Since the GDPR came into force in May 2018, data privacy compliance has become increasingly relevant during M&A transactions throughout the EU. A buyer may ultimately be responsible for the historical data protection law breaches of the target business and for picking up the costs of dealing with any data security breaches that occurred pre-completion of … Continue Reading
Wednesday 2 December 2020, Noon – 12:30 p.m. GMT. As reported on this Blog, on 12 November 2020, the European Commission published a draft decision and draft standard contractual clauses for the transfer of personal data to third countries. Once approved, organisations that rely on SCCs for transfers will have a one-year grace period to … Continue Reading
This continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous … Continue Reading
Several important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller … Continue Reading
We continue our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (“draft Guidelines”) issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This issue focuses on the updates to the concept of joint controller. See our previous issues on the draft … Continue Reading
This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”) issued on 7 September 2020 by the European Data Protection Board (“EDPB”). This post focuses on the updates to the concept of controller. See our previous post regarding … Continue Reading
Is your website privacy policy current? Is it GDPR compliant? Does it reference the EU-U.S. Privacy Shield? Attend our Webinar, Essential Practices for Website Privacy Policies presented by Annette Demmel and Mareike Lucht. The takeaways from this session will include: The essential elements of a privacy notice, including how and when to inform Critical steps … Continue Reading
This is the first in a series of posts that discuss the key concepts and issues addressed in a set of draft guidelines recently issued by the European Data Protection Board (“EDPB”). Comments on the draft guidelines are due by 19 October 2020. Part 1: Focus on Processors. On 7 September 2020, the EDPB published … Continue Reading
A new data protection law came into force in the Dubai International Financial Centre (DIFC) on 1 July 2020. The new law, Law No. 5 of 2020 (DIFC DP Law), which repeals the Data Protection Law No. 1 of 2007, bears striking similarities to the EU’s General Data Protection Regulation (GDPR). The Law applies to controllers … Continue Reading
On 16 July 2020, the Court of Justice of the EU (“CJEU” or the “Court”) delivered another landmark decision on international data transfers – the so-called Schrems II judgment. In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework (“Privacy Shield”), on which thousands of US companies have … Continue Reading
Maintaining a positive and productive work environment helps retain valued employees and aids in recruiting new talent, ultimately saving costs and providing an advantage over competitors. To monitor employee satisfaction, organizations are increasingly turning to conducting workplace surveys. On June 16, 2020 at 4:00 p.m. CEST Annette Demmel and Tarek Hajj-Khalil of our Data Privacy & … Continue Reading
A cyber-attack on budget airline EasyJet that has resulted in the exposure of the email addresses and flight details of 9 million of its customers and the credit card details of 2,208 of them is a reminder to all of the vulnerabilities, risks and obligations in relation to personal data. Two years on from the … Continue Reading
The ongoing Coronavirus pandemic and related Government guidance, requiring social distancing and individuals to work from home where possible, has resulted in many organisations rapidly having to adapt the way in which they operate. Despite the unprecedented challenges that will need to be faced over the coming weeks, including in many cases significantly reduced resources … Continue Reading
It has been almost two years since the GDPR came into force and now the European Commission (“EC”) is set to undertake a review and eventually report on issues regarding the application of the GDPR. Specifically, the EC will report on the international transfer provisions and cooperation and consistency mechanisms between supervisory authorities. The EC … Continue Reading
The reorganization of the Personal Data Protection Office (UODO), which took place in December 2019, warrants an assumption that 2020 will see increased activity from the supervisory authority. The UODO’s creation of three new departments indicates that the officers intend to specialize further to boost the efficiency of personal data protection inspections, in particular data … Continue Reading
On February 10, 2020, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) initiated its first public consultation procedure on the anonymization of personal data, with a particular focus on providers of electronic communication services. As the European Commission Communication in A European Strategy for Data recognized, anonymized data may be used … Continue Reading
Now that the GDPR has been in force for nearly two years, the UK’s Information Commissioner’s Office (“ICO”), along with a number of other EU supervisory authorities, has begun to issue fines to infringing data controllers and processors for failure to adequately act upon their personal data breach notification obligations and protect personal data they … Continue Reading
At present, companies acting as data controllers lack uniform interpretation of the rules that guide their compliance efforts to respond to data subject rights requests under the EU General Data Protection Regulation. Nevertheless, controllers are expected to adopt internal processes to address such requests in accordance with the applicable legislation. While some EU data protection … Continue Reading
The ICO has recently launched a call for views on criminal convictions and offences data, or related security measures, under Article 10 of the GDPR. It is specifically consulting on market practice and understanding in this area. The Legal Framework: The legal framework surrounding the collection and use of criminal convictions data is complex and … Continue Reading
Under Article 87 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), member states may define the specific conditions for the processing of a national identification number or any other identifier of general application. As discussed below, France has made an interesting application of this rule regarding, in particular, the social security number. … Continue Reading
Partner Rosa Barcelo sat down with OneTrust DataGuidance for their “Thought Leaders In Privacy” segment, to discuss major data privacy issues that have been a focus over the past year, as well as provide insights for organisations looking to comply with recent guidance issued by the CNIL and ICO, key points regarding proposed ePrivacy Regulations … Continue Reading
An unhappy new year for Currys PC World and Dixons Travel stores, as the ICO has issued owners DSG Retail Limited with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores. Although the incident was investigated and addressed under the pre-GDPR legislation, the fine represents the … Continue Reading
Article 3(2) of the GDPR and the second criterion: Targeting criterion. Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). Our first post in this series examined the “Establishment” criterion. In this post, we will move … Continue Reading
The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the … Continue Reading