Following the release of its 2015 Annual Report in April, the CNIL (the French data protection authority) last month published its annual inspection program for 2016. Some of its key focusses for the next year include video surveillance and profiling. The focus on profiling comes at an important time as we march ever closer to the May 2018 implementation date of the GDPR, which itself has an increased focus on profiling compared to its predecessor. May also saw an unusual decision from the Garante (the Italian data protection authority) on video surveillance, with the granting of an authorisation to use "smart" video surveillance in a production plant which included permission to put in place a retention period in excess of the maximum periods set out the Garante's guidelines on video surveillance.

In the midst of discussions on the future of EU-US data transfers and the ongoing search for an adequate replacement for Safe Harbor, the ODPC (the Office of the Data Protection Commissioner, the Irish Data Protection Commissioner) has injected further uncertainty into the mix with its challenge over the adequacy of EU model clauses as a mechanism for protecting personal data transferred from the EU to the US. Although there is unlikely to be quick decision on the validity of the EU model clauses, it certainly adds another layer of complexity to an already complicated picture.

In April the OPDC also announced its focus on the Internet of Things in this year's Global Privacy Enforcement Network global privacy sweep. As such, organisations making use of smart devices that process personal data should ensure their practices are compliant as this focus is likely to lead to increased enforcement action against those that are not. And whilst we are on the subject of ODPC enforcement action, April also saw a slightly unusual step taken by the ODPC in its punishment of Littlewoods Ireland and The Irish Times, who both avoided criminal convictions despite breaching the E-Privacy Regulations by opting instead to donate to charity.

Last month also saw several data protection authorities across Europe start their preparation for the implementation of the GDPR with the AEPD (the Agencia Española de Proteccion de Datos, the Spanish data protection authority) releasing a guidance document setting out 12 questions which should serve as a useful starting point for organisations in Spain when investigating the steps required to become compliant with the GDPR and the Datainspektionen (the Swedish data protection authority) issuing some guidance for GDPR compliance.

And finally, this month's edition also sees our first story from Serbia, where we examine the frameworks and rules around the collection and processing of sensitive health in data in Serbia.