online advertising transparency GDPR

Online advertising transparency through ‘Types’ tools

‘Types’, an online advertising transparency project funded by the EU Commission, promises to enhance transparency in the online advertising environment, improve consumers' trust in the industry and ultimately contribute to its growth.


Online advertising generates substantial revenue that enables the creation of numerous employment positions, as well as the support of fundamental internet services, such as social media and search engines. However, a lack of consumer trust in online advertising, especially in relation to the information collected and the techniques used for processing personal data, leads to the widespread adoption of ad blocking mechanisms.

The aforementioned targets are to be achieved through the development of a series of “easy to install” and “easy to use” tools:

  • Web-browser plug-in for privacy violation detection and safeguarding
  • Proxy for privacy violation detection and safeguarding
  • Data valuation tools
  • Privacy preserving data broker

The tools belonging to the “Types” project will provide safeguards to the user so that no personal data are collected without consent. The user will be able to detect any unlawful use of their data and locate the infringer. The tools will also contribute to individuals' understanding of the operation of the online advertising system and the value of personal data. In other words, “Types” is intended not only to educate personal data subjects about their rights stemming from the GDPR, but also to assist directly in the implementation of the regulation.

Apart from the apparent benefits enjoyed by the user, the project would also entail benefits and competitive advantages for over-the-top service providers (OTT SPs), such as Facebook and Google. “Types” recommends that OTT SPs adopt the new tools and share with the user the way that their data is being processed, moving towards a more transparent approach. It is believed that the user may not proceed to a general blocking of advertising content but rather control and select the information disclosed, resulting in an increase in the amount of collected data.

Do you require assistance preparing your online business for GDPR and managing your data protection obligations once GDPR becomes applicable? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.

vasiliki antoniadou WP29 guidelines on adequacy of data protection by third countries

WP29 Guidelines on adequacy of data protection by third countries

According to the GDPR provisions, the transfer of personal data to countries outside the EU or international organisations is permitted only under the requirement that their legal framework satisfies an adequate level of data protection. Our Blog Editor Vasiliki Antoniadou explains WP29 Guidelines on adequacy of data protection by third countries under GDPR.


Whether the legal rules are adequate and effective is decided by the EU Commission in a binding manner after receiving the advice of the European Data Protection Board (EDPB).

Adequate level of data protection

The Article 29 Working Party clarifies that it is not required that the EU legislation is copied point by point, but rather that the level of data protection is essentially equivalent to that introduced in the EU. In particular, in order for the data transfer to be lawful, the third country or international organisation should implement specific and enforceable provisions that conform with the core data protection principles present in the GDPR and the EU Charter of Fundamental Rights. WP29 Guidelines on adequacy of data protection by third countries are therefore based on these principles rather than exact rules.

General data protection principles

The core data protection principles in the EU legal system that are fundamental for an adequate level of data protection have been identified by WP29 Guidelines on adequacy of data protection by third countries as follows:

    • Basic data protection concepts such as “personal data”, “data controller”, “data processor”, “sensitive data”.
    • Legitimate grounds for lawful and fair data processing such as provisions in national law, the consent of the data subject or performance of a contract.
    • The purpose limitation principle, according to which data processing is conducted for a specific purpose and the use of the data should be compatible with that purpose.
    • The data quality principle, which guarantees accurate and up to date data, as well as the proportionality principle, pursuant to which the data should be relevant and non-excessive to the purpose of processing.
    • The data retention principle, which stipulates that data should not be kept longer than necessary for the purposes of processing.
    • The security and confidentiality principle, which requires appropriate technical or organisational measures in order to ensure protection against unauthorised or unlawful processing, accidental loss, destruction or damage.
    • The transparency principle, according to which the data subjects should be informed in a clear and transparent manner about the particulars of the data processing such as its purpose, the identity of the controller and the rights available to them.
    • The right of access, rectification, erasure and objection, which enables the individual to obtain relevant information, correct or erase inaccurate data and object on legitimate grounds to the data processing.
    • Restrictions on onward transfers, meaning that further data transfers should not be permitted unless the further recipient fulfils the criterion of the adequate level of data protection.

It should be noted that additional content principles must apply to special categories of data, direct marketing and automated decision making and profiling.


GDPR consent data protection officer

GDPR consent explained by WP29

GDPR consent requirements, one of the most difficult GDPR areas for businesses to comply with, have been further explained by the Article 29 Working Party. This is our choice of highlights from the new GDPR Consent Guidelines.


Imbalance of power does not in all cases preclude valid GDPR consent

Although cases of consent given by an employee to an employer are generally viewed with suspicion by WP29, the EU’s top body for data protection clarifies that some cases of such consent may be coercion-free. In some cases that do not essentially affect employment relations, employers may be able to offer meaningful, non-punitive alternatives to employees who do not give consent (e.g. alternative desk space of equal quality to people who refuse to consent to being shown on camera).

Conditionality affecting GDPR consent

In order for GDPR consent to be valid, the provision of the service provided by the business should not be “conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. This does not fully exclude the possibility of obtaining valid consent at the point of contracting. However, where consent is refused, the alternative service provided should be “genuinely equivalent”, including in terms of “no further costs”.

Layout of a valid GDPR consent

The GDPR consent rule prohibits hiding consent in other ‘Terms and Conditions’. But this does not prohibit layered notices as such, especially if one considers ‘small screens’ or otherwise limited space to accommodate information.
