A Blueprint for Efficient SRRs: Mastering Your Subject Rights Workflow
On February 27 2025, the Court of Justice of the European Union (CJEU) delivered a judgment in CK v Dun & Bradstreet (Case C-203/22). This judgment clarifies the GDPR provisions regarding the right of access to personal...more
On 22 December 2023, the EU published Regulation (EU) 2023/2854, the Data Act, in the Official Journal of the EU. The Data Act is a new regulation providing harmonised rules on access to data, switching cloud providers and...more
As many employers will be aware, data subject access requests (DSARs) can take up a significant amount of business resources and are a common tactic used by disgruntled employees. A recent decision from the Court of Justice...more
Organisations must provide individuals with information on the specific recipients of their data upon request. The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the...more
Both the EU and UK GDPR grant data subjects rights in relation to their personal data. Article 15 gives data subjects the right to access their personal data and increasingly, data subjects are exercising this right by...more
The Advocate General (AG) Pikamäe of the Court of Justice of the European Union (CJEU) issued his opinions in three cases concerning the credit rating agency SCHUFA Holding AG (SCHUFA) on 16 March 2023....more
We’re now approaching the five-year anniversary of the General Data Protection Regulation (GDPR) taking full effect. In the run-up to 2018 and the period afterwards, there were many predictions about the likely direction of...more
Data is what makes the modern business world go around. But as the amount of data that organizations collect and process grows, so, too, do concerns about data security and how organizations respond to DSARs. These...more
The UK government is proposing to amend its data privacy regime to make it easier for employers to comply with its requirements. The main points that would impact employers (if implemented) are that it would be easier to...more
On January 18, 2022, the European Data Protection Board (the "EDPB") issued the Guidelines 01/2022 on data subject rights - Right of access (the "Draft Guidelines"), laying out its interpretation of Article 15 GDPR on the...more
Selected Developments in U.S. Law - SEC Proposed Rule Will Require Private Funds to Report Certain Cyber Events On January 26, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules to enhance hedge fund...more
The “right of access” recognized by art.15 GDPR is one of the most fervently exercised rights by individuals. Nowadays, where companies tend to amass considerable amounts of information and carry out data processing...more
On January 28, 2022, the European Data Protection Board (“EDPB”) published draft regulatory guidelines (“draft guidance”) on the right of data subjects to have access to their personal data under the EU General Data...more
UK employers have just about got used to the idea of GDPR, but the government has launched a consultation on reforms to the data protection regime....more
In the last few years, data privacy laws and regulations have been big news. Much of the coverage—including one of our recent blog posts—concerned website compliance. Companies scrambled to post notices and forms on their...more
Employees may have a claim against their employers for access to information about all personal data processed by the employers pursuant to Article 15 (3), Sentence 1, of Regulation (EU) 2016/679 (General Data Protection...more
If you are responsible for handling data subject requests made pursuant to the EU General Data Protection Regulation or verified consumer requests made pursuant to the California Consumer Privacy Act, chances are you have...more
No. Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information. As a result, businesses that field rights...more
In my latest post, I outlined the process involved in the actual response to DSAR requests. In my last article of this series, I will discuss the best practices and workflows that your organization should follow when...more
For any organization that deals with privacy issues in the European Union and other privacy-centric jurisdictions like the United Kingdom, an effective information governance program is a must. A program that includes a...more
The COVID-19 virus outbreak poses serious challenges to businesses operating globally, including in Europe. In response to the outbreak, governments worldwide are taking increasingly severe measures to fight the pandemic, and...more
As organizations prepare for January 1, 2020 – the California Consumer Privacy Act (CCPA) commencement day – there are a number of nuances of the legislation that companies must navigate. The one I am hearing the most about...more
When the General Data Protection Regulation (GDPR) went into effect on 25 May 2018, it eliminated the cost barrier for an individual to submit a Data Subject Access Request (DSAR), potentially increasing the burden on...more
Do I have to disclose documents with confidential internal correspondence, and comments from my staff as part of a GDPR data subject access request? The Court of The Hague says “Yes, you do.”...more
The CCPA requires that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted. In order to access or delete...more