Stéphanie Faber

The French data protection authority, the CNIL, has published its annual report for 2021 (in French), which contains some useful information and figures, notably on complaints, investigations and sanctions, as well as standards of reference issued by the CNIL in relation to specific processing activities.

  1. Complaints, Investigations and Sanctions

Complaints

In 2021, the CNIL received

By amending the “Sapin II” law, France has become the fourth EU country to transpose the EU Whistleblower Directive as of 21 March 2022, following Denmark, Sweden and Portugal.

Sapin II introduced, in December 2016, mandatory whistleblowing schemes (amongst other things) for certain private and public sector organisations.

Scope

On 21 March 2022, France enacted

The UK’s Competition and Markets Authority (“CMA”), Information Commissioner’s Office (“ICO”) and Google have agreed legally binding commitments from Google on the development of its Privacy Sandbox proposals.

These proposals relate to the removal of third-party cookies – to be phased out by 2023 – in the Chrome browser and Chromium browser engine, which will

On February 15, 2022, the European Data Protection Board (“EDPB”) issued a press release announcing the launch of its first coordinated enforcement action, under the Coordinated Enforcement Framework (“CEF”) established in 2020 (see section 3 below). The initiative will focus on the use of cloud-based services by the public sector and will involve 22

The French data protection authority, the CNIL, has undertaken a long-term campaign to ensure the effectiveness of its cookie rules under the motto: “refusing cookies should be as easy as accepting them”.

Its investigation and enforcement program started in October 2020, first based on the old 2013 version of the cookies rules

The much-awaited new Standard Contractual Clauses (“SCCs”) were adopted by the European Commission on June 4, 2021 and should be published in the next few weeks.

The new SCCs will go into effect twenty (20) days following publication in the Official Journal of the European Union (“EU”) and the old SCCs will be repealed three months after that date (“Date of Repeal”).

Continue Reading New Standard Contractual Clauses for the Transfer of Personal Data Outside the EEA – Adopted On the Eve of Publication

This continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous issue on the updates in the draft Guidelines on the concept of processor here, on controller here, and on joint controllers here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.
Continue Reading What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 4)

Several important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller and a processor within the EEA and to countries outside the EEA.

Transfers of Personal Data to Third Countries

In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers – the so-called Schrems II judgment (see our post on this topic) – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of Regulation (EU) 2016/679, i.e. the General European Data Protection Regulation (GDPR).

The following documents have been published in relation to implementation of Schrems II.
Continue Reading Watch Out for These Very Important Documents on “Transfers” and “Processing” of Personal Data

We continue our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (“draft Guidelines”) issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This issue focuses on the updates to the concept of joint controller. See our previous issues on the draft Guidelines’ proposed updates to the concepts of processor here and on controller here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.

Part 3: Focus on Joint Controllers

What is new in the draft Guidelines?

The draft Guidelines incorporate the holdings of recent judgments of the Court of Justice of the EU (“CJEU”) that expand and clarify the concepts of controller and joint controller.

What are the criteria for classification as joint controllers?


Continue Reading What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 3)