EU

The European Commission is set to review the GDPR

It has been almost two years since the GDPR came into force and now the European Commission (“EC”) is set to undertake a review and eventually report on issues regarding the application of the GDPR. Specifically, the EC will report on the international transfer provisions and cooperation and consistency mechanisms between supervisory authorities. The EC … Continue Reading

Data Breach Enforcement in the UK and in the EU: Cross-Border Issues

Now that the GDPR has been in force for nearly two years, the UK’s Information Commissioner’s Office (“ICO”), along with a number of other EU supervisory authorities, has begun to issue fines to infringing data controllers and processors for failure to adequately act upon their personal data breach notification obligations and protect personal data they … Continue Reading

Public Consultation in France on the Transposition of the European Electronic Communications Code (Directive 2018/1972 of December 11, 2018)

The French government has launched a public consultation on the transposition of Directive (EU) 2018/1972 of December 11, 2018, establishing the EU Electronic Communications Code (EECC), which must be transposed before December 21, 2020. What Is It About? The consultation concerns the draft modification of the French Postal Services and Electronic Communications (CPCE) and French Consumer … Continue Reading

Absent Guidelines, Many Questions on Facilitating DSARs

At present, companies acting as data controllers lack uniform interpretation of the rules that guide their compliance efforts to respond to data subject rights requests under the EU General Data Protection Regulation. Nevertheless, controllers are expected to adopt internal processes to address such requests in accordance with the applicable legislation. While some EU data protection … Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 2)

Article 3(2) of the GDPR and the second criterion: Targeting criterion. Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). Our first post in this series examined the “Establishment” criterion. In this post, we will move … Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 1)

The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the … Continue Reading

EU Webinar Series – DPIAs – What You Need to Know

On Thursday, November 7, we will host the second webinar of our EU Webinar Series, “DPIAs – What You Need To Know.” Data Protection Impact Assessments are required under the GDPR and are intended to help organizations identify data security risks. Many data protection authorities have issued guidelines on when and how to conduct a … Continue Reading

When is it ‘Necessary’ to Process Personal Data to Perform a Contract?

The European Data Protection Board has adopted final Guidelines on the processing of personal data using the “necessary perform a contract” lawful basis under Article 6(1)(b) of the GDPR, in the context of the provision of online services. Article 6(1)(b) of the GDPR provides a lawful basis for the processing of personal data to the … Continue Reading

The Planet49 Decision: Key Takeaways

On October 1 2019, the Court of Justice of the European Union (CJEU) issued its decision in the Planet49 case. The decision confirms much-anticipated and relevant principles regarding the use of consent for the processing of personal data and the use of cookies. Notably, it confirms that pre-ticked boxes do not constitute a legally valid consent, in … Continue Reading

European Commission Announces Provisional Agreement on Whistleblower Directive

In a press release published on March 12, 2019, the European Parliament and its member states reached a provisional agreement on new rules that will guarantee a high level of protection for whistleblowers who report breaches of EU law. The draft establishes a three-tier reporting system (that potentially allows the whistleblower to inform publicly or through media … Continue Reading

GDPR Enforcement: Portugal

A hospital became one of the first organisations to face GDPR enforcement in Portugal in July 2018. The hospital received a €400,000 fine from the Portuguese regulator, Comissão Nacional de Protecção de Dados (“CNPD”) for various breaches of the GDPR. The hospital was fined for the following three violations of the GDPR: Breach of the … Continue Reading

What Does the New European Electronic Communications Code Mean for OTT’s?

As users increasingly use nontraditional modes of communication, such as social media and instant messaging applications, email and VoIP, in place of traditional telephone and data services, so too must privacy laws evolve. The European Electronic Communications Code, proposed on December 4, 2018, expands the definition of electronic communications services to include these “over-the-top services.” … Continue Reading

Does the GDPR Allow for the Use of Consent for the International Transfer of Data?

Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier to use consent as a basis for international transfer than was the case under the Directive 95/46? Rules on international transfer under GDPR … Continue Reading

EDPB Publishes Draft Guidelines on the Territorial Scope of the GDPR’s Article 3

The European Data Protection Board (EDPB) has finally published its long-awaited draft guidelines 3/2018 on the territorial scope of GDPR (article 3)  (“Draft Guidelines”). These are now subject to consultation until 18 January 2019. These Draft Guidelines are pertinent to companies outside of the EU seeking to determine whether the General Data Protection Regulation “GDPR” … Continue Reading

Personal Data Breach Notification Obligations Arise from Various Sources, not Only the GDPR

Since 25 May 2018, controllers experiencing a personal data breach must – as a general rule – notify it to the appropriate supervisory authority. Not all breaches will require notifications: those that do not pose a risk to the rights and freedoms of natural persons will generally fall under the radar. However, if such risk … Continue Reading

GDPR’s Impact on Advertising Practices

The GDPR has impacted how organizations in many industries, including advertising, operate. For example, the Committee of Advertising Practice, which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing “CAP Code”, is in the process of updating its prize promotion rules to comply with the stricter requirements under the GDPR, primarily as … Continue Reading

EDPB Tries to Sort Out the DPIA Disaccord

Article 35(4) of the EU General Data Protection Regulation (“GDPR”) states that the supervisory authorities of the EU Member States (“SAs”) shall establish, publish and communicate to the European Data Protection Board (“EDPB”) a list of processing operations that are subject to a requirement for a data protection impact assessment (“DPIA”) under the GDPR.… Continue Reading

Procedure Launched for Japan and the European Union to Become the World’s Largest Area of Safe Data Transfers

What’s New? On 5 September 2018, the EU Commission commenced proceedings to adopt an Adequacy Decision in relation to Japan’s protection of personal data by issuing a draft ‘Commission Implementing Decision’. This is an important step towards the culmination of discussions between the EU and Japan that were initiated in January 2017, with the aim … Continue Reading

GDPR is Now EEA Wide!

The General Data Protection Regulation (GDPR) was incorporated into the EEA Agreement by the EEA Joint Committee in Brussels and entered into force in mid-July. The European Economic Area (EEA) currently includes all EU Member States, including, for the time being, the UK, as well as three of the four EFTA States, namely Iceland, Liechtenstein and … Continue Reading