Yes. The GDPR anticipates that a company may process personal data as long as one (or more) of six lawful purposes applies. One of those lawful purposes relates to the collection of personal data about a person as part of...more
Maybe. “Salting” refers to the insertion of a random value (e.g., a number or a letter) into personal data before that data is hashed. Whether personal information that has undergone salting and hashing is still...more
Maybe. Hashing refers to the process of using an algorithm to transform data of any size into a unique fixed sized output (e.g., combination of numbers). ...more
Companies use different names to describe the document that discloses their practices in relation to the collection, use, and disclosure of personal information including: “Privacy Notice,” “Privacy Policy,” “Information...more
No. Although Article 30 of the GDPR states that companies must “maintain a record” of their processing activities, the provision contains an exemption for small businesses. Specifically, it states that if a company employs...more
It is not clear at this point whether joint and several liability attaches to the actions of joint controllers. The GDPR states that a data subject “may exercise his or her rights under this Regulation in respect of and...more
The CCPA requires that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted. In order to access or delete...more
On 9 July 2019, the Court of Justice of the European Union (CJEU) in Luxembourg heard a case brought by privacy-rights activist Max Schrems (C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximilliam...more
The term “personal information” is defined within the CCPA in a similar, but not identical, manner to the term “personal data” within the GDPR. The following provides a side-by-side comparison of the two terms...more
The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in...more
In this Series 2 of our FAQs regarding the California Consumer Privacy Act (“CCPA”), we are examining the scope of the law’s jurisdiction. These FAQs should help employers determine if they are required to comply with the...more
Much has happened since the European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Many EU countries have enacted national legislation to implement and expand the requirements of the...more
The implementation of the European Union (EU)’s General Data Protection Regulation (GDPR) has raised a number of questions as to how best to approach cross-border discovery. Friction between legal holds and the “right of...more
On November 23, the European Data Protection Board (“EDPB”) - the gathering of all European Union (EU) data protection authorities - adopted new draft guidelines on territorial scope of the GDPR. The EDPB was previously known...more
The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to...more
On May 25, 2018, at the effective date of the General Data Protection Regulation (“GDPR”), the European Data Protection Board (“EDPB”) adopted its “Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679”...more
The European Data Protection Board (“EDPB“) has published a letter sent to the European Parliament in relation to the revised Payment Services Directive ((EU) 2015/2366) (“PSD2“)....more
The EU-US Privacy Shield is one of the legal mechanisms enabling the transfer of personal data outside the European Economic Area to US companies that have self-certified to a number of privacy principles (which correspond to...more
JONES DAY CYBERSECURITY, PRIVACY & DATA PROTECTION ATTORNEY SPOTLIGHT: Richard Martinez - Europe's new General Data Protection Regulation ("GDPR") is driving an evolution in corporate privacy practices globally. As...more
On June 12, 2018, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) passed a resolution calling on the European Commission to suspend the EU-U.S. Privacy Shield unless the U.S. fully...more
Less than one week after replacing the now defunct Article 29 Working Party (WP29), the European Data Protection Board (EDPB) has adopted new guidelines on the EU General Data Protection Regulation (GDPR) and issued a...more
Data protection authorities set out guidelines for the application of the new EU General Data Protection Regulation - The European Data Protection Board (EDPB) is the joint coordination body of the EU data protection...more
The GDPR entered into force on May 25, 2018. One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to...more