This Week in Privacy: 12 April 2021
April 12, 2021
EU: EDPB and EDPS adopt joint opinion on Digital Green Certificate proposals
The European Data Protection Board and the European Data Protection Supervisor released a joint opinion on the European Commission's proposals for a Digital Green Certificate.
The joint opinion states that the use of Digital Green Certificates must not result in direct or indirect discrimination against individuals and must be fully in line with the fundamental principles of necessity, proportionality and effectiveness. Furthermore, the EDPB and the EDPS highlighted that the proposal should contain appropriate safeguards and expressly state that any access to, and subsequent use of, individuals' data by EU Member States is not permitted once the pandemic has ended.
The joint opinion also includes a number of recommendations for further clarifications, including in relation to the categories of data concerned, the identification of data controllers and data processors, data storage periods, and data transfers.
South Africa: Regulator addresses countdown to POPIA compliance
The Information Regulator released a statement in which it marked 100 days till the deadline for compliance with the Protection of Personal Information Act ahead of its entry into force on 1 July 2021.
In particular, the Regulator outlined that it would be prioritising the following:
- consideration of applications for approval of codes of conduct;
- consideration of applications for prior authorisation;
- finalising the guidance note on exclusions and exemptions from POPIA;
- finalising the template for notification of security compromises in terms of Section 22 of POPIA; and
- finalising the guidance note on processing of personal information across borders.
The Regulator will also be prioritising public comments on its recent draft guidelines on the registration of information officers.
Brazil: Government issues guide on LGPD requirements for IT contracts
The Government of Brazil published its Guide on Requirements and Obligations regarding Information Security and Privacy, taking into account the requirements of the LGPD.
The guidance is intended for public institutions but may also be useful for other organisations. It sets out a general security and privacy framework for IT contracts, which includes topics such as: information security policies; methodologies for operational business continuity and contingency; security of corporate networks; cryptographic controls; logging security events and incidents; and responsibilities of contracted parties.