On 19 January 2021, the Information Commissioner’s Office (ICO), published a letter dated 11 September 2020, available here, explaining that personal data transfers from UK based companies to the Securities and Exchange Commission (SEC) for the purposes of regulatory compliance may be permitted under the General Data Protection Regulation (GDPR). Background Firms regulated by the … Continue Reading
The French data protection authority (CNIL) rendered three major decisions impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. These decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that … Continue Reading
With the end of the Brexit transition period quickly approaching on 31 December 2020, the future of international data transfers between the UK and the European Union (EU) and European Economic Area (EEA) remains somewhat unclear. As background, Article 44 of the General Data Protection Regulation (GDPR) prohibits the transfer of personal data from the … Continue Reading
On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here). The current SCCs were adopted by the Commission before the GDPR came into force. The CJEU’s decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will … Continue Reading
On 12 November 2020, the European Commission released its first draft set of clauses covering the Article 28 GDPR requirements, for consultation (available here). Article 28 of the GDPR governs the relationship between controllers and processors. In particular, Articles 28(3) and (4) outline the details that must be included in a data processing agreement between … Continue Reading
On 11 November 2020, the Court of Justice of the European Union (CJEU) in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Case C-61/19) delivered its preliminary ruling on the issue of valid consent under the General Data Protection Regulation 2016/679/EU (GDPR) and Directive 95/46/EC. You can read … Continue Reading
On 11 November 2020, the European Data Protection Board (EDPB) released recommendations on supplementary measures for international transfers (here) and recommendations on the European Essential Guarantees for surveillance measures (here), following the Schrems II decision (see our previous blog here). As a result of the Schrems II decision, data exporters who use certain transfer mechanisms as an appropriate … Continue Reading
On 21 October 2020, almost a year after the UK’s Information Commissioner Office (ICO) provided draft guidance on the right of access, the ICO published its updated guidance on data subject access requests (DSARs), available here (Guidance). In a previous post available here, we covered what DSARs are and the principles areas of focus of … Continue Reading
On 20 October 2020, the European Data Protection Board (EDPB) met for its 40th plenary session. During the session, the EDPB adopted final guidelines on Data Protection by Design and by Default (DPbDD) (available here) (the guidelines). See our blog post on the draft DPbDD guidelines, available here. As a quick reminder, the obligation to … Continue Reading
On 8 October 2020, the European Data Protection Board (EDPB) published new guidelines on relevant and reasoned objection under the General Data Protection Regulation (GDPR). The guidelines cover the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which supervisory authorities have a duty to exchange all relevant information with each … Continue Reading
In September 2020, the European Data Protection Board (EDPB) released new guidelines on the targeting of social media users (Guidelines) for consultation. Background The Guidelines address the privacy risks and legal issues that arise when social media services are used to direct specific messages to users based on particular criteria, such as the users’ perceived … Continue Reading
The German data protection authority of the federal state of Baden-Württemberg (LfDI BW) has issued detailed guidance (Guidance) on international data transfers this August and September. This is the first official guidance by a data protection authority following the decision of the Court of Justice of the European Union (CJEU) in the Schrems II case … Continue Reading
Class actions are widely known for their popularity in the United States. These types of actions are now developing in the UK because of recent data breach litigations. In the UK, group litigation can arise in two different scenarios: Group Litigation Order (“GLO”) or representative actions. GLOs are orders given by the Courts to manage … Continue Reading
On 2 September 2020, the European Data Protection Board (‘EDPB’) published new guidelines on the concepts of controller and processor in the General Data Protection Regulation (‘GDPR’). These guidelines are open for public consultation until 19 October 2020. The new guidelines will replace the previous guidelines on the same concepts, which were issued by the … Continue Reading
The UK’s Information Commissioner’s Office (“ICO”) published earlier this month its Accountability Framework, available here. The Accountability Framework is designed to assist companies demonstrate compliance with their accountability obligation under the General Data Protection Regulation (“GDPR”) and assess whether their current measures meet the ICO’s expectations. The Accountability Framework consists of ten categories where the … Continue Reading
On 11 August 2020, the Court of Appeal published its decision challenging the High Court’s approval of South Wales Police’s (‘SWP’) use of CCTV facial recognition. We wrote about the High Court’s judgment in September last year, which can be viewed here. As a quick recap of the case, SWP used CCTV automated facial recognition … Continue Reading
Recent cases have highlighted the continued tensions between the GDPR and U.S. demands for discovery in the context of U.S. litigation and investigations. This issue can present a real concern for companies operating on both sides of the pond seeking to comply with obligations on either side. Whilst the GDPR provides EU citizens with valuable … Continue Reading
On 26 May 2020, the German Data Protection Authorities (German DPAs) issued guidelines on measures to protect personal data transferred via email (Guidelines; available in Germen here). The Guidelines outline requirements for procedures to send and receive emails that must be met by data controllers, data processors and public email service providers (Email Service Providers) … Continue Reading
On 25 May 2020, the European Data Protection Board (EDPB) issued its opinions on draft decisions of certain national supervisory authorities on certification and code of conduct monitoring bodies’ accreditation requirements. This includes opinions on the draft decisions from supervisory authorities in: Finland, Germany, Ireland, and Italy, on the approval of the requirements for accreditation … Continue Reading
On 28 April 2020, the Belgian data protection authority (DPA) fined a company €50,000 for having appointed its head of compliance, risk and audit as its data protection officer (DPO). The DPA’s decision is only available in Dutch (here) and in French (here). What was the breach? The reason for the fine was not that the DPO had … Continue Reading
A Dutch court has held that a grandmother was in breach of the General Data Protection Regulation (GDPR) for posting pictures of her grandchildren on social media platforms without their parents’ consent and refusing to delete them after multiple requests. The GDPR does not apply to the processing of personal data by an individual “in … Continue Reading
The current outbreak of coronavirus disease (COVID-19) is causing the world to struggle. It is clear that coronavirus is a threat to all human beings. It has also become clear that coronavirus is a threat to the health of the world economy and businesses. On March 11, 2020 the World Health Organization (WHO) characterized the … Continue Reading
Since coming into effect in 2014, Singapore’s personal data protection law has been active enforcing the law since its passing. The law applies to all organizations operating in Singapore, regardless of their size and the nature of their business. Companies that employ personnel in Singapore must take note of how Singapore data protection law applies … Continue Reading
Modern businesses have a more global reach than ever before. Technology has fundamentally changed the way employees work, communicate and collaborate. While global connectivity offers businesses opportunities, it also creates substantial challenges when it comes to archiving communications. Earlier this month, we co-hosted a thought leadership event in New York City with Smarsh, a multinational … Continue Reading
