Italian #DPA lock down the risky #surveillance law that aim to have (biometric_identification+cctv+smart_image_analisys) to check public employees punch-in and punch-out.
This time DPA analyze implementing decree.
In october 2018 the DPA did the same on the draft of the main law
This time DPA analyze implementing decree.
In october 2018 the DPA did the same on the draft of the main law
The law is already in force (D.Lgs 56/2019) but it lacks of application rules.
The DPA is highlighting and pointing out all the issues related to the law itself ant to the application rules, that are conflicting with the #GDPR main #principles.
The DPA is highlighting and pointing out all the issues related to the law itself ant to the application rules, that are conflicting with the #GDPR main #principles.
Main issues are:
1) terms and #definitions don't match with GDPR definitions. they have to be lined up
2) principles of #Necessity & #Proportionality are completely unattended
3) the new biometric gates can't be #mandatory
4) #alternative gates should be available if needed
1) terms and #definitions don't match with GDPR definitions. they have to be lined up
2) principles of #Necessity & #Proportionality are completely unattended
3) the new biometric gates can't be #mandatory
4) #alternative gates should be available if needed
5) this kind of processing shall be #notified to the Commission (art. 88.3)
6) no rules on how to handle the #storage of hashed biometric data. Only the data subject can keep them. No copies, no storage, no databases.
7) no #safety requirements are detailed. they are needed
6) no rules on how to handle the #storage of hashed biometric data. Only the data subject can keep them. No copies, no storage, no databases.
7) no #safety requirements are detailed. they are needed
8) the #reliability of biometric gate is the main reason to implement it... so there is no need of a second gate based on smart-videosurveillance that is less accurate. The law ask for both with no logical or technical reason.
9) #visitors and other people data are processed too.
9) #visitors and other people data are processed too.
10) #privacynote should be mandatory given to data subject with all the needed informations.
11) data #retention timings should be clear and mandatory
12) #CCTV systems have to grant PbD features and settings
13) a full #DPIA should be done and then shared with DPA (hi risk).
11) data #retention timings should be clear and mandatory
12) #CCTV systems have to grant PbD features and settings
13) a full #DPIA should be done and then shared with DPA (hi risk).
14) the DPA ask to write data protection #agreements and to clarify roles and responsability with all the involved agencies (#controllers - #processors - #third party) . The DPA will help and will provide a General Application Order
• • •
Missing some Tweet in this thread? You can try to
force a refresh
