A hospital became one of the first organisations to face GDPR enforcement in Portugal in July 2018. The hospital received a €400,000 fine from the Portuguese regulator, Comissão Nacional de Protecção de Dados (“CNPD”) for various breaches of the GDPR.

The hospital was fined for the following three violations of the GDPR:

  1. Breach of the data minimisation principle;
  2. Breach of the integrity and confidentiality principle; and
  3. The failure to ensure the ongoing security of processing under Article 32 of the GDPR.

For breaches of the data protection principles, a maximum fine of €20,000,000 or 4% of global turnover, whichever is higher, may be imposed. However, the maximum fine for the third violation is €10,000,000 or 2% of global turnover, whichever is higher. Continue Reading GDPR Enforcement: Portugal

Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier to use consent as a basis for international transfer than was the case under Directive 95/46?

Rules on international transfer under GDPR

Chapter V of GDPR offers several legal bases for the transfer of personal data to third countries or international organizations:

  1. The suitability of the recipient country or entity on the basis of an adequacy decision of the European Commission (Article 45).
  2. The establishment of “appropriate safeguards” by the recipient (Article 46) such as standard contractual clauses adopted by the European Commission or BCRs (Article 47).
  3. The “Derogations for specific situations” provided by Article 49(1) of the GDPR, which provides that transfers, where neither of the above applies, may be carried out if one of the listed conditions is fulfilled. One of the derogations is the case where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.

Continue Reading Does the GDPR Allow for the Use of Consent for the International Transfer of Data?

The European Data Protection Board (EDPB) has finally published its long-awaited draft guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Draft Guidelines”). These are now subject to consultation until 18 January 2019.

These Draft Guidelines are pertinent to companies outside of the EU seeking to determine whether the General Data Protection Regulation “GDPR” applies to them. The Draft Guidelines are just as important for companies that must comply with the GDPR in their business dealings with non-EU organisations. Continue Reading EDPB Publishes Draft Guidelines on the Territorial Scope of the GDPR’s Article 3

Since 25 May 2018, controllers experiencing a personal data breach must, as a general rule, notify it to the appropriate supervisory authority. Not all breaches will require notification: those that do not pose a risk to the rights and freedoms of natural persons will generally fall under the radar. However, if such a risk exists, the data controller will be required to notify the breach to the relevant supervisory authority, and also to the natural persons concerned if the likelihood of risk is high. Continue Reading Personal Data Breach Notification Obligations Arise from Various Sources, not Only the GDPR

In May this year, the General Data Protection Regulation (GDPR) brought with it a new Data Subject Access Requests (DSAR) regime. We expect that the ICO will update its Code of Practice shortly. Until then, Andrew Peters of our Labour & Employment team has prepared a five-part blog series which discusses practical concerns for UK employers receiving DSARs post-GDPR. Continue Reading GDPR’s Impact on Employee Data Subject Access Requests in the UK

The GDPR has impacted how organizations in many industries, including advertising, operate. For example, the Committee of Advertising Practice, which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (“CAP Code”), is in the process of updating its prize promotion rules to comply with the stricter requirements under the GDPR, primarily as related to obtaining consent from competition participants.

For further information on the forthcoming update to the CAP Code and its expected impact on advertising, please read the post prepared by my colleagues Carlton Daniel, Ailin O’Flaherty and me, which has been published on the Squire Patton Boggs Global IP & Technology Law Blog.

The General Data Protection Regulation (GDPR) was incorporated into the EEA Agreement by the EEA Joint Committee in Brussels and entered into force in mid-July. The European Economic Area (EEA) currently includes all EU Member States, including, for the time being, the UK, as well as three of the four EFTA States, namely Iceland, Liechtenstein and Norway (the fourth being Switzerland). Additionally, on 15 July 2018, a new Act on Data Protection and the Processing of Personal Data, No. 90/2018, entered into force in Iceland. Continue Reading GDPR is Now EEA Wide!

Regulators across Europe have recorded a sharp increase in the number of data-related complaints and data breach notifications since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The GDPR has radically reshaped how businesses can collect, use and store personal information. As a result of the new and expanded rights for people to know how their data is being used, and to decide whether it is shared or deleted, regulators are being overwhelmed with complaints and businesses are increasingly finding themselves subject to data breaches. Continue Reading Post GDPR Rise in Data-Related Complaints and Data Breach Notifications

The final countdown has started: there are only a few days left before the GDPR takes effect on Friday 25 May 2018. What are you doing about compliance?


If you need assistance, in the EU or outside the EU, with your GDPR compliance program, do not hesitate to contact a member of our global Data Protection and Cybersecurity team.