CoC for Cloud Service Providers is now underway

It’s been announced last week that the EU Data Protection Code of Conduct (CoC) for Cloud Service Providers is now underway. Designed as a safeguard for the international data transfers under the GDPR Article 46(2) in a post-‘Schrems II’ world, the CoC might become an interesting one by itself. At the same time, it still … Continue reading CoC for Cloud Service Providers is now underway

Do new Guidelines 07/2020 ‘on the concepts of controller and processor in the GDPR’ (‘Guidelines’) really help to identify joint controllership?

Allocating roles within a group of different actors might often become very difficult, in particular when drawing a line between joint decisions and separate ones gets tricky. Say that a parent company offers its subsidiaries to use a new uniform online platform for the processing of orders placed by customers entering into a supply contract … Continue reading Do new Guidelines 07/2020 ‘on the concepts of controller and processor in the GDPR’ (‘Guidelines’) really help to identify joint controllership?

Three things you should NOT do when working with data transfers in a post-‘Schrems II’ world (video)

Organizing your data transfers to 3rd countries in a post-'Schrems II' world might become a truly daunting task. But what should definitely be avoided? Learn from this short video. https://youtu.be/8dz7bYicWU0

International companies transferring personal data to multiple 3rd countries are unlikely to soon find a 100% workable approach to address ‘Schrems II’ implications.

Why I think so? It stems from a superb article written by the IAPP authors who skilfully and clearly explain (for the first time ever?) how to tackle the issues raised in the CJEU’s decision and to continue data transfer to USA based on supplemented SCC (see the link below). Just take a deeper look … Continue reading International companies transferring personal data to multiple 3rd countries are unlikely to soon find a 100% workable approach to address ‘Schrems II’ implications.

Two money-saving starting points on how to meet the requirement to assess the level of protection in third countries.

It's been more than two weeks since CJEU announced its 'Schrems II’ decision, introducing the requirement to evaluate legal landscape in third countries (those of data importers) and put additional safeguards in place, as necessary, - even if the data are transferred to other than USA third countries based on SCC or BCR. FAQ issued … Continue reading Two money-saving starting points on how to meet the requirement to assess the level of protection in third countries.

European Essential Guarantees Guide (‘EEGG’) is now LIVE! with myself being one of the contributors thereto.

EEGG focuses on governmental measures aimed at surveillance, interception of communications, access to personal data and storage thereof by public authorities in different countries. EEGG provides non-binding assessment by expert contributors worldwide of compliance with 'European Essential Guaranties' (summarized by the Working Party 29, the European Data Protection Board predecessor) and subsequent European Court of … Continue reading European Essential Guarantees Guide (‘EEGG’) is now LIVE! with myself being one of the contributors thereto.

DPAs’ guidances to survive in the post-‘Schrems II’ world

IAPP has set up a valuable resource collecting together guidances and statements issued by national DPAs in response to the recent CJEU ruling on the so-called 'Schrems II' case. The IAPP will aim to update the register on an ongoing basis. The link is below: https://iapp.org/resources/article/dpa-and-government-guidance-on-schrems-ii-2/ While privacy pros advise to seek to put in … Continue reading DPAs’ guidances to survive in the post-‘Schrems II’ world

Ambiguous status of SCC under the ‘Schrems II’ decision

As all privacy community already know, the CJEU has today struck down EU-US Privacy Shield scheme, while confirming the validity of SCC. Arguments against Privacy Shield has changed little since the 'Schrems I' decision that invalidated Safe Harbour - governmental intrusion, lack of proportionality, ineffective role of ombudsperson. What is really new is that a … Continue reading Ambiguous status of SCC under the ‘Schrems II’ decision

On a crucial importance of TOMs under GDPR Article 32

DPA of Baden-Württemberg (Germany) fined a health insurance company 1'240'000 EUR for insufficient implementation of TOMs resulted in personal data of app. 500 individuals being accidentally processed for advertising purposes without due consent.  The fine is quite high, especially given that there have been some mitigating factors in this case: not too many data subjects … Continue reading On a crucial importance of TOMs under GDPR Article 32

Tiktok moves under control of Irish DPC

From 29 July 2020 onwards, Tiktok Ireland will control the data of all users in the EEA and Switzerland. Nothing specific, just another smart move of a non-EEA company (parental company Tiktok Inc incorporated in the US) in an attempt to use one-stop-shop mechanism via its EEA subsidiaries. Except for one thing. The recent French … Continue reading Tiktok moves under control of Irish DPC