GDPR


What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 4)

This continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous … Continue Reading

Watch Out for These Very Important Documents on “Transfers” and “Processing” of Personal Data

Several important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller … Continue Reading

What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 3)

We continue our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (“draft Guidelines”) issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This issue focuses on the updates to the concept of joint controller.  See our previous issues on the draft … Continue Reading

What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 2)

This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”) issued on 7 September 2020 by the European Data Protection Board (“EDPB”).  This post focuses on the updates to the concept of controller. See our previous post regarding … Continue Reading

Complimentary Webinar – Essential Practices for Website Privacy Policies

Is your website privacy policy current?  Is it GDPR compliant?  Does it reference the EU-U.S. Privacy Shield?  Attend our Webinar, Essential Practices for Website Privacy Policies presented by Annette Demmel and Mareike Lucht. The takeaways from this session will include: The essential elements of a privacy notice, including how and when to inform Critical steps … Continue Reading

What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 1)

This is the first in a series of posts that discuss the key concepts and issues addressed in a set of draft guidelines recently issued by the European Data Protection Board (“EDPB”).  Comments on the draft guidelines are due by 19 October 2020. Part 1: Focus on Processors On 7 September 2020, the EDPB published … Continue Reading

CJEU Invalidates the EU-US Privacy Shield Framework but Leaves the Standard Contractual Clauses Intact, Subject to Major Caveats

On 16 July 2020, the Court of Justice of the EU (“CJEU” or the “Court”) delivered another landmark decision on international data transfers – the so-called Schrems II judgment.  In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework (“Privacy Shield”), on which thousands of US companies have … Continue Reading

Complimentary Webinar: Privacy and Employee Surveys in Germany

Maintaining a positive and productive work environment helps retain valued employees and aids in recruiting new talent, ultimately saving costs and providing an advantage over competitors. To monitor employee satisfaction, organizations are increasingly turning to conducting workplace surveys. On June 16, 2020 at 4:00p CEST Annette Demmel and Tarek Hajj-Khalil of our Data Privacy & … Continue Reading

EasyJet Cyber-Attack: How to Avoid an Easy Hack

A cyber-attack on budget airline EasyJet that has resulted in the exposure of the email addresses and flight details of 9 million of its customers and the credit card details of 2,208 of them is a reminder to all of the vulnerabilities, risks and obligations in relation to personal data. Two years on from the … Continue Reading

A Timely Reminder: Maintain Data Security in the Face of the Pandemic

The ongoing Coronavirus pandemic and related Government guidance, requiring social distancing and individuals to work from home where possible, has resulted in many organisations rapidly having to adapt the way in which they operate. Despite the unprecedented challenges that will need to be faced over the coming weeks, including in many cases significantly reduced resources … Continue Reading

The European Commission is set to review the GDPR

It has been almost two years since the GDPR came into force and now the European Commission (“EC”) is set to undertake a review and eventually report on issues regarding the application of the GDPR. Specifically, the EC will report on the international transfer provisions and cooperation and consistency mechanisms between supervisory authorities. The EC … Continue Reading

Poland: Expected Enforcement Actions in 2020 and Beyond. Who Should Beware?

The reorganization of the Personal Data Protection Office (UODO), which took place in December 2019, warrants an assumption that 2020 will see increased activity from the supervisory authority. The UODO’s creation of three new departments indicates that the officers intend to specialize further to boost the efficiency of personal data protection inspections, in particular data … Continue Reading

Anonymization of Personal Data with Focus on Traffic Data:  First Public Consultation Procedure by the Federal German Data Protection Office

On February 10, 2020, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) initiated its first public consultation procedure on the anonymization of personal data, with a particular focus on providers of electronic communication services.  As the European Commission Communication in A European Strategy for Data recognized, anonymized data may be used … Continue Reading

Data Breach Enforcement in the UK and in the EU: Cross-Border Issues

Now that the GDPR has been in force for nearly two years, the UK’s Information Commissioner’s Office (“ICO”), along with a number of other EU supervisory authorities, has begun to issue fines to infringing data controllers and processors for failure to adequately act upon their personal data breach notification obligations and protect personal data they … Continue Reading

Absent Guidelines, Many Questions on Facilitating DSARs

At present, companies acting as data controllers lack uniform interpretation of the rules that guide their compliance efforts to respond to data subject rights requests under the EU General Data Protection Regulation. Nevertheless, controllers are expected to adopt internal processes to address such requests in accordance with the applicable legislation. While some EU data protection … Continue Reading

ICO Consults on the Processing of Criminal Convictions Personal Data

The ICO has recently launched a call for views on criminal convictions and offences data, or related security measures, under Article 10 of the GDPR. It is specifically consulting on market practice and understanding in this area. The Legal Framework The legal framework surrounding the collection and use of criminal convictions data is complex and … Continue Reading

Use of the Social Security Number in France

Under Article 87 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), member states may define the specific conditions for the processing of a national identification number or any other identifier of general application. As discussed below, France has made an interesting application of this rule regarding, in particular, the social security number. … Continue Reading

Thought Leaders In Privacy: An interview with Rosa Barcelo

Partner Rosa Barcelo sat down with OneTrust DataGuidance for their “Thought Leaders In Privacy” segment, to discuss major data privacy issues that have been a focus over the past year, as well as provide insights for organisations looking to comply with recent guidance issued by the CNIL and ICO, key points regarding proposed ePrivacy Regulations … Continue Reading

ICO Issues Fine Against National Retailer for Security Failings

An unhappy new year for Currys PC World and Dixons Travel stores, as the ICO has issued owners DSG Retail Limited with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores. Although the incident was investigated and addressed under the pre-GDPR legislation, the fine represents the … Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 2)

Article 3(2) of the GDPR and the second criterion: Targeting criterion   Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)).  Our first post in this series examined the “Establishment” criterion. In this post, we will move … Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 1)

The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the … Continue Reading

ICO Consults on Draft Subject Access Request Guidance

The ICO has published draft guidance (the “guidance”) on data subject access requests (“DSARs”), which updates the previous code of practice, last issued in 2017. This guidance takes into account the relevant provisions of the GDPR and UK Data Protection Act 2018 (“DPA”). The ICO will be consulting on this draft guidance until 12 February … Continue Reading

EU Webinar Series – DPIAs – What You Need to Know

On Thursday, November 7, we will host the second webinar of our EU Webinar Series, “DPIAs – What You Need To Know.” Data Protection Impact Assessments are required under the GDPR and are intended to help organizations identify data security risks. Many data protection authorities have issued guidelines on when and how to conduct a … Continue Reading