ICO draft right of access guidance

ICO launches consultation on draft right of access guidance

From now until February 12, 2020, the ICO will facilitate a public consultation on draft right of access guidance.

Over a year and a half ago, the GDPR was officially implemented within the EU and UK with an aim of giving greater control to individuals over their personal data. Article 15 of the GDPR specifically zones in on an individuals right of access to information collected about them from a data controller. Understanding the vital importance of this right towards the overall mandate of the GDPR and the UKs Data Protection Act 2018, the ICO has now drafted a more detailed guidance on the right of access and the obligations of controllers. Last week, the ICO officially launched a consultation on the draft guidance in order to gain feedback from stakeholders and the public. This consultation closes on February 12, 2020.

What is the Right of Access?

According to Article 15.1 of the GDPR

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:


the purposes of the processing;


the categories of personal data concerned;


the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;


where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;


the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;


the right to lodge a complaint with a supervisory authority;


where the personal data are not collected from the data subject, any available information as to their source;


the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences ofsuch processing for the data subject.

More simply put, the ICO explains that the right of access gives individuals the right to obtain a copy of their personal data from a data controller, as well as other supplementary information.

Overview of ICOs draft right of access guidance

The ICO draft right of access guidance provides data controllers with insight on how to prepare for the right of access as well we how recognize and respond to a subject access request (SAR). It offers strategies related to the retrieval of relevant information and how to subsequently supply this information to the requester.  Refusal of requests, exemptions, special cases, health data, education data and social work data are also expounded on in this thorough draft guidance from the ICO.

Does your company collect personal data during the course of your operations? If yes, has your firm taken active steps towards honouring an individuals right of access? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.  

eprivacy regulation draft

ePrivacy Regulation Draft to be updated and presented at next EU Presidency

A revamped draft ePrivacy Regulation is expected to be presented at next Presidency of the EU.

Last week, Aphaia reported on the  newsoriginally presented by the European Digital Rights (EDRi)that EU states had rejected the draft ePrivacy Regulation. Understandably, this shocking outcome had spurred EU wide concern. The head of policy at the EDRi had forcefully admonished that the EUs inability to date to ensure strong privacy protections in the ePrivacy Regulation is a step backwards for the EU.Today, it seems that fears that the recent rejection would result in a permanent withdrawal of draft ePrivacy regulation can now be laid to rest. Three days ago (on December 3), Internal Market Commissioner Thierry Breton announced that the European Commission will present a revised ePrivacy proposal as part of the forthcoming Croatian Presidency of the EU.

Well have to put a new proposal on the table because I definitely think that everybody wants to do something, but obviously you are not in agreement,an Euractiv article quotes Breton as he appeared in front of the Transport, Telecommunications and Energy Council. So, I propose, that, for the next presidency, we will put on the table a new proposal obviously matching all your concerns and interests, because I really think that regarding our fellow citizens, there is an urgent need to move forward.

The revamped ePrivacy Regulation is expected to offer regulations for internet phone and message services like Skype and WhatsApp. The existing 2002 ePrivacy and Electronic Directivewhich the proposed new ePrivacy regulation is expected to replaceoffers strict privacy protection only to text messages and voice calls provided by traditional telecoms.

Privacy rules should be the same across EU, but not at any price. We trust the final ePrivacy Regulation draft will properly protect citizens’ electronic privacy rights and, at the same time, it will not be a game changer”. Cristina Contero Almagro, Partner in Aphaia.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR and ePrivacyadaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.  

Nevada Internet privacy

Nevada enacts internet privacy act

Internet Privacy Act becomes law in US state of Nevada.

On Oct 1st 2019, Nevada enacted the Senate Bill 220. This bill, also referred to as An Act relating to internet privacycame into effect some three months before the much anticipated January 1, 2020 compliance deadline of  California Consumer Protection Act.

According to the bill document, the adopted SB220 prohibit  an operator of an internet website or online service which collects certain information from consumers in the state of Nevada from making any sale of certain information about a consumer if so directed by the consumer. Essentially this bills centres on a consumers right to opt-out.

In order to facilitate consumer opt-out, the bill mandates that internet or online service operators establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale” of covered information collected about the consumer.

Saleis defined by the bill as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.

Meanwhile covered information is expounded to be any data which is gathered and maintained in accessible form by an operator via website of online service including:

1. A first and last name

2. A home or other physical address which includes the name of a street and the name of a city or town

3. An electronic mail address

4. A telephone number

5. A social security number

6. An identifier that allows a specific person to be contacted either physically or online.

7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable

Who must comply with  SB220?

The bill establishes operators as a person who:

(a) Owns  or  operates  an  Internet  website  or  online  service  for commercial purposes;

(b) Collects and maintains covered information from consumers  who  reside  in  this  State  and  use  or  visit  the  Internet  website or online service; and

(c)Purposefully    directs    its    activities    toward    this    State, consummates some transaction with this State or a resident thereof, [or] purposefully   avails   itself   of   the   privilege   of   conducting activities in  this  State or  otherwise engages in  any  activity  that constitutes   sufficient   nexus   with   this   State   to   satisfy   the requirements of the United States Constitution.

Consequences of Non compliance with SB220

The bill authorizes the Attorney General to seek a temporary or permanent injunction or a civil penalty not exceeding $5000 for each violation.

Does your company conduct business with residents of Nevada and/or California? Have the necessary steps been taken to ensure compliance including the set up of designated request address? Aphaia provides both GDPR, CCPA and SB220 adaptation services, including data protection impact assessments and Data Protection Officer outsourcing.

EDPB Guidelines

EDPB Guidelines on Data Protection by Design and by Default

The European Data Protection Board (EDPB) adopted draft guidelines on data protection by design and by default according to article 25 GDPR.

Did you struggle with the decision of turning the settings on or off by default when you created your company App? Do you normally feel tempted to gather more data than necessary from your customers? These all are issues related to data protection by design and by default. EDPB has launched their guidelines in order to help data controllers to properly implement data protection by design and by default when processing personal data.

What does it mean ‘data protection by design’?

Article 25 (1) GDPR states that, taking into account the current progress in technology, “[…] the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

This implies that data protection by design is ultimately an approach that ensures the controller considers privacy and data protection concerns from the very first phase of designing any system, service, product, app or process and also throughout the lifecycle.

What does it mean ‘data protection by default’?

As covered by Article 25 (2) GDPR,The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”.

In a nutshell, data protection by default requires controllers to ensure they only process the data that is necessary to achieve their specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.

What steps should I take?

Data protection by design

The EDPB points out that effectiveness is the key, that is why there are no general measures imposed on controllers. You may be wondering: how will we know what to do then? Well, the GDPR defers to data controllers own discretion, which involves that any measure is valid as long as it is suitable to protect these principles. Therefore, what data controllers need to do is ensuring that they are able to demonstrate that they have implemented dedicated measures and that they have integrated specific safeguards that are necessary and appropriate to secure the rights and freedoms of data subjects. In order to achieve this goal, the EDPB deems relevant running a risk analysis considering the nature, scope, context and purposes of processing. This risk analysis and all linked processing operations should be re-evaluated through regular reviews and assessments.

Based on our experience, Aphaia recommends to make sure the DPO is always involved in a timely manner from the very first stage of development, either it is a whole app or system or just a single new feature, because their assistance will help to widely reduce any undesired issues in the future.

Early consideration of data protection by design and by default is crucial for a successful implementation, also from a cost-benefit perspective, as it could be challenging and costly to make changes to plans that have already been made and processing operations that have already been designed.

Data protection by default

The controller is required to predetermine for which specified, explicit and legitimate purposes the personal data is collected and processed. This obligation applies to the following elements: amount of personal data collected, the extent of their processing, the period of their storageand their accessibility.

The main concept to consider when it comes to data protection by default is necessity. All the elements above should be kept to the minimum and limited to what is necessary for each specific purpose.

One should note that failing at implementing data protection by default has already triggered several fines under the GDPR. For example, the Berlin Commissioner for Data Protection and Freedom of Information recentlyissued a fine of around 14.5 million euros against a Real Estate company for using an archive system for storage of personal data of tenants that did not provide the possibility of removing the data that was no longer necessary.According to EDPB guidelines: “If personal data is not needed after its first processing, then it shall by default be deleted or anonymized. Any retention should be objectively justifiable and demonstrable by the data controller in an accountable way.

How can I operationalize data protection by design and by default?

EDPB guidelines provide some examples in order to help controllers to put into practice data protection by design and by default, sorted by specific principles. We have summarized them in the following table:

GDPR principle

Key design and default elements


Clarity, semantics, accessibility, context, relevance, universal design, comprehension, multi-channel


Relevance, differentiation, specific purpose, necessity, autonomy, consent withdrawal, balancing of interest, predetermination, cessation, adjustment, default configuration, allocation of responsibility


Autonomy, interaction, expectation, non-discrimination, non-exploitation, consumer choice, power balance, respect for the rights and freedoms, ethics, truthfulness, human intervention, fair algorithms

Purpose limitation

Predetermination, specificity, purpose orientation, necessity, compatibility, limited further processing, review, technical limitations of reuse

Data minimisation

Data avoidance, relevance, necessity, limitation, aggregation, pseudonymization, anonymization and deletion, data flow, state of the art.


Data source, degree of accuracy, measurable accurate, verification, erasure/rectification, accumulated errors, access, continued accuracy, up to date, data design

Storage limitation

Deletion, automation, storage criteria, enforcement of retention policies, effectiveness of anonymization/deletion, disclose rationale, data flow, backups/logs

Integrity and confidentiality

Information security management system, risk analysis, resilience, access management.

Do you need assistance with data protection by design and by default? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.