ABOUT
DATA PROTECTION LAWS have been with us for over 25 years, starting from the EU Directive in 1995. Now that the GDPR is in force and GDPR implementation is quickly moving forward, organizations around the world are continually assessing their compliance risks.
PRIVINTELLIGENT SOLUTIONS:
- OFFERS a full range of data protection services, making the law easy to understand, focusing on implementation user experience (UX) and cost-effectiveness.
- HELPS operationalize privacy by providing guidance and supporting privacy compliance.
- MAINTAINS a continuous overview of the data privacy compliance project by allocating a dedicated project manager and using automation and IT tools (RPA, consent management, data subject requests).
- ENSURES customers meet privacy standards across the globe and handles ongoing data privacy management and compliance, taking the pressure off in-house legal teams.
- PROVIDES flexible fee arrangements and a lower cost structure to meet budget constraints.
PrivIntelligent collaborates internationally with House of Data Imperiali, an Italian company based in Milan, founded by lawyers and consultants with 30 years of experience in the field of privacy and data protection.
Its main business is to support national and international companies, operating in multiple industries, in the management and protection of personal data in compliance with EU and local regulations through a very concrete and operational approach in the application of the standard in business processes.
SERVICES
- Key Privacy Compliance Activities
- Awareness & Training
- Roadmap Guidance
- Enterprise-wide data protection training
- Client portal access
- Accountability & Assessment (Mindset)
- TOMs (Technical and Organizational Measures)
- Data Privacy by design and by default
- Data Privacy Preliminary and Impact Assessment
- Risk based approach
- Key Privacy Compliance Activities: Documentation
- Transparency (Data Subject Rights)
- Notices. Customers, Consumers and Employees.
- Online Privacy Statements.
- Data protection organizational model.
- Evidence of Compliance (Proof)
- Policies and Procedures.
- Record of Processing.
- Record of Data breaches.
- Vendor agreements.
- International data transfer strategy.
- Records Management
- Personal Data Inventories → Maintain & Update Records of Data Processing Activities (RPAs)
- Update Record (existing data mapping cards) with changes to existing Processing Activities (PAs) and additions of new PAs
- Cross-border Data Transfers
- Maintain Register of cross-border data transfers & list of third countries
- Maintain Records of the data transfer mechanisms used for cross-border data flows (e.g., standard contractual clauses, binding corporate rules)
- Manage Third Party Risk
- Maintain Register of third-party Data Processors
- Maintain Records of Data Processing Agreements with third parties
- Manage High Risk & DPIAs
- Maintain Register of DPIAs carried out & ongoing status
- Third Party Risk Management
- Manage Third Party Risk
- Review existing contractual arrangements
- Draft new Data Processing Agreements per own templates as needed
- Review Data Processing Agreements proposed by third party vendors
- Manage Cross-border Data Transfers – Flows
- Execute data transfer agreements as needed
- High Risk Management
- Assess High Risk
- Conduct High Risk Assessments for existing processing activities
- Conduct High Risk Assessments for new processing activities
- Perform Data Privacy Impact Assessments (DPIAs)
- Maintain Register of DPIAs carried out & ongoing status
- Conduct PIAs or DPIAs for existing processing activities
- Conduct PIAs or DPIAs for new processing activities
Data Protection Officer Dedicated Service
Responsible for Data Protection Authority inquiries
Responsible for data subjects’ requests
Compliance reviews
Advice on design/default thinking for new systems
Support continuous training mindset
- EU Representative Support Services to EU Affiliates
- Assist the designated EU Affiliate to create the Record of Processing Activities (RPA)
- Maintain & update the existing Record of Processing Activities (RPA) of the EU Affiliate
- EU Representative General Activities
- Be available to DPA / data subjects
- Receive, relay & respond to Supervisory Authorities and/or Data Subjects
- Notify contact details to DPA / data subjects
- Formal reporting on annual basis
Our custom-made tool helps you easily map your data across your organization, build an inventory of your processing activities, streamline privacy impact assessments and generate custom reports.
WHO WE SERVE
We know the industries we are working with.
We provide results by assessing specific business needs.
OUR TEAM
NEWS
Standard contractual clauses for controllers and processors in the EU/EEA
In addition to the SCCs for international transfers, the EU Commission published the final version of the SCCs for data processing agreements under art. 28 GDPR for the controller-processor relationship.
New Standard Contractual Clauses (SCCs) adopted by the EU Commission.
The European Commission finally released the new version of the EU Standard Contractual Clauses under the GDPR for data transfers from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA.
Dutch DPA imposes €525,000 fine for not having a GDPR representative
Enforcement action has been taken by the Dutch Data Protection Authority against an online platform which provides the personal details of people around the world, including in the EU, for failure to comply with the requirement to appoint a Representative in the Union for privacy purposes under art. 27 of GDPR.
Cloud Service Providers: French draft Code of Conduct
The EDPB approved the draft decision by the French Authority (CNIL) regarding the European Code of Conduct submitted by the Cloud Infrastructure Service Providers (‘CISPE’). The CISPE Code will contribute to the proper application of the GDPR considering the specific features of the cloud computing sector.
EDPB: Opinion on draft UK adequacy decision
The European Data Protection Board, through its Opinion, highlighted that many aspects of the UK framework are essentially equivalent to the GDPR, but outlined a number of areas that should be further assessed and/or monitored by the Commission. You can check the opinion 14/2021 by clicking on the title of this post.
On 30 March 2021, adequacy talks were concluded with South Korea. The European Commission will now proceed with launching the decision-making procedure to adopt the adequacy decision.
Italy: GDPR fine of €75,000 to the Ministry
The Italian data protection authority fined the Ministry of Economic Development for failing to appoint a DPO within a specific deadline and for the unlawful publication of the CVs of 5,000 managers on its website.
Health Data: European Commission Publishes Report on EU Member States’ Rules
The European Commission released a report on European Union Member States’ laws governing the processing of health data. It is quite clear from the report that regulatory complexity and a lack of legal certainty significantly hamper the use of health data for valuable public health and scientific research initiatives in Europe. One element of a potential solution could be the adoption of health data codes of conduct under the framework of the GDPR.
European Commission: Draft UK adequacy decision on its way
On 19 February 2021, the European Commission published the UK draft adequacy decision under the General Data Protection Regulation and the Data Protection Directive with Respect to Law Enforcement. The draft adequacy decision will now be reviewed by the European Data Protection Board, which will deliver its opinion to the Commission and EU Member States representatives. Data flows can continue freely during this process, as agreed in the UK-EU Trade and Cooperation Agreement.
GDPR in health research: clarifications from EDPB
The European Data Protection Board provided its response to the Commission with regard to health research issues. Some of the key points were about the legal basis for processing health data for scientific research, the further processing of previously collected health data, the notion of broad consent, transparency of data processing, anonymisation, pseudonymisation and safeguards, as well as points on the processing of special categories of data on a large scale.
EDPB and EDPS adopt joint opinions on Commission’s draft SCCs
Among others, the bodies highlighted that the Controller-Processor SCCs will have an EU-wide effect and thus requested amendments for more clarity regarding the roles and responsibilities; the scope of the SCCs; certain third-party beneficiary rights; certain obligations regarding onward transfers; and the notification to the supervisory authority. In addition, they noted that the Third Country Transfer SCCs will replace the existing SCCs and needed to be updated to bring them in line with GDPR requirements and the recent Schrems II decision.
Spanish authority fines Bank €6M for consent & information failures
The fine related to violations concerning an insufficient legal basis for data processing and information-related obligations. In particular, the authority highlighted that the information provided in different documents and channels was not uniform; terminology included in the privacy policy was imprecise; and information about the category of personal data processed, profiles made of users, as well as the exercise of rights and data retention periods, was insufficient.
France: CNIL fines Google €100M for cookie violations
After completion of an audit, which revealed that cookies (many of which were used for marketing purposes) were automatically placed on user equipment without affirmative action, the French DPA imposed 2 fines totaling €100 million.
Contractual clauses between controllers & processors located in the EU
The European Commission publishes draft clauses between EU controllers and processors under art. 28 GDPR. The clauses are currently open for public consultation and also await feedback from the European data protection authorities.
Progress report on draft ePrivacy Regulation
The Presidency of the Council released its report on the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC and highlighted issues in relation to retention and the legal basis for processing of electronic communications metadata.
EU: EDPB adopts surveillance and supplementary transfer recommendations following Schrems II
The European Data Protection Board announced, on 11 November 2020, that it had adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as complementary recommendations on the European Essential Guarantees for surveillance measures. In particular, the EDPB outlined that both the Supplementary Transfer Measures Recommendations and the Surveillance Recommendations were adopted following the Court of Justice of the European Union’s (‘CJEU’) judgment (Schrems case). You can read the Supplementary Transfer Measures Recommendations here and […]
EU: Commission launches public consultation on SCCs under Article 28 of GDPR
The European Commission launched, on 12 November 2020, a public consultation on its draft Implementing Decision on Standard Contractual Clauses between Controllers and Processors for the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 and its Annex.
EU: Presidency releases revised draft ePrivacy Regulation
The Presidency of the Council of the European Union released, on 4 November 2020, its revised text of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC. Among others, updates concern data retention & protection of end-users’ terminal equipment information. The Draft ePrivacy Regulation will be further discussed in the Working Party on Telecommunications and Information Society’s meeting of 11 November 2020.
Spain: AEPD releases tool for data breach notification
The purpose of the tool is to promote transparency and proactiveness and to assist data controllers in understanding whether they are obliged to notify affected data subjects if they have suffered a data breach.
FDPIC issues guidance on contact tracing
The Federal Data Protection and Information Commissioner (‘FDPIC’) provides guidance on collecting visitor data for contact tracing during the Coronavirus crisis. You can find the guidance in Italian here.
Switzerland: Revised FADP published in Federal Gazette
The revised Federal Act on Data Protection 1992 which was adopted by the Swiss Federal Assembly on 25 September 2020 was published, on 6 October 2020, in the Federal Gazette.
France: CNIL adopts final recommendations and amended guidelines on cookies and other trackers
The French data protection authority (‘CNIL’) announced, on 1 October 2020, that it had adopted, on 17 September 2020, its amended guidelines on cookies (‘the Amended Guidelines’) and its final recommendations on cookies (‘the Recommendations’), as well as publishing frequently asked questions (‘the FAQs’) and guidance on the evolution of rules on the same.
Parliament adopts revised Federal Data Protection Act
The Swiss Federal Assembly announced, on 25 September 2020, that it has adopted the revised version of the 28-year-old Federal Act on Data Protection 1992 (‘FADP’) with the Federal Data Protection and Information Commissioner (‘FDPIC’).
Final vote on the Swiss data protection regulation’s modernization
The Swiss Federal Act on Data Protection 1992 ('FDPA') is currently under revision. The aim of the revision is, primarily, to align the FDPA's standard of protection with the standard of protection offered by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). A final vote on the revised FDPA will take place on Friday, September 25 2020.