Tsaaro Weekly Privacy Newsletter
10th June, 2022
The Right to be forgotten under GDPR
The General Data Protection Regulation (GDPR) gives the citizens of the European Union the Right to be forgotten under Article 17 of the GDPR. Article 17 states that data subjects have the right to obtain the erasure of personal data relating to them without undue delay, and the data controller must comply with such requests. Where the right applies, the delay allowed to the data controller is a 30 day period. It is also the duty of the data controller to verify that the person requesting erasure is the data subject and not somebody else.
In what cases is the right to be forgotten applicable?
Article 17 applies in the following cases:
- The personal data collected is no longer required by the organisation for the purpose for which it was collected.
- The organisation relies on the individual's consent to process the data, and the individual withdraws that consent.
- The organisation relies on legitimate interests as the basis for collecting the personal data, the individual objects, and there is no overriding legitimate interest.
- The organisation is processing the personal data for marketing and the individual objects.
- The organisation is processing the personal data unlawfully.
- The organisation must delete the personal data in order to comply with a law or a legal ruling.
- The organisation is processing a child's personal data.
In what cases can the right to be forgotten be overridden?
There are some exceptions to the right to be forgotten, i.e. cases in which the company can override an individual's right to be forgotten:
- If the data is being used to exercise the right of freedom of expression and information.
- If the data is being used for legal compliance reasons or to follow a judicial ruling.
- If the data is being used to perform a task in the public interest or in the exercise of official authority vested in the organisation.
- If the data is used for public health interests, or serves the public interest for scientific or historical research purposes or for statistical purposes, and erasure would prevent the task from being completed.
- If the data is being used to establish a legal defence in a court of law or to exercise any other legal claims that may arise.
How does an organisation process a right to be forgotten request?
Some organisations may charge a small, reasonable fee to process the request, and an organisation may deny a request for erasure if it gives an appropriate reason. How an organisation processes a request depends on many factors; in every case it has to comply with the law and justify its reasons accordingly. The right applies only to data the organisation already holds, not to data it will collect in the future.
Major Privacy Updates of the Week
MyEasyDocs Exposed PII of Thousands of Students
vpnMentor’s research team discovered a data breach in a Microsoft Azure cloud account belonging to the company Myeasydocs. Myeasydocs is an online platform that allows people to submit documents for verification to banks, universities, law enforcement agencies, and much more. The breach they discovered was connected to an Israeli URL owned by a company that appeared to facilitate Indian students submitting documents to educational institutes in Israel and India. As a result, over 50,000 current and former students of the universities were exposed to a wide range of online frauds and attacks.
Europol provided SWIFT financial system data to CIA
Europol has been providing data from the European SWIFT financial transaction system to the US Department of the Treasury since 2009. Official reports to US Congress reveal that copies of the data were then sent to the US Central Intelligence Agency from 2016. The CIA published documents on the data sets at the request of US Senators, stating that it used the data to search for terrorists and for other purposes, which are prohibited under the agreement.
Sebi Tweaks AMCs’ Cyber Security And Resilience Framework For Investor Protection
Sebi, on June 9, issued a circular on a cybersecurity and cyber resilience framework for AMCs. It will, however, come into effect a month later, on July 15, 2022. The new circular mandates every AMC to report any cyberattack incident within six hours of detection to Sebi, the Indian Computer Emergency Response Team (CERT-In) and, if applicable, the National Critical Information Infrastructure Protection Centre (NCIIPC). Sebi said in the circular that mutual fund houses whose computer and other systems are identified as protected systems by the NCIIPC shall also report to the NCIIPC, in addition to reporting to Sebi and CERT-In. According to the guidelines, the AMCs will also describe their experience of cyberattacks, threats, hacks and other incidents in their quarterly report.
Costa Rica’s public health agency hit by ransomware
All computer systems on the network of Costa Rica's public health service (known as the Costa Rican Social Security Fund, or CCSS) are now offline following a Hive ransomware attack. Last month, the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica's government if a ransom wasn't paid. This month, another band of extortionists has attacked the nation.
Fresh off the intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica's Social Security system and also struck the country's public health agency, which had to shut down its computers on Tuesday to prevent the malware outbreak from spreading.
Zero-day flaw in Atlassian Confluence exploited
Software firm Atlassian released emergency patches for its popular Confluence Server and Data Center products after reports came to light late last week that attackers were exploiting an unpatched vulnerability in the wild. The vulnerability (tracked as CVE-2022-26134) allows even unauthenticated attackers to achieve RCE on unpatched systems, with all supported versions of Confluence Server and Data Center affected. End-of-life versions are also likely to be impacted, but this is unconfirmed. Users are urged to apply the patches published by Atlassian.