Photo of Asélle Ibraimova

Four years ago, the General Data Protection Regulation (“GDPR”) came into force in the EU. Since then, the GDPR has had a domino effect, as many countries in the world have used it as a model to shape their own rules on the handling of personal data. Given the rapid changes in data protection legislation around the world, legal and compliance teams of multinational organisations are under pressure to keep up with such developments as they continuously adapt their compliance programs in response.

Continue Reading The fourth anniversary of the GDPR: How the GDPR has had a domino effect

As you might know, the new EU SCCs were published last year. The UK has now issued new templates for data transfers that can be used from 21 March 2022. With the UK templates confirmed and available, many multinational organisations with presence in the EU and the UK are gearing up to transition their contracts to the new templates. There are some deadlines to be aware of, which you will find in the ‘key dates to note’ section below.

The main agreements that organisations will need to focus on as part of their transition programme are:

  • template agreements with customers and vendors on processing personal data;
  • existing agreements with customers and vendors; and
  • existing agreements within the group companies.


Continue Reading Time to change to the new EU and UK Standard Contractual Clauses (SCCs)

The arrival of the new EU Standard Contractual Clauses (“EU SCCs”) for international transfers in June 2021 was widely awaited to better understand the new requirements to assess the third-country laws for government access to data prior to using the SCCs following the Court of Justice of the European Union’s (“CJEU”) decision on Schrems II. As a value add, the EU SCCs were updated to reflect the GDPR requirements and also enabled organisations to cover a wider range of data flows than their previous versions due to the addition of ‘processor-to-processor’ and ‘processor-to-controller’ scenarios. Binding Corporate Rules (“BCRs”), another transfer tool available under the EU General Data Protection Regulation (“GDPR”), have not yet been updated to reflect the same flexibility in reflecting the diversity of data flows and presently appear to be limited in use in comparison. It is expected that the European Data Protection Board (“EDPB”) will publish updated BCR requirements in 2022.
Continue Reading So you have got BCRs? You may still need to use the new EU SCCs

Following a consultation in January 2021, the European Data Protection Board (EDPB) has published its finalised guidelines on examples of personal data breaches and whether they are notifiable. These guidelines supplement previous guidance on personal data breach notification: the Opinion on Personal Data Breach Notification (Opinion 03/2014) and the general Guidelines on Personal Data Breach Notification under the GDPR (WP 250), both issued by the EDPB’s predecessor, the Article 29 Working Party.

The new guidelines offer welcome clarification on when notifications are required given that some data protection authorities and commentators have acknowledged over-reporting.

In this article we recap on the key takeaways from the finalised guidelines, focussing on key changes made since the January 2021 consultation, and exploring the challenges of managing data breach notifications in multiple jurisdictions.

Continue Reading New guidelines on personal data breach notifications

On 17 December 2021, the European Commission (the Commission) adopted an adequacy decision for South Korea. This means that free transfers of personal data from the European Economic Area (EEA) to private and public entities in South Korea will be permitted from that date onwards (including remote access from South Korea).

Continue Reading South Korea granted adequacy decision

On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.

On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.

Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).

Continue Reading South Korea – EDPB adopts an opinion on the Commission’s draft adequacy decision

Controllers and processors can demonstrate their compliance with the GDPR by adhering to approved data protection certification mechanisms established by data protection authorities. The ICO has approved such certification mechanism  for three UK GDPR certification schemes, in the following areas:

  1. IT asset disposal – the Asset Disposal and Information Security Alliance (ADISA) have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed. This scheme is for companies who provide IT asset disposal services and focuses on IT asset recovery and data sanitisation. There are currently no certification bodies listed on the ICO’s website to deliver this scheme;
  2. Age assurance – Age Check Certification Scheme (ACCS) have developed this scheme which includes data protection criteria for organisations operating or using age assurance products. These allow organisations to estimate or verify a person’s age so that they can access age restricted products or services; and
  3. Age appropriate design, specifically children’s online privacy. Again developed by ACCS, this scheme provides criteria for the age appropriate design of information society services which are based on the ICO’s Children’s Code. The certification body for both ACCS schemes is Age Check Certification Services Ltd.

The ICO has commented that for these “constantly evolving” areas “enhanced trust and accountability in how personal data is protected is vital”.
Continue Reading The ICO approves the first UK GDPR certification schemes

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends, from product and technology development to operational and compliance issues that practitioners encounter every day.

What’s new in data protection in the EU

It has been a busy few weeks in the EU for all things data protection, particularly data transfers. Cynthia O’Donoghue and Andy Splittgerber walk us through the new Standard Contractual Clauses (SCCs) for international transfers and for controllers to processors, the newly issued EDPB Supplementary Measures Recommendations, and the UK adequacy decision. (18 mins)

M365 in 5: Compliance and governance in M365

E-Discovery consultant Lighthouse returns to our M365 in 5 series for a discussion about the importance of compliance and governance in M365 and collaboration among stakeholders to balance risk and business needs. Reed Smith’s Anthony Diana and Therese Craparo join Lighthouse’s John Holliday to discuss implementing controls and managing data to mitigate risk. (8 mins)

Continue Reading Tune in for the latest updates on our Tech Law Talks podcast

The European Data Protection Board (EDPB) adopted final Recommendations on Supplementary Measures (Recommendations) for data transfers to third countries, published in response to the CJEU ruling in Schrems II. The Recommendations contain a six-step methodology to assess transfers of personal data from the EEA to those countries outside the EEA that have not been approved by the European Commission as providing adequacy. The Recommendations also contain various supplementary measures that can be used if the transfer tools an organisation has selected does provide an equivalent level of protection to that offered under the GDPR and individual’s rights and freedoms under the EU Charter of Fundamental Rights. The Recommendations contain practical guidance where there is “problematic legislation” in an importing country such that public and governmental authorities would be able to access individuals’’ personal data.

The EDPB published draft recommendations for public consultation in November 2020. There are some key changes between the draft and the final Recommendations.  The final draft places a particular focus on the specific circumstances of the transfer in the data transfer assessment. It also calls organisations to review not only laws but also practices of a third country’s surveillance measures by public authorities. The final Recommendations also emphasise that use of the GDPR derogations are meant to be an exception to rule barring transfers of personal data from the EEA to third countries not otherwise deemed adequate.

The Recommendations emphasize that it is the obligation of both data exporters and data importers to ensure the level of protection set by the EU laws when they transfer data to third countries. To comply with the accountability principle under the GDPR, controllers or processors acting as data exporters must ensure that data importers collaborate with them in ensuring protection travels with the data and jointly monitor the measures taken are effective in achieving that aim.
Continue Reading EDPB adopts final recommendations on Supplementary Measures nearly a year after the CJEU’s Schrems II ruling

Today the European Commission issued the new and long-awaited Standard Contractual Clauses, available here (SCCs). These new SCCs contain updates for the GDPR, and replace the three sets of SCCs that were adopted under the previous Data Protection Directive. The SCCs released today include the following modules:

  • Controller to controller transfers,
  • Controller to processor transfers,
  • Processor to processor transfers, and
  • Processor to controller transfers.

The draft SCCs had been open to consultation in December of 2020 (more on our previous blog here). The final drafts issued today will come into effect 20 days after publication on the Official Journal of the European Union, which should be sometime between the 25th and 30th of June 2021.
Continue Reading European Commission issues New Standard Clauses for data transfers outside the EEA: Act within 18 months