April

The French data protection authority has published new guidelines on the security of personal data, with practical recommendations to help businesses implement appropriate measures to protect personal data in compliance with the GDPR.

Although the GDPR provides some guidance, CNIL (Commission Nationale de l'Informatique et des Libertés) - an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data) acknowledges that determination may be difficult for businesses that are unfamiliar with risk management methods in terms of data processing.

CNIL's recommendations are organized in 17 themes to advise organizations on how to comply and document their security obligations, but also as a practical tool for conducting privacy impact assessments.

Privacy legitimate interest might become difficult to manage in Italy following provisions introduced in the country's Budget Law.

The Budget Law provides that data controllers who process personal data through automated means or "new technologies" on the basis of legitimate interest need to notify and receive approval from theThe Italian Data Protection Authority (Garante per la protezione dei dati personali) . Yet, since the provision applies to data processing activities based on legitimate interest and performed through automated means and new technologies, this may introduce confusion, and may force some companies to introduce new versions of their privacy information notice to ensure complete compliance with the GDPR.
 

The Polish government is considering exempting small- and medium-sized businesses from having to comply with key requirements of the incoming GDPR, causing alarm among privacy advocates, members of the European Parliament and the country 's data protection authority.

The requirements that would be exempted for companies employing fewer than 250 people would include an obligation to tell people how long their data will be stored for and what their rights are regarding objections to processing, demands for rectification and deletion, access to their data, data portability, and the right to complain to the Polish DPA.