The Court of Justice of the European Union (“CJEU”) issued a judgment on the 9th of February 2023 (docket no. C-453/21), which addresses the question of the dismissal of a Data Protection Officer (“DPO”) and the interpretation of Article 38 of the EU GDPR.Continue Reading CJEU rules on DPO conflicts of interest under the GDPR
Data Protection Officer
Belgian DPA fines company €50,000 for appointing DPO with conflicting role
By Cynthia O’Donoghue & Sarah O'Brien on
On 28 April 2020, the Belgian data protection authority (DPA) fined a company €50,000 for having appointed its head of compliance, risk and audit as its data protection officer (DPO). The DPA’s decision is only available in Dutch (here) and in French (here).
What was the breach?
The reason for the fine was not that the DPO had a second role, as this is permitted under article 38(6) of the General Data Protection Regulation (GDPR). The DPA issued the fine because it determined that the DPO’s second role required him to make decisions about the purposes and means of processing personal data, and the making of such decisions is a material conflict of interest, which is a breach of article 38(6) of the GDPR.Continue Reading Belgian DPA fines company €50,000 for appointing DPO with conflicting role
Article 29 Working Party issues guidance on data portability, DPOs and lead supervisory authorities
By Cynthia O’Donoghue & Curtis McCluskey on
As we enter 2017, 2018 doesn’t seem that far away…and with the new General Data Protection Regulation (GDPR) due to come into effect from 25 May 2018, organisations are running out of time to ensure compliance with the new data protection requirements. It is therefore not surprising that the Article 29 Working Party (“Working Party”) is already issuing guidance.
Here, we discuss the Working Party’s recent guidelines on:
Continue Reading Article 29 Working Party issues guidance on data portability, DPOs and lead supervisory authorities
Amendments to Poland’s Data Protection Law Ease the Rules on Data Exports and Data Protection Officers
By Kate Brimsted & Cynthia O’Donoghue on
The Polish Parliament passed the Facilitation of Business Activity Act (source in Polish) which significantly amends the existing Act on Personal Data Protection. The amendments come into force 1 January 2015.
The changes mean that the EU Commission’s approved Standard Contractual Clauses for data transfers (“SCCs”) and approved Binding Corporate Rules (“…
Poland’s Draft Data Protection Law To Alter the Rules for Data Transfer and Data Privacy Officers
By Cynthia O’Donoghue on
A draft of Poland’s new draft data protection law has been released and has the potential to significantly change the rules in Poland governing international data transfers and data privacy officers.
Under existing rules, Poland is an EU member state that does not currently recognise the Standard Contractual Clauses or Binding Corporate Rules (BCRs) as…
German Data Protection Authorities Set Minimum Competency and Independence Requirements for Data Protection Officers
This post was written by Nick Tyler and Moritz Wagner.
The German data protection authorities (DPAs) have recently passed a resolution setting minimum requirements for the competency and independence of company data protection officers (DPOs).
This initiative follows inspections carried out within companies that revealed a generally insufficient level of competency among DPOs, as…