Enforcement cooperation repository / Document library

Find information provided by the Global Privacy Assembly members or by networks of data protection/privacy authorities, including highlights of their activities in their jurisdictions. Search for the keyword of your choice, which could be the name of an authority you are interested in or a topic of interest.


Network or AuthorityResourceType of ResourceDescription of ResourceUpload date
Germany - Bundeskartellamt (Federal Cartel Office)Facebook Decision of 7 February 2019NewsPress release (text)29/8/2019
Germany - Bundeskartellamt (Federal Cartel Office)Facebook Decision of 7 February 2019Enforcement ActionQ & A (for download)29/8/2019
Germany - Bundeskartellamt (Federal Cartel Office)Facebook Decision of 7 February 2019Enforcement ActionCase Summary (for download)29/8/2019
Germany - Bundeskartellamt (Federal Cartel Office)Preliminary assessment in Facebook proceeding of 19 Dec 2017NewsPress release (text)29/8/2019
Germany - Bundeskartellamt (Federal Cartel Office)Preliminary assessment in Facebook proceeding of 19 Dec 2017Enforcement ActionBackground Information (for download)29/8/2019
Catalan Data Protection AuthorityApplicable LawsRegulationThis section of the web includes national and international legislation, and the regulatory legislation of the APDCAT.29/8/2019
Catalan Data Protection AuthorityProvisions adopted by the APDCATRegulationThis section includes the Instruction 1/2009 of February on the processing of personal data using cameras for video surveillance purposes; Guidance regarding the publication of the ID number; Recommendation 1/2008 on the transmission by Internet of information containing personal data; Recommendation 1/2013 on the use of email in the work environment (both Recommendations available in English version), and the Audit report on the portals of transparency.29/8/2019
Catalan Data Protection AuthorityResolutions, opinions and reportsOtherLaw authorises APDCAT to exercise, among others, the function of resolving claims made by the persons concerned as regards their rights. This law also empowers the Authority to carry out inspections and impose penalties, as well as to issue authorisations for exemption from the duty of information in the collection of data and for the integral maintenance of certain data. APDCAT also attends to requests for information and enquiries made by citizens or entities that fall within its scope of action. This section includes Opinions and Resolutions regarding this function. It also includes the APDCAT reports in application of Transparency legislation.29/8/2019
Catalan Data Protection AuthorityGuidelinesGuidanceThis section includes Guidelines prepared by APDCAT: Guidelines regarding data protection impact assessment (DPIA)) (available in English); “GDPR Data Processor Guide”, prepared by the APDCAT in conjunction with the Spanish Data Protection Agency and the Basque Data Protection Agency (available in English); and “Guide to comply the obligation to inform according to the GDPR”, prepared in conjunction with the Spanish Data Protection Agency and the Basque Data Protection Agency.29/8/2019
Catalan Data Protection AuthorityEducation and children privacyGuidanceInformation about how children and young people can surf the internet without problems and how they should protect the personal information, including clear examples of the risk they run by posting personal information on the internet or passing it by mobile phone. It also includes the “Data Protection Guidelines for Schools” (English version), and some Guides addressed to children.29/8/2019
Catalan Data Protection AuthorityPress-releases (News)NewsIn this section of the Web you will find information regarding training activities, conferences, symposiums and Conferences organized or participated by the APDCAT.29/8/2019
Catalan Data Protection AuthoritySmart CitiesThis section includes, aware of the implication that the development of Smart Cities may have on the personal data and privacy rights, a Document for debate, a bibliography, and audio-visual materials to contribute to the debate regarding this issue.29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Annual report 2018Report29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Supervisory framework 2018-2019Report29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Hospital fined for insufficient internal protection of patient filesNews29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Letter on cookies and consentNews29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Almost 10.000 complaints filed at Dutch Data Protection AuthorityNews29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Uber fined by Dutch DPA for data breach (available in English)News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationStatement on Bundeskartellamt Facebook decision of 7 February 2019News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationStatement “Federal Commissioner for Data Protection and Freedom of Information approves pursuant to Art. 46 (3) b GDPR a multilateral administrative arrangement concluded by ESMA and IOSCO on cross-border data transfers”, issued on 24th April 2019 (German)News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationStatement on “Mobile Payments – but not with my personal data”, issued on 5th February 2019 as press release 05/2019 (German language only)News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationPress release on “The First Anniversary of the GDPR - a Success with Potential for Further Growth”, issued on 25 May 2019News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationStatement of 26 April 2019 on Facebook-Cambridge-AnalyticaNews29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of Information“Hambach Declaration” on Artificial IntelligenceOther29/8/2019
Switzerland - Federal Data Protection and Information CommissionerGuide on digital processing in connection with elections and votingGuidanceGuide by the data protection authorities of the Confederation and the Cantons on the application of data procession laws to the digital processing in connection with elections and voting in Switzerland.29/8/2019
Switzerland - Federal Data Protection and Information CommissionerThe GDPR and its consequences for SwitzerlandRegulation29/8/2019
Switzerland - Federal Data Protection and Information CommissionerAnnual report 2018-2019Report29/8/2019
Gibraltar Regulatory AuthorityGlobal Privacy Enforcement Network Sweep 2018NewsPress release. On a yearly basis, the Gibraltar Regulatory Authority participates in the Global Privacy Enforcement Network’s (“GPEN”) annual intelligence gathering operation, called a “Sweep”. In 2018 the Sweep looked at how well organisations have implemented the core concepts of accountability into their own internal privacy policies and programmes. Locally, the GRA focussed on privacy accountability in the telecommunications sector. In short, the study looked at how organisations have taken responsibility for complying with data protection laws.29/8/2019
Gibraltar Regulatory AuthorityGuidance on the Information Commissioner’s Regulatory ActionGuidanceThis guidance note provides guidance on the regulatory action that the Information Commissioner may take under the Data Protection Act 2004 and the General Data Protection Regulation. In addition to this it provides information on how the Information Commissioner proposes to exercise his functions in connection with information notices, assessment notices, enforcement notices, and penalty notices.29/8/2019
Gibraltar Regulatory Authority2017/2018 Annual ReportReportThis Annual Report of the Gibraltar Regulatory Authority was prepared in accordance with Section 19 (1) of the Gibraltar Regulatory Act 2000 and covers the period 1st April 2017 to 31st March 2018. The Annual Report includes outcomes and decisions made by the Information Commissioner regarding investigations and data breaches and a section on the Gibraltar Regulatory Authority’s international participation in Data Protection related events and conferences. Please refer to pages 25 to 36 for a summary of the work done by the Information Rights Division of the Gibraltar Regulatory Authority. In particular, page 34 contains a summary of the enforcement action taken by the authority in the relevant financial year.29/8/2019
Gibraltar Regulatory AuthorityData Protection Act 2004RegulationWhen the Data Protection Act 2004 was implemented, it granted new rights to individuals regarding how their personal data are collected and used by both private and public sector bodies. In addition to this, those bodies are obliged to obey rules governing how they collect and use data. Amendments were made in 2018 in order to implement into the law of Gibraltar the General Data Protection Regulation. 29/8/2019
Gibraltar Regulatory AuthorityCommunications (Personal Data and Privacy) Regulations 2006RegulationIn Gibraltar, electronic direct marketing is regulated by the Data Protection Act 2004, the General Data Protection Regulation and the Communications (Personal Data and Privacy) Regulations 2006. In particular, in accordance with regulation 23 of the Privacy Regulations, direct marketing via electronic mail should only be conducted where an individual has given prior consent, unless the contact is with previous customers about similar products, and where an opt-out from marketing was provided to the individual when their details were collected. The Information Commissioner has enforcement powers under the Privacy Regulations.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Investigation into data protection compliance in the direct marketing data broking sectorInvestigation ReportA report on the ICO’s investigation into the offline marketing services of the data broker industry, including key findings and action taken.03/02/2020
United Kingdom - Information Commissioner's Office (ICO)Experian enforcement noticeEnforcement NoticeNotice compelling Experian to make changes to how it handles personal data within its direct marketing services.03/02/2020
United Kingdom - Information Commissioner's Office (ICO)Investigation into the use of data analytics in political campaigns
ReportICO’s report to the UK Parliament on its investigation into data analytics for political purposes, plus a further update report and associated materials.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Equifax Limited Monetary Penalty NoticeEnforcement ActionNotice confirming imposition of £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Smarthome Protection Limited Monetary Penalty NoticeEnforcement ActionNotice confirming imposition of £90,000 fine for making 118,000 unlawful marketing calls to people registered with the Telephone Preference Service (TPS) who wished to opt out of receiving such calls.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Update report into Adtech and real time biddingPolicy and Research?A report which clarifies the ICO’s views on Adtech, specifically the use of personal data in Real Time Bidding in the online advertising industry, and sets out the ICO’s intended next steps.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Security Outcomes guidanceGuidanceJoint security principles between the UK National Cyber Security Centre and the ICO.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Explaining Decisions Made with AIGuidanceThis co-badged guidance by the ICO and The Alan Turing Institute aims to give organisations practical advice to help explain the processes, services and decisions delivered or assisted by AI, to the individuals affected by them. 25/08/2020
United Kingdom - Information Commissioner's Office (ICO)Guidance on AI and Data ProtectionGuidanceThis guidance covers what we think is best practice for data protection-compliant AI, as well as how we interpret data protection law as it applies to AI systems that process personal data.25/08/2020
United Kingdom - Information Commissioner's Office (ICO)ICO investigation into how the police use facial recognition technology in public placesReportICO investigation into the use of live facial recognition (LFR) technology by law enforcement in England and Wales.25/08/2020
United Kingdom - Information Commissioner's Office (ICO)Mobile phone data extraction by police forces in England and WalesReportICO investigation into the process known as Mobile Phone Extraction (MPE), used by police forces when conducting criminal investigations in England and Wales.25/08/2020
United Kingdom - Information Commissioner's Office (ICO)Joint statement on global privacy expectations of Video Teleconferencing companies OtherAn open letter to companies providing Video Teleconferencing (VTC) services, written by a subset of the global privacy regulatory community, with responsibility for protecting the privacy rights of citizens across the world.25/08/2020
United Kingdom - Information Commissioner's Office (ICO)ICO – OAIC Memorandum of UnderstandingOtherA Memorandum of Understanding (MoU) between the UK Information Commissioner’s Office and the Office of the Australian Information Commissioner.25/08/2020
United Kingdom - Information Commissioner's Office (ICO)ICO Annual Report 2019-20ReportThe UK ICO’s Annual Report and Financial Statements 2019-20. The report is split into three sections, covering our Performance report, our Accountability report, and our Financial statements.25/08/2020
United Kingdom - Information Commissioner's Office (ICO)Regulatory Priorities 2020-21 InfographicOtherPriorities during COVID-19 and beyond – 2020-21.25/08/2020
United Kingdom - Information Commissioner's Office (ICO)Regulatory Sandbox Final Report – JISCReportA summary of Jisc’s participation in the ICO’s Regulatory Sandbox Beta (June 2020).25/08/2020
United Kingdom - Information Commissioner's Office (ICO)Regulatory Sandbox Final Report – Heathrow Airport LtdReportA summary of Heathrow Airport’s participation in the ICO’s Regulatory Sandbox Beta (June 2020).25/08/2020
United Kingdom - Information Commissioner's Office (ICO)Monetary Penalty Notice – Doorstep DispensareeEnforcement ActionA penalty notice issued by the ICO to Doorstep Dispensaree Limited under s.155 of the Data Protection Act 2018.25/08/2020
United Kingdom - Information Commissioner's Office (ICO)Monetary Penalty Notice – Cathay PacificEnforcement ActionA monetary penalty issued by the ICO to Cathay Pacific under s.55A of the Data Protection Act 2018.25/08/2020
United Kingdom - Information Commissioner's Office (ICO)Monetary Penalty Notice – DSG RetailEnforcement ActionA monetary penalty issued by the ICO to DSG Retail Limited under s.55A of the Data Protection Act 2018.25/08/2020
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Privacy Notice Generator for the private sectorToolThe Privacy Notice Generator (GAP) is a computer tool available on the INAI website, through which privacy notices can be made with the informative elements required by the standard. This tool is free of charge. With this tool, the Institute facilitates to the regulated subjects by the LFPDPPP, the fulfillment of its obligation to make available to the data subjects data privacy notices with the requirements demanded by the standard, on the other. It also helps the data subjects to have privacy notices that efficiently inform the main characteristics of the processing to which their personal data will be submitted, so that they can make accurate decisions regarding their personal information.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide to comply with the principles and duties of the Federal Law on Protection of Personal Data Held by Private PartiesGuidanceIn July 2014, the compliance Guide for the principles and duties of the Federal Law on Protection of Personal Data Held by Private Parties was published. The purpose of this guide is to help and guide data controllers to: 1. Recognize the obligations in personal data protection established in the LFPDPPP, its Regulations and other related outcomes that are imposed to them. 2. Make a diagnosis of your organization to know how personal data (personal data flow) is processed and what is the current status of compliance with its obligations in the matter. 3. Know the minimum actions and controls that you must perform and establish to fulfill your obligations in the matter.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Corpus Iuris on personal data protectionToolThe Corpus Iuris project regarding Personal Data Protection arises within the Ibero-American Data Protection Network, with the aim of having a tool that allows a simple and systematized access to a large set of documents, standards and precedents that show the development that has had the protection of personal data as a human right, the degrees of progress that it has reached, as well as the areas that need to be reinforced, to continue developing, or, which represent new challenges in the matter. The Corpus Iuris tool regarding Personal Data Protection is composed of two sections: one dedicated to international documents and another to national documents of the different countries that constitute the Ibero-American Data Protection Network.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Generator of Privacy Notices for the Public SectorToolThe Generator of Privacy Notices for the Public Sector is a computer tool that allows public sector data controllers to issue their privacy notices in any of the modalities provided for in the General Law on Protection of Personal Data Held by Obligated Parties and the General Guidelines for the Protection of Personal Data for that sector, by systematizing the information in a dynamic questionnaire divided into sections, which include interactive support elements per question, so data controllers, without being specialists in the field, may be able to prepare their privacy notices based on the processing of personal data they perform, in an editable format .29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide to Prevent Identity TheftGuidanceIt is intended for people to have information on how to protect their personal data and thus reduce the risk of being victims of this crime. The Guide to Prevent Identity Theft helps answer questions such as What is identity theft? How can identity theft may affect you? How your identity can be stolen? How to protect your identity? How to know if I have been a victim of identity theft? What should I do if my information was lost or exposed? What should I do if I have been a victim of identity theft? Where/ to whom should I go to? The Guide also includes: Ten useful tips to prevent identity theft; Real cases, and a self-assessment to identify how vulnerable each person is to identity theft.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Monsters onlineToolThis series is a multi-platform initiative (television series, interactive guides, online games, electronic books, among others), designed to support children, families and educators in the creation of good habits for safe (with protection of personal data and privacy) and helpful use of information and communication technologies. the transmission of the series Monsters in Network started on September 4, 2017, via Canal Once, Once Niños and on the YouTube Kids channel, as well as the YouTube channels of Sesame Street and INAI.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide for Data SubjectsGuidanceThe Guide for Data Subjects aims to explain, in a simple way, to what is the right to the protection of personal data, why it is important to take care of your personal information, how they can exercise the right and to whom they can complain in case they consider that their right has not been respected. The above with the purpose of spreading the knowledge of this human right, so that people can exercise it in an informed way and when required in order to protect their interests. The Guide is divided into four volumes, in order to make consultation simpler. These volumes are: Volume 1. General Concepts of personal data protection; Volume 2. Guiding principles of personal data protection; Volume 3. The ARCO Rights; Volume 4. Personal data procedures according to the INAI.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guidelines to keep your privacy and personal data safe in a digital environmentGuidanceThe Recommendations to keep your privacy and personal data safe in the digital environment (Recommendations for the digital environment or Recommendations), are intended to explain, in a clear and simple way, a series of practical tips on security settings, mobile applications and software in general (free or with cost), which are considered useful for users or holders of personal data to keep their privacy and personal data secure in the digital environment.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide for the processing of biometric dataGuidanceGuide aimed to data controllers and data processors of the public and private sectors, who are currently seeking or processing biometric data through digital or automated means, in order for the processing to be carried out in accordance with the principles, duties and obligations established in the LFPDPPP (in Spanish) and the LGPDPPSO (in Spanish), as well as other applicable regulations29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Handbook on personal data security for MSMEs and small organizationsGuidanceThe handbook aims to provide data controllers and data processors who do not have technical knowledge in the field of security, a free and easy-to-understand document, that takes as a reference the main criteria and concepts of the Recommendations regarding security of personal data, issued by the INAI, for the identification and implementation of basic security controls for the protection of personal data.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide for the secure erasing of personal dataGuidanceThe Guide provides data controllers with the recommended methods and techniques for the safe disposal of personal data, which prevent unauthorized recovery and misuse. The Guide for Secure Erasing of Personal Data answers questions such as: What is secure erasure? Why is secure erasure important? What are the benefits of secure erasure? What methods do not securely erase personal data? How to safely erase personal data? And what is the most convenient secure erase method?29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Recommendations for handling personal data security incidentsGuidanceThe objective of the Recommendations for handling personal data security incidents is to describe the processes and controls recommended by the Institute to generate a security incident response plan, in particular to mitigate personal data security breaches. These recommendations will help and guide data controllers to: 1. Recognize the differences between alerts and security incidents; 2. Develop a plan to respond to security incidents, in accordance with international standards; 3. Use reference formats to document security incidents.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Minimum Criteria suggested for the contracting of Cloud Computing services that involve the processing of personal dataGuidanceThe document aims to establish minimum considerations to guide data controllers for the selection and hiring of cloud computing providers. The objective is that the infrastructure services, platforms and software of the so-called cloud computing offer the guarantees of a due processing of personal data, in order to comply with the obligations established by the regulations in the matter and avoid personal data breaches.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Breaches EvaluatorToolThe Breaches Evaluator is a tool that allows users (data controllers or obliged parties of the Federal Law on Protection of Personal Data Held by Private Parties and the General Law on Protection of Personal Data Held by Obligated Parties) to register and document existing and missing security measures that help them to minimize the occurrence and impact of personal data security breaches. The tool consists of a series of closed questions related to risks in the processing of personal data29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guiding document for the elaboration of the Protection of Personal Data ProgramGuidanceThis document guides those data controllers for developing a Personal Data Protection Program based on a management system that allows to provide the elements and activities of management, operation and control of the organization's processes. The foregoing, to systematically and continuously protect the personal data in their possession.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guiding document for the elaboration of the Protection of Personal Data Program (Annexes)GuidanceThe annexes are a compendium of ten documents that complement the guiding document for the elaboration of the Personal Data Protection Program. These documents identify the general actions, in addition to the specific ones that each administrative unit of the obligated parties will have to perform, to fulfill their obligations regarding personal data protection.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide to implement a Personal Data Management SystemGuidanceThe Guide to implement a Personal Data Security Management System, is based on the Plan–Do–Check–Act cycle, because, through the execution of 9 actions for the security of personal data through a process of continuous improvement, an acceptable level of risk in the processing of personal information is achieved, depending on the model and objectives of the organization. This Guide consists of an exercise of precision, synthesis and harmonization of international standards and best practices in the field of personal data security.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Article 16, second paragraph of the Political Constitution of the United Mexican StatesRegulationIts purpose is to recognize the fundamental right to the protection of personal data in Mexico.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and its Additional Protocol regarding supervisory authorities and transborder data flows, made in Strasbourg, France, on January 28, 1981, aRegulationThey have the objective of guaranteeing, in the territory of each Party, to any natural person, regardless of their nationality or residence, the respect for their fundamental rights and freedoms, specifically their right to privacy with respect to the automated processing of personal data ("data protection").29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General Law on Protection of Personal Data Held by Obligated PartiesRegulationIt seeks to establish the bases, principles and procedures to guarantee the right to the protection of personal data held by any authority, entity, body and agency of the Executive, Legislative and Judicial Powers, autonomous bodies, political parties and trusts and public funds in the federal, state and local sphere.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General Guidelines for the Protection of Personal Data for the Public SectorRegulationThey intend to develop the provisions set forth in the General Law on Protection of Personal Data Held by Obligated Parties, particularly for the federal public sector.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General Guidelines for the National Institute for Transparency, Access to Information and Personal Data Protection to exercise the power of attractionRegulationThey are intended to recognize the elements that the Institute must assess in the exercise of its power of attraction over those reviews or appeals that are the original competence of the supervisory agencies of the federal entities, but for their interest and importance in the protection of personal data must know and resolve when approved by the majority of its Commissioners.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guidelines that establish the parameters, modalities and procedures for the portability of personal dataRegulationIts objective is to establish the parameters that determine the assumptions that underlie a structured and commonly used format, as well as the technical standards, modalities and procedures for the transmission of personal data. This, in order to guarantee the exercise of the right to data portability referred to in article 57 of the General Law or those that correspond in Federal entities’ legislations on this matter.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General criteria for the implementation of compensatory measures in the public sector of the federal, state and municipal orderRegulationIts purpose is to establish the parameters through which any authority, agency, entity, body or agency of the Executive, Legislative and Judicial Powers, autonomous constitutional bodies, administrative courts, trusts and public funds, of the federal, state and municipal order, as well as political parties, may implement compensatory measures.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General administrative provisions for the preparation, presentation and evaluation of Data Protection Impact AssessmentRegulationThe objective is to establish the general framework applicable in the preparation, presentation and assessment of Data Protection Impact Assessment29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Federal Law on Protection of Personal Data Held by Private PartiesRegulationIt has the purpose of protecting personal data held by private parties, in order to regulate its legitimate, controlled and informed processing, to ensure the privacy and the right to informational self-determination of individuals.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Regulations to the Federal Law on the Protection of Personal Data Held by Private PartiesRegulationIts purpose is to regulate the provisions of the Federal Law on Protection of Personal Data Held by Private Parties.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Privacy Notice GuidelinesRegulationThey are intended to establish the content and scope of privacy notices, in terms of the provisions established in the Federal Law on Protection of Personal Data Held by Private Parties and in its Regulations.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guidelines for Procedures of Protection of Rights, Investigation and Verification, and SanctionsRegulationThey have the objective to develop, inform and specify the formalities that must be observed during the procedures for the protection of rights, verification and imposition of sanctions, in terms of the provisions set forth in the Federal Law on Protection of Personal Data Held by Private Parties and in its Regulations.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Self-regulation Parameters regarding Personal Data ProtectionRegulationThey intend to establish rules, criteria and procedures for the correct development and implementation of the binding self-regulation schemes on personal data protection, referred to in article 44 of the Federal Law on Protection of Personal Data Held by Private Parties and in articles 79, 80, 81, 82, 83, 84, 85 and 86 of its Regulations.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General criteria for the implementation of compensatory measures without the express authorization of the Federal Institute for Access to Information and Personal Data ProtectionRegulationIts purpose is to establish the general framework through which those data controllers can implement, without the express authorization of the Federal Institute for Access to Information and Data Protection, the compensatory measures of mass communication referred to in articles 18, last paragraph, of the Federal Law on Protection of Personal Data Held by Private Parties, and 32, first paragraph, of its Regulations.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Operation rules of the Registry of Binding Self-Regulation SchemesRegulationThe objective is to define and describe the operational aspects and necessary procedures for the operation of the Registry of Binding Self-Regulation Schemes on personal data protection set forth in Article 86 of the Regulations of the Federal Law on Protection of Personal Data Held by Private Parties and Chapter V of the Self-Regulation Parameters regarding Personal Data Protection.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guidelines for the use of hyperlinks on a website of the National Institute for Transparency, Access to Information and Personal Data Protection, to publicize privacy notices through compensatory measuresRegulationThey intend to establish the criteria, conditions and procedure so that those data controllers can provide privacy notices through the implementation of compensatory measures through hyperlinks located on a website of the National Institute for Transparency, Access to Information and Personal Data Protection, in accordance with article 35, section IV, of the Regulations of the Federal Law on Protection of Personal Data Held by Private Parties and Seventeenth, section IV, of the General criteria for the implementation of compensatory measures without the express authorization of the Federal Institute for Access to Information and Personal Data Protection.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Case “Classification of personal data of the Interbank CLABE”Enforcement ActionComplaint was filed against a financial institution, since it improperly provided the complainant’s standardized interbank key (CLABE), to a third party. Three fines were imposed which, in total, amounted to $ 17,495,400.00 Mexican pesos, for contravening the principles of responsibility and lawfulness and for breaching the duty of confidentiality, having delivered a document containing the complainant’s CLABE to a third party. In addition, the financial institution transferred personal data of patrimonial character, without obtaining the data subject’s expressed consent.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Case “Higher fine imposed by the INAI”Enforcement ActionA complaint was received against a financial institution, since it signed an automobile credit agreement with the complainant, through which it obtained some personal data, including sensitive personal data related to health status of the data subject and of her spouse who was not part of the contract. This, without providing a privacy notice. After substantiating the procedure, it was determined to impose three fines: $ 4,787,591.00 Mexican pesos for treating personal data in violation of the principles of information, proportionality and legality; $ 9,272,100.00 Mexican pesos since the financial institution collected sensitive personal data from the spouse of the complainant without obtaining their express consent; and $ 8,673,900.00 Mexican pesos due to the fact that a sensitive database was maintained without justifying its existence.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Case “Access to clinical file”Enforcement ActionA procedure for imposing sanctions against a hospital was initiated because a data subject submitted a request for the protection of its rights. This, because the data controller did not respond to the data subject’s request for access to a certified copy of the entire clinical record which was generated when she was admitted to the Hospital for the birth of her son.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)INAI resolved a file regarding the illegal disclosure of a child's health conditionEnforcement ActionThe INAI received a complaint regarding the publication, in an electronic public access portal, of sensitive personal data of a minor (name associated with health condition for which she was treated as a beneficiary of medical expenses insurance contracted by the data controller). 29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)INAI resolved a file regarding a person who argues the illegal disclosure of their personal data in a WhatsApp groupEnforcement ActionThe INAI received a complaint regarding the disclosure of a personal data format collected by the human resources area of the obligated party through a private WhatsApp chat. In this regard, the guarantor body developed a prior investigation and the substantiation of the respective verification procedure regarding personal data protection, after which the improper dissemination of personal data was deemed accredited. It was resolved that the obligated party (data controller) breached the principle of legality; as well as the duties of confidentiality and security.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Processing of personal data of minors by a child care centerEnforcement ActionA complaint was received alleging a breach of the Federal Law on Protection of Personal Data Held by Private Parties. The breach involved the allegation that the data controller had published, on Facebook, photographs of minors, including the complainant’s son, without having obtained the complainant’s consent.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Disclosure of Personal Data on the InternetEnforcement ActionThis Institute noticed that the data controller allegedly disclosed, on the Internet, proof of residency and bank statements, which contain personal data including names, addresses and property data of third parties, without requiring any type of authentication for consultation, so that it is freely accessible. For this reason, an ex-officio verification procedure was initiated.29/8/2019
Australia - Office of the Australian Information CommissionerGuide to securing personal informationGuidance29/8/2019
Australia - Office of the Australian Information CommissionerNDB 12 month insights reportReport29/8/2019
Australia - Office of the Australian Information CommissionerOAIC guide to regulatory actionOther29/8/2019
Australia - Office of the Australian Information CommissionerPIA e-learning toolOther29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Report of findings: Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia Facebook Enforcement ActionFindings from our investigation into Facebook’s practices surrounding the disclosure of personal information to apps, including those related to the Cambridge Analytica scandal. We found that Facebook did not obtain meaningful consent, had inadequate safeguards and demonstrated a lack of accountability for the personal information within their control.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Report of Findings: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information CommissionerEnforcement ActionAnalysis against Canadian and Australian privacy law of the privacy practices of AshleyMadison.com (a dating website operated by a relatively small Canadian based business) after a large global privacy breach in 2015. It covers the following topics: adequacy of security practices (including security governance), indefinite retention of personal information, charging of fees for deletion of personal information, adequacy of measures to ensure accuracy of personal information (in this case the actual identity of site users), and requirements for consent and transparency.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Report of Findings: Investigation into Equifax Inc. and Equifax Canada Co.’s compliance with PIPEDA in light of the 2017 breach of personal informationEnforcement ActionThis report includes analysis against Canadian privacy law of the privacy practices of Equifax Canada and Equifax Inc. (credit reporting agencies) after a large global data breach in 2017. It covers the following topics: adequacy of security practices (including governance, vulnerability management, and network segregation), indefinite retention of personal information, accountability and consent required for the flow of information between Equifax Canada and its parent Equifax Inc. (located outside of Canada), adequacy of post-breach remediation offered to affected individuals.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Gaming and personal information: playing with privacyGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Joint guidance with the Chief Electoral Officer on political parties to help political parties protect the personal information of CanadiansGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Cannabis GuidanceGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Your privacy at airports and bordersGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Mandatory Breach reporting guidanceGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Guidelines for obtaining meaningful consentGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Guidance on inappropriate data practicesGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Draft Position on Online ReputationGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Direct-to-consumer genetic testing guidanceGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Technology FactsheetsGuidanceFact Sheets with quick tips and suggestions to easily implement online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Staying safe on social mediaGuidanceFact Sheets with quick tips and suggestions to easily implement online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Tips for using privacy settingsGuidanceFact Sheets with quick tips and suggestions to easily implement online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Tips for creating and managing your passwordsGuidanceFact Sheets with quick tips and suggestions to easily implement online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Printable graphics with general guidance and advice for organisations and the publicGuidancePrintable graphics that include top tips to help the public understand their privacy rights. 29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Privacy education for kidsGuidanceResources for both teachers and parents in terms of promoting privacy protection for children of various ages. This includes activity sheets, topics to talk about, quizzes and videos. It includes “house rule” suggestions for parents who wish to protect their children’s privacy in the home. It also focuses on how teachers or parents can encourage online privacy on a daily basis.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)5 Tips for Protecting Yourself OnlineGuidancePrintable information cards. Each of these information cards is targeted to the public, using quick tips and vibrant graphics.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)5 Ways to Safeguard Your Mobile DeviceGuidancePrintable information cards. Each of these information cards is targeted to the public, using quick tips and vibrant graphics.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)The Internet of Things: 4 Steps for Reducing Your Privacy RiskGuidancePrintable information cards. Each of these information cards is targeted to the public, using quick tips and vibrant graphics.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)5 Tips for Raising a Privacy Concern with a BusinessGuidancePrintable information cards with tips and advice on how individuals, children and Canadians in general, can protect their own privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Help Protect Kids’ Online PrivacyGuidancePrintable information cards with tips and advice on how individuals, children and Canadians in general, can protect their own privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Know your privacy rightsGuidancePrintable information cards with tips and advice on how individuals, children and Canadians in general, can protect their own privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)10 tips for protecting personal informationGuidancePrintable information cards with tips and advice on how individuals, children and Canadians in general, can protect their own privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Be privacy powerful: Check and adjust your privacy settingsGuidanceThis video provides guidance on how Canadians can control their privacy settings online and lists advice on how to increase your privacy power. The video also discusses what privacy controls are available to individuals who are online.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Be privacy powerful: Use strong passwordsGuidanceThis video explains the importance of, and tips for, making strong and hard to guess passwords in order to strengthen online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Be privacy powerful: Know how to access your personal informationGuidanceThis video provides guidance on how Canadians can access their personal information, and includes steps they can take to obtain access, as well as obligations of organizations and government institutions, and exemptions to access [as listed in the legislation].29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Be privacy proficient: Get meaningful consentGuidanceThis video provides guidance on how organizations must obtain meaningful consent prior to collecting personal information from individuals.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Privacy Tech-Know blogsPolicy and ResearchBlogs offer technology analysis and cover topics such as cryptography and public-key cryptography; and artificial intelligence. 29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Privacy Enhancing Technologies – A Review of Tools and TechniquesPolicy and ResearchThis report discusses Privacy Enhancing Technologies that can help address risks to privacy that are becoming more apparent over time. This report touches on a variety of sub-topics, such as informed consent, data tracking, technical enforcement, and plans for progression using PET. 29/8/2019
Hong Kong - Privacy Commissioner for Personal DataHong Kong SAR and Korea signed MOU to foster Personal Data Privacy Protection (29 November 2002)News29/8/2019
Hong Kong - Privacy Commissioner for Personal DataPCPD Signs Joint Declaration on Privacy Research, Education and Policy Co-operation in Asian Region (10 November 2016)News29/8/2019
Hong Kong - Privacy Commissioner for Personal DataHong Kong and Singapore Sign MOU to Strengthen Cooperation in Personal Data Protection News29/8/2019
Hong Kong - Privacy Commissioner for Personal DataFindings in the investigation on a data breach of Cathay Pacific Airways affecting 9.4 million passengers worldwideEnforcement Action29/8/2019
OAICGuide to Securing Personal InformationGuideThis ‘Guide to Securing Personal Information’ (Guide) provides guidance on the reasonable steps entities are required to take under the Privacy Act 1988 (Cth) (Privacy Act) to protect the personal information they hold from misuse, interference, loss, and from unauthorised access, modification or disclosure.5/11/2021
OAICNotifiable Data Breaches Report: July–December 2020ReportThe Office of the Australian Information Commissioner (OAIC) periodically publishes statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to assist entities and the public to understand the operation of the scheme. This report captures notifications made under the NDB scheme for the period from 1 July to 31 December 2020.5/11/2021
OAICOAIC guide to privacy regulatory actionGuideThe Guide to Privacy Regulatory Action sets out a detailed explanation of particular privacy regulatory powers, looking at the legislative framework and purpose of the power, and the procedural steps the Office of the Australian Information Commissioner will take in the exercise of the regulatory power.5/11/2021
OAICPIA e-learning toolE-learning toolOffice of the Australian Information Commissioner’s (OAIC) eLearning course on conducting a privacy impact assessment (PIA).5/11/2021
APECCross Border Privacy Enforcement ArrangementPrivacy Enforcement ArrangementThe APEC Cross-border Privacy Enforcement Arrangement (CPEA) creates a framework for regional cooperation in the enforcement of Privacy Laws. Any Privacy Enforcement Authority (PE Authority) in an APEC economy may participate.5/11/2021
PCPDThe Privacy Commissioner for Personal Data, Hong Kong, China and United Kingdom Information Commissioner Signed MOUPress ReleaseThe Privacy Commissioner for Personal Data, Hong Kong, China and the United Kingdom Information Commissioner signed a Memorandum of Understanding on 29 July 2020, demonstrating that the two authorities would work together where necessary when our citizens’ data is at risk.5/11/2021
PCPDInstant Messaging App Changed its Terms of Service and Privacy Policy – The Privacy Commissioner Appealed to Users to Carefully Consider the New TermsPress ReleaseThe Privacy Commissioner for Personal Data, Hong Kong, China noted that WhatsApp had announced in January 2021 changes to its Terms of Service and Privacy Policy and appealed to WhatsApp to take four suggested actions.5/11/2021
PCPDThe Privacy Commissioner Welcomes WhatsApp’s Acceptance of Suggestions to Provide Alternatives to UsersPress ReleaseThe Privacy Commissioner for Personal Data, Hong Kong, China welcomed WhatsApp’s acceptance of suggestions in May 2021 to provide practical alternatives to users who do not agree to the new Terms of Service and Privacy Policy.5/11/2021
GRA PrivacyGibraltar General Data Protection Regulation and Data Protection Act 2004DP LegislationGibraltar’s data protection law consists of both the Gibraltar General Data Protection Regulation and the Data Protection Act 2004.5/11/2021
GRA PrivacyGuidance on the Information Commissioner’s Regulatory ActionRegulatory ActionThis guidance note provides guidance on the regulatory action that the Information Commissioner may take under the Data Protection Act 2004 and the Gibraltar General Data Protection Regulation, including information on how the Information Commissioner proposes to exercise his functions in connection with information notices; assessment notices; enforcement notices; and penalty notices.5/11/2021
GRA PrivacyInvestigations undertaken by the Information CommissionerInvestigations, Breach Notifications and EnforcementAs part of his duties, the Information Commissioner conducts investigations on the application of data protection law in Gibraltar. Investigations may be as a result of information obtained that provokes compliance concerns, a complaint lodged or information/complaint referred by another data protection authority or other public authority. Investigations are also undertaken into breach notifications received, with appropriate action taken where necessary and appropriate. The following links provide tables listing the investigations conducted by the Information Commissioner since 25th May 2018. Within the table there are short summaries relating to each referenced investigation. These include details of whether the Information Commissioner took any enforcement action.5/11/2021
ADGMADGM enacts its new Data Protection Regulations 2021Press releasePress release (text). ADGM enacts its new Data Protection Regulations 2021 and Mr Sami Mohammed is appointed Commissioner of Data Protection.5/11/2021
Norwegian DPABasaren Drift AS finedPress releaseThe Norwegian Data Protection Authority has fined Basaren Drift AS EUR 20,000 (NOK 200,000) for a GDPR violation. The case relates to CCTV surveillance of restaurant premises.5/11/2021
Norwegian DPAMunicipality of Asker finedPress releaseThe Norwegian Data Protection Authority has fined Asker municipality EUR 100,000 (NOK 1,000,000). The Municipality was fined for publishing confidential personal data and National Identity Numbers (NID) on its website.5/11/2021
Norwegian DPAMiljø- og Kvalitetsledelse AS finedPress releaseThe Norwegian Data Protection Authority has fined the company Miljø- og Kvalitetsledelse AS EUR 3,500 (NOK 35,000) for illegal distribution of personal data from camera recordings.5/11/2021
Norwegian DPADragefossen AS finedPress releaseThe Norwegian Data Protection Agency has fined the power company Dragefossen AS EUR 15,000 (NOK 150,000). The fine was imposed after the company put the city centre of Rognan under CCTV surveillance and live-streamed the images without legal basis.5/11/2021
Norwegian DPAÅlesund municipality fined for use of StravaPress releaseThe Norwegian Data Protection Authority has fined Ålesund municipality EUR 5,000 (NOK 50,000) for its use of the fitness app Strava.5/11/2021
Norwegian DPAFined for illegal forwarding of e-mailPress releaseA business has been fined EUR 25,000 (NOK 250,000) for illegal forwarding of an employee's e-mails. The name of the business has been withheld from public disclosure to protect the identities of its employees.5/11/2021
Norwegian DPANorwegian DPA issues fine to Cyberbook ASPress releaseThe Norwegian Data Protection Authority has fined Cyberbook AS EUR 20 000 (NOK 200,000) for unlawfully setting up the automatic forwarding of a former employee’s e-mails.5/11/2021
Norwegian DPANorwegian DPA issues fine for forwarding e-mailPress releaseThe Norwegian Data Protection Authority has fined an organization EUR 40 000 (NOK 400,000) for unlawfully setting up automatic forwarding of an employee’s e-mails.5/11/2021
Norwegian DPANorwegian DPA issues fine to Aquateknikk ASPress releaseThe Norwegian Data Protection Authority has fined Aquateknikk AS EUR 10,000 (NOK 100,000) for having performed a credit rating on a private individual without legal basis.5/11/2021
Norwegian DPANorwegian DPA issues fine to Coop FinnmarkPress releaseThe Norwegian Data Protection Authority has issued a fine in the amount of EUR 40 000 (NOK 400,000) to Coop Finnmark AS. The case concerns unlawful distribution of a camera recording from a shop.5/11/2021
Norwegian DPANorwegian DPA issues fine to Gveik ASPress releaseThe Norwegian Data Protection Authority has fined Gveik AS EUR 7 500 (NOK 75,000) for having conducted a credit rating without a legal basis.5/11/2021
Norwegian DPANorwegian DPA issues fine to Lindstrand Trading ASPress releaseThe Norwegian Data Protection Authority has decided to issue a fine of EUR 10 000 (NOK 100,000) to Lindstrand Trading AS for conducting a total of four credit ratings of individuals and sole proprietorships without a legal basis.5/11/2021
Norwegian DPANorwegian DPA issues reprimand to Telenor for inadequate protection of personal dataPress releaseThe Norwegian Data Protection Authority has issued a reprimand to Telenor Norge AS for inadequate protection of personal data in its voicemail function, and for failing to submit a data breach notification to the Norwegian Data Protection Authority.5/11/2021
Norwegian DPANorwegian DPA issues fine to Municipality of Indre ØstfoldPress releaseThe Norwegian Data Protection Authority has fined the Municipality of Indre Østfold EUR 20 000 (NOK 200,000) for a confidentiality violation. Personal data that should have been restricted was available to unauthorized persons.5/11/2021
Norwegian DPAAdministrative fine to Customs directoratePress releaseThe Norwegian Data Protection Authority has given the Norwegian Customs a final decision on an administrative fine of NOK 400,000. The fine has been adjusted downwards in relation to the notice given in 2019. The case concerns the collection and use of information from cameras without legal basis.5/11/2021
Norwegian DPAAdministrative fine to Østfold HF HospitalPress releaseThe Norwegian Data Protection Authority has decided on an administrative fee of NOK 750,000 to Østfold HF Hospital. The background is that in the period 2013-2019, the hospital stored report extracts from patient records outside the safe zone. The case started with a notice of personal data breach from the hospital.5/11/2021
Norwegian DPAGuidance to Vigilo regarding applicable obligationsPress releaseEarlier this autumn, the Norwegian Data Protection Authority decided on an administrative fee for Bergen municipality because personal information in the communication system between school and home was not adequately secured. We have now given guidance to Vigilo that they too must take responsibility for the communication failure between the company and the municipality.5/11/2021
Norwegian DPAFinal decision, administrative fine for Rælingen municipalityPress releaseThe Norwegian Data Protection Authority has imposed an administrative fine of 500 000 NOK (EUR 47,500) on Rælingen Municipality. The fine is imposed after data concerning health of children with special needs was processed using the digital learning platform Showbie.5/11/2021
Norwegian DPAAdministrative fine imposed on the Municipality of Oslo, the Education AgencyPress releaseIn October 2019, a fine of € 120 000 was imposed on the Municipality of Oslo, the Education Agency, as a result of poor security of processing in the ‘Skolemelding’ mobile app. The app is used for communication between school employees, parents and pupils.5/11/2021
Philippines National Privacy CommissionInvestigation into the Possible Data Privacy Violations Committed by the website LISENSYA.INFOIN RE: LISENSYA.INFO Initiated as an Independent NPC Investigation into the Possible Data Privacy Violations Committed by the website LISENSYA.INFO.5/11/2021
Philippines National Privacy CommissionInitiated as an Independent NPC Investigation into the Possible Data Privacy Violations Committed by the website LISENSYA.INFOIN RE: LISENSYA.INFO Initiated as an Independent NPC Investigation into the Possible Data Privacy Violations Committed by the website LISENSYA.INFO.5/11/2021
Philippines National Privacy CommissionGRAB PHILIPPINES’ [1] ROLL-OUT OF THE PASSENGER SELFIE VERIFICATION; [2] PILOT TEST OF THE IN-VEHICLE AUDIO RECORDING; AND [3] PILOT TEST OF THE IN-VEHICLE VIDEO RECORDINGIN RE: GRAB PHILIPPINES’ [1] ROLL-OUT OF THE PASSENGER SELFIE VERIFICATION; [2] PILOT TEST OF THE IN-VEHICLE AUDIO RECORDING; AND [3] PILOT TEST OF THE IN-VEHICLE VIDEO RECORDING5/11/2021
Philippines National Privacy CommissionJBD vs JI and VVV5/11/2021
Philippines National Privacy CommissionFAT vs XXX5/11/2021
Philippines National Privacy CommissionBGM vs IPP5/11/2021
Philippines National Privacy CommissionIN RE: FLI OPERATING ABC ONLINE LENDING APPLICATION5/11/2021
Philippines National Privacy CommissionECA vs XXX5/11/2021
Philippines National Privacy CommissionRBD vs FCASH Global Lending5/11/2021
URCDPGuidelines for the processing of personal images in the framework of the vaccination campaign against COVID-19GuidelinesThe massive attendance of the population to vaccination posts, and the eventual waiting in public areas can expose people to the capture of their personal image by the media or even individuals. In this sense, the document provides information to the press and people in general for the processing of the images of people in compliance with the regulations on personal data protection.5/11/2021
URCDPWeb forms: good practices in personal data protectionGuidelinesQuality databases are essential for organizations, as it allows improving the quality of the relationship between people and the organization, as well as facilitating its internal processes, improving its efficiency. On many occasions, these databases are fed by information that is collected in digital forms. For this reason, the URCDP gathered ten good practices aimed especially at public organizations, so that they can create and distribute web forms that collect personal data. The document includes recommendations on the choice of systems, authentication mechanisms, management of the collected data, its conservation and impact assessment. In addition, reference is made to the importance of the participation of the Personal Data Protection Officer in the generation of the forms, as well as the inclusion of clauses that include the conditions of data processing, so that people can exercise their rights in the digital world.5/11/2021
URCDPRecommendations for the processing of personal data in the framework of teleworkingGuidelinesTeleworking is a form of work carried out in a location far from a central office or production facilities that separates the person from personal contact with colleagues who are at the office. This modality is based on tools that allow meetings at a distance, their recording and storage, the exchange of files, the use of the cloud, with an exponential increase in the processing of personal information through the internet.5/11/2021
URCDPContact Tracing in Mobile Applications: Recommendations to Protect Personal DataGuidelinesThe Executive Council of the URCDP issued Resolution No. 35/020 of 9 June 2020, with recommendations for using the contact-tracing systems of mobile applications during the health emergency in compliance with the regulations on personal data protection.5/11/2021
URCDPRecommendations for temperature control in the national health emergency situationGuidelinesThe health emergency declared by Decree No. 93/020, of March 13, 2020, and derived from the coronavirus pandemic (COVID-19), has generated in multiple actors the need to use various techniques to safeguard health and safety of people, and of society in general. In this framework, the use of personal information is achieved by regulations that recognize the right to the Protection of Personal Data as a fundamental right. For this reason, it is imperative to make a responsible use of said information, trying to reach a balance with other rights.5/11/2021
URCDPRecommendations for the processing of personal data in the face of the national health emergency situationGuidelinesIn the framework of the health emergency caused by the spread of the COVID-19 coronavirus, the URCDP prepared a document with the aim of guiding those in charge and responsible for the use and handling of personal data. The document contains information on the requirements for the treatment of sensitive data, who are the legitimate subjects for the treatment of health data, consent of the owner, general principles of Personal Data Protection and links of interest on the national legal framework in force on the matter, among others. Likewise, the text recalls that the use of personal information is achieved by rules that recognize the right to the Protection of Personal Data as a fundamental right and encourages the responsible use of such information.5/11/2021
URCDPDecree No. 64/020, regulating the new provisions on Personal Data ProtectionDecreeThe decree regulates articles 37 to 40 of Law No. 19.670. It establishes a new territorial scope of Law No. 18.331 on the Protection of Personal Data, modifies the principle of responsibility, incorporates the principle of "accountability", imposes a new regime of communication of security breaches that involve personal data and creates the figure of the Data Protection delegate for certain types of processing.5/11/2021
URCDPResolutions, opinions and reports 2019Opinions, Resolutions and ReportsThe URCDP resolves claims made by the persons, makes recommendations and imposes penalties. This document includes Opinions, Resolutions and Reports by the Unit in the year 2019.5/11/2021
Bundeskartellamt (Federal Cartel Office)Proceeding against Google based on new rules for large digital players (Section 19a GWB) – Bundeskartellamt examines Google's significance for competition across markets and its data processing termsPress releaseProceeding against Google based on new rules for large digital players (Section 19a GWB) – Bundeskartellamt examines Google's significance for competition across markets and its data processing terms.5/11/2021
Bundeskartellamt (Federal Cartel Office)Proceedings against Amazon based on new rules for large digital companies (Section 19a GWB)Press releaseProceedings against Amazon based on new rules for large digital companies.5/11/2021
Bundeskartellamt (Federal Cartel Office)First proceeding based on new rules for digital companies – Bundeskartellamt also assesses new Section 19a GWB in its Facebook/Oculus casePress releaseFirst proceeding based on new rules for digital companies5/11/2021
Bundeskartellamt (Federal Cartel Office)Proceeding against Apple based on new rules for large digital companies (Section 19a(1) GWB) – Bundeskartellamt examines Apple’s significance for competition across marketsPress releaseProceeding against Apple based on new rules for large digital companies.5/11/2021
GPAEnforcement Cooperation Handbook (English) Enforcement Cooperation Handbook (English)5/11/2021
GPAEnforcement Cooperation Handbook (French)Enforcement Cooperation Handbook (French)5/11/2021
Norway DPADecision to fine Odin Flissenter ASDecisionThe Norwegian Data Protection Authority has issued Odin Flissenter AS (Tile distributor) an administrative fine of EUR 13 905 (NOK 150 000) for performing a credit check of a sole proprietorship without having a lawful basis for the processing.5/11/2021
Norway DPADecision to fine Bergen municipalityDecisionThe Norwegian Data Protection Authority has given Bergen municipality a final decision on an administrative fine of approximately EUR 276,000 (3 million NOK). Personal information in the communication system between school and home was not secure enough.5/11/2021
Norway DPADecision to fine The Norwegian Public Roads AdministrationDecisionThe Norwegian Data Protection Authority has issued the Norwegian Public Roads Administration a fine of 37,400 EUR (400 000 NOK) for processing personal data for purposes that were incompatible with the originally stated purposes, and for not erasing video recordings after 7 days.5/11/2021
Norway DPAIntention to issue € 10 million fine to Grindr LLC | DatatilsynetPress ReleaseAdTech - The Norwegian Data Protection Authority has notified Grindr LLC (Grindr) that we intend to issue an administrative fine of NOK 100 000 000 for not complying with the GDPR rules on consent.27/03/2022
Norway DPAPress release: Intent to issue € 2,5 million fine to Disqus IncPress ReleaseAdTech - The Norwegian Data Protection Authority has notified Disqus Inc. (Disqus) that we intend to issue an administrative fine of NOK 25 000 000 for not complying with the GDPR rules on accountability, lawfulness, and transparency27/03/2022
Hong Kong- Privacy Commissioner for Personal Data Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps Guidance NoteAdTech – This Guidance aims to highlight those risks and provide practical advice that will help to mitigate the risks associated with social media.27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Policy position on online behavioural advertisingPolicy PositionAdTech - The following policy position addresses the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) to the collection and use of data about individuals’ web activities by means of such technology as cookies, web beacons, supercookies, zombie cookies, device data, for the purposes of online behavioural advertising (OBA) only.27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Online Behavioural Advertising (OBA) Follow Up Research ProjectReportAdTech - A report prepared by the Technology Analysis Branch of the Office of the Privacy Commissioner of Canada27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Online Behavioural Advertising: Putting a Normative Framework Around a Business ModelConference notesAdTech - Remarks at the 20th Annual Advertising and Marketing Law Conference27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Guidelines on privacy and online behavioural advertisingGuidanceAdTech - The following guidelines were developed to help the various types of organizations involved in online behavioural advertising ensure that their practices are fair, transparent and in compliance with PIPEDA.27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Online behavioural advertising in briefGuidanceAdTech - Online behavioural advertising in brief27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Frequently Asked Questions about online behavioural advertisingFAQsAdTech - Frequently Asked Questions about online behavioural advertising27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Web tracking with cookiesGuidanceAdTech - Guidance on web tracking with cookies27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Frequently Asked Questions about Cookies FAQsAdTech - Frequently Asked Questions about Cookies27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting, and Cloud ComputingReportAdTech - The following report on the consultations summarizes what we heard both during the consultations and in the responses to our published draft report, what we think, and where we would like to focus our future work.27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Investigation of Nexopia Report of FindingsAdTech - A complaint against Nexopia.com Inc. (Nexopia or the “website”) by individuals from the Public Interest Advocacy Centre (PIAC or the “complainants”) comprised 19 allegations ranging over six distinct issues.27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Investigation of Facebook Report of FindingsAdTech - Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. under the Personal Information Protection and Electronic Documents Act, by Elizabeth Denham, Assistant Privacy Commissioner of Canada27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Investigation of Facebook Report of FindingsAdTech - No evidence Facebook shares personal information with other sites via social plug-ins, investigation finds27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Investigation of MicrosoftReport of FindingsAdTech - Microsoft to obtain opt-in consent, enhance transparency for Windows 10 privacy settings27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Investigation of Apple Report of FindingsAdTech - Apple called upon to provide greater clarity on its use and disclosure of unique device identifiers for targeted advertising27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Investigation of BellReport of FindingsAdTech - Results of Commissioner Initiated Investigation into Bell’s Relevant Ads Program27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Investigation of Ganz IncReport of FindingsAdTech - Investigation into the personal information handling practices of Ganz Inc.27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Investigation of AggregateIQ Data Services Ltd.Report of FindingsAdTech - Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Investigation of GoogleReport of FindingsAdTech - Use of sensitive health information for targeting of Google ads raises privacy concerns27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC) Investigation of PositiveSingles.comReport of FindingsAdTech - Canadian adware developer Wajam Internet Technologies Inc. breaches multiple provisions of PIPEDA27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Investigation of Wajam Internet Technologies Inc.Report of FindingsAdTech - Profiles on PositiveSingles.com dating website turn up on other affiliated dating websites27/03/2022
Canada Office of the Privacy Commissioner of Canada (OPC)Investigation of an airline companyCase SummaryAdTech - Customer complains about airline's use of "cookies" on its Web site27/03/2022
Jersey Office of the Information CommissionerWhat is a Cookie?GuidanceAdTech – Cookie guidance for organisations in Jersey27/03/2022
United Kingdom – Information Commissioner’s OfficeUpdate report into adtech real time biddingReportAdTech - Report on ICO’s investigation into AdTech/RTB setting out our findings and clarifying our views.27/03/2022
United Kingdom – Information Commissioner’s OfficeAdtech market research reportReportAdTech - Report setting out our findings of public survey and fieldwork to better understand people’s awareness and perceptions of online advertising.27/03/2022