In today’s globalised world, there are many cross-border transfers of personal data, which are sometimes stored on servers in different countries. Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. … Continue Reading
A hospital became one of the first organisations to face GDPR enforcement in Portugal in July 2018. The hospital received a €400,000 fine from the Portuguese regulator, Comissão Nacional de Protecção de Dados (“CNPD”) for various breaches of the GDPR. The hospital was fined for the following three violations of the GDPR: Breach of the … Continue Reading
The European Commission announced on 23 January 2019 that it has adopted an adequacy decision on Japan (its press release can be found here).[1] This is a result of the assessment process which began on 5 September 2018, the background of which can be found in our previous blog here. Japan’s data protection authority, the … Continue Reading
Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier use consent as a basis for international transfer than was the case under the Directive 95/46? Rules on international transfer under GDPR … Continue Reading
Within the last couple of months, we have noted that Companies increasingly struggle with data subject access requests. The Wording of Art. 15 para. 3 GDPR is Ambiguous As much as Companies understand that they need to confirm whether they process personal data of the individual that issued the request, they oftentimes seem to struggle … Continue Reading
The European Data Protection Board (EDPB) has finally published its long-awaited draft guidelines 3/2018 on the territorial scope of GDPR (article 3) (“Draft Guidelines”). These are now subject to consultation until 18 January 2019. These Draft Guidelines are pertinent to companies outside of the EU seeking to determine whether the General Data Protection Regulation “GDPR” … Continue Reading
Pursuant to Article 35.4 of the RGPD (GDPR), the CNIL has published a list of 14 categories of processing activities for which it deems it necessary to perform a Data Protection Impact Assessment (DPIA). On its website, the CNIL also provides examples of the types of processing activities for each of these categories.… Continue Reading
The GDPR has impacted how organizations in many industries, including advertising, operate. For example, the Committee of Advertising Practice, which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing “CAP Code”, is in the process of updating its prize promotion rules to comply with the stricter requirements under the GDPR, primarily as … Continue Reading
Article 35(4) of the EU General Data Protection Regulation (“GDPR”) states that the supervisory authorities of the EU Member States (“SAs”) shall establish, publish and communicate to the European Data Protection Board (“EDPB”) a list of processing operations that are subject to a requirement for a data protection impact assessment (“DPIA”) under the GDPR.… Continue Reading
Just because 25 May 2018 has passed does not mean that data protection compliance has ended! The Data Protection Act 2018 (“DPA”) works with the GDPR, and introduces additional requirements that businesses will need to watch out for; there are however a number of derogations that are intended to better accommodate business needs.… Continue Reading
What’s New? On 5 September 2018, the EU Commission commenced proceedings to adopt an Adequacy Decision in relation to Japan’s protection of personal data by issuing a draft ‘Commission Implementing Decision’. This is an important step towards the culmination of discussions between the EU and Japan that were initiated in January 2017, with the aim … Continue Reading
The General Data Protection Regulation (GDPR) was incorporated into the EEA Agreement by the EEA Joint Committee in Brussels and entered into force in mid-July. The European Economic Area (EEA) currently includes all EU Member States, including, for the time being, the UK, as well as the three out of four EFTA States meaning Iceland, Liechtenstein and … Continue Reading
The General Data Protection Regulation (GDPR) applicable since 25 May 2018 , modifies the legal rules on the use of biometric data. The processing of biometric data for the purpose of “uniquely identifying a natural person” is, as a matter of principle, prohibited under Article 9 GDPR . Amongst the authorised exceptions is the processing “necessary … Continue Reading
The French data protection authority (CNIL) has published its annual investigation program for 2018, which is the first since the GDPR came into force on May 25, 2018. The report indicates that the CNIL intends to conduct over 300 investigations (onsite, online or per request of documentation or formal hearing) and will focus on the … Continue Reading
Regulators across Europe, have recorded a sharp increase in the number of data-related complaints and data breach notifications since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The GDPR has radically reshaped how businesses can collect, use and store personal information. As a result of the new and expanded rights … Continue Reading
The final countdown has started, there are a few days left before GDPR takes effect on Friday 25 May 2018. What are you doing about compliance? If you need assistance, in the EU or outside the EU, for your GDPR compliance program do not hesitate to contact a member of our global Data Protection … Continue Reading
Change is the order of the day for the automotive industry. Cars are going solo. Traffic tests of autonomous cars are occurring all over the world, even if scientists differ on whether the technology is ready to be deployed in everyday traffic. However, this concerns mainly safety issues, such as the physical safety of passengers … Continue Reading
“Are we prepared for the GDPR?” Not nearly as many companies as should be are asking themselves this question. As such, we have prepared this short post for those that are barely or not at all prepared for General Data Protection Regulation (GDPR) compliance – as 25 May 2018, the day GDPR will enter into … Continue Reading
The obligation on controllers to pay a fee will remain in place following the implementation of the General Data Protection Regulation, the GDPR, on 25 May 2018. The fees act as the main source of funding for the UK’s data protection supervisory authority, the Information Commissioner’s Office (the ‘ICO’). The Government, which has a statutory … Continue Reading
What is CCTV? CCTV means closed-circuit television, also known as video surveillance. Video surveillance systems monitors the behavior, activities, or other changing information, usually, of people from a distance by means of electronic equipment. Video surveillance can include anything from closed circuit television or automatic number-plate recognition systems, to any other system for recording, storing, … Continue Reading
As 2018 picks up steam from its start, we are beginning to see traction in relation to various new regional data privacy and cybersecurity laws. Many of the provisions seem designed to enable countries to seek an EU Adequacy Finding, which is akin to the Privacy Shield provisions between the EU and the US. This … Continue Reading
Happy New Year! With 2018 off to a rapid start, companies now have fewer than five months to become GDPR-compliant. Although the basic principles and obligations enshrined in the GDPR are not new, the GDPR contains a complex, interlinked series of requirements whose practical application to real world situations is often very unclear. The Article … Continue Reading
On December 13, 2017 the French Ministry of Justice published a draft law to accompany the implementation within France of the General Data Protection Regulation 2016/679 (GDPR) and the Directive 2016/680, governing the handling of data in law enforcement situations. The following are some of the noticeable change brought by the draft law with respect … Continue Reading
