The AEPD launched a tool

The AEPD launched a tool to aid data controllers in determining whether they need to communicate a data security breach.

The AEPD launched a tool to aid data controllers in quickly determining whether or not it is necessary to communicate a data security breach to affected data subjects.


On October 22nd 2020, the Spanish DPA (AEPD) reported that it had published a tool to aid data controllers in making decisions regarding whether or not they need to communicate a personal data security breach to affected data subjects. The GDPR dictates that the parties responsible for handling personal data must communicate data security breaches, without delay, to data subjects whose security may be at risk as a result of the data security breach. Article 34(1) of the GDPR states “When the personal data breach is likely to result in a high risk to the rights and freedom of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”


This free tool is easy to use and is intended to promote transparency and proactive responsibility among data controllers.


This new resource, coined “Comunica-Brecha RGPD” is meant to foster transparency and proactive responsibility among data controllers. It involves an exercise that allows affected data subjects to know when their rights and freedoms may be at risk, allowing them to take appropriate measures to safeguard their information. This tool is free, easy to use and consists of a short form in which details are collected. Based on the information entered in the form, this tool can indicate whether there may be the risk of a data security breach. Depending on the information submitted, the tool produces one of three possible results; that high risk is perceived and data subjects need to be notified of a security breach, that such communication is unnecessary, or that the level of risk could not be determined. This data, though entered into the form is not stored in any instance, and the Spanish DPA is not informed of the details entered. 


While this tool is very useful, it is not meant to replace the work conducted by data protection officers.


This tool is not intended in any way to replace the necessary risk assessments conducted by data protection officers, as they would also be able to determine the details of the personal data processed, the characteristics of the data subjects, the circumstances of the data breach, and all the other factors that would go into an accurate risk assessment. The use of this tool however, can help responsible parties communicate data breaches to the affected parties in a timely manner, independent of their obligation to notify the appropriate supervisory authority. 


Would you make use of a tool like this?


Do you know how to deal with data breaches? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling personal data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Hungarian DPA fined Forbes

Hungarian DPA fined Forbes for GDPR violation.

Hungarian DPA fined Forbes for failing to carry out a legitimate interest assessment in relation to two of their publications and to inform data subjects in advance about the results.


The Hungarian DPA came to a decision this July, to fine Forbes for violating various articles of the GDPR with regard to two of the company’s publications. The EDPB recently reported that in relation to both printed and online versions of the Forbes publication in September 2019 and in January 2020, one containing the largest family undertakings, and the other, the 50 richest Hungarians, the Publisher violated the GDPR. In addition, the Authority accused Forbes of failing to provide adequate information to the Complainants about all the essential circumstances of data processing, and of their rights to object to the processing of their personal data. 


The company infringed on several sections of the GDPR in releasing those publications.


In both of the DPA’s decisions, No. NAIH/2020/1154/9 of 23 July 2020, and No. NAIH/2020/838/2 of 23 July 2020, Forbes was found to have been in infringement of Article 6(1)(f) of the GDPR. This article states that “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”


In failing to inform the Complainants of their option to exercise their rights, Forbes infringed on Articles 5(1)(a), 5(2), 12(1) and 12(4), as well as Articles 14, 15 and 21(4) of the GDPR. The relevant sections of Article 5 of the GDPR calls for personal data to be processed lawfully, fairly and in a transparent manner, and that the controller is in fact responsible for, and must be able to demonstrate compliance with the aforementioned requirements. Article 12 outlines the fact that the controller must take appropriate measures to provide any relevant information to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It also mentions that if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay of the reasons why, within no more than one month of receipt of the data subject’s request. Articles 14 and 15 speak to the right of the data subject, to obtain from the controller, confirmation as to whether or not their personal data is being processed and to obtain access to information on the personal data being processed, and also clear information on where this data has been obtained, together with other relevant elements around the processing. In this instance, Forbes also denied the data subjects the right to object to the publishing of this personal data, by neglecting to inform them and gain their consent, which violates Article 21.

The Hungarian DPA fined Forbes and gave the company several orders for corrective action.


The Hungarian DPA imposed a fine of 5,600 € for one of the infringements and 7,000 € for the other. The company was also ordered to undertake several corrective actions. Forbes was ordered to meet its obligation to provide information to the Complainants in relation to the data processing, including information concerning the interests of the Publisher, as well as of Complainants considered in the course of interest assessment and the result of the interest assessment, the information on the right to object and the information concerning possibilities of the enforcement of rights. The company will also need to modify its practices related to providing information in advance in accordance with the legal regulations in force and the provisions of these decisions, and to carry out the interest assessment including the second 

individual interest assessment following the objection in accordance with the legal regulations 

and these decisions, if in the course of data processing envisaged in the future, the Publisher intends to use legitimate interest as the legal basis.


The Authority is not opposed to “rich lists” but maintains that they must be done in accordance with the GDPR and preferably with minimal information released on data subjects. 


When the Hungarian DPA arrived at its position on the matter, it also did not decide that lists of businessmen and companies should never be made in this form of Fashion. Forbes may compile lists, on the basis of business data that is accessible to the public, however the publication of those lists is subject to the requirements of the GDPR, and the publisher as controller has to comply with these stringent requirements. The general practice in the Hungarian market, of which the authority approves is that the various rich lists or publications listing the richest Hungarians, did not in all cases include the name of the data subject, but rather initials and minimal information instead of presenting the activities of the data subject. The publishing of this personal data should follow the well grounded objection by the data subject.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Age Appropriate Design Code

Age Appropriate Design Code will come into force in less than a month.

Age Appropriate Design Code will come into force September 2nd 2020, and will be ushered in by a 12-month transition period allowing online services time to conform.

The Age Appropriate Design Code which we had initially reported on back in January when the final version of this code was first introduced, has now completed the parliamentary process, and was recently issued by the ICO to come into force on 2nd September 2020. This code of to practice for online services finalised 15 standards laid in Parliament in January of this year. Under section 123 (1) of the Data Protection Act 2018, the Information Commissioner was required to prepare this code which contains guidance on what is considered appropriate on standards of age appropriate design of relevant information society services, which are likely to be accessed by children. 

The Age Appropriate Design Code is a statutory code of practice, providing built in protection for children online.

This code is the first of its kind, is considered, by the Information Commissioner, necessary and achievable, and is expected to make a difference. The Commissioner believes that companies will want to conform with the standards, to demonstrate their commitment to always acting in the best interests of the child. This code, although not expected to replace parental control, should increase confidence in the safety of children, as they surf the internet. The 15 principles of this code are flexible, and are not laws, but rather a statutory code of practice which provides built in protection for children spending time online, ensuring that their best interests are the primary consideration when developing and designing online services. 

The Code lays out 15 Standards, ensuring children’s best interest.

  • The best interests of the child;

The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.

  • Data protection impact assessments;

 Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.

  • Age appropriate application;

 Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.

  • Transparency;

The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.

  • Detrimental use of data;

Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.

  • Policies and community standards;

 Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).

  • Default settings;

 Settings must be ‘high privacy’ by default (unless you can demonstrate a convincing reason for a different default setting, taking account of the best interests of the child).

  • Data minimisation;

 Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.

  • Data sharing;

 Do not disclose children’s data unless you can demonstrate a convincing reason to do so, taking account of the best interests of the child.

  • Geolocation;

Geolocation options should be off by default (unless you can demonstrate a convincing reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.

  • Parental controls;

If you provide parental controls, the child should be given age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, you should provide an obvious sign to the child when they are being monitored.

  • Profiling;

Switch all options which use profiling ‘off’ by default (unless you can demonstrate a convincing reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if there are appropriate measures in place to protect the child from any harmful effects (particularly, content that is detrimental to their health or wellbeing).

  • Nudge techniques

 There should be no use of nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.

  • Connected toys and devices

 If your company provides a connected toy or device, you should ensure that you include effective tools to enable conformance to this code.

  • Online tools. 

 Provide prominent and accessible tools which will help children exercise their data protection rights and report concerns.

The code will apply to any product or service likely to be accessed by children, and not just those aimed at children.

The standards laid out in this code applies to any company or institution providing products or services (including apps, programmes, websites, games or community environments, and connected toys or devices with or without a screen) not just aimed at children, but likely to be accessed by children, and which process personal data in the UK. Due to increasing concern about the position of children in the modern digital world and in the wider society, the general consensus in the UK and internationally is that more needs to be done to create a safe space for them to learn, explore, and play online. The purpose of this code is not to protect children from the digital world but to protect them within that space. The code takes account of the standards and principles set out in the UNCRC, and sets out specific protections for children’s personal data in compliance with the GDPR.

This code, which comes into effect next month, must support children’s rights.

This code is due to come into effect on September 2nd, 2020 as announced by the ICO this week. That date will begin the 12 month transitionary period, during which companies are expected to take steps towards full compliance, ensuring that all principles are considered and that their services use children’s data in ways that support the following rights of the child;

  • Freedom of expression.
  • Freedom of thought, conscience and religion.
  • Freedom of association.
  • Privacy.
  • Access information from the media (with appropriate protection from information and material injurious to their well-being).
  • Play and engage in recreational activities appropriate to their age.
  • Protection from economic, sexual or other forms of exploitation. 

Failure to conform to these standards could result in assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). As a result, data protection impact assessments are suggested to ensure compliance.

Does your company offer online services likely to be accessed by minors? If so, it will be imperative that you adhere to the UK Data Protection Code once it is effected. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance. Aphaia provides GDPR adaptation consultancy services and CCPA compliance, including EU AI Ethics assessments. Contact us today.

legaledge GDPR DPO

DPO-legal counsel collaboration is essential. So we recommend LegalEdge

DPO-legal counsel collaboration is essential. That is why the Aphaia DPO team is always happy to work with in-house counsel from LegalEdge, whose COO Helen Goldberg and CEO Donna Sewell use this blog post to ask: ‘Are you spending too much (or too little!) on your legals?’ 

legaledge GDPR DPO

Part of scaling-up and growing your business means increasing your ops team to get better processes in place that help increase revenue, whilst managing and protecting assets and risk. But many companies still either over-pay or wing-it when it comes to one function: legal. They either:

  1. use the corporate lawyer who did a great job on their last funding round but doesn’t know how to prioritise and manage work for fast-growth companies with limited budgets, OR
  2. buy templates, fill in the blanks, and hope it doesn’t go wrong, as the team juggle legal with their day job.

Legal is often low on the to-do list. Until something bad happens. Contracts with customers and partners get stuck. An ex-employee causes problems. A customer stops paying. At that stage it’s too late, so an expensive specialist is parachuted in to try to fix the problem.

Do you get an ROI from that? Undoubtedly not.

So, what’s the alternative?  How do you avoid wasting management time and money dealing with crises?  How do you get legal to grow up with the rest of the business and provide an ROI?

  1. Think differently. Good legal support should be part of your ops team, not treated as an expensive afterthought.  Get the right resource in place that’s proactive, not reactive, and knows your type of business. And set the tone from the top that legal is important and valued. Having someone who’s worked in a business like yours is critical.  They can help work out what to worry about and what’s not important. And what to spend. As well as what tech can help. It’s a practical commercial approach that needs the right skill set.
  2. Have a strategy and budget for legal. That will help drive revenues and protect and make the most of your assets (whilst minimising nasty surprises). It will also help prepare for big milestones, like attracting investment, going into new markets, offering new products and services. As with anything, if you get the right resources (people and tech) in place they will do this for you AND manage the budget.
  3. Look at processes.The right processes should make it easier for you to do business. If contracts aren’t closed out quickly and effectively your sales cycle slows and revenue growth stops. And bad / unprofitable deals cost money and management time. Do your team know what they can negotiate, and what they should escalate?  Do they know what’s got to be delivered under key contracts? Who’s responsible for what and what the risks are if not? A good in-house lawyer will get the right processes in place for all of this.

LegalEdge has innovated and re-engineered the way lawyers work to ensure you get an ROI from legal services. We have a team of experienced in-house lawyers, all of whom have worked in businesses like yours, using tried and tested documents, processes and tech. Our innovative way of working also means you get the benefit of the associated cost savings, so we can make your legal budget stretch further. We’re more than a one-off out-sourced service, we’re an extension of your management team, providing a longer-term cost-effective, practical and business-focused service.

As experienced outsourced Data Protection Officers (DPO), Aphaia recommends our brilliant in-house counsel partners LegalEdge to complement our work.