Photo of Katalina Bateman

On 21 October 2020, almost a year after the UK’s Information Commissioner Office (ICO) provided draft guidance on the right of access, the ICO published its updated guidance on data subject access requests (DSARs), available here (Guidance).

In a previous post available here, we covered what DSARs are and the principles areas of focus of the draft guidance.

So, what has changed? Overall, the Guidance provides more in-depth advice and further examples to help organisations understand how they can meet Article 15 of the General Data Protection Regulation (GDPR) requirements in handling DSARs.

There are, however, three particular areas of note, where the ICO provided further explanation.
Continue Reading ICO releases updated guidance on data subjects’ right of access

Recent cases have highlighted the continued tensions between the GDPR and U.S. demands for discovery in the context of U.S. litigation and investigations. This issue can present a real concern for companies operating on both sides of the pond seeking to comply with obligations on either side. Whilst the GDPR provides EU citizens with valuable protections on the processing and cross-border transfer of their data, it is not an automatic shield from the demands of U.S. state or federal laws that require the preservation, collection, and potential disclosure of any documentation relevant to a matter – regardless of where it originates or to whom it relates.

The process of U.S. discovery that requires the transfer of potential evidence originating or stored in the EU to the U.S. will often trigger obligations under the GDPR where it involves the processing and cross-border transfer of personal data. While previous cases have shown U.S. courts to be reluctant to allow foreign laws to be a barrier to U.S. discovery, two recent cases have provided insight on the U.S. courts’ approach when dealing with the GDPR in this context.
Continue Reading GDPR vs. U.S. discovery: The conflict continues

The Information Commissioner’s Office (ICO) has updated its guidance on access requests and whether such requests are manifestly unfounded or excessive, providing further clarification to the definitions in the guidance and on how data controllers should respond to such requests. We summarise the key points below.


A data subject has rights under the Data Protection Act 2018 to send requests to the data controller pertaining to their personal data, for example: the right of access (section 45), right to rectification (section 46), right to erasure or restriction of processing (section 47) and requests relating to automated decision-making (section 50).

On the other hand, if a data controller finds requests to be “manifestly unfounded or excessive”, it may refuse to act or charge a reasonable fee for the requests, under section 53. The importance of how the data controller makes this decision has now been considered by the ICO.


The ICO has given further clarification to the meaning of section 53, as summarised below:
Continue Reading Responding to requests: the ICO considers manifestly unfounded and excessive requests


In light of the growing concern over cybersecurity and the increasing complexity of medical device supply chains, the Medical Device Coordination Group has released updated guidance on cybersecurity for medical devices (the Guidance). The Guidance is intended to supplement the essential requirements listed in Annex I of the Medical Devices Regulations (Regulations 745/2017 and

On 25 May 2020, the European Data Protection Board (EDPB) issued its opinions on draft decisions of certain national supervisory authorities on certification and code of conduct monitoring bodies’ accreditation requirements. This includes opinions on the draft decisions from supervisory authorities in:

  • Finland, Germany, Ireland, and Italy, on the approval of the requirements for accreditation of a code of conduct monitoring body under article 41 of the General Data Protection Regulation (GDPR)
  • The Czech Republic, Germany, and Ireland, on the approval of the requirements for accreditation of a certification body under article 43(3) of the GDPR

Continue Reading EDPB publishes opinions on draft decisions of Data Protection Authorities on the accreditation of certification bodies and code of conduct monitoring bodies

On 4 May 2020, the European Data Protection Board (EDPB) adopted an updated set of guidelines on consent (Guidelines) under the General Data Protection Regulation (GDPR). These updates were made to the original guidelines published by the Article 29 Working Party on 10 April 2018, which the EDPB endorsed at its first plenary meeting on 25 May 2018.

As a reminder, when a controller relies on consent as its lawful basis for processing personal data, or is required to obtain consent prior to the use of cookies, such consent must be freely given, specific, informed and an unambiguous indication of an individual’s wishes, in order to be valid. Although the original guidelines provided an in-depth analysis of each of these concepts, the EDPB felt that two specific areas required further clarification:

  • The validity of an individual’s consent to the use of cookies when access to a website’s service or functionality is conditioned on that individual giving such consent (i.e., the use of a ‘cookie wall’)
  • The validity of an individual’s consent to the use of cookies when such consent is given by the individual by scrolling through a website

Consequently, the Guidelines now include updates to the sections entitled “Conditionality” and “Unambiguous indication of wishes”, which clarify these areas.Continue Reading EDPB updates consent guidance to clarify its position on consent to the use of cookies

On 13th May, the European Commission’s eHealth Network published its interoperability guidelines for approved contact tracing mobile applications in the EU, guiding developers when designing and implementing applications and backend solutions to ensure efficient tracing of cross-border infection chains. These guidelines serve as a follow-up action to their previously published ‘Common EU Toolbox for Member States’ on mobile applications to support contact tracing in the EU’s fight against COVID-19 on 15th April.

Why are interoperable apps considered important in the fight again COVID-19? It is almost inevitable that in today’s day and age we would look to technology to be part of the solution. The hope is that interoperable apps will facilitate the tracing of cross-border infection chains, which is particularly valuable for cross-border workers, tourism, business trips and neighbouring countries.
Continue Reading The Commission’s eHealth Network looks to develop the interoperability framework for contact tracing apps

All businesses are concerned with whether their revenue and custom will continue during a crisis.

When their services (more importantly those involving technology) depend on the use of third party suppliers, businesses should also think about their own ability to deliver.

Questions that business managers will be agonising over during a crisis include:

Will our

Since March 11, when the World Health Organization (WHO) officially categorised the coronavirus disease (COVID-19) as a pandemic, it has become clear that the world is immensely struggling with the outbreak. It has even led to a massive slowdown in economic activity, causing volatility and turbulence in the financial markets. Therefore, apart from being a


On October 23, 2019, the European Commission (EC) released its report on a third annual review of the EU-U.S. Privacy Shield. While the report confirms that the U.S. continues to provide an adequate level of protection for personal data transfers in the context of the Privacy Shield, there are some gaps between the expectations of the EC and U.S. authorities, particularly in relation to the lack of transparency concerning U.S. enforcement activities and a lack of co-operation between regulators. You can read our summary on the report via this link.

On Thursday, January 9, 2020, members of the Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) met representatives of the EC and European Data Protection Board to discuss the EC’s 2019 report on the Privacy Shield (link accessible here). An interesting question was raised: Would it be possible for the EC to recognize a single state, e.g., a U.S. state such as California, as an adequate territory for transfers of personal data?Continue Reading The EU-U.S. Privacy Shield: feedback, and potential EU recognition of privacy laws of California and other U.S. states?