Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 1)

The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the scope of the GDPR.

The European Data Protection Board (EDPB) has finally published its long-awaited final version of the guidelines 3/2018 on the territorial scope of the GDPR (article 3). Such a standard interpretation is essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity. It is, therefore, essential that controllers and processors, especially those offering goods and services at an international level, undertake a careful, concrete assessment of their processing activities in order to determine whether the related processing of personal data falls under the scope of the GDPR.

Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). We are presenting each of these criteria through two posts. Part 1 is detailed below, Part 2 will be detailed in a separate post shortly hereafter.

Continue Reading

ICO Consults on Draft Subject Access Request Guidance

Padlock and EU flag

The ICO has published draft guidance (the “guidance”) on data subject access requests (“DSARs”), which updates the previous code of practice, last issued in 2017. This guidance takes into account the relevant provisions of the GDPR and UK Data Protection Act 2018 (“DPA”). The ICO will be consulting on this draft guidance until 12 February 2020.

Importantly, the ICO recognises some of the issues that businesses are facing in relation to DSARs, in that the guidance:

  • Explains when a request may be considered complex. The guidance states that a large volume of data may add (emphasis is ours) to the complexity of a request, but notes that the volume of data alone is not a reason by itself to consider a DSAR complex;
  • Provides greater clarity on what a business can take into consideration when it is considering the monetary value of a fee. For example, photocopying and printing are generally valid administration costs, but a business cannot charge for the time taken to deal with the request;
  • Includes a section on what businesses should do when a request involves information about another identifiable individual. It provides further guidance on the DPA exception relating to third-party data; and
  • Contains some practical guidance about the DPA exceptions, such as negotiations and management information.

Whilst this is a valuable update from the ICO, which might provide some helpful additional information, it should be noted that it is only a draft for consultation. The ICO is seeking views from stakeholders and the public about the proposed guidance. In particular, it wishes to understand what specific issues businesses have faced in responding to DSARs since the GDPR was implemented in May 2018. If you are interested in responding, please use this link.


ABA Hosts CCPA Webinar

On December 4, 2019, Squire Patton Boggs partner, Elliot Golding and colleagues Joanne Charles (Microsoft) and Courtney Manzel (Volkswagen Group of America) will present a webinar – The Final California Consumer Privacy Act: What Are Your Obligations?  The webinar will address:

  • Scope and applicability (e.g., what companies, data and processes will be impacted);
  • Key requirements (e.g., privacy statement, individual rights [know, deletion, sale opt out, nondiscrimination], etc.);
  • Suggested steps to build a CCPA compliance program efficiently and effectively;
  • Practical tips to manage risk and leverage existing compliance processes (including GDPR) where possible.

Attendees may register here.

ICO Wants to Hear Your Views on the Design of its New Accountability Toolkit

In an October 28, 2019 blog post, Director for Regulatory Assurance, Ian Hulme, announced that the UK Information Commissioner’s Office (“ICO”) is developing a new ‘accountability toolkit’ which it plans to launch next year. The aim of the toolkit will be to support organisations in demonstrating their compliance with the ‘accountability principle’ under the GDPR[1]. It will enable organisations to understand the ICO’s expectations and to take responsibility for designing their own accountability programs. The ICO wants the toolkit to be ‘user-led’ and, as a result, it believes that gathering the views of organisations is essential.

The ICO seeks the views of a wide range of organisations in different sectors on matters such as their current practices relating to accountability and how the ICO could support them in the development of their own accountability programs.

Any thoughts on the development of the accountability toolkit can be provided on the ICO’s dedicated consultation page or provided by email to accountability.ico.org.uk. The consultation closes at 17:00 on 9 December 2019.

Mr. Hulme made it clear that compliance with the accountability obligation is about “putting data protection at the heart” of all personal data processing. It includes being “crystal clear” about data protection responsibilities throughout the organisation, data protection being a “boardroom issue” and not just the responsibility of the Data Protection Officer, managing risk pro-actively and being transparent to people about the processing of their personal data. He recognised that many organisations are working hard to get this right and stated that the ICO is keen to support those efforts, in light of the substantial work and culture change that can be required.

The consultation page lists a number of measures which the ICO says could enable organisations to demonstrate their compliance with the accountability principle, including implementing data protection policies, taking a data protection by design and default approach, reporting data breaches where required and carrying out data protection impact assessments.

Please contact our Data Privacy & Cybersecurity team members for assistance with GDPR compliance, including putting in place measures to fulfil your organisation’s accountability obligation.

[1] This is a specific obligation under Article 5(2) of the GDPR (EU General Data Protection Regulation 2016/679)

Ransomware Attacks – Why it Should Matter to Your Business

Gone are the days when ransomware attacks inflicted the unlucky few.  Today, all companies and organizations are susceptible to attack, no matter their size or industry.  In a client alert, our Data Breach Response team discusses the rising trends in ransomware attacks, the implications of becoming a victim, and what you can do to protect your business or organization.

I’m a Financial Institution – What Do I Need to Do Under the CCPA?

This post is part of our series highlighting key compliance issues under the California Consumer Privacy Act (CCPA). For a broader look at the CCPA, please see prior posts from members of our Data Privacy & Cybersecurity  regarding applicability, gap assessments, and the recent amendments. Stay tuned for further posts in this series.


Since the CCPA was enacted in June 2018, financial institutions have been considering whether and how the new law will apply to them. The CCPA provisions include certain exemptions for personal information (“PI”) that is regulated pursuant to the Gramm-Leach-Bliley Act (“GLBA”) [1], the California Financial Information Privacy Act (“CalFIPA”) [2] or the Fair Credit Reporting Act (“FCRA”). These exemptions are not absolute, however, and almost all financial institutions collect and use various types of PI that is not regulated by GLBA, CalFIPA or the FCRA. Financial institutions should therefore carefully consider their exposure to the CCPA. This post provides an overview of the recent amendments to the CCPA that bear on financial services and examines the overall impact. Continue Reading

EU Webinar Series – DPIAs – What You Need to Know

Padlock and EU flag

On Thursday, November 7, we will host the second webinar of our EU Webinar Series, “DPIAs – What You Need To Know.”

Data Protection Impact Assessments are required under the GDPR and are indented to help organizations identify data security risks. Many data protection authorities have issued guidelines on when and how to conduct a DPIA.

Partner Annette Demmel and associate Mareike Lucht of our Data Privacy & Cybersecurity Practice, will explain DPIA guidelines, including:

  • Actors in a DPIA process
  • When to perform a DPIA and planning
  • What method to use
  • How to conduct a DPIA
  • Implement the results

This webinar will go live 4:00 p.m. CET, 3:00 p.m. GMT, 10:00 a.m. EST and 7:00 a.m. PST.

Register here. A recording of the webinar will be sent to registrants.

EU Webinar Series – EU Cookie Rules and Tracking Walls

On Tuesday, October 29, we will host the first webinar of our EU Webinar Series, “The Latest on EU Cookie Rules and Tracking Walls.”

Topics will include:

  • The impact of the GDPR on the cookie consent requirement
  • The recent guidelines issued by the EU data protection authorities on cookie rules
  • The recent case law and its impact on business practices around cookies

Padlock and EU flag

The discussion will be led by Rosa Barcelo, the European chair of our Data Privacy & Cybersecurity Practice, who joined us last October from the European Commission, after having led the Commission’s legislative efforts on the draft e-Privacy Regulation. Rosa will be joined by and Asel Ibraimova, an associate in our London office, who has advised extensively on cookie requirements.

The webinar will go live at 5:00 p.m. CET, 4:00 p.m. GMT, 12:00 p.m. EDT, 9:00 a.m. PDT.

Register here.

When is it ‘Necessary’ to Process Personal Data to Perform a Contract?

The European Data Protection Board has adopted final Guidelines on the processing of personal data using the “necessary perform a contract” lawful basis under Article 6(1)(b) of the GDPR, in the context of the provision of online services.

Article 6(1)(b) of the GDPR provides a lawful basis for the processing of personal data to the extent that the processing is:

  • Necessary for the performance of a contract to which the data subject is a party; or
  • In order to take steps at the request of the data subject prior to entering into a contract.

The Guidelines outline the elements of lawful processing under Article 6(1)(b) and focus in particular on the concept of ‘necessity’. They begin by examining the interaction between this lawful basis and other obligations under the GDPR. Continue Reading