA will act in case of detected deficiencies within its jurisdiction to remedy these deficits.
The press release can be downloaded below.
Guideline for consent forms published
Companies, freelancers and other organisations are often faced with the question of how consent forms (e.g. in use of data for marketing, in a data transmission between group enterprises, etc.) can be defined and formulated to be legally compliant under the focus of data protection. Under the coordination of the Data Protection Authority of Bavaria for the Private Sector (BayLDA) the DPAs in Germany have now published a national coordinated guideline for this topic, which can be downloaded below.
Automobile: Common declaration of VDA and DPAs
Modern vehicles require many data for the functioning of the electronic components, e.g. as ABS, ESP, airbags etc. Lots of these data (like speed, braking, and steering movements) can be associated directly to the driver, for example after a crash or while a repair in a car workshop. Online applications, which enable the vehicle to receive current traffic and service information, are a new dimension of data processing. In order to ensure for sufficient data protection and security, the Data Protection Authorities have developed in dialogue with the association of automobile (VDA) a joint statement on data protection aspects in networked and non-networked vehicles as a first step.
The statement can be downloaded below.
Be smart about finding a match online
Together with the Data Protection Authorities of Baden-Wuerttemberg, Berlin and Hamburg, the BayLDA conducted an auditing of online dating websites (please see: Press release dated 24th of June 2015). 21 websites have been inspected German-wide. Among these 21 websites, 10 have been audited by the BayLDA. All of these 10 websites offer their services throughout Germany. For the first time, independent Federal State Data Protection Authorities have created a single auditing approach, coordinated their efforts and they have reviewed their findings during a conference.
From the BayLDA's point of view, it is very positive to note that each operator was very serious about answering our questions, complying with their obligation to provide information. Therefore, some of the answers spanned over 50 pages. Most of the websites did have a data protection officer. Furthermore, the website operators did focus on data protection issues setting up their services and conducting their businesses. Based on their answers, employees are regularly trained regarding data protection issues and data secrecy. This means that the requirements for handling personal data are - on a formal level - fulfilled.
However, issues have been identified regarding technical aspects of data security, handling requests by a data subject to provide certain information, drafting data protection clauses, manners to identify a user and accessing the content of communications. Now, as far as the BayLDA did reveal such problems, the respective operators are informed. They are requested to fix these issues - as long as they have not done so themselves in the course of the audit.
Further information regarding the findings are included in our press release.
Children's Online Privacy Protection - results of a worldwide audit
A commissioned collection of personal data without a proper contract can be expensive
Costumer's Data with regard to a Mergers & Aquistion Deal - A problem of Data Protection
Personal data of consumers are often very valuable, especially in order to contact someone with a personalized sales promotion. If a company ceases operations, it regularly tries to sale valuable assets to another company via an asset deal. In a similar situation, an insolvency administrator tries to sell consumer's personal data. This information is often enough the only still valuable asset of a company being bankrupt.
However, two Bavarian companies needed to realize that one needs to be very careful in that regard. The BayLDA issued a penalty in the range of a 5 digits figure against two companies. Executing an asset deal, the buyer and the seller engaged in the unlawful transfer of consumer email addresses of an online shop. Therefore, both companies got fined. "With regard to asset deals, personal data is sold violating data protection laws. In order to raise awareness, we will continue to fine similar actions." said Thomas Kranig, President of the BayLDA.
With regard to the unlawful transfer of personal data, both companies, the buyer and the seller, are a "controller" in accordance with German Data Protection laws. Therefore, they are both responsible in accordance with the relevant provisions. The seller is "transferring" personal data, while the buyer is "collecting" it. Both acts, the unlawful transfer as well as the unlawful collection of personal data, are constituting administrative offences. Depending on the circumstances of each individual case, a fine might be up to 300.000 Euro.
Advertisement - What's allowed and what's not?
Companies, associations and freelancers have a legitimate interest to advertise for their goods and services. However, they need to act in accordance with Data Protection Laws and the Act Against Unfair Competition. In that regard, requirements differ significantly regarding telephone, email, SMS and postal advertisements.
On one hand, postal advertisements are generally lawful, as long as there is no specific objection. On the other hand, advertisement targeting consumers via telephone, email and SMS are very often only lawful, if there is a specific consent. The BayLDA has compiled a new 4-page guide with regard to the legal framework. Advertising companies and citizens are able to quickly inform themselves in order to act in accordance with the relevant Data Protection Laws.
Further information can be found via the 14-page document (General Advice by the Data Protection Authorities on Collecting, Processing and Using Personal Data with regard to Advertisements). This document has been published by the BayLDA. It outlines the opinion shared by all German Data Protection Authorities.
Citizens, who think that advertisements have been violating their fundamental right of privacy, e.g. by violating a specific objection against receiving advertisements, may contact the BayLDA. The unlawful use of an email address and/or a telephone number are constituting administrative offences. Depending on the circumstances of each individual case, a fine might be up to 300.000 Euro.
Love in the Digital Age - BayLDA is examining Dating Website