Enforcement cooperation repository / Document library

Find information provided by ICDPPC members or by networks of data protection/privacy authorities, including highlights of their activities in their jurisdictions. Search for the keyword of your choice, which could be the name of an authority you are interested in or a topic of interest.


Network or AuthorityResourceType of ResourceDescription of ResourceUpload date
Germany - Bundeskartellamt (Federal Cartel Office)Facebook Decision of 7 February 2019NewsPress release (text)29/8/2019
Germany - Bundeskartellamt (Federal Cartel Office)Facebook Decision of 7 February 2019Enforcement ActionQ & A (for download)29/8/2019
Germany - Bundeskartellamt (Federal Cartel Office)Facebook Decision of 7 February 2019Enforcement ActionCase Summary (for download)29/8/2019
Germany - Bundeskartellamt (Federal Cartel Office)Preliminary assessment in Facebook proceeding of 19 Dec 2017NewsPress release (text)29/8/2019
Germany - Bundeskartellamt (Federal Cartel Office)Preliminary assessment in Facebook proceeding of 19 Dec 2017Enforcement ActionBackground Information (for download)29/8/2019
Catalan Data Protection AuthorityApplicable LawsRegulationThis section of the web includes national and international legislation, and the regulatory legislation of the APDCAT.29/8/2019
Catalan Data Protection AuthorityProvisions adopted by the APDCATRegulationThis section includes the Instruction 1/2009 of February on the processing of personal data using cameras for video surveillance purposes; Guidance regarding the publication of the ID number; Recommendation 1/2008 on the transmission by Internet of information containing personal data; Recommendation 1/2013 on the use of email in the work environment (both Recommendations available in English version), and the Audit report on the portals of transparency.29/8/2019
Catalan Data Protection AuthorityResolutions, opinions and reportsOtherLaw authorises APDCAT to exercise, among others, the function of resolving claims made by the persons concerned as regards their rights. This law also empowers the Authority to carry out inspections and impose penalties, as well as to issue authorisations for exemption from the duty of information in the collection of data and for the integral maintenance of certain data. APDCAT also attends to requests for information and enquiries made by citizens or entities that fall within its scope of action. This section includes Opinions and Resolutions regarding this function. It also includes the APDCAT reports in application of Transparency legislation.29/8/2019
Catalan Data Protection AuthorityGuidelinesGuidanceThis section includes Guidelines prepared by APDCAT: Guidelines regarding data protection impact assessment (DPIA)) (available in English); “GDPR Data Processor Guide”, prepared by the APDCAT in conjunction with the Spanish Data Protection Agency and the Basque Data Protection Agency (available in English); and “Guide to comply the obligation to inform according to the GDPR”, prepared in conjunction with the Spanish Data Protection Agency and the Basque Data Protection Agency.29/8/2019
Catalan Data Protection AuthorityEducation and children privacyGuidanceInformation about how children and young people can surf the internet without problems and how they should protect the personal information, including clear examples of the risk they run by posting personal information on the internet or passing it by mobile phone. It also includes the “Data Protection Guidelines for Schools” (English version), and some Guides addressed to children.29/8/2019
Catalan Data Protection AuthorityPress-releases (News)NewsIn this section of the Web you will find information regarding training activities, conferences, symposiums and Conferences organized or participated by the APDCAT.29/8/2019
Catalan Data Protection AuthoritySmart CitiesThis section includes, aware of the implication that the development of Smart Cities may have on the personal data and privacy rights, a Document for debate, a bibliography, and audio-visual materials to contribute to the debate regarding this issue.29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Annual report 2018Report29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Supervisory framework 2018-2019Report29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Hospital fined for insufficient internal protection of patient filesNews29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Letter on cookies and consentNews29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Almost 10.000 complaints filed at Dutch Data Protection AuthorityNews29/8/2019
Netherlands - Dutch Data Protection Authority (Autoriteit Persoonsgegevens, NL DPA)Uber fined by Dutch DPA for data breach (available in English)News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationStatement on Bundeskartellamt Facebook decision of 7 February 2019News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationStatement “Federal Commissioner for Data Protection and Freedom of Information approves pursuant to Art. 46 (3) b GDPR a multilateral administrative arrangement concluded by ESMA and IOSCO on cross-border data transfers”, issued on 24th April 2019 (German)News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationStatement on “Mobile Payments – but not with my personal data”, issued on 5th February 2019 as press release 05/2019 (German language only)News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationPress release on “The First Anniversary of the GDPR - a Success with Potential for Further Growth”, issued on 25 May 2019News29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of InformationStatement of 26 April 2019 on Facebook-Cambridge-AnalyticaNews29/8/2019
Germany - Federal Commissioner for Data Protection and Freedom of Information“Hambach Declaration” on Artificial IntelligenceOther29/8/2019
Switzerland - Federal Data Protection and Information CommissionerGuide on digital processing in connection with elections and votingGuidanceGuide by the data protection authorities of the Confederation and the Cantons on the application of data procession laws to the digital processing in connection with elections and voting in Switzerland.29/8/2019
Switzerland - Federal Data Protection and Information CommissionerThe GDPR and its consequences for SwitzerlandRegulation29/8/2019
Switzerland - Federal Data Protection and Information CommissionerAnnual report 2018-2019Report29/8/2019
Gibraltar Regulatory AuthorityGlobal Privacy Enforcement Network Sweep 2018NewsPress release. On a yearly basis, the Gibraltar Regulatory Authority participates in the Global Privacy Enforcement Network’s (“GPEN”) annual intelligence gathering operation, called a “Sweep”. In 2018 the Sweep looked at how well organisations have implemented the core concepts of accountability into their own internal privacy policies and programmes. Locally, the GRA focussed on privacy accountability in the telecommunications sector. In short, the study looked at how organisations have taken responsibility for complying with data protection laws.29/8/2019
Gibraltar Regulatory AuthorityGuidance on the Information Commissioner’s Regulatory ActionGuidanceThis guidance note provides guidance on the regulatory action that the Information Commissioner may take under the Data Protection Act 2004 and the General Data Protection Regulation. In addition to this it provides information on how the Information Commissioner proposes to exercise his functions in connection with information notices, assessment notices, enforcement notices, and penalty notices.29/8/2019
Gibraltar Regulatory Authority2017/2018 Annual ReportReportThis Annual Report of the Gibraltar Regulatory Authority was prepared in accordance with Section 19 (1) of the Gibraltar Regulatory Act 2000 and covers the period 1st April 2017 to 31st March 2018. The Annual Report includes outcomes and decisions made by the Information Commissioner regarding investigations and data breaches and a section on the Gibraltar Regulatory Authority’s international participation in Data Protection related events and conferences. Please refer to pages 25 to 36 for a summary of the work done by the Information Rights Division of the Gibraltar Regulatory Authority. In particular, page 34 contains a summary of the enforcement action taken by the authority in the relevant financial year.29/8/2019
Gibraltar Regulatory AuthorityData Protection Act 2004RegulationWhen the Data Protection Act 2004 was implemented, it granted new rights to individuals regarding how their personal data are collected and used by both private and public sector bodies. In addition to this, those bodies are obliged to obey rules governing how they collect and use data. Amendments were made in 2018 in order to implement into the law of Gibraltar the General Data Protection Regulation. 29/8/2019
Gibraltar Regulatory AuthorityCommunications (Personal Data and Privacy) Regulations 2006RegulationIn Gibraltar, electronic direct marketing is regulated by the Data Protection Act 2004, the General Data Protection Regulation and the Communications (Personal Data and Privacy) Regulations 2006. In particular, in accordance with regulation 23 of the Privacy Regulations, direct marketing via electronic mail should only be conducted where an individual has given prior consent, unless the contact is with previous customers about similar products, and where an opt-out from marketing was provided to the individual when their details were collected. The Information Commissioner has enforcement powers under the Privacy Regulations.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Investigation into the use of data analytics in political campaigns
ReportICO’s report to the UK Parliament on its investigation into data analytics for political purposes, plus a further update report and associated materials.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Equifax Limited Monetary Penalty NoticeEnforcement ActionNotice confirming imposition of £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Smarthome Protection Limited Monetary Penalty NoticeEnforcement ActionNotice confirming imposition of £90,000 fine for making 118,000 unlawful marketing calls to people registered with the Telephone Preference Service (TPS) who wished to opt out of receiving such calls.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Update report into Adtech and real time biddingPolicy and Research?A report which clarifies the ICO’s views on Adtech, specifically the use of personal data in Real Time Bidding in the online advertising industry, and sets out the ICO’s intended next steps.29/8/2019
United Kingdom - Information Commissioner's Office (ICO)Security Outcomes guidanceGuidanceJoint security principles between the UK National Cyber Security Centre and the ICO.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Privacy Notice Generator for the private sectorToolThe Privacy Notice Generator (GAP) is a computer tool available on the INAI website, through which privacy notices can be made with the informative elements required by the standard. This tool is free of charge. With this tool, the Institute facilitates to the regulated subjects by the LFPDPPP, the fulfillment of its obligation to make available to the data subjects data privacy notices with the requirements demanded by the standard, on the other. It also helps the data subjects to have privacy notices that efficiently inform the main characteristics of the processing to which their personal data will be submitted, so that they can make accurate decisions regarding their personal information.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide to comply with the principles and duties of the Federal Law on Protection of Personal Data Held by Private PartiesGuidanceIn July 2014, the compliance Guide for the principles and duties of the Federal Law on Protection of Personal Data Held by Private Parties was published. The purpose of this guide is to help and guide data controllers to: 1. Recognize the obligations in personal data protection established in the LFPDPPP, its Regulations and other related outcomes that are imposed to them. 2. Make a diagnosis of your organization to know how personal data (personal data flow) is processed and what is the current status of compliance with its obligations in the matter. 3. Know the minimum actions and controls that you must perform and establish to fulfill your obligations in the matter.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Corpus Iuris on personal data protectionToolThe Corpus Iuris project regarding Personal Data Protection arises within the Ibero-American Data Protection Network, with the aim of having a tool that allows a simple and systematized access to a large set of documents, standards and precedents that show the development that has had the protection of personal data as a human right, the degrees of progress that it has reached, as well as the areas that need to be reinforced, to continue developing, or, which represent new challenges in the matter. The Corpus Iuris tool regarding Personal Data Protection is composed of two sections: one dedicated to international documents and another to national documents of the different countries that constitute the Ibero-American Data Protection Network.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Generator of Privacy Notices for the Public SectorToolThe Generator of Privacy Notices for the Public Sector is a computer tool that allows public sector data controllers to issue their privacy notices in any of the modalities provided for in the General Law on Protection of Personal Data Held by Obligated Parties and the General Guidelines for the Protection of Personal Data for that sector, by systematizing the information in a dynamic questionnaire divided into sections, which include interactive support elements per question, so data controllers, without being specialists in the field, may be able to prepare their privacy notices based on the processing of personal data they perform, in an editable format .29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide to Prevent Identity TheftGuidanceIt is intended for people to have information on how to protect their personal data and thus reduce the risk of being victims of this crime. The Guide to Prevent Identity Theft helps answer questions such as What is identity theft? How can identity theft may affect you? How your identity can be stolen? How to protect your identity? How to know if I have been a victim of identity theft? What should I do if my information was lost or exposed? What should I do if I have been a victim of identity theft? Where/ to whom should I go to? The Guide also includes: Ten useful tips to prevent identity theft; Real cases, and a self-assessment to identify how vulnerable each person is to identity theft.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Monsters onlineToolThis series is a multi-platform initiative (television series, interactive guides, online games, electronic books, among others), designed to support children, families and educators in the creation of good habits for safe (with protection of personal data and privacy) and helpful use of information and communication technologies. the transmission of the series Monsters in Network started on September 4, 2017, via Canal Once, Once Niños and on the YouTube Kids channel, as well as the YouTube channels of Sesame Street and INAI.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide for Data SubjectsGuidanceThe Guide for Data Subjects aims to explain, in a simple way, to what is the right to the protection of personal data, why it is important to take care of your personal information, how they can exercise the right and to whom they can complain in case they consider that their right has not been respected. The above with the purpose of spreading the knowledge of this human right, so that people can exercise it in an informed way and when required in order to protect their interests. The Guide is divided into four volumes, in order to make consultation simpler. These volumes are: Volume 1. General Concepts of personal data protection; Volume 2. Guiding principles of personal data protection; Volume 3. The ARCO Rights; Volume 4. Personal data procedures according to the INAI.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guidelines to keep your privacy and personal data safe in a digital environmentGuidanceThe Recommendations to keep your privacy and personal data safe in the digital environment (Recommendations for the digital environment or Recommendations), are intended to explain, in a clear and simple way, a series of practical tips on security settings, mobile applications and software in general (free or with cost), which are considered useful for users or holders of personal data to keep their privacy and personal data secure in the digital environment.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide for the processing of biometric dataGuidanceGuide aimed to data controllers and data processors of the public and private sectors, who are currently seeking or processing biometric data through digital or automated means, in order for the processing to be carried out in accordance with the principles, duties and obligations established in the LFPDPPP (in Spanish) and the LGPDPPSO (in Spanish), as well as other applicable regulations29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Handbook on personal data security for MSMEs and small organizationsGuidanceThe handbook aims to provide data controllers and data processors who do not have technical knowledge in the field of security, a free and easy-to-understand document, that takes as a reference the main criteria and concepts of the Recommendations regarding security of personal data, issued by the INAI, for the identification and implementation of basic security controls for the protection of personal data.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide for the secure erasing of personal dataGuidanceThe Guide provides data controllers with the recommended methods and techniques for the safe disposal of personal data, which prevent unauthorized recovery and misuse. The Guide for Secure Erasing of Personal Data answers questions such as: What is secure erasure? Why is secure erasure important? What are the benefits of secure erasure? What methods do not securely erase personal data? How to safely erase personal data? And what is the most convenient secure erase method?29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Recommendations for handling personal data security incidentsGuidanceThe objective of the Recommendations for handling personal data security incidents is to describe the processes and controls recommended by the Institute to generate a security incident response plan, in particular to mitigate personal data security breaches. These recommendations will help and guide data controllers to: 1. Recognize the differences between alerts and security incidents; 2. Develop a plan to respond to security incidents, in accordance with international standards; 3. Use reference formats to document security incidents.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Minimum Criteria suggested for the contracting of Cloud Computing services that involve the processing of personal dataGuidanceThe document aims to establish minimum considerations to guide data controllers for the selection and hiring of cloud computing providers. The objective is that the infrastructure services, platforms and software of the so-called cloud computing offer the guarantees of a due processing of personal data, in order to comply with the obligations established by the regulations in the matter and avoid personal data breaches.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Breaches EvaluatorToolThe Breaches Evaluator is a tool that allows users (data controllers or obliged parties of the Federal Law on Protection of Personal Data Held by Private Parties and the General Law on Protection of Personal Data Held by Obligated Parties) to register and document existing and missing security measures that help them to minimize the occurrence and impact of personal data security breaches. The tool consists of a series of closed questions related to risks in the processing of personal data29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guiding document for the elaboration of the Protection of Personal Data ProgramGuidanceThis document guides those data controllers for developing a Personal Data Protection Program based on a management system that allows to provide the elements and activities of management, operation and control of the organization's processes. The foregoing, to systematically and continuously protect the personal data in their possession.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guiding document for the elaboration of the Protection of Personal Data Program (Annexes)GuidanceThe annexes are a compendium of ten documents that complement the guiding document for the elaboration of the Personal Data Protection Program. These documents identify the general actions, in addition to the specific ones that each administrative unit of the obligated parties will have to perform, to fulfill their obligations regarding personal data protection.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guide to implement a Personal Data Management SystemGuidanceThe Guide to implement a Personal Data Security Management System, is based on the Plan–Do–Check–Act cycle, because, through the execution of 9 actions for the security of personal data through a process of continuous improvement, an acceptable level of risk in the processing of personal information is achieved, depending on the model and objectives of the organization. This Guide consists of an exercise of precision, synthesis and harmonization of international standards and best practices in the field of personal data security.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Article 16, second paragraph of the Political Constitution of the United Mexican StatesRegulationIts purpose is to recognize the fundamental right to the protection of personal data in Mexico.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and its Additional Protocol regarding supervisory authorities and transborder data flows, made in Strasbourg, France, on January 28, 1981, aRegulationThey have the objective of guaranteeing, in the territory of each Party, to any natural person, regardless of their nationality or residence, the respect for their fundamental rights and freedoms, specifically their right to privacy with respect to the automated processing of personal data ("data protection").29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General Law on Protection of Personal Data Held by Obligated PartiesRegulationIt seeks to establish the bases, principles and procedures to guarantee the right to the protection of personal data held by any authority, entity, body and agency of the Executive, Legislative and Judicial Powers, autonomous bodies, political parties and trusts and public funds in the federal, state and local sphere.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General Guidelines for the Protection of Personal Data for the Public SectorRegulationThey intend to develop the provisions set forth in the General Law on Protection of Personal Data Held by Obligated Parties, particularly for the federal public sector.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General Guidelines for the National Institute for Transparency, Access to Information and Personal Data Protection to exercise the power of attractionRegulationThey are intended to recognize the elements that the Institute must assess in the exercise of its power of attraction over those reviews or appeals that are the original competence of the supervisory agencies of the federal entities, but for their interest and importance in the protection of personal data must know and resolve when approved by the majority of its Commissioners.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guidelines that establish the parameters, modalities and procedures for the portability of personal dataRegulationIts objective is to establish the parameters that determine the assumptions that underlie a structured and commonly used format, as well as the technical standards, modalities and procedures for the transmission of personal data. This, in order to guarantee the exercise of the right to data portability referred to in article 57 of the General Law or those that correspond in Federal entities’ legislations on this matter.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General criteria for the implementation of compensatory measures in the public sector of the federal, state and municipal orderRegulationIts purpose is to establish the parameters through which any authority, agency, entity, body or agency of the Executive, Legislative and Judicial Powers, autonomous constitutional bodies, administrative courts, trusts and public funds, of the federal, state and municipal order, as well as political parties, may implement compensatory measures.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General administrative provisions for the preparation, presentation and evaluation of Data Protection Impact AssessmentRegulationThe objective is to establish the general framework applicable in the preparation, presentation and assessment of Data Protection Impact Assessment29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Federal Law on Protection of Personal Data Held by Private PartiesRegulationIt has the purpose of protecting personal data held by private parties, in order to regulate its legitimate, controlled and informed processing, to ensure the privacy and the right to informational self-determination of individuals.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Regulations to the Federal Law on the Protection of Personal Data Held by Private PartiesRegulationIts purpose is to regulate the provisions of the Federal Law on Protection of Personal Data Held by Private Parties.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Privacy Notice GuidelinesRegulationThey are intended to establish the content and scope of privacy notices, in terms of the provisions established in the Federal Law on Protection of Personal Data Held by Private Parties and in its Regulations.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guidelines for Procedures of Protection of Rights, Investigation and Verification, and SanctionsRegulationThey have the objective to develop, inform and specify the formalities that must be observed during the procedures for the protection of rights, verification and imposition of sanctions, in terms of the provisions set forth in the Federal Law on Protection of Personal Data Held by Private Parties and in its Regulations.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Self-regulation Parameters regarding Personal Data ProtectionRegulationThey intend to establish rules, criteria and procedures for the correct development and implementation of the binding self-regulation schemes on personal data protection, referred to in articles 44 of the Federal Law on Protection of Personal Data Held by Private Parties and in articles 79, 80, 81, 82, 83, 84, 85 and 86 of its Regulations.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)General criteria for the implementation of compensatory measures without the express authorization of the Federal Institute for Access to Information and Personal Data ProtectionRegulationIts purpose is to establish the general framework through which those data controllers can implement, without the express authorization of the Federal Institute for Access to Information and Data Protection, the compensatory measures of mass communication referred to in articles 18, last paragraph, of the Federal Law on Protection of Personal Data Held by Private Parties, and 32, first paragraph, of its Regulations.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Operation rules of the Registry of Binding Self-Regulation SchemesRegulationThe objective is to define and describe the operational aspects and necessary procedures for the operation of the Registry of Binding Self-Regulation Schemes on personal data protection set forth in Article 86 of the Regulations of the Federal Law on Protection of Personal Data Held by Private Parties and Chapter V of the Self-Regulation Parameters regarding Personal Data Protection.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Guidelines for the use of hyperlinks on a website of the National Institute for Transparency, Access to Information and Personal Data Protection, to publicize privacy notices through compensatory measuresRegulationThey intend to establish the criteria, conditions and procedure so that those data controllers can provide privacy notices through the implementation of compensatory measures through hyperlinks located on a website of the National Institute for Transparency, Access to Information and Personal Data Protection, in accordance with article 35, section IV, of the Regulations of the Federal Law on Protection of Personal Data Held by Private Parties and Seventeenth, section IV, of the General criteria for the implementation of compensatory measures without the express authorization of the Federal Institute for Access to Information and Personal Data Protection.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Case “Classification of personal data of the Interbank CLABE”Enforcement ActionComplaint was filed against a financial institution, since it improperly provided the complainant´s standardized interbank key (CLABE), to a third party. Three fines were imposed which, in total, amounted to $ 17,495,400.00 Mexican pesos, for contravening the principles of responsibility and lawfulness and for breaching the duty of confidentiality, having delivered a document containing the complainant´s CLABE to a third party. In addition, the financial institution transferred personal data of patrimonial character, without obtaining the data subject´s expressed consent.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Case “Higher fine imposed by the INAI”Enforcement ActionA complaint was received against a financial institution, since it signed an automobile credit agreement with the complainant, through which it obtained some personal data, including sensitive personal data related to health status of the data subject and of her spouse who was not part of the contract. This, without providing a privacy notice. After substantiating the procedure, it was determined to impose three fines: $ 4,787,591.00 Mexican pesos for treating personal data in violation of the principles of information, proportionality and legality; $ 9,272,100.00 Mexican pesos since the financial institution collected sensitive personal data from the spouse of the complainant without obtaining their express consent; and $ 8,673,900.00 Mexican pesos due to the fact that a sensitive database was maintained without justifying its existence.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Case “Access to clinical file”Enforcement ActionA procedure for imposing sanctions against a hospital was initiated because a data subject submitted a request for the protection of its rights. This, because the data controller did not respond to the data controller’s request for access to a certified copy of the entire clinical record which was generated when she was admitted to the Hospital for the birth of her son.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)INAI resolved a file regarding the illegal disclosure of a child's health conditionEnforcement ActionThe INAI received a complaint regarding the publication, in an electronic public access portal, of sensitive personal data of a minor (name associated with health condition for which she was treated as a beneficiary of medical expenses insurance contracted by the data controller). 29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)INAI resolved a file regarding a person who argues the illegal disclosure of their personal data in a WhatsApp groupEnforcement ActionThe INAI received a complaint regarding the disclosure of a personal data format collected by the human resources area of the obligated party thorough a private WhatsApp chat. In this regard, the guarantor body developed a prior investigation and the substantiation of the respective verification procedure regarding personal data protection, after which the improper dissemination of personal data was deemed accredited. It was resolved that the obligated party (data controller) breached the principle of legality; as well as the duties of confidentiality and security.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Processing of personal data of minors by a child care centerEnforcement ActionA complaint was received alleging a breach of the Federal Law on Protection of Personal Data Held by Private Parties. The breach involved the allegation that the data controller had published, on Facebook, photographs of minors, including the complainant´s son, without having obtained the complainant´s consent.29/8/2019
Mexico - National Institute for Transparency, Access to Information and Personal Data Protection (INAI)Disclosure of Personal Data on the InternetEnforcement ActionThis Institute noticed that the data controller allegedly disclosed, on the Internet, proof of residency and bank statements, which contain personal data including: as names, addresses and property data of third parties, without requiring any type of authentication for consultation, so which it is freely accessible. For this reason, an ex-officio verification procedure was initiated.29/8/2019
Australia - Office of the Australian Information CommissionerGuide to securing personal informationGuidance29/8/2019
Australia - Office of the Australian Information CommissionerGuide to securing personal informationGuidance29/8/2019
Australia - Office of the Australian Information CommissionerNDB 12 month insights reportReport29/8/2019
Australia - Office of the Australian Information CommissionerOAIC guide to regulatory actionOther29/8/2019
Australia - Office of the Australian Information CommissionerPIA e-learning toolOther29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Report of findings: Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia Facebook Enforcement ActionFindings from our investigation into Facebook’s practices surrounding the disclosure of personal information to apps, including those related to the Cambridge Analytica scandal. We found that Facebook did not obtain meaningful consent, had inadequate safeguards and demonstrated a lack of accountability for the personal information within their control.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Report of Findings: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information CommissionerEnforcement ActionAnalysis against Canadian and Australian privacy law of the privacy practices of AshleyMadison.com (a dating website operated by a relatively small Canadian based business) after a large global privacy breach in 2015. It covers the following topics: adequacy of security practices (including security governance), indefinite retention of personal information, charging of fees for deletion of personal information, adequacy of measures to ensure accuracy of personal information (in this case the actual identity of site users), and requirements for consent and transparency.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Report of Findings: Investigation into Equifax Inc. and Equifax Canada Co.’s compliance with PIPEDA in light of the 2017 breach of personal informationEnforcement ActionThis report includes analysis against Canadian privacy law of the privacy practices of Equifax Canada and Equifax Inc. (credit reporting agencies) after a large global data breach in 2017. It covers the following topics: adequacy of security practices (including governance, vulnerability management, and network segregation), indefinite retention of personal information, accountability and consent required for the flow of information between Equifax Canada and its parent Equifax Inc. (located outside of Canada), adequacy of post-breach remediation offered to affected individuals.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Gaming and personal information: playing with privacyGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Joint guidance with the Chief Electoral Officer on political parties to help political parties protect the personal information of CanadiansGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Cannabis GuidanceGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Your privacy at airports and bordersGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Mandatory Breach reporting guidanceGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Guidelines for obtaining meaningful consentGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Guidance on inappropriate data practicesGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Draft Position on Online ReputationGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Direct-to-consumer genetic testing guidanceGuidance29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Technology FactsheetsGuidanceFact Sheets with quick tips and suggestions to easily implement online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Staying safe on social mediaGuidanceFact Sheets with quick tips and suggestions to easily implement online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Tips for using privacy settingsGuidanceFact Sheets with quick tips and suggestions to easily implement online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Tips for creating and managing your passwordsGuidanceFact Sheets with quick tips and suggestions to easily implement online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Printable graphics with general guidance and advice for organisations and the publicGuidancePrintable graphics that include top tips to help the public understand their privacy rights. 29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Privacy education for kidsGuidanceResources for both teachers and parents in terms of promoting privacy protection for children of various ages. This includes activity sheets, topics to talk about, quizzes and videos. It includes “house rule” suggestions for parents who wish to protect their children’s privacy in the home. It also focuses how teachers or parents can encourage online privacy on a daily basis.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)5 Tips for Protecting Yourself OnlineGuidancePrintable information cards. Each of these information cards are targeted to the public, using quick tips and vibrant graphics.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)5 Ways to Safeguard Your Mobile DeviceGuidancePrintable information cards. Each of these information cards are targeted to the public, using quick tips and vibrant graphics.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)The Internet of Things: 4 Steps for Reducing Your Privacy RiskGuidancePrintable information cards. Each of these information cards are targeted to the public, using quick tips and vibrant graphics.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)5 Tips for Raising a Privacy Concern with a BusinessGuidancePrintable information cards with tips and advice on how individuals, children and Canadians in general, can protect their own privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Help Protect Kids’ Online PrivacyGuidancePrintable information cards with tips and advice on how individuals, children and Canadians in general, can protect their own privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Know your privacy rightsGuidancePrintable information cards with tips and advice on how individuals, children and Canadians in general, can protect their own privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)10 tips for protecting personal informationGuidancePrintable information cards with tips and advice on how individuals, children and Canadians in general, can protect their own privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Be privacy powerful: Check and adjust your privacy settingsGuidanceThis video provides guidance on how Canadian’s can control their privacy settings online and lists advice on how to increase your privacy power. The video also discusses what privacy controls are available to individuals who are online.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Be privacy powerful: Use strong passwordsGuidanceThis video explains the importance of, and tips for, making strong and hard to guess passwords in order to strengthen online privacy.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Be privacy powerful: Know how to access your personal informationGuidanceThis video provides guidance on how Canadians can access their personal information, and includes steps they can take to obtain access, as well as obligations of organizations and government institutions, and exemptions to access [as listed in the legislation].29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Be privacy proficient: Get meaningful consentGuidanceThis video provides guidance on how organizations must obtain meaningful consent prior to collecting personal information from individuals.29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Privacy Tech-Know blogsPolicy and ResearchBlogs offer technology analysis and cover topics such as cryptography and public-key cryptography; and artificial intelligence. 29/8/2019
Canada - Office of the Privacy Commissioner of Canada (OPC)Privacy Enhancing Technologies – A Review of Tools and TechniquesPolicy and ResearchThis report discusses Privacy Enhancing Technologies that can help address risks to privacy that are becoming more apparent over time. This report touches on a variety of sub-topics, such as informed consent, data tracking, technical enforcement, and plans for progression using PET. 29/8/2019
Hong Kong - Privacy Commissioner for Personal DataHong Kong SAR and Korea signed MOU to foster Personal Data Privacy Protection (29 November 2002)News29/8/2019
Hong Kong - Privacy Commissioner for Personal DataPCPD Signs Joint Declaration on Privacy Research, Education and Policy Co-operation in Asian Region (10 November 2016)News29/8/2019
Hong Kong - Privacy Commissioner for Personal DataHong Kong and Singapore Sign MOU to Strengthen Cooperation in Personal Data Protection News29/8/2019
Hong Kong - Privacy Commissioner for Personal DataFindings in the investigation on a data breach of Cathay Pacific Airways affecting 9.4 million passengers worldwideEnforcement Action29/8/2019