GDPR


Anonymization of Personal Data with Focus on Traffic Data:  First Public Consultation Procedure by the Federal German Data Protection Office

On February 10, 2020, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) initiated its first public consultation procedure on the anonymization of personal data, with a particular focus on providers of electronic communication services.  As the European Commission Communication in A European Strategy for Data recognized, anonymized data may be used … Continue Reading

Data Breach Enforcement in the UK and in the EU: Cross-Border Issues

Now that the GDPR has been in force for nearly two years, the UK’s Information Commissioner’s Office (“ICO”), along with a number of other EU supervisory authorities, has begun to issue fines to infringing data controllers and processors for failure to adequately act upon their personal data breach notification obligations and protect personal data they … Continue Reading

Absent Guidelines, Many Questions on Facilitating DSARs

At present, companies acting as data controllers lack uniform interpretation of the rules that guide their compliance efforts to respond to data subject rights requests under the EU General Data Protection Regulation. Nevertheless, controllers are expected to adopt internal processes to address such requests in accordance with the applicable legislation. While some EU data protection … Continue Reading

ICO Consults on the Processing of Criminal Convictions Personal Data

The ICO has recently launched a call for views on criminal convictions and offences data, or related security measures, under Article 10 of the GDPR. It is specifically consulting on market practice and understanding in this area. The Legal Framework The legal framework surrounding the collection and use of criminal convictions data is complex and … Continue Reading

Use of the Social Security Number in France

Under Article 87 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), member states may define the specific conditions for the processing of a national identification number or any other identifier of general application. As discussed below, France has made an interesting application of this rule regarding, in particular, the social security number. … Continue Reading

Thought Leaders In Privacy: An interview with Rosa Barcelo

Partner Rosa Barcelo sat down with OneTrust DataGuidance for their “Thought Leaders In Privacy” segment, to discuss major data privacy issues that have been a focus over the past year, as well as provide insights for organisations looking to comply with recent guidance issued by the CNIL and ICO, key points regarding proposed ePrivacy Regulations … Continue Reading

ICO Issues Fine Against National Retailer for Security Failings

An unhappy new year for Currys PC World and Dixons Travel stores, as the ICO has issued owners DSG Retail Limited with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores. Although the incident was investigated and addressed under the pre-GDPR legislation, the fine represents the … Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 2)

Article 3(2) of the GDPR and the second criterion: Targeting criterion   Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)).  Our first post in this series examined the “Establishment” criterion. In this post, we will move … Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 1)

The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the … Continue Reading

ICO Consults on Draft Subject Access Request Guidance

The ICO has published draft guidance (the “guidance”) on data subject access requests (“DSARs”), which updates the previous code of practice, last issued in 2017. This guidance takes into account the relevant provisions of the GDPR and UK Data Protection Act 2018 (“DPA”). The ICO will be consulting on this draft guidance until 12 February … Continue Reading

EU Webinar Series – DPIAs – What You Need to Know

On Thursday, November 7, we will host the second webinar of our EU Webinar Series, “DPIAs – What You Need To Know.” Data Protection Impact Assessments are required under the GDPR and are intended to help organizations identify data security risks. Many data protection authorities have issued guidelines on when and how to conduct a … Continue Reading

When is it ‘Necessary’ to Process Personal Data to Perform a Contract?

The European Data Protection Board has adopted final Guidelines on the processing of personal data using the “necessary perform a contract” lawful basis under Article 6(1)(b) of the GDPR, in the context of the provision of online services. Article 6(1)(b) of the GDPR provides a lawful basis for the processing of personal data to the … Continue Reading

Claims Against the CNIL’s Decision to Grant an Adaptation Period for Compliance on Cookie Consent Rules Dismissed

The French Council of State considers legal the decision of the Commission Nationale de l’Informatique et des Libertés (CNIL) to engage in a consultation to define the new practical modalities of expression of consent in the matter of targeted advertising, and to grant a period of adaptation to the stakeholders. Context Pending the finalization of the new … Continue Reading

Cookie Guidance from the UK ICO

Many websites rely on implied consent to set cookies notwithstanding the fact that website cookies require the same opt-in consent as marketing emails. The UK Information Commissioner’s Office (ICO) has made it clear in its new guidance that “opt-in” consent must be obtained to set non-essential cookies, such as analytics cookies. Our team has published … Continue Reading

Are DPOs the Best Solution?

On 30 April, Squire Patton Boggs and the Digital Policy Alliance held an event entitled “Data Governance Under the GDPR: Are DPOs the Best Solution?” The aim of the session was to explore different approaches to the management of tasks involved in data governance, data protection and compliance, and the advantages and disadvantages of having … Continue Reading

No More Games! The CNIL Publishes its 2018 and 2019 Activity Report

The CNIL blows the whistle for the end of the transition period.  For the first time, the CNIL’s 2019 investigation program is not specific to an industry and potentially impacts controllers and processors throughout all sectors of business. Going forward, the CNIL will also be more thorough and less lenient. 2019 Program Investigation program CNIL’s … Continue Reading

The Czech Republic: GDPR Adaptation Legislation Becomes Effective

On Wednesday, April 24, 2019, the new data protection legislation was published in the Czech Collection of Laws and became effective. In doing so, the Czech Republic remedied its legislative deficiency, as it was one of the last EU states lacking the data protection adaptation legislation. (The overview of the current state of GDPR implementation … Continue Reading

Understanding the Layered Approach to International Data Transfers Under GDPR

In today’s globalised world, there are many cross-border transfers of personal data, which are sometimes stored on servers in different countries. Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. … Continue Reading

GDPR Enforcement: Portugal

A hospital became one of the first organisations to face GDPR enforcement in Portugal in July 2018. The hospital received a €400,000 fine from the Portuguese regulator, Comissão Nacional de Protecção de Dados (“CNPD”) for various breaches of the GDPR. The hospital was fined for the following three violations of the GDPR: Breach of the … Continue Reading

Does the GDPR Allow for the Use of Consent for the International Transfer of Data?

Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier to use consent as a basis for international transfer than was the case under the Directive 95/46? Rules on international transfer under GDPR … Continue Reading

Data Subject Access Rights – and the Requirement to Issue a Copy of the Undergoing Processing

Within the last couple of months, we have noted that Companies increasingly struggle with data subject access requests. The Wording of Art. 15 para. 3 GDPR is Ambiguous As much as Companies understand that they need to confirm whether they process personal data of the individual that issued the request, they oftentimes seem to struggle … Continue Reading