Websites have been using Cookie Consent Banners that appear to comply with GDPR but use subtle ways to make it more likely that users will agree to the Cookies. Regulators from various jurisdictions have been promoting stricter requirements to obtain clear, unambiguous, freely given consent. The Italian DPA, the Garante, recently (June 2021) released a new set of guidelines on cookies. The guidelines require website owners to obtain unambiguous consent from users before placin
In a previous post we discussed the status, in general, of ‘disease risk’ genetic data, and we saw that it is generally going to be health data.
Now, suppose we do not know the identity of the data subject: we only have DNA sequencing data; is that personal data? It seems that under GDPR the answer is in the affirmative (and in future we’ll discuss other laws, which answer in the negative).
Moreover, WP29 Opinion 216 states (section 2.2.2) that “removing directly identifying
On June 6, 2020 the Spanish data protection authority, the AEPD (Agencia Española de Protección de Datos), published a fine imposed on Telefonica Moviles España, S.A.U. – a telecom provider. This case is likely to be of particular interest to many service-oriented organizations.
Briefly what happened is this: the complainant was a customer of the telco; a fraudster called the telco pretending to be the complainant, and ordered several phone lines installed, at the complainant
DISCLAIMER: same as on other blog posts. This isn't legal advice. This isn't even advice... Session replay data is information about how you browse on a given website. It could include scrolling, touching, mouse movements, clicks, and anything you type. This includes what you type into a form, even if you don’t ever click “submit”. There are a number of third-party web-analytics providers who record session replay data – collecting data on every keystroke, cursor movement, an
DISCLAIMER: same as on other blog posts. This isn't legal advice. This isn't even advice...
Prior to GDPR’s going into force in May 2018, English football powerhouse Manchester United asked its fans to opt-in to Man United continuing to hold their email addresses and other personal details and using them to enable the fans to stay up to date with news and promotions. To make sure that fans were even more likely to consent, Man United offered those fans who opted in 20% off
DISCLAIMER: SEE AT THE END OF THIS BLOG.... We've been asked about a tricky situation: when a data subject makes a request for data, but employees at our client have added personal remarks, sometimes derogatory or uncouth, to the data subject's file. Here's how we can approach that: GDPR Article 15 states that "The data subject shall have the right to obtain from the controller… access to the personal data" that the controller has on that data subject. On the face of it, if a