Implementation guide for CNIL cookie guidelines compliance. References the EUR 150M Google fine and EUR 60M Meta fine. Covers equal prominence accept/reject buttons, cookie wall prohibition, 6-month reconsent intervals, essential cookies exemption, and detailed CNIL Deliberation No. 2020-091 requirements.
Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA) 2023 compliance. Covers lawful basis for processing, data subject rights, cross-border transfer mechanisms, Data Protection Compliance Organisation (DPCO) registration, mandatory DPIA filing, and breach notification. Keywords: NDPR, NDPA, Nigeria, NITDA, DPCO, Africa data protection, cross-border transfer.
Manages direct communication to affected data subjects following a personal data breach under GDPR Article 34 when the breach is likely to result in a high risk to their rights and freedoms. Covers the high risk threshold, required notification content per Art. 34(2), exemptions under Art. 34(3), and breach notification letter templates for five scenarios. Keywords: data subject notification, Article 34, high risk, breach communication, GDPR.
Technical enforcement of GDPR Article 5(1)(b) purpose limitation principle. Covers purpose-tagged data stores, access control per purpose, Article 6(4) compatibility assessment factors, and system design for preventing purpose creep. Includes purpose binding architecture and compatibility test implementation.
Executes breach notification under California Civil Code Section 1798.82 (California data breach notification law). Covers data elements triggering notification, timing requirements (most expedient time possible), AG notification for 500+ California residents, specific content and format requirements, and substitute notice provisions. Keywords: California, breach notification, Cal. Civ. Code 1798.82, attorney general, CCPA, data elements.
Delaware Personal Data Privacy Act (DPPA) compliance implementation. Covers consumer rights (access, correct, delete, portability, opt-out), controller obligations, processor requirements, sensitive data consent, universal opt-out recognition, DPIA requirements, and AG enforcement. Effective January 1, 2025, with no revenue threshold for applicability.
Implements HIPAA workforce training requirements under 45 CFR §164.530(b) (Privacy Rule) and 45 CFR §164.308(a)(5) (Security Rule). Covers initial onboarding training, periodic refresher cadence, role-based content differentiation, documentation of training completion, and sanction policy integration. Keywords: HIPAA training, workforce training, security awareness, privacy training, §164.530(b), §164.308(a)(5).
Implements HIPAA Privacy Rule requirements for research uses of protected health information under 45 CFR §164.512(i). Covers IRB and Privacy Board waivers of authorization, individual authorization for research, limited data set and data use agreements, preparatory to research provisions, and decedent research provisions. Keywords: HIPAA research, IRB waiver, Privacy Board, authorization, limited data set, preparatory research, de-identification, Common Rule.
Processes GDPR Article 16 right to rectification requests, covering verification of corrected data accuracy, notification to recipients under Article 19, timeline management, and completion of incomplete data. Activate for rectification, correction request, inaccurate data, Art. 16, data correction queries.
Implements email and internet monitoring compliance in the workplace per Barbulescu v Romania (ECHR Grand Chamber), EDPB guidance, and national labour law. Covers acceptable use policies, legitimate expectation of privacy, proportionality testing, and content vs metadata monitoring. Keywords: email monitoring, Barbulescu, workplace privacy, internet monitoring, acceptable use policy, ECHR, proportionality.
California consumer privacy rights workflow implementation under CCPA/CPRA. Covers right to know, delete, opt-out of sale/sharing, correct, and limit sensitive PI processing. Includes 45-day response timelines, identity verification procedures, and authorized agent handling.
Colorado Privacy Act (CPA) compliance implementation. Covers universal opt-out mechanism required since July 2024, profiling opt-out rights, sensitive data consent requirements, AG rulemaking under 4 CCR 904-3, and consumer rights framework. Effective July 1, 2023.
Implements compliance with South Africa's Protection of Personal Information Act (POPIA), Act No. 4 of 2013. Covers conditions for lawful processing, data subject rights, cross-border transfer restrictions, Information Regulator enforcement, and responsible party obligations. Keywords: POPIA, South Africa, Information Regulator, responsible party, operator, prior authorisation.
Guides the post-Schrems II Transfer Impact Assessment process following EDPB Recommendations 01/2020 six-step methodology. Covers destination country surveillance law assessment, European Essential Guarantees evaluation, and supplementary measures determination. Keywords: TIA, transfer impact assessment, Schrems II, EDPB recommendations, supplementary measures.
Assesses the GDPR Article 30(5) exemption for organisations under 250 employees. Covers the three exception conditions that negate the exemption: non-occasional processing, risk to data subject rights, and special category data processing. Activate for Art. 30(5), 250 employee exemption, small business RoPA, SME exemption, occasional processing.
Implementing the IAB Transparency and Consent Framework v2.2 for programmatic advertising consent management. Covers CMP registration, Global Vendor List integration, TC String encoding, publisher restrictions, and compliance validation.
Guides compliance with Brazil's Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018). Covers the 10 lawful bases under Art. 7, DPO appointment, ANPD enforcement, data subject rights under Arts. 17-22, and international transfer mechanisms. Keywords: LGPD, Brazil data protection, ANPD, lawful bases, data subject rights, international transfers.
Implements financial records retention requirements across EU directives (5-7 years), SOX Section 802 (7 years), MiFID II (5-7 years), tax records, payment data, and AML obligations under AMLD. Maps financial data categories to statutory retention periods with cross-jurisdictional reconciliation. Activate for financial retention, SOX records, MiFID retention, AML retention, tax record keeping queries.
Guides assessment and use of the EU-US Data Privacy Framework adequacy decision for transatlantic data transfers. Covers DPF self-certification with the Department of Commerce, DPF principles compliance, Data Protection Review Court, and annual EC review. Keywords: DPF, EU-US, adequacy, Privacy Shield, transatlantic transfers.
Assesses lawful basis for AI training data processing per EDPB April 2025 report on LLMs and general-purpose AI. Covers legitimate interest balancing tests, consent challenges for ML training, public dataset assessment, and web scraping lawfulness. Keywords: AI training data, lawful basis, EDPB LLM, legitimate interest, consent, web scraping.
Implements 42 CFR Part 2 protections for substance use disorder patient records. Covers written consent requirements stricter than HIPAA, re-disclosure prohibition, court order procedures, qualified service organization agreements, and 2024 amendments aligning Part 2 with HIPAA. Keywords: 42 CFR Part 2, substance use disorder, SUD records, re-disclosure, consent, Part 2 amendments.
Guides management of cross-border data transfers under Asia-Pacific regulatory frameworks including APEC CBPR, ASEAN Model Contractual Clauses, Japan APPI supplementary rules, South Korea PIPA provisions, and Thailand/Singapore PDPA mechanisms. Keywords: APEC CBPR, ASEAN MCCs, APPI, PIPA, PDPA, APAC transfers.
Maps the US federal privacy landscape including sectoral laws (HIPAA, GLBA, FERPA, COPPA, FCRA, ECPA, VPPA), FTC Section 5 enforcement, proposed federal comprehensive legislation, and the interaction between federal and state privacy regimes. Keywords: federal privacy, HIPAA, GLBA, FERPA, COPPA, FCRA, FTC, sectoral, preemption.
Implements data subject rights mechanisms for AI systems including right to explanation of AI decisions, contestation procedures, human review, model output correction, and training data access. Covers GDPR Arts. 15-22 and AI Act Art. 86. Keywords: data subject rights, AI explanation, contestation, human review, training data access, model correction.
