An unhappy new year for Currys PC World and Dixons Travel stores, as the ICO has issued owners DSG Retail Limited with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores. Although the incident was investigated and addressed under the pre-GDPR legislation, the fine represents the … Continue Reading
Article 3(2) of the GDPR and the second criterion: Targeting criterion Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). Our first post in this series examined the “Establishment” criterion. In this post, we will move … Continue Reading
The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the … Continue Reading
The ICO has published draft guidance (the “guidance”) on data subject access requests (“DSARs”), which updates the previous code of practice, last issued in 2017. This guidance takes into account the relevant provisions of the GDPR and UK Data Protection Act 2018 (“DPA”). The ICO will be consulting on this draft guidance until 12 February … Continue Reading
On Thursday, November 7, we will host the second webinar of our EU Webinar Series, “DPIAs – What You Need To Know.” Data Protection Impact Assessments are required under the GDPR and are indented to help organizations identify data security risks. Many data protection authorities have issued guidelines on when and how to conduct a … Continue Reading
On Tuesday, October 29, we will host the first webinar of our EU Webinar Series, “The Latest on EU Cookie Rules and Tracking Walls.” Topics will include: The impact of the GDPR on the cookie consent requirement The recent guidelines issued by the EU data protection authorities on cookie rules The recent case law and … Continue Reading
The European Data Protection Board has adopted final Guidelines on the processing of personal data using the “necessary perform a contract” lawful basis under Article 6(1)(b) of the GDPR, in the context of the provision of online services. Article 6(1)(b) of the GDPR provides a lawful basis for the processing of personal data to the … Continue Reading
The French Council of State considers legal, the Commission Nationale de l’Informatique et des Libertés (CNIL), decision to engage in a consultation to define the new practical modalities of expression of consent in the matter of targeted advertising, and to grant a period of adaptation to the stakeholders. Context Pending the finalization of the new … Continue Reading
Many websites rely on implied consent to set cookies notwithstanding the fact that website cookies require the same opt-in consent as marketing emails. The UK Information Commissioner’s Office (ICO) has made it clear in its new guidance that “opt-in”’ consent must be obtained to set non-essential cookies, such as analytics cookies. Our team has published … Continue Reading
On 30 April, Squire Patton Boggs and the Digital Policy Alliance held an event entitled “Data Governance Under the GDPR: Are DPOs the Best Solution?” The aim of the session was to explore different approaches to the management of tasks involved in data governance, data protection and compliance, and the advantages and disadvantages of having … Continue Reading
The CNIL blows the whistle for the end of the transition period. For the first time, the CNIL’s 2019 investigation program is not specific to an industry and potentially impacts controllers and processors throughout all sectors of business. Going forward, the CNIL will also be more thorough and less lenient. 2019 Program Investigation program CNIL’s … Continue Reading
On Wednesday, April 24, 2019, the new data protection legislation was published in the Czech Collection of Laws and became effective. In doing so, the Czech Republic remedied its legislative deficiency, as it was one of the last EU states lacking the data protection adaptation legislation. (The overview of the current state of GDPR implementation … Continue Reading
The European Data Protection Board (EDPB) has published draft guidelines on the “processing of personal data under the contractual legal basis in the context of the provision of online services to data subjects”. These guidelines are currently open to consultation.… Continue Reading
In today’s globalised world, there are many cross-border transfers of personal data, which are sometimes stored on servers in different countries. Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. … Continue Reading
A hospital became one of the first organisations to face GDPR enforcement in Portugal in July 2018. The hospital received a €400,000 fine from the Portuguese regulator, Comissão Nacional de Protecção de Dados (“CNPD”) for various breaches of the GDPR. The hospital was fined for the following three violations of the GDPR: Breach of the … Continue Reading
The European Commission announced on 23 January 2019 that it has adopted an adequacy decision on Japan (its press release can be found here).[1] This is a result of the assessment process which began on 5 September 2018, the background of which can be found in our previous blog here. Japan’s data protection authority, the … Continue Reading
Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier use consent as a basis for international transfer than was the case under the Directive 95/46? Rules on international transfer under GDPR … Continue Reading
Within the last couple of months, we have noted that Companies increasingly struggle with data subject access requests. The Wording of Art. 15 para. 3 GDPR is Ambiguous As much as Companies understand that they need to confirm whether they process personal data of the individual that issued the request, they oftentimes seem to struggle … Continue Reading
The European Data Protection Board (EDPB) has finally published its long-awaited draft guidelines 3/2018 on the territorial scope of GDPR (article 3) (“Draft Guidelines”). These are now subject to consultation until 18 January 2019. These Draft Guidelines are pertinent to companies outside of the EU seeking to determine whether the General Data Protection Regulation “GDPR” … Continue Reading
Pursuant to Article 35.4 of the RGPD (GDPR), the CNIL has published a list of 14 categories of processing activities for which it deems it necessary to perform a Data Protection Impact Assessment (DPIA). On its website, the CNIL also provides examples of the types of processing activities for each of these categories.… Continue Reading
The GDPR has impacted how organizations in many industries, including advertising, operate. For example, the Committee of Advertising Practice, which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing “CAP Code”, is in the process of updating its prize promotion rules to comply with the stricter requirements under the GDPR, primarily as … Continue Reading
Article 35(4) of the EU General Data Protection Regulation (“GDPR”) states that the supervisory authorities of the EU Member States (“SAs”) shall establish, publish and communicate to the European Data Protection Board (“EDPB”) a list of processing operations that are subject to a requirement for a data protection impact assessment (“DPIA”) under the GDPR.… Continue Reading
Just because 25 May 2018 has passed does not mean that data protection compliance has ended! The Data Protection Act 2018 (“DPA”) works with the GDPR, and introduces additional requirements that businesses will need to watch out for; there are however a number of derogations that are intended to better accommodate business needs.… Continue Reading
