The UK Information Commissioner's Office has announced its intention to issue a £183 million fine to British Airways, in respect of a personal data breach under the GDPR. The announcement has wide-ranging consequences for...more
7/10/2019
/ Administrative Proceedings ,
British Airways ,
Data Breach ,
Data Security ,
Enforcement Actions ,
Fines ,
General Data Protection Regulation (GDPR) ,
Penalties ,
Personally Identifiable Information ,
Popular ,
UK ICO
The European Data Protection Board ("EDPB") has published guidelines on the use of the certification mechanism under the GDPR. Certifications are intended to help businesses provide evidence of compliance with the GDPR. The...more
7/5/2019
/ Certifications ,
Compliance ,
Data Protection ,
Data Protection Authority ,
EU ,
European Commission ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Member State ,
New Guidance ,
Personal Data
EU data protection law contains a powerful tool called a Subject Access Request ("SAR") which allows an individual to obtain copies of data about themselves, on demand, within a tight timeframe, and at low cost. Satisfying...more
6/13/2019
/ Burden of Proof ,
Data Controller ,
Data Processors ,
Discovery Disputes ,
EU ,
Exemptions ,
General Data Protection Regulation (GDPR) ,
Journalism ,
Legal Professional Privilege ,
Personal Data ,
Subject Access Request (SAR) ,
UK ,
UK ICO
ad hoc clauses means a set of clauses for Cross-Border Data Transfers, which require prior approval by a DPA (see Chapter 13).
Adequacy Decision means a decision by the Commission to designate a third country as an...more
Why does this topic matter to organisations?
The GDPR is now the main instrument governing EU data protection law across all Member States. The Directive, which was almost 20 years old, has been repealed. However, the...more
4/27/2019
/ Breach Notification Rule ,
Compliance ,
Conflicts of Laws ,
e-Privacy Directive ,
EU ,
EU Directive ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
International Treaties ,
Member State ,
Mutual Legal Assistance Treaties (MLAT) ,
Personal Data ,
Personally Identifiable Information ,
Repeal
Why does this topic matter to organisations?
Although a key aim of the GDPR is to harmonise data protection law across the EU, there are a number of areas in which the GDPR leaves it to Member States to adopt their own...more
4/25/2019
/ Data Privacy ,
Data Protection ,
EU ,
EU Data Protection Laws ,
Freedom of Expression ,
General Data Protection Regulation (GDPR) ,
Harmonization Rules ,
International Data Transfers ,
Member State ,
Personal Data ,
Religious Institutions ,
Scientific Research
Why does this topic matter to organisations?
Whereas the remedies and sanctions available to DPAs under the Directive were comparatively low (generally subject to a maximum of less than €1 million per infringement, with...more
4/24/2019
/ Administrative Fines ,
Civil Liability ,
Criminal Sanctions ,
Damages ,
Data Breach ,
Data Processors ,
Data Protection ,
Data Protection Authority ,
Data Subjects Rights ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Policies and Procedures ,
Privacy Laws ,
Remedies ,
Risk Management ,
Sanctions ,
Statutory Violations
Why does this topic matter to organisations?
Under the Directive, organisations were obliged to deal with a separate DPA for each Member State whose laws apply to them. This meant that businesses faced a range of...more
4/24/2019
/ Consistency Mechanism ,
Cooperation ,
Court of Justice of the European Union (CJEU) ,
Data Protection ,
Data Protection Authority ,
Dispute Resolution ,
DPA ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Information Sharing ,
International Data Transfers ,
Member State ,
Multidistrict Litigation ,
Multinationals ,
One-Stop Shop ,
Personal Data
Why does this topic matter to organisations?
National Data Protection Authorities ("DPAs") are appointed to implement and enforce data protection law, and to offer guidance. As set out in Chapter 16, DPAs have significant...more
4/22/2019
/ Compliance ,
Data Protection ,
Data Protection Authority ,
Enforcement ,
Enforcement Authority ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Jurisdiction ,
Member State ,
One-Stop Shop ,
Personal Data ,
Personally Identifiable Information ,
Popular
Why does this topic matter to organisations?
In today's world, it is increasingly important to be able to move data freely to wherever those data are needed. However, the transfer of personal data to recipients outside the...more
4/20/2019
/ Adequacy Requirement ,
Binding Corporate Rules ,
Certifications ,
Cloud Service Providers (CSPs) ,
Code of Conduct ,
Consumer Rights Directive ,
Data Controller ,
Data Protection Authority ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
Human Resources Professionals ,
International Data Transfers ,
Jurisdiction ,
Model Clauses ,
Personal Data ,
Personally Identifiable Information ,
Public Interest ,
Technology Sector
Why does this topic matter to organisations?
A significant aspect of complying with EU data protection law is demonstrating compliance—making it evident to DPAs that an organisation is meeting its obligations. Three of the...more
4/18/2019
/ Code of Conduct ,
Compliance ,
Data Protection ,
Data Protection Officers (DPOs) ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
Impact Assessments ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information
Why does this topic matter to organisations?
Under the GDPR, the concept of a "processor" has not changed. Any entity that was a processor under the Directive likely continues to be a processor under the GDPR. However,...more
4/18/2019
/ Compliance ,
Confidentiality Policies ,
Data Breach ,
Data Controller ,
Data Processors ,
Data Protection ,
Data Protection Officers (DPOs) ,
Data Security ,
DPA ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Popular ,
Reporting Requirements
Why does this topic matter to organisations?
Each time an organisation processes personal data, it will do so as either a controller or a processor. These roles bear different responsibilities. Therefore, it is critically...more
4/16/2019
/ Compliance ,
Data Breach ,
Data Controller ,
Data Processors ,
Data Protection Officers (DPOs) ,
Data Security ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Liability ,
Notification Requirements ,
Personal Data ,
Personally Identifiable Information ,
Reporting Requirements
Why does this topic matter to organisations?
EU data protection law provides data subjects with a wide array of rights that can be enforced against organisations that process personal data. These rights may limit the...more
4/16/2019
/ Consumer Privacy Rights ,
Data Collection ,
Data Controller ,
Data Processors ,
Data Protection ,
Direct Marketing ,
Duty to Inform ,
Employee Training ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Portability ,
Privacy Policy ,
Rectification ,
Right of Access ,
Right to Be Forgotten ,
Right to Object ,
Right to Restrict ,
Time Restrictions ,
Transparency
Why does this topic matter to organisations?
Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. Each and every data processing activity requires a lawful...more
4/15/2019
/ Consent ,
Data Collection ,
Data Controller ,
Data Processors ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
Informed Consent ,
International Data Transfers ,
Opt-In ,
Personal Data ,
Personally Identifiable Information ,
Withdrawal
Why does this topic matter to organisations?
Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. If the controller does not have a lawful basis for a given...more
4/12/2019
/ Consent ,
Data Controller ,
Data Processing Rules ,
Data Processors ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Legitimate Business Interest ,
Member State ,
Personal Data ,
Personally Identifiable Information
Why does this topic matter to organisations?
The GDPR does not necessarily apply to every organisation in the world. It applies to all organisations that are established in the EU. However, for organisations established...more
4/12/2019
/ Compliance ,
Data Protection ,
EU ,
EU Data Protection Laws ,
Extraterritoriality Rules ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Multinationals ,
Personal Data ,
Personally Identifiable Information ,
Risk Assessment ,
Risk Management
Why does this topic matter to organisations?
Understanding the subject matter and the scope of EU data protection law is fundamental to determining whether this law applies to an organisation’s business activities. In...more
Overview of key issues -
The GDPR raises a number of key issues that organisations should consider, including the following...more
4/11/2019
/ Breach Notification Rule ,
Compliance ,
Consent ,
Data Processors ,
Data Protection ,
Data Protection Impact Assessments (DPIAs) ,
Data Protection Officers (DPOs) ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Popular
Directive 95/46/EC -
Prior to the GDPR, the EU's data protection regime was governed by the Directive. The Directive (as with all EU Directives) did not apply automatically, and had to be transposed into the national laws...more
The Dutch Data Protection Authority (the "Dutch DPA") has issued guidance stating that so-called "cookie walls" are not compliant with the General Data Protection Regulation (the "GDPR"). The guidance is not legally binding,...more
4/5/2019
/ Austria ,
Belgium ,
Consent ,
Cookies ,
Data Protection Authority ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
Netherlands ,
Popular ,
UK ICO ,
Website Accessibility ,
Websites
Why does this topic matter to organisations?
The Data Protection Principles provide the conditions on which an organisation is permitted to process personal data. If an organisation cannot satisfy the Data Protection...more
Why does this topic matter to organisations?
The defined terms set out in this Chapter are of critical importance to understanding how EU data protection law applies to an organisation. For example, the question of whether...more
4/3/2019
/ Consent ,
Data Breach ,
Data Controller ,
Data Processors ,
Data Protection ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information
On 29 March 2019, the UK will formally leave the EU unless an extension, or a negotiated solution, is agreed between the UK and the European Commission. There is currently no agreement regarding the UK's status from a data...more
1/31/2019
/ BCRs ,
Compliance ,
Consent ,
Data Protection ,
EU ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Model Contracts ,
No-Deal Brexit ,
Personal Data ,
UK ,
UK Brexit ,
UK ICO
The European Commission and the Personal Information Protection Commission of Japan have agreed mutual adequacy decisions regarding the transfer of personal data. This is a significant development, and allows businesses to...more
1/31/2019
/ Adequacy Requirement ,
Bilateral Agreements ,
EU ,
European Commission ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Japan ,
Mutual Recognition Agreement ,
Personal Data ,
Privacy Laws ,
Reciprocity Rules