Report on Supply Chain Compliance 3, no. 5 (March 5, 2020)
On Feb. 3, Facebook Inc. informed the Irish Data Protection Commission (DPC) that it would be rolling out a new dating service Feb. 14. The DPC was concerned about lack of information regarding the service and the fact that Facebook had not conducted a data protection impact assessment in order to assess any risks.
The Irish DPC authorized the early morning inspection in order to gain access to that information and perhaps to send a message to other data controllers that springing a new service on the DPC is probably not a good idea. Article 58 of the GDPR grants DPC considerable power, including the ability to:
Order the controller, processor or Data Protection representative to provide any information it requires for the performance of its tasks;
Carry out data protection audits;
Obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
Obtain access to any premises of the controller and the processor, including access to any data processing equipment and means (this can include equipment like servers);
Order the controller or processor to bring processing operations into compliance with the provisions of GDPR; and
Impose a temporary or permanent ban on processing.
According to the Irish DPC, Facebook Ireland has since postponed the rollout of the new dating service.