Want to see the software before you decide? Book a demo and we will show you how it works.

OnePartnerGroup var tidiga med visselblåsarfunktion

thumbnail_Onepartnergroup.png

Onepartnergroup.png

 OnePartnerGroup was early with GDPR and whistleblowing

GDPR står för General Data Protection Regulation och är en dataskyddsförordning utfärdad av EU. GDPR trädde i kraft 2018 och syftet är att stärka skyddet av EU-medborgares personuppgifter. Förordningens ikraftträdande innebär bland annat att det föregående EU-direktivet, som genom PUL implementerades i svensk lag, upphörde att gälla och därmed även PUL. En EU-förordning blir direkt tillämplig i alla EU-länder och behöver således inte implementeras genom ny nationell lagstiftning.

The GDPR stands for the General Data Protection Regulation. It was issued by the EU and entered into force in 2018. The purpose of the GDPR is to strengthen the protection of EU citizens' personal data. This means, among other things, that the previous EU directive, which was implemented in Swedish law through PUL, ceased to apply and thus also PUL. Since an EU regulation is directly applicable in all EU countries it does not need to be implemented through national legislation.

Som företag behöver ni uppfylla kraven som ställs i dataskyddsförordningen (GDPR). Det innebär bland annat att följa de grundläggande principerna, att se till att all behandling av personuppgifter har en rättslig grund och att informera de registrerade om hur ni behandlar deras personuppgifter.

As a company, you need to meet the requirements set out in the GDPR. This means, among other things, to follow the general principles, ensuring that all processing of personal data has a legal basis and informing the data subjects about how you process their personal data.

Om ett företag sedan tidigare lever upp till PUL är tröskeln inte lika hög för att uppnå kraven i GDPR. Dock är det en hel del nyheter som måste ses över och på ett lämpligt sätt implementeras i företagets rutiner, dokument, system och arbetssätt.

If a company already lives up to PUL, the threshold for achieving the requirements of the GDPR is not as high. However, there is a lot of things that needs to be reviewed and implemented in an appropriate way in the company's routines, documents, systems, and methods.

Om man bryter mot GDPR riskerar man omfattande sanktionsavgifter. Hur stora avgifter bedöms från fall till fall, men maxtaket är 20 miljoner euro eller fyra procent av verksamhetens globala årsomsättning, beroende på vilket belopp som är högst. Detta för att även kunna få de stora globala koncernerna att leva upp till bestämmelserna.

If you violate the GDPR, you can receive a large fine. How big is estimated case by case, but the maximum is 20 million Euros or four percent of the global annual revenues, whichever is the highest amount. This is to also be able to make the large global groups live up to the regulations.

Alla verksamheter som behandlar personuppgifter måste följa dataskyddsförordningen (GDPR). Den gäller för företag, föreningar, organisationer, myndigheter och (i vissa fall) privatpersoner.

All businesses that process personal data must comply with the GDPR. It applies to companies, associations, organizations, authorities, and (in some cases) natural persons.

GDPR anger två situationer då ett personuppgiftsbiträdesavtal behöver ingås. Första situationen rör när ett personuppgiftsbiträde behandlar personuppgifter åt den personuppgiftsansvariga. Den andra situationen rör när ett personuppgiftsbiträde anlitar ett underbiträde som ska utföra en specifik behandling, på den personuppgiftsansvarigas vägnar. I bägge situationerna behöver bindande biträdesavtal ingås.

GDPR states two situations where a data processing agreement needs to be entered into. The first situation concerns when a processor processes personal data for the controller. The second situation concerns when a processor hires a sub-processor to perform a specific processing, on behalf of the controller. In both situations, binding data processing agreements need to be entered into.

En personuppgift är en uppgift som kan användas för att identifiera en fysisk person. Till exempel personnummer, adress, namn, kontonummer osv. Men även flera uppgifter i kombination, som var för sig inte räcker för att identifiera en individ, anses vara personuppgifter.

Personal data is all data that can be used to identify a living person. For example, social security number, address, name, account number, etc. Also several data in combination, which individually is not enough to identify an individual, are considered personal data.

En personuppgiftsincident är en säkerhetsincident som leder till oavsiktlig eller olaglig förstöring, förlust eller ändring eller till obehörigt röjande av eller obehörig åtkomst till de personuppgifter som överförts, lagrats eller på annat sätt behandlats. Oavsett om det har skett oavsiktligt eller med avsikt är det personuppgiftsincidenter.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Ett dataskyddsombud (DSO) är en utsedd person, antingen internt eller externt, som har stor kunskap om dataskyddsförordningen och agerar kontaktperson både för Integritetsskyddsmyndigheten (IMY) och för de registrerade vars uppgifter behandlas. Kontakta oss på Qnister om du vill anlita ett externt dataskyddsombud.

A Data Protection Officer (DPO) is a designated person, either internally or externally, who has extensive knowledge of the GDPR and acts as a contact person both for Integritetsskyddsmyndigheten (IMY) and for the subjects whose data is processed. Contact Qnister if you want to hire an external Data Protection Officer.

Med behandling av en personuppgift avses i princip allt man kan göra med personuppgifterna. Det kan till exempel vara att samla in, lagra, flytta, radera eller skriva ut uppgifterna.

Processing is basically everything you can do with the personal data. This could be, for example, collecting, storing, moving, deleting, or printing the data.

Varje behandling av personuppgifter i er verksamhet måste ni stödja på någon av de rättsliga grunderna. Utan en rättslig grund är behandlingen av personuppgifter inte laglig. De sex rättsliga grunderna är:

*   Avtal med den registrerade
*   Rättslig förpliktelse
*   Intresseavvägning
*   Skydda grundläggande intresse
*   Uppgift av allmänt intresse eller myndighetsutövning
*   Samtycke

You must support any processing of personal data in your business on one of the legal basis. Without a legal basis, the processing of personal data is not legal. The six legal basis are:

*   A contract with the data subject
*   Legal obligation
*   Legitimate interest
*   Protect vital interests
*   Task of the public interest or in the exercise of official authority
*   Consent

Samtycke är en vanlig rättslig grund på vilken företag baserar sin behandling av personuppgifter. Det är dock viktigt att samtycket är giltigt. För det krävs att frågan om samtycke ska vara skild från övrig information (alltså inte gömd i något finstilt), den ska ställas på ett klart och begripligt språk anpassat efter den som ska ge sitt samtycke och det ska dessutom vara lika enkelt att återkalla samtycket vid ett senare tillfälle.

Consent is a common legal basis on which companies base their processing of personal data. However, it is important that the consent is valid. Being valid contains that the question of consent must be separate from other information (i.e. not hidden in other text), be set in a clear and comprehensible language adapted to the person who is to give their consent and it must also be just as easy to revoke the consent at a later date.

Ett personuppgiftsbiträde är den som för personuppgiftsansvariges räkning och enligt den personuppgiftsansvariges instruktioner behandlar personuppgifter. Det kan till exempel vara en leverantör av en molntjänst eller en extern IT-supportfunktion.

A data processor is the person who processes personal data on behalf of the personal data controller. It can for example be a provider of a cloud service or an external IT support function.

Känsliga personuppgifter omfattar uppgifter som är av särskilt känslig art. Det kan vara uppgifter om ras eller etniskt ursprung, sexuell läggning, religiös eller filosofisk övertygelse, politiska åsikter, medlemskap i fackförening, genetiska uppgifter eller uppgifter om hälsa som entydigt kan identifiera en person. Uppgifter om hälsa kan till exempel vara sjukfrånvaro, läkarbesök eller graviditet. Det är förbjudet att behandla känsliga personuppgifter om inte något undantag gäller, exempelvis att någon annan lag, till exempel inom arbetsrätten, ger stöd för behandlingen.

Sensitive personal data or special categories of personal data means data that is of a particularly sensitive nature. It can be data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation Information about health can be, for example, sick leave, doctor appointments and pregnancy. It is prohibited to process sensitive personal data unless an exception applies, e.g. that another law makes it mandatory, for example in labor law.

Den personuppgiftsansvarige är skyldig att vid personuppgiftsincident inom 72 timmar anmäla incidenten till Integritetsskyddsmyndigheten (IMY). Undantag från denna skyldighet gäller om det är osannolikt att incidenten medför en risk för fysiska personers rättigheter och friheter. Beslutet att inte anmäla måste då dokumenteras inför en eventuell kontroll.

The person responsible for personal data, the data controller, is obliged to report any personal data breach to the supervisory authority, in Sweden Integritetsskyddsmyndigheten (IMY), within 72 hours. The exception to this obligation is if it is unlikely that the data breach entails a risk to the rights and freedoms of the data subjects. The decision not to report must be documented, in case of an inspection.

En av de registrerades grundläggande rättigheter är rätten att få sina uppgifter raderade, eller med andra ord, ”bli bortglömd”. Om en registrerad begär att få sina personuppgifter raderade är utgångspunkten att ni ska radera dessa. Det finns dock några undantag när uppgifterna inte ska raderas. Undantagen blir ofta tillämpliga om den personuppgiftsansvariga är en myndighet eller utför en uppgift av allmänt intresse. Ni kan bland annat neka den registrerade radering om det är nödvändigt för att tillgodose andra viktiga rättigheter som till exempel rätten till yttrande- och informationsfrihet,  
för att uppfylla en rättslig förpliktelse eller för att kunna fastställa, göra gällande eller försvara rättsliga anspråk. Oavsett om ni ska radera uppgifterna eller har ett skäl att behålla dem, ska ni återkomma till den registrerade utan onödigt dröjsmål, det vill säga senast inom en månad efter att ni har fått begäran.

One of the fundamental rights of data subjects is the right to have their data deleted, or in other words, to be "forgotten". If a data subject makes a request of its’ personal data to be deleted, the main rule is that you must delete them. However, there are some exceptions when the data is not to be deleted. The exceptions often apply if the person responsible for personal data is an authority or performs a task of general interest. You can, among other things, refuse the data subject deletion if it is necessary to maintain other important rights, such as the rights to freedom of speech or information, to fulfill a legal obligation, or to be able to establish, assert or defend legal claims. Regardless of whether you delete the information or have a reason to keep it, you must reply to the data subject without undue delay, i.e. no later than one month after you have received the request.

Personuppgiftsansvarig är den som beslutar om att uppgifter ska samlas in samt till vilket ändamål de ska användas. I ett aktiebolag är det den juridiska personen, själva bolaget, som är personuppgiftsansvarig. Om det däremot handlar om en enskild firma eller en privatperson som hanterar uppgifter på ett sätt som faller inom ramarna för förordningen så är det den fysiska personen som är personuppgiftsansvarig.

The person responsible for personal data is the person who decides that data is to be collected and for what purpose it is to be used. It is usually a company or organization, but can in some cases be an individual. The person responsible for personal data is called a data controller.

The EU considers that the personal data of its citizens should be protected as far as possible, even outside the borders of the Union. Therefore, the law covers all processing of EU citizens' personal data, regardless of whether the company or organization carrying out the processing is located within the EU or not. An e-commerce in China aiming for EU citizen customers is thus covered by the GDPR in the same way as a company in Sweden.

Do you have any questions or want to book a demo? We are ready to guide you through the compliance jungle.

When a new employee at the company was given access to her email account, she discovered she had access to another employee´s inbox. Consequently, she had access to all emails received and sent by the other employee. The employee given the faulty access reported this to the AEPD. After an investigation, the AEPD concluded that the incident occurred because of a faulty configuration of the email account. Therefore, the AEPD found that the company had not implemented appropriate technical and organizational measures, which is a breach of the principle of integrity and confidentiality in the GDPR.

**Read more:** [**https://www.aepd.es/es/documento/ps-00581-2021.pdf**](https://www.aepd.es/es/documento/ps-00581-2021.pdf)

Sanktion på grund av bristande konfigurering av e-postkonto

Fine issued following faulty configuration of email account

On September 16, 2022, the Swedish Court of Appeals issued the judgement regarding the size of the penalty fee to Stockholms Stad in a case of several violations of the GDPR. The violations regarded deficiencies in a school platform. IMY appealed the decision of the Swedish Administrative Court (förvaltningsrätten) regarding a 3 million SEK sanction fee and demanded the upholding of IMY’s previous decision (4 million SEK sanction fee).

The deficiencies in the platform meant that it was possible for teachers and parents to access information that one should not have access to. The processing regarded several hundred thousand of people, the majority of whom were students and guardians.  The information included sensitive personal data as well as data with high protectional value, such as student reviews and confidential personal data. The violations were found to be of a serious nature and relatively long-lasting.

The Swedish Court of Appeal examined the presence of mitigating and aggravating circumstances. The court found that the fact that no previous violations had occurred was not to be considered as a mitigating factor, and that it therefore should not affect the size of the penalty fee. Neither the cooperation of the municipal council was to be viewed as a mitigating circumstance in this case since the cooperation did not reduce the occurred damages. Furthermore, the court found that the nature of the processing and the protectional value of the personal data amounts to high demands regarding the security of the system. The fact that it required a certain technical knowledge to exploit the deficiencies in the system was not considered to affect the degree of responsibility that the municipal council had as personal data controller. The court held that the violations in question justified a penalty fee of at least 4 million SEK. Therefore, the decision of IMY was upheld.

**Read more:** [Kammarrätten i Stockholms dom den 2022-09-16 i mål nr 7837-21](https://techlaw.se/wp-content/uploads/2022/09/KR7837-21.pdf)

Kammarrätten fastställer IMY:s beslut mot Stockholms stad

Court of Appeals upholds the decision of the Swedish Supervisory Authority

The investigation is based on a received complaint regarding the monitoring of bus drivers. The scope of the investigation is to overview Nobina’s compatibility of the key principles of the GDPR, the legal basis of the processing as well as the duty to inform the data subjects. As part of the investigation, IMY asks several questions that Nobina must answer as data controller. Nobina must, for example, answer whether the purpose with the processing could have been achieved with less invasive measures.

**Read more:** [**https://www.imy.se/tillsyner/nobina-europe-ab/**](https://www.imy.se/tillsyner/nobina-europe-ab/)

IMY inleder granskning av Nobinas övervakning av busschaufförer 

Swedish Supervisory Authority initiates review of Nobina’s monitoring of bus drivers 

On September 13th, a decision was published following the review by the Swedish Data Protection Authority (Integritetsskyddsmyndigheten or IMY) of the company Verifiera. Verifiera's business involves providing subscription services for a digital legal database, which includes, among other things, judgments in cases related to compulsory care due to mental health issues or substance abuse. Verifiera has what is called a "voluntary publication certificate," and one of the questions examined during the review was whether the processing of personal data was covered by constitutional protection.

As a general rule, the publication of material on the internet falls outside the scope of the Swedish Freedom of the Press Act (Yttrandefrihetsgrundlagen or YGL). This means that the General Data Protection Regulation (GDPR) is usually applicable. An exception to this rule exists through the possibility of applying for a publication certificate for databases, which provides a form of "voluntary constitutional protection" (1 chapter, section 4 of YGL). With such a publication certificate, protection is granted for expressions that occur by providing information from a database. In such cases, the GDPR does not apply to the processing of personal data to the extent that it would conflict with the YGL (see 1 chapter, section 7 of the Data Protection Act).

IMY examined whether Verifiera's data collection fell within the exception in YGL (1 chapter, section 20 of YGL), which allows for regulations prohibiting the publication of personal data, including health-related data. IMY stated that a comprehensive assessment should be made, taking into account factors such as the purpose of data collection, the type of data provided, and the search and compilation functions available.

IMY concluded that Verifiera's data collection involved a substantial gathering of legal judgments containing highly sensitive information. Furthermore, the data processing was described as having significant consequences for the data subjects, as one of the purposes of the data collection was for background checks, such as for recruitment purposes. Verifiera had not taken any measures to exclude, mask, or limit the ability to search for data that could be linked to specific individuals. IMY also emphasized that Verifiera's search service was far from the values that constitutional laws aim to protect.

IMY's assessment led to the conclusion that the exception in YGL (1 chapter, section 20 of YGL) applied to Verifiera's publication of judgments and decisions in psychiatric and LVM (care for the mentally ill) cases, and therefore, the processing was not constitutionally protected.

Due to the data collection not being considered constitutionally protected, the GDPR was declared to be applicable to Verifiera's processing of personal data insofar as it pertains to the publication of judgments and decisions in psychiatric and LVM cases. IMY further stated that the processing of sensitive personal data had violated Article 9 of the GDPR. Consequently, IMY issued a reprimand and ordered Verifiera to take measures to ensure that it is no longer possible to access information about an individual through a search if the searched person is mentioned in judgments or decisions related to psychiatric and LVM cases.

IMY utfärdar reprimand och föreläggande mot Verifiera

Swedish Supervisory Authority issues reprimand and order to Verifiera

Previously, the Austrian SA and others have disallowed the use of Google Analytics. The Italian SA started an investigation of the Italian company Caffeina Media S.r.l’s use of Google Analytics after a complaint from the interest group NOYB (None of Your Business). The SA found that visitors to the company’s website got their personal data transferred to the US without supplementary measures in addition to the Standard Contractual Clauses. Therefore, the SA concluded that American authorities could access the personal data. The company has got 90 days to make the use of Google Analytics compliant with the GDPR or otherwise the company’s use of Google Analytics will be prohibited.

**Read more:** [Italian SA bans use of Google Analytics: no adequate safeguards for data transfers from Caffeina Media S.r.l. to the U.S. | European Data Protection Board (europa.eu)](https://edpb.europa.eu/news/national-news/2022/italian-sa-bans-use-google-analytics-no-adequate-safeguards-data-transfers_en)

Italienska tillsynsmyndigheten förbjuder användandet av Google Analytics

Italian supervisory authority prohibits use of Google Analytics

By collecting images from websites, social media and videos, the Clearview AI company has created an image bank that they market as an image search engine. Using facial recognition, the search engine can find a person based on their photograph and a "biometric template", that is, a digital representation of a person's physical characteristics (the face in this case). Many data subjects in the image bank are unaware of this and of the possibility of identifying them using the biometric template. According to the CNIL, the processing lacks a legal basis as the company has not obtained consent from the data subjects and cannot be considered to have a legitimate interest in the processing. The CNIL attaches particular importance to the fact that the processing poses very serious risks to the data subjects' fundamental rights.

After Clearview AI did not stop processing the data after the CNIL called on them to do so, the CNIL has now decided to fine the company 20 million euros. The CNIL also announced that Clearview AI must cease all illegal collection and processing of French citizens' personal data. The company is given two months to delete all personal data already collected and for each day that passes these two months, the penalty fee is increased by 100,000 euros.

**Source:** [Facial recognition: 20 million euros penalty against CLEARVIEW AI | CNIL](https://www.cnil.fr/en/facial-recognition-20-million-euros-penalty-against-clearview-ai)

CNIL har utfärdat en sanktionsavgift på 20 miljoner euro mot Clearview AI 

CNIL has issued a penalty fine of 20 million euros against Clearview AI

For example, the new framework contains requirements that signals intelligence activities shall only be conducted with the aim of achieving established national security objectives and that they shall only be conducted when necessary to further an intelligence activity that has been confirmed and prioritised. These commitments have not yet been accepted as sufficient by the European Commission, which must consider if the commitments are enough to combat the problems which lead to the invalidation of Privacy Shield through Schrems II. The European Commission will now prepare a draft adequacy decision and then launch its adoption procedure.

**Source:** [Questions & Answers: EU-U.S. Data Privacy Framework (europa.eu)](https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045)

Biden undertecknar en presidentorder som ska möjliggöra datadelning mellan EU och USA

Biden signs an Executive Order to enable data sharing between the EU and the US

The Swedish Data Protection Authority (IMY) will now review Vklass' handling of the personal data breach in the learning platform, in Vklass’ role as a data processor. Questions addressed to Vklass are centered around the GDPR roles (controller and processor), the personal data breach and security measures.

**Source:** [tillsynsskrivelse-vklass.pdf (imy.se)](https://www.imy.se/globalassets/dokument/ovrigt/tillsynsskrivelse-vklass.pdf)

IMY inleder tillsyn av Vklass efter ett 60-tal anmälningar

IMY begins supervision of Vklass after about 60 reports

Cookies on websites are used to collect statistics and gain access to information that is stored on, for example, a user's mobile or computer. Data may be stored or retrieved provided that the user gives their consent and has access to clear and complete information about the purpose of the processing. PTS has chosen to review Swedbank, the Public Health Agency (_sv. Folkhälsomyndigheten_), the Swedish Consumer Agency (_sv. Konsumentverket_) and Tele2 in their first review but points out that reviews concerning other organisations will be initiated in the future. Initially, PTS has requested information from the supervised objects, which will then be reviewed.

**Source:** [PTS granskar om webbplatsinnehavare följer kakreglerna | PTS](https://www.pts.se/sv/nyheter/internet/2022/pts-granskar-om-webbplatsinnehavare-foljer-kakreglerna/)

PTS inleder granskning av efterlevnaden av kakregler

PTS is starting a review of compliance with cookie-rules

EDPB states that data controllers often provide users with various alternatives in cookie banners where the consent boxes are pre-ticked. EDPB’s taskforce emphasizes that such pre-ticked boxes do not lead to valid consent as this violates recital 32 in the GDPR.

In addition, the report deduces that data controllers inaccurately classifies cookies as “essential” even though these are not necessary to uphold the functionality of the website. The task force highlights the practical difficulties associated with establishing a general classification of cookies to determine which ones that are necessary due to the changing nature of cookies. Thus, this prevents the EDPB to create a reliable list of all necessary cookies. Moreover, the report discusses potential solutions where companies can use digital tools to scan their website and subsequently establish a list of the cookies used on the webpage. The taskforce argues that such list can lay the foundation for the company to prove which cookies that could be justified to be labelled as “essential”.

**Source:** https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf

EDPB belyser brister i hanteringen av cookies i ny rapport

New report shines light on deficient cookie banners

The Court accentuates the importance of a DPO’s independence and concludes that the DPO must not participate in any decisions regarding the methods or objectives of the processing of personal data.

**Source:** https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf

EU-domstolen tydliggör vad som bedöms vara intressekonflikt för dataskyddsombud

CJEU declares ruling on conflict of interests for DPOs

In 2022, IMY has changed its approach to become more focused on incoming complaints from data subjects. Consequently, IMY has investigated more complaints than the year before. As a result, the authority has concluded three times more supervisions in 2022 than in 2021. Five supervisions resulted in issued administrative fines, totaling 9 720 000 SEK.

In the annual report, Lena Lindgren Schelin, Director-General, states that data protection and cyber security goes hand in hand and that the need for this interrelation has strengthened due to the troubled international situation. Hence, the authority argues that everyone must participate and work actively with data protection.

Finally, the Director-General expresses an ambition to further accelerate the work of IMY considering the increased budgetary allocation. Hence, Lindgren Schelin hopes that the authority will shorten its administrative processing time as well as improve the organization’s efficiency.

**Source:** https://www.imy.se/globalassets/dokument/arsredovisningar/imy-arsredovisning-2022.pdf

 IMY avslutade tre gånger fler tillsynsärenden 2022 som året innan

Threefold increase in the number of concluded supervisions in 2022

GDPR

Nyheter

News

Artiklar

Articles

Qnister

Subscribe to our newsletter and get news, articles and offers straight to your inbox.

thumbnail_Kontakta oss personer i konferensrum.jpg

Kontakta oss personer i konferensrum.jpg

**The French data protection authority (CNIL) has fined the company Clearview AI 20 million euros due to their collection of over 20 billion images from web sites and social media platforms.**

IMY report shows inadequate treatment of DPOs

Insurance company sent sensitive data via unprotected e-mail

_**The European Data Protection Board (EDPB) has publicized a report about cookie banners on websites. Important conclusions from the publication include that companies unlawfully use pre-ticked boxes for consent and that cookies are labelled “essential” incorrectly.**_

**A recent ruling from The Court of Justice of the European Union (CJEU) has clarified that Data Protection Officers (DPO) can undertake other roles in the organization, as long as this does not lead to a conflict of interests.**

_**The Swedish Authority for Privacy Protection (IMY) has published its 2022 annual report where the authority points out significant increases in the number of processed complaints and terminated supervisions. IMY also stresses the connection between data protection and cyber security.**_

**On October 7, 2022, US President Joe Biden signed an Executive Order on enhancing safeguards for US signals intelligence activities. The Executive Order sets out the steps the US will take to implement its commitments under the EU-US Data Protection Framework.**

**The learning platform Vklass was recently affected by personal data breaches when someone downloaded students' and teachers' personal data from the platform.**

**The Swedish Post and Telecommunications Authority (PTS) will review whether a number of selected website owners comply with the rules on cookies on their websites.**

**The Spanish data protection authority (AEPD) has issued a fine of 3 000 euro to the Spanish company Estudios Europeos De Postgrado Y Empresa Sl. as a consequence of their failure to comply with the GDPR.**

**The Swedish Court of Appeals (kammarrätten) upholds the decision of the Swedish Supervisory Authority (IMY) regarding the size of a penalty fee to the Swedish municipality Stockholms Stad.**

**The Swedish Supervisory Authority (IMY) has started an investigation of Nobina’s personal data processing when monitoring bus drivers.**

**The General Data Protection Regulation (GDPR) has been found to be applicable to parts of Verifieras personal data processing despite the presence of a voluntary disclosure certificate. The data collection has not been deemed to be covered by constitutional protection, and the processing has taken place without a legal basis.**

**Another supervisory authority (SA) has struck down on the use of Google Analytics.**

Whistleblowing

Sanctions

Solutions

News and articles

Safety

Knowledge

References

About us

Contact us

Career

Book a demo

Software for GDPR

Whistleblowing software

Search in sanctions lists

Fördjupa dig inom visselblåsning, GDPR och håll dig uppdaterad på det senaste inom regelefterlevnad. 

Nyheter och artiklar

Learn more about whistleblowing, GDPR and sustainability and keep updated on the latest in regulatory compliance.