Shift from a territory-based to jurisdiction-based approach to international data transfers. The European Commission’s draft decision implementing renewed SCCs (‘draft’) seems to change the general understanding of what an ‘international data transfer’ is, as Article 1 of the draft points to 'the transfer of personal data from a controller or processor subject to Regulation … Continue reading Shift from a territory-based to jurisdiction-based approach to international data transfers.
The EDPB has now adopted its Guidelines 04/2019 on Article 25 Data Protection by Design and by Default after public consultation. This post briefly shares 3 key thoughts and conclusions from the Guidelines which might not seem so obvious at first sight. 1. Be sure to understand not only literal and … Continue reading The EDPB has now adopted its Guidelines 04/2019 on Article 25 Data Protection by Design and by Default after public consultation
I remember myself criticising new EDPB Guidelines 07/2020 for obvious mistakes in choosing an approach for giving explanations: https://virtualshadows.wordpress.com/2020/09/13/do-new-guidelines-07-2020-on-the-concepts-of-controller-and-processor-in-the-gdpr-guidelines-really-help-to-identify-joint-controllership/ Today I came across an article from Herbert Smith Freehills (see the link below) and, ironically, found the same thought I had a month ago: "the guidelines do not appear to add much clarity with respect to the … Continue reading 7 practical takeaways from the EDPB Guidelines 07/2020 (by Herbert Smith Freehills)
Swedish DPA #datainspektionen has updated its guidance as to how personal data should be processed in employment relationships. The information is primarily addressed to employers in both the private and public sectors. It can also help workers, job seekers, trade unions and trade associations. Original text is in Swedish but can be easily translated into English via … Continue reading Swedish DPA has updated its guidance for employment sector.
While many transnational companies continue to feel a headache after 'Schrems II' hit in July, the problem for SMEs looks simpler and more trivial: they seem to be unable to meet even more general and clear data protection requirements without external help. This can return us to early talks (they are sometimes heard now, though) that … Continue reading CNIL partners with Order of Chartered Accountants to help SME to improve their compliance with the GDPR.
It was announced last week that the EU Data Protection Code of Conduct (CoC) for Cloud Service Providers is now underway. Designed as a safeguard for international data transfers under the GDPR Article 46(2) in a post-‘Schrems II’ world, the CoC might become an interesting one by itself. At the same time, it still … Continue reading CoC for Cloud Service Providers is now underway
Allocating roles within a group of different actors can often become very difficult, in particular when drawing a line between joint decisions and separate ones gets tricky. Say that a parent company offers its subsidiaries the use of a new uniform online platform for the processing of orders placed by customers entering into a supply contract … Continue reading Do new Guidelines 07/2020 ‘on the concepts of controller and processor in the GDPR’ (‘Guidelines’) really help to identify joint controllership?
Organizing your data transfers to 3rd countries in a post-'Schrems II' world might become a truly daunting task. But what should definitely be avoided? Learn from this short video. https://youtu.be/8dz7bYicWU0
Why do I think so? It stems from a superb article written by the IAPP authors who skilfully and clearly explain (for the first time ever?) how to tackle the issues raised in the CJEU’s decision and to continue data transfers to the USA based on supplemented SCC (see the link below). Just take a deeper look … Continue reading International companies transferring personal data to multiple 3rd countries are unlikely to soon find a 100% workable approach to address ‘Schrems II’ implications.
It's been more than two weeks since the CJEU announced its 'Schrems II' decision, introducing the requirement to evaluate the legal landscape in third countries (those of data importers) and put additional safeguards in place, as necessary, even if the data are transferred to third countries other than the USA based on SCC or BCR. FAQ issued … Continue reading Two money-saving starting points on how to meet the requirement to assess the level of protection in third countries.