GDPR READY WEEKLY NEWS – No 2, January 2019

News, articles, legislation and analysis, all about data protection and cybersecurity technologies

Guidelines: Specific rulings issued by the Hungarian data protection authority – During the last months the Hungarian Data Protection Authority (NAIH) released important opinions related to ID cards photocopying, newsletter subscriptions and general data transfers.

Analysis: Future of Privacy in 2019 according to Gartner Predicts – “Privacy requirements dramatically impact an organization’s strategy, purpose and methods for processing personal data”.

Trusted Services: ENISA about acceptance of eIDAS audits – ENISA has published a new report to explore the paths to global acceptance of the eIDAS auditing framework for trust service providers (TSPs) issuing qualified website authentication certificates (QWACs).

Data Breaches: Personal data of 40,000 temporary workers exposed on the Internet – As a result of a “human error”, the profiles of thousands of users of Mistertemp, an online temp agency, have been accessed online without protection.

International Transfers: Second Review of EU-US Privacy Shield Shows Improvements – On December 19th the European Commission publishes its report on the second annual review of the status of the EU-U.S. Privacy Shield.


Specific rulings issued by the Hungarian data protection authority

During the second part of 2018, the Hungarian Data Protection Authority (NAIH) issued important opinions on GDPR issues in the areas of photocopying ID cards, eDM subscriptions and general data transfers, which Hungarian-based companies and employers must include in their data processing operations.

According to an article published by, in the new NAIH opinions companies and employers are not allowed to copy personal documents like IDs or school diploma unless prescribed by law. NAIH argues that since most companies or employers are not in the position to check a document’s authenticity in official databases, keeping a copy of it is irrelevant. Also, NAIH decided that companies must carefully analyse how benefits offered by newsletter subscription could influence the voluntary nature of the newsletter “opt-in”.

For example, if a newsletter subscription is not mandatory to obtain access to a certain service, non-subscribers should have equal access to this newsletter service…

Relating the personal data transfers, according to NAIH, data controllers should name in their privacy notices the recipients the data transferred, and the purpose of the transfer, preferably in table format. For example, a travel agency, which organises trips to different destinations, should not list all the hotels it provides personal data to, since this information may differ from time to time.



Future of Privacy in 2019 according to Gartner Predicts

According to Gartner, security and risk management leaders must take note of the following predictions for privacy to ensure transparency and customer assurance.

By 2020, the backup and archiving of personal data will represent the largest area of privacy risk for 70% of organizations, up from 10% in 2018 – Over the next two years, organizations that don’t revise data retention policies to reduce the overall data held, and by extension the data that is backed up, will face a huge sanction risk for noncompliance as well as the impacts associated with an eventual data breach.

By 2022, 75% of public blockchains will suffer “privacy poisoning”, inserted personal data that renders the blockchain noncompliant with privacy laws – Businesses looking to implement blockchain technology must determine whether the data being used is subject to any privacy laws. For example, public blockchains need an immutable data structure, meaning once data is recorded, it cannot easily be modified or deleted. Looking to the Privacy rights granted to individuals, the services based on public blockchain technologies are raising justified concerns because “by default” personal data can’t be replaced, anonymized or structurally deleted. Organizations that implement blockchain systems without managing privacy issues “by design” will risk storing personal data that can’t be deleted…

By 2023, over 25% of GDPR-driven proof-of-consent implementations will involve blockchain technology, up from less than 2% in 2018 – According to  Bart Willemsen, Senior Director Analyst at Gartner, “The application of blockchain to consent management is an emerging scenario at an early stage of experimentation.” Some organizations are already exploring the use of blockchain for consent management “because the potential immutability and tracking of orthodox blockchains could provide the necessary tracking and auditing required to comply with data protection and privacy legislation.”


Trust Services

ENISA about acceptance of eIDAS audits

The eIDAS Regulation sets up a framework to grant qualified status to an array of trust services (e.g. electronic signatures, seals etc.) aiming to enhance consumer trust in the digital environment. According to ENISA, qualified trust services undergo regular assessments by accredited bodies, overseen by national and EU authorities for the purpose of meeting requirements laid out in the eIDAS framework. Taking the viewpoint of a global audience, ENISA has published a new report to address aspects of conformity assessment in an effort to improve the global acceptance of eIDAS audits. Towards this goal, the report recommends to:

  • adopt a harmonised conformity assessment approach in the EU and promote it at the international level
  • promote and reference specific standards on the auditing of TSPs and conformity assessment

The report also carries out a review of concurring international auditing schemes for qualified TSPs and the accreditation of the respective CABs. Strategies largely based on improving existing European standards are also proposed for the purpose of fostering cooperation with browser vendors and thus improve better acceptance of eIDAS audits.


Data Breaches

Personal data of 40,000 temporary workers exposed on the Internet

As a result of a “human error”, the profiles of thousands of users of Mistertemp, an online temp agency, have been accessed online without protection.

According to an article published by Le Monde, tens of thousands of temporary employee profiles managed by temporary agency Mistertemp have been freely accessible for at least three weeks on the Internet, according to a computer security researcher. The personal data on display includes their identity, physical address, e-mail address and telephone numbers, and for some of them, their Social Security numbers.

One of the servers containing this information was poorly configured, becoming accessible to anyone who had his address, without any password. The length of time that this database has remained accessible to all-comers is difficult to determine.

A cybersecurity researcher discovered it on December 21st and the company removed this database from the Internet in January 9th. In the current state of its investigation, the company does not know when this information was made public. According to the company, no banking data or identity documents were exposed, the latter being stored in a different database.


International Transfers

Second Review of EU-US Privacy Shield Shows Improvements

In December 19th the European Commission publishes its report on the second annual review of the functioning of the EU-U.S. Privacy Shield.

The good news is the last report is better than the previous, showing that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the U.S. The steps taken by the U.S. authorities to implement the recommendations made by the Commission in last year’s report have improved the functioning of the framework.

The bad news is the Commission still expect the US authorities to nominate a permanent Ombudsperson to replace the one that is currently acting. 

The Ombudsperson is an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed. According to Andrus Ansip, Commission Vice-President for the Digital Single Market, “Today’s review shows that the Privacy Shield is generally a success. More than 3,850 companies have been certified, including companies like Google, Microsoft and IBM – along with many SMEs. This provides an operational ground to continuously improve and strengthen the way the Privacy Shield works. We now expect our American partners to nominate the Ombudsperson on a permanent basis so we can make sure that our EU-US relations in data protection are fully trustworthy.”

The second review took into account relevant developments in the U.S. legal system in the area of privacy. The Department of Commerce launched a consultation on a federal approach to data privacy to which the Commission contributed and the US Federal Trade Commission is reflecting on its current powers in this area. In the context of the Facebook/Cambridge Analytica scandal, the Commission noted the Federal Trade Commission’s confirmation that its investigation of this case is ongoing.