Search results

1 – 10 of over 147000
Article
Publication date: 23 February 2022

Anita Katulić, Tihomir Katulić and Ivana Hebrang Grgić

Abstract

Purpose

The purpose of this paper is to examine the relationship between the legal obligation of European libraries to ensure transparent personal data processing and respect for user privacy. This paper will examine how libraries use privacy notices on websites to communicate with patrons about the processing of personal data and in what manner libraries have been guided by applicable transparency guidelines.

Design/methodology/approach

The method used is the analysis of privacy policies and other privacy documents found on the websites of national libraries. The analysis sample includes documents of 45 European national libraries, 28 out of those being national libraries of European Union (EU) Member States. The elements for this analysis are derived from the mandatory elements of the General Data Protection Regulation and the recommendations of the WP29/EDPB Transparency Guidelines.

Findings

The findings suggest that European national libraries largely adhere to EU data protection standards. In total, 60% of libraries use a separate privacy page, and 53% of the EU Member State national libraries' websites managed to comply with publishing all necessary data protection information in a way recommended by the Guidelines, compared to 47% of non-Member State national libraries.

Originality/value

The research contributes to the understanding of the importance of the principle of transparency and its operationalization.

Details

Digital Library Perspectives, vol. 38 no. 4
Type: Research Article
ISSN: 2059-5816

Book part
Publication date: 7 May 2019

Francesco Ciclosi, Paolo Ceravolo, Ernesto Damiani and Donato De Ieso

Abstract

This chapter analyzes the compliance of some category of Open Data in Politics with EU General Data Protection Regulation (GDPR) requirements. After clarifying the legal basis of this framework, the chapter gives specific attention to the processing procedures that conform to the legitimate interests pursued by the data controller, including open data licenses or anonymization techniques, which can result in partial application of the GDPR; however, there is no generic guarantee and, as a consequence, an appropriate process of analysis and management of risks is required.

Details

Politics and Technology in the Post-Truth Era
Type: Book
ISBN: 978-1-78756-984-3

Article
Publication date: 22 July 2021

Marius Laurinaitis, Darius Štitilis and Egidijus Verenius

Abstract

Purpose

The purpose of this paper is to assess such processing of personal data for identification purposes from the point of view of the principle of data minimisation, as set out in the EU’s General Data Protection Regulation (GDPR) and examine whether the processing of personal data for these purposes can be considered proportionate, i.e. whether it is performed for the purposes defined and only as much as is necessary.

Design/methodology/approach

In this paper, the authors discuss and present the relevant legal regulation and examine the goals and implementation of such regulation in Lithuania. This paper also examines the conditions for the lawful processing of personal data and their application for the above-mentioned purposes.

Findings

This paper addresses the problem that, on the one hand, financial institutions must comply with the objectives of collecting as much personal data as possible under the AML Directive (this practice is supported by the supervisory authority, the Bank of Lithuania), and, on the other hand, they must comply with the principle of data minimisation established by the GDPR.

Originality/value

Financial institutions process large amounts of personal data. These data are processed for different purposes. One of the purposes of processing personal data is (or may be) related to the prevention of money laundering and terrorist financing. In implementing the Know Your Customer principle and the relevant legal framework derived from the EU AML Directive, financial institutions collect various data, including projected account turnovers, account holders' relatives involved in politics, etc.

Details

Journal of Money Laundering Control, vol. 24 no. 4
Type: Research Article
ISSN: 1368-5201

Article
Publication date: 10 April 2023

Natasja Van Buggenhout, Wendy Van den Broeck, Ine Van Zeeland and Jo Pierson

Abstract

Purpose

Media users daily exchange personal data for “free” personalised media. Is this a fair trade, or user “exploitation”? Do personalisation benefits outweigh privacy risks?

Design/methodology/approach

This study surveyed experts in three consecutive online rounds (e-Delphi). The authors explored personal data processing value for media, personalisation relevance, benefits and risks for users. The authors scrutinised the value-exchange between media and users and determined whether media communicate transparently, or use “dark patterns” to obtain more personal data.

Findings

Communication to users must be clear, correct and concise (prevent user deception). Experts disagree on “payment” with personal data for “free” personalised media. This study discerned obstacles and solutions to substantially balance the interests of media and users (fair value exchange). Personal data processing must be transparent, profitable to media and users. Media can agree “sector-wide” on personalisation transparency. Fair, secure and transparent information disclosure to media is possible through shared responsibility and effort.

Originality/value

This study’s innovative contribution is threefold: Firstly, focus on professional stakeholders’ opinion in the value network. Secondly, recommendations to clearly communicate personalised media value, benefits and risks to users. This allows media to create codes of conduct that increase user trust. Thirdly, expanding literature explaining how media realise personal data value, deal with stakeholder interests and position themselves in the data processing debate. This research improves understanding of personal data value, processing benefits and potential risks in a regional context and European regulatory framework.

Details

Digital Policy, Regulation and Governance, vol. 25 no. 3
Type: Research Article
ISSN: 2398-5038

Open Access
Book part
Publication date: 4 October 2023

Athanasios Ntinapogias and George Nikolaidis

Abstract

Involvement of children in research on different aspects of children's rights, including research on violence against children, is continuously increasing, as is the interest in participatory approaches (European Agency for Fundamental Rights [FRA], 2014; Larsson et al., 2018; UN Committee on the Rights of the Child, 2011). Svevo-Cianci et al. (2011) noted that ‘as researchers commit to learning from community members, including children and adolescents themselves, it has become more clear that an understanding of the lived reality and definition of violence for children in their individual communities, is essential to envision and implement effective child protection’ (p. 985).

In this chapter, the legislative context regarding children's rights to be heard and participate is initially discussed; currently applied age requirements for children to acquire rights across the countries of the European Union (EU) are briefly presented; and children's potential roles and relevant provisions for their participation in social research are explored. The last part is dedicated to the presentation and discussion of the General Data Protection Regulation (GDPR; Regulation [EU] 2016/679, 2016) – specifically, children's personal data–related recitals and articles; the importance of the definition of a legal basis for personal data processing according to the GDPR, including consent; and the necessary information to be provided to children before their data are processed.

Details

Participatory Research on Child Maltreatment with Children and Adult Survivors
Type: Book
ISBN: 978-1-80455-529-3

Article
Publication date: 26 November 2020

Muhammad Al-Abdullah, Izzat Alsmadi, Ruwaida AlAbdullah and Bernie Farkas

Abstract

Purpose

The paper posits that a solution for businesses to use privacy-friendly data repositories for its customers’ data is to change from the traditional centralized repository to a trusted, decentralized data repository. Blockchain is a technology that provides such a data repository. However, the European Union’s General Data Protection Regulation (GDPR) assumed a centralized data repository, and it is commonly argued that blockchain technology is not usable. This paper aims to posit a framework for adopting a blockchain that follows the GDPR.

Design/methodology/approach

The paper uses the Levy and Ellis’ narrative review of literature methodology, which is based on constructivist theory posited by Lincoln and Guba. Using five information systems and computer science databases, the researchers searched for studies using the keywords GDPR and blockchain, using a forward and backward search technique. The search identified a corpus of 416 candidate studies, from which the researchers applied pre-established criteria to select 39 studies. The researchers mined this corpus for concepts, which they clustered into themes. Using the accepted computer science practice of privacy by design, the researchers combined the clustered themes into the paper’s posited framework.

Findings

The paper posits a framework that provides architectural tactics for designing a blockchain that follows GDPR to enhance privacy. The framework explicitly addresses the challenges of GDPR compliance using the unimagined decentralized storage of personal data. The framework addresses the blockchain–GDPR tension by establishing trust between a business and its customers vis-à-vis storing customers’ data. The trust is established through blockchain’s capability of providing the customer with private keys and control over their data, e.g. processing and access.

Research limitations/implications

The paper provides a framework that demonstrates that blockchain technology can be designed for use in GDPR compliant solutions. In using the framework, a blockchain-based solution provides the ability to audit and monitor privacy measures, demonstrates a legal justification for processing activities, incorporates a data privacy policy, provides a map for data processing and ensures security and privacy awareness among all actors. The research is limited to a focus on blockchain–GDPR compliance; however, future research is needed to investigate the use of the framework in specific domains.

Practical implications

The paper posits a framework that identifies the strategies and tactics necessary for GDPR compliance. Practitioners need to complement the framework with rigorous privacy risk management, i.e. conducting a privacy risk analysis, identifying strategies and tactics to address such risks and preparing a privacy impact assessment that enhances accountability and transparency of a blockchain.

Originality/value

With the increasingly strategic use of data by businesses and the contravening growth of data privacy regulation, alternative technologies could provide businesses with a means to nurture trust with its customers regarding collected data. However, it is commonly assumed that the decentralized approach of blockchain technology cannot be applied to this business need. This paper posits a framework that enables a blockchain to be designed that follows the GDPR; thereby, providing an alternative for businesses to collect customers’ data while ensuring the customers’ trust.

Details

Digital Policy, Regulation and Governance, vol. 22 no. 5/6
Type: Research Article
ISSN: 2398-5038

Article
Publication date: 8 June 2020

Vasiliki Diamantopoulou, Aggeliki Tsohou and Maria Karyda

Abstract

Purpose

This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations can use this paper as a basis for extending the already existing security control modules towards data protection; and as guidance for reaching compliance with the regulation.

Design/methodology/approach

This study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.

Findings

The findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere to the GDPR.

Originality/value

This paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Book part
Publication date: 19 July 2022

Claire Farrugia, Simon Grima and Kiran Sood

Abstract

Purpose: This chapter sets out to lay out and analyse the effectiveness of the General Data Protection Regulation (GDPR), a recently established European Union (EU) regulation, in the local insurance industry.

Methodology: This was done through a systematic literature review to determine what has already been done and then a survey as a primary research tool to gather information. The survey was aimed at clients and employees of insurance entities.

Findings: The general results are that effectiveness can be segmented into different factors and vary regarding the respondents’ confidence. Other findings include that the GDPR has increased costs, and its expectations are unclear. These findings suggest that although the GDPR was influential in the insurance market, some issues about this regulation still exist.

Conclusions: GDPR fulfils its purposes; however, the implementation process of this regulation can be facilitated if better guidelines are issued for entities to follow to understand its expectations better and follow the law and fulfil its purposes most efficiently.

Practical implications: These conclusions imply that the GDPR can be improved in the future. Overall, as a regulation, it is suitable for the different member states of the EU, including small states like Malta.

Details

Big Data: A Game Changer for Insurance Industry
Type: Book
ISBN: 978-1-80262-606-3

Article
Publication date: 5 April 2024

Jawahitha Sarabdeen and Mohamed Mazahir Mohamed Ishak

Abstract

Purpose

General Data Protection Regulation (GDPR) of the European Union (EU) was passed to protect data privacy. Though the GDPR intended to address issues related to data privacy in the EU, it created an extra-territorial effect through Articles 3, 45 and 46. Extra-territorial effect refers to the application or the effect of local laws and regulations in another country. Lawmakers around the globe passed or intensified their efforts to pass laws to have personal data privacy covered so that they meet the adequacy requirement under Articles 45–46 of GDPR while providing comprehensive legislation locally. This study aims to analyze the Malaysian and Saudi Arabian legislation on health data privacy and their adequacy in meeting GDPR data privacy protection requirements.

Design/methodology/approach

The research used a systematic literature review, legal content analysis and comparative analysis to critically analyze the health data protection in Malaysia and Saudi Arabia in comparison with GDPR and to see the adequacy of health data protection that could meet the EU data transfer requirement.

Findings

The finding suggested that the private sector is better regulated in Malaysia than the public sector. Saudi Arabia has some general laws to cover health data privacy in both public and private sector organizations until the newly passed data protection law is implemented in 2024. The finding also suggested that the Personal Data Protection Act 2010 of Malaysia and the Personal Data Protection Law 2022 of Saudi Arabia could be considered “adequate” under GDPR.

Originality/value

The research would be able to identify the key principles that could identify the adequacy of the laws about health data in Malaysia and Saudi Arabia as there is a dearth of literature in this area. This will help to propose suggestions to improve the laws concerning health data protection so that various stakeholders can benefit from it.

Details

International Journal of Law and Management, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1754-243X

Article
Publication date: 1 January 2000

Lucy Inger

Abstract

The financial services industry is facing a number of important legal developments. The most publicised of these is the coming into force on 1st March, 2000 of the new Data Protection Act 1998. This is going to have a profound impact on the way in which businesses process personal data. It will, for the first time ever, apply to personal data stored in certain manual files and it will also regulate trans‐border data flows and restrict the processing of a special category of sensitive personal data. Information is the lifeblood of any business. There is no doubt that this Act is going to regulate the flow of that information and all its uses. Other developments in the pipeline include the proposed European Union Directive on the distance selling of financial services to consumers and the various legislative provisions which are being put in place to deal with the huge surge in on‐line transactions.

Details

Journal of Financial Regulation and Compliance, vol. 8 no. 1
Type: Research Article
ISSN: 1358-1988
