Tag Archives: GDPR

Four months until GDPR: Which EU countries are ready? How relevant are these laws?

The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. It will attempt to standardize data protection law throughout the European Union. The GDPR will not be fully harmonized since the law has more than 70 opening clauses that will leave room for the EU Member States’ legislators to implement (stricter, … Continue Reading

Article 29 Working Party releases guidelines on transparency under the GDPR

On 11 December 2017, the Article 29 Working Party (Art 29 WP) published its draft guidance on transparency. The guidelines are open for consultation until 23 January 2018. The Art 29 WP analyse the elements of transparency required by the General Data Protection Regulation (GDPR). They also provide further details on the information that data … Continue Reading

Article 29 Working Party publishes updated guidance on adequacy referential

On 28 November 2017, the Article 29 Working Party (‘WP29’) published a working document updating its previous guidance on transfers of personal data to third countries (WP12), (‘WP29 Document’). WP29 has reviewed its earlier guidance in the context of the General Data Protection Regulation (‘GDPR’) and recent case law of the European Court of Justice … Continue Reading

Article 29 Working Party releases guidelines on consent under the GDPR

On 28 November 2017, the Article 29 Working Party (“WP29”) published its guidelines on consent under the General Data Protection Regulation (“GDPR”). The guidelines are open for public consultation until 23 January 2018. They provide an analysis of the concept of consent. They also provide practical guidance for organisations on the requirements to obtaining and … Continue Reading

Article 29 Working Party issues new guidelines for Binding Corporate Rules

The Article 29 Working Party (WP29) has published updated guidelines on Binding Corporate Rules (BCRs) to reflect the requirements set out in the General Data Protection Regulation (GDPR). The two documents, which replace previous WP29 working papers (WP 153 and WP 195) and remain open for public consultation until January 17, 2018, are: (i) Working … Continue Reading

Pre-Christmas Update on the ePrivacy Regulation

The General Data Protection Regulation (“GDPR”) will enter into force 25 May 2018, and will provide new general data protection standards. In its draft ePrivacy Regulation of 10 January 2017 (“ePrivacy Regulation”), which includes specific provisions for electronic communications, the European Commission sought to ensure that both sets of rules will enter into force at … Continue Reading

ENISA publishes report on recommendations for data protection certification mechanisms under the GDPR

On 27 November 2017, the European Union Agency for Network and Information Security (“ENISA”) published a report on Recommendations on European Data Protection Certification (“Report”). The aim of the Report is to identify and analyse challenges and opportunities of data protection certification mechanisms, as introduced by the General Data Protection Regulation (“GDPR”). The Report provides … Continue Reading

Article 29 Working Party publishes guidelines on automated individual decision making and profiling.

On 17 October 2017, the Article 29 Working Party (“Art 29 WP”) published draft guidelines on automated individual decision-making and profiling (“Guidelines”). In the Guidelines, the Art 29 WP states that profiling and automated decision making can be useful for individuals and organisations by delivering increased efficiencies and resource savings, whilst recognising that they may … Continue Reading

Article 29 Data Protection Working Party Publishes Final Guidelines on Data Protection Impact Assessments

Background On 4 October 2017, the Article 29 Working Party (“WP29”) released its final guidelines on Data Protection Impact Assessments (“DPIA”), which were initially proposed in draft form in April 2017. Article 35 of the General Data Protection Regulation (“GDPR”) provides that the controller shall carry out an assessment of the impact of the envisaged … Continue Reading

European Court of Justice provides guidance on “tasks carried out in the public interest.”

On 27 September 2017, the European Court of Justice (“ECJ”) handed down its preliminary ruling to the Supreme Court of the Slovak Republic (“Supreme Court”) regarding the interpretation of “a task carried out in the public interest” as a legitimate basis for processing personal data under Article 7(e) of the Data Protection Directive (95/46/EC) (“Directive”) … Continue Reading

EDPS releases recommendations on ePrivacy Regulation – Still a long way to go

We are only eight months away from the new EU data protection regime entering into force. In addition to the General Data Protection Regulation (“GDPR”), which includes the general data protection provisions, the ePrivacy Regulation shall provide specific rules for electronic communications. However, the legislative process of the ePrivacy Regulation is still in its early … Continue Reading

ICO publishes draft guidance on contracts and liabilities under the GDPR

The UK’s Information Commissioner (ICO) has published draft GDPR guidance on contracts and liabilities between controllers and processors. The draft guidance is currently open for consultation,with responses due by 10 October 2017. The purpose of the guidance is to help organisations understand what needs to be included in written contracts between controllers and processors under … Continue Reading

Updated Draft of ePrivacy Regulation: Still Hampering Innovation

On 8 September 2017, the European Council published its first revisions (“Revised Draft”) to the draft EU ePrivacy Regulation (version COM(2017) 10 of 10 January 2017, “ePrivacy Regulation”). The Revised Draft is based on the discussions held in previous meetings of the European Union’s Working Party for Telecommunications and Information Society (“WP TELE”), and on comments … Continue Reading

Draft of the Data Protection Bill Published by the UK Government

On 14 September 2017, the Government published the long-awaited draft of the Data Protection Bill (the Bill). The Bill will incorporate the General Data Protection Regulation (EU) 2016/679 into UK law. While the Bill will repeal the existing Data Protection Act 1998 (the DPA), it preserves many of the tailored exemptions which continue to exist … Continue Reading

ICO sets the record straight on data breach reporting under the GDPR

The latest in the series of blogs from the UK Information Commissioner’s Office (ICO) looks at some of the myths around data breach reporting under the General Data Protection Regulation (GDPR). Given the misleading press stories on this topic, the ICO’s blog should provide some welcome clarification for concerned businesses as they prepare to comply … Continue Reading

First judgment on GDPR by German administrative court

The General Data Protection Regulation (“GDPR”) will become applicable 25 May 2018. Even though the GDPR entered into force 24 May 2016, its provisions will be binding and enforceable only from 25 May 2018. In advance of the applicability of the GDPR, the German Administrative Court Karlsruhe (“AC Karlsruhe”) already had to decide on it … Continue Reading

Government announces proposals for a new Data Protection Bill

The government has released a Statement of Intent (“the Statement”) for a new Data Protection Bill (“the Bill”). The Bill was originally announced in the Queen’s Speech earlier this year (see our previous blog on this). This Statement provides further detail on the government’s proposed reforms to data protection laws in the UK. The Bill … Continue Reading

Europe Explores Data Ownership

Machine-generated data is a hot commodity, but who owns this information? As more and more valuable data are generated, should there be legislation to establish ownership and, potentially, access rights? The European Commission conducted a public consultation, “Building a European Data Economy,” to find out. The consultation addressed key factors, such as the question to … Continue Reading

Fines under GDPR – German DPAs provide guidance

The German Data Protection Authorities (“DPAs”) released a paper on fines under Art. 83 General Data Protection Regulation (“GDPR”) in July 2017. Fines are hanging like a Sword of Damocles over the organizations that are getting ready for GDPR, since the upper limits of fines have been increased substantially. For example, German DPAs can currently … Continue Reading

House of Lords publishes report on Brexit and the EU Data Protection Package

The House of Lords EU Home Affairs Sub-Committee (“the Committee”) has published a report on the EU Data Protection Package and the impact of Brexit (“the Report”). The Report considers the implications of the UK’s exit from the EU for cross-border data transfers, and for UK data protection policy more generally. The Report looks at … Continue Reading

House of Commons publishes briefing paper on Brexit and data protection

The House of Commons Library, which aims to provide impartial research and analysis to MPs and their staff, has published a briefing paper on the impact of Brexit on data protection law in the UK (“the Paper”). The Paper summarises the background to EU data protection law and notes that inconsistent implementation of the Data … Continue Reading

Article 29 Working Party releases detailed opinion on data processing in the workplace

The Article 29 Working Party (“WP29”) recently published an opinion on data processing at work (“Opinion”). The Opinion restates the position and conclusions in WP29’s 2001 Opinion on processing personal data in the employment context (WP48), and its 2002 WP55 Working Document on the surveillance of electronic communications in the workplace. However, it addresses the … Continue Reading

Bavarian DPA has released GDPR implementation audit questionnaire

The Bavarian Data Protection Authority (“Bavarian DPA”) has published an English-language version of a GDPR implementation audit questionnaire (“Questionnaire”). The Questionnaire is available here. The Questionnaire has been previously released in German. Content of the Questionnaire The Questionnaire includes questions on six topics: Structure and responsibility in the company • For example, is there awareness … Continue Reading

ICO publishes International Strategy

The Information Commissioner’s Office (“ICO”) has released its International Strategy 2017-2021  (“Strategy”). The Strategy supports its Information Rights Strategic Plan, which we reported on earlier this year. The first part of the Strategy refers to the challenges and priorities for the next five years, particularly in light of changes brought about by the General Data … Continue Reading
LexBlog