Report on Supply Chain Compliance 3, no. 5 (March 5, 2020)
On Feb. 3, Facebook Inc. informed the Irish Data Protection Commission (DPC) that it would be rolling out a new dating service Feb. 14. The DPC was concerned about lack of information regarding the service and the fact that Facebook had not conducted a data protection impact assessment in order to assess any risks.
The Irish DPC authorized the early morning inspection in order to gain access to that information and perhaps to send a message to other data controllers that springing a new service on the DPC is probably not a good idea. Article 58 of the GDPR grants DPC considerable power, including the ability to:
-
Order the controller, processor or Data Protection representative to provide any information it requires for the performance of its tasks;
-
Carry out data protection audits;
-
Obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
-
Obtain access to any premises of the controller and the processor, including access to any data processing equipment and means (this can include equipment like servers);
-
Order the controller or processor to bring processing operations into compliance with the provisions of GDPR; and
-
Impose a temporary or permanent ban on processing.[1]
According to the Irish DPC, Facebook Ireland has since postponed the rollout of the new dating service.[2]
[View source.]
