There have been some highly publicized privacy statement revisions. Here are some lessons we are discussing with clients:
•Regulators are putting a high value on transparency and they are looking specifically at privacy...more
The Office of the Data Protection Authority of the Bailiwick of Guernsey has issued concise guide on the definition of consent.
This is helpful not only for GDPR, but also for understanding and implementing consent under the...more
Please take note!
1.SchremsII and cross border transfers: Risk based, wherefore art thou? With the Google Analytics, Google Fonts, Amazon AWS, Google Workspace other cases, the SchremsII and DPA guidance is piling up....more
9/30/2022
/ Biometric Information Privacy Act ,
California Privacy Rights Act (CPRA) ,
Cookies ,
Cross Border Privacy Rules (CBPR) ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Security ,
EU ,
International Data Transfers ,
Privacy Laws ,
Schrems I & Schrems II
A few days before the Austria DSB decision, the European Data Protection Supervisor (EDPS) issued a decision on the use of Google Analytics by the European Parliament.
For Schrems II: EDPS says “if you don’t have any...more
If you use a U.S.-based sub processor (even for data processed in the EU), you lose, the German administrative court of Wiesbaden said in an interim decision.
No transfer. No worries. TIA anyway...more
The European Data Protection Board has issued draft guidelines on the interplay between Art 3.2 and Chapter V of GDPR. And they also have finally defined the term “transfer.”
Here are some key takeaways:...more
The European Data Protection Supervisor (EDPS) has issued an opinion on the European Union Agency for Cybersecurity’s (ENISA) use of the explicit consent derogation as a legal basis for cross border transfers to the US...more
Key practice takeaways from the Kişisel Verileri Koruma Kurumu (KVKK) Turkey EUR 195,000 fine against WhatsApp (which echoes the Data Protection Commission Ireland decision in many respects):.....more
Third country laws – more than meets the eye. In practice – problematic legislation in disguise. The European Data Protection Board has issued a “Transformers” style plan for assessing whether or not you can transfer...more
The UN Committee on the Rights of the Child has issued new recommendations on children’s rights in relation to the digital environment.
Key data protection takeaways:
The rights of every child must be respected,...more
First we take Sacramento, then we take Berlin: How do US data protection laws affect how you do business.
The webinar is aimed at in-house or outside counsel, as well as data protection and compliance officers. In this...more
4/28/2021
/ Adtech ,
Analytics ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Chief Compliance Officers ,
Consumer Privacy Rights ,
Cookies ,
COPPA ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Sellers ,
Do Not Sell ,
E-Commerce ,
Enforcement Actions ,
Federal Trade Commission (FTC) ,
Fines ,
General Data Protection Regulation (GDPR) ,
Germany ,
GLBA Privacy ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Multinationals ,
OEM ,
Personally Identifiable Information ,
Privacy Laws ,
Privacy Policy ,
State Privacy Laws ,
Suppliers ,
Third-Party Service Provider ,
Webinars
While we are all digesting (and lamenting) the European Data Protection Board's post-Schrems II Guidelines and cross-border transfer standard contractual clauses, the European Commission issued standard clauses that are meant...more
The Data Protection Authority for the German state of Baden-Württemberg has issued FAQs on the European Data Protection Board's (EDPB) Controller-Processor Guidelines.
Legal Concepts-
•Contractual clauses can represent...more
Key takeaways from my recent presentation titled “Service Providers v. Data Processors: What Should Your Agreement Address?” with Lexology and Exterra...more
France’s Data Processing Authority CNIL weighs in on Coronavirus and GDPR.
Employers should NOT:
•Collect in a systematic and generalized manner, or through individual inquiries and requests, information relating to the...more
The United Kingdom's Information Commissioner's Office has updated its guidance on Special Category Data (Article 9 General Data Protection Regulation). Key takeaways:
Genetic Data-
Genetic analysis that includes enough...more
The European Data Protection Board has issued long-awaited final guidelines for the extraterritorial application of the General Data Protection Regulation (GDPR).
Key changes:
(1) GDPR can apply extraterritorially to some...more
The European Data Protection Supervisor (EDPS) has issued guidance on the concepts of data controller and processor for European Union organizations. Though it covers EU institutions, the guidance contains many concepts that...more
11/14/2019
/ California Consumer Privacy Act (CCPA) ,
Corporate Counsel ,
Cybersecurity ,
Data Collection ,
Data Controller ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Security ,
EU ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Popular
The Information Commissioner of the Isle of Man has issued guidance on “accountability” under GDPR.
Key takeaways:
You need to develop, embed and maintain a culture of data protection in your processing activities, with...more
The Dutch DPA has issued guidance on the use of “legitimate interest” as a legal basis for processing data under GDPR.
Key takeaways on what constitutes “legitimate”:
The interest needs to be pursuant to a written or...more
Latin American Data Protection Authorities and the Spanish Data Protection Authority have issued a joint statement on data processing and Artificial Intelligence....more
The French Data Protection Authority CNIL has issued guidance on types of data processing for which a Data Protection Impact Assessment (DPIA) is not required under GDPR:
HR-related processing, not including profiling, for...more
The European Data Protection Board (EDPB) has issued final guidelines on the General Data Protection Resolution's (GDPR) legal basis of "Necessary for the Performance of a Contract" (Article 6(1)(b)....more
Who is responsible for putting a GDPR Article 28 Data Processing Agreement in place?
Dutch Data Protection Authority, Autoreitpersoonsgegevens, says: BOTH the data controller and the data processor....more
Click to accept – not always good enough, says the New Zealand Privacy Commissioner.
Companies need to be fully transparent about their data processing practices and take steps to ensure that this is conveyed to the...more