It has been almost two years since the GDPR came into force and now the European Commission (“EC”) is set to undertake a review and eventually report on issues regarding the application of the GDPR. Specifically, the EC will report on the international transfer provisions and cooperation and consistency mechanisms between supervisory authorities.

The EC is currently in the “roadmap” phase of the process. A roadmap aims to inform citizens and stakeholders about the EC’s work. One element of the roadmap is to gather feedback from citizens and stakeholders, and the opportunity to provide such feedback opened on 2 April 2020. The closing date for feedback is 29 April 2020. There is a 4000 character limit on the feedback function, but Word documents can be uploaded where they contain research or other findings that support the feedback being provided. This feedback will be used to further develop and finesse the review. There are specific rules for providing feedback, which are linked here.

Continue Reading The European Commission is set to review the GDPR

Article 3(2) of the GDPR and the second criterion: Targeting criterion


Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). Our first post in this series examined the “Establishment” criterion. In this post, we will move into the second criterion, “Targeting”.

Two Types of Targeting Activities Relating to Data Subjects in the EU

Under this criterion, the GDPR applies to two distinct and alternative types of activities, provided that these processing activities relate to data subjects that are in the Union.

Article 3(2) (a) Offering Goods or Services to Data Subjects in the EU, Irrespective of Whether a Payment of the Data Subject is Required

There are two important issues in this respect:

  • Article 3(2)(a) specifies that the targeting criterion concerning the offering of goods or services applies irrespective of whether payment is made in exchange for the goods or services provided.
  • It has to be determined on a case-by-case basis whether the offer of goods or services is directed at persons in the Union.

Continue Reading Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 2)

The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the scope of the GDPR.

The European Data Protection Board (EDPB) has finally published its long-awaited final version of the guidelines 3/2018 on the territorial scope of the GDPR (article 3). Such a standard interpretation is essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity. It is, therefore, essential that controllers and processors, especially those offering goods and services at an international level, undertake a careful, concrete assessment of their processing activities in order to determine whether the related processing of personal data falls under the scope of the GDPR.

Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). We are presenting each of these criteria through two posts. Part 1 is detailed below, Part 2 will be detailed in a separate post shortly hereafter.

Continue Reading Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 1)

The Cyberspace Administration of China (the “CAC”) launched a public consultation on the draft Administrative Measures on Data Security (the “Draft Measures”) on May 28, 2019. This consultation falls in the middle of the publication of the drafts for two other data protection rules, namely the Measures for Security Assessment for Cross-border Transfer of Personal Information and the Measures for Cybersecurity Review.

Together, these three measures will implement a significant portion of the Cyber Security Law (the “CSL”) and become the first set of binding laws focused solely on data protection, adopting certain rules from the non-binding Personal Information Security Specification. The Draft Measures were published just over a year after the General Data Protection Regulation (the “GDPR”) came into effect in the EU and certain similarities between the two regimes are apparent.

Continue Reading China’s Draft Data Security Measures and How They Compare to the GDPR

On Wednesday, April 24, 2019, the new data protection legislation was published in the Czech Collection of Laws and became effective. In doing so, the Czech Republic remedied its legislative deficiency, as it was one of the last EU states lacking the data protection adaptation legislation. (The overview of the current state of GDPR implementation in the Member States can be found here).

Continue Reading The Czech Republic: GDPR Adaptation Legislation Becomes Effective

In today’s globalised world, there are many cross-border transfers of personal data, which are sometimes stored on servers in different countries.

Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. a country that is not a member of the European Economic Area). These include the following:

Continue Reading Understanding the Layered Approach to International Data Transfers Under GDPR

A hospital became one of the first organisations to face GDPR enforcement in Portugal in July 2018. The hospital received a €400,000 fine from the Portuguese regulator, Comissão Nacional de Protecção de Dados (“CNPD”) for various breaches of the GDPR.

The hospital was fined for the following three violations of the GDPR:

  1. Breach of the data minimisation principle;
  2. Breach of the integrity and confidentiality principle; and
  3. The failure to ensure the ongoing security of processing under Article 32 of the GDPR.

For breaches of the data protection principles, a maximum fine of €20,000,000 or 4% of global turnover, whichever is higher, may be imposed. However, the maximum fine for the third violation is €10,000,000 or 2% of global turnover, whichever is higher.

Continue Reading GDPR Enforcement: Portugal

Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier to use consent as a basis for international transfer than was the case under Directive 95/46?

Rules on international transfer under GDPR

Chapter V of GDPR offers several legal bases for the transfer of personal data to third countries or international organizations:

  1. The suitability of the recipient country or entity on the basis of an adequacy decision of the European Commission (Article 45).
  2. The establishment of “appropriate safeguards” by the recipient (Article 46) such as standard contractual clauses adopted by the European Commission or BCRs (Article 47).
  3. The “Derogations for specific situations” provided by Article 49(1) of the GDPR, which provides that transfers, where neither of the above applies, may be carried out if one of the listed conditions is fulfilled. One of the derogations is the case where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.

Continue Reading Does the GDPR Allow for the Use of Consent for the International Transfer of Data?

The European Data Protection Board (EDPB) has finally published its long-awaited draft guidelines 3/2018 on the territorial scope of GDPR (article 3) (“Draft Guidelines”). These are now subject to consultation until 18 January 2019.

These Draft Guidelines are pertinent to companies outside of the EU seeking to determine whether the General Data Protection Regulation (“GDPR”) applies to them. The Draft Guidelines are just as important for companies that must comply with the GDPR in their business dealings with non-EU organisations.

Continue Reading EDPB Publishes Draft Guidelines on the Territorial Scope of the GDPR’s Article 3