The Belgian Data Protection Authority (DPA) found a controller in violation of GDPR Article 5(1) for failing to promptly deactivate a former employee’s mailbox. The DPA ruled that the mailbox should have been deactivated on the employee’s last work day, with an auto-reply in place for up to three months in exceptional cases. The former employee had requested access to their data after termination but received no response, prompting a complaint to the DPA.
The DPA held that the controller breached GDPR principles by failing to deactivate the mailbox and failing to inform the employee in advance. The DPA also found a lack of legal basis for processing the email address after termination, but recognized that the controller could potentially justify the processing of the data subject’s personal data post-termination under Article 6(1)(f) GDPR. However, the DPA emphasized the absence of evidence indicating that the controller informed the data subject of this legal basis. Consequently, the processing occurred against the data subject’s expectations. Therefore, the DPA concluded that no legal basis existed for the processing of the email address after contract termination, resulting in a violation of Article 6(1) GDPR by the controller.
A warning was issued to the controller for not closing the mailbox on time, and the controller was ordered to respond to the access request within 30 days.
***
France’s supervisory authority (CNIL) published an updated guidance on data security.
The guide has been structured into 5 parts to facilitate navigation between its 25 sheets. 5 new sheets have been created. They mainly include content that the CNIL has already published elsewhere on:
- cloud computing ;
- mobile applications;
- artificial intelligence (AI);
- application programming interfaces (APIs);
- data security management.
Current practices, such as the use of personal equipment in a professional environment (BYOD), have enriched the existing sheets.
***
The international association of privacy professional (IAPP) has updated its global adequacy map.
According to the official press release, this “infographic shows the jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having “adequate” data privacy standards. An “adequate” designation describes instances where a third country has been assessed as providing data privacy standards that are sufficiently comparable to those of the assessing jurisdiction. These unilateral determinations permit the free flow of personal data, without the parties to the transfer being required to implement further safeguards or obtain further authorizations. In some jurisdictions the capabilities go by alternative legislative terms – such as “equivalence,” “comparable,” and “sufficiently similar” – and in some jurisdictions more colloquial terminology is used such as “whitelists” and “data bridges.”
***
The 12th Digital Dialogue between the European Union and Brazil, held in Brasilia on March 20th, strengthened their collaboration in digital cooperation. With a focus on inclusive digital transformation, sustainable growth, and innovation, the dialogue addressed challenges in a rapidly evolving digital landscape while emphasizing shared values of democracy, human rights, and sustainable development.
Key agreements included cooperation on connectivity projects in underserved areas, advancement of 5G and 6G technologies, and support for High-Performance Computing centers. Additionally, both parties committed to information exchange on semiconductor supply chains, technical interoperability of digital signature systems, and discussions on data protection and regulatory frameworks for data, artificial intelligence, and platforms. Co-chaired by officials from both sides, the dialogue underscored continued cooperation, with the next meeting planned for 2025.
Comments are closed.