This continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous issue on the updates in the draft Guidelines on the concept of processor here, on controller here, and on joint controllers here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.

Continue Reading What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 4)

We continue our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (“draft Guidelines”) issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This issue focuses on the updates to the concept of joint controller. See our previous issues on the draft Guidelines’ proposed updates to the concepts of processor here and on controller here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.

Part 3: Focus on Joint Controllers

 

What is new in the draft Guidelines?

The draft Guidelines incorporate the holdings of recent judgments of the Court of Justice of the EU (“CJEU”) that expand and clarify the concepts of controller and joint controller.

What are the criteria for classification as joint controllers?

Continue Reading What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 3)

This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”) issued on 7 September 2020 by the European Data Protection Board (“EDPB”). This post focuses on the updates to the concept of controller. See our previous post regarding the concept of processors here. Upcoming posts will address joint controllers, “third parties” and “recipients.”

Please note that the EDPB has invited businesses to provide their feedback on the draft Guidelines by 19 October 2020.

Continue Reading What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 2)

This is the first in a series of posts that discuss the key concepts and issues addressed in a set of draft guidelines recently issued by the European Data Protection Board (“EDPB”). Comments on the draft guidelines are due by 19 October 2020.

Part 1: Focus on Processors

On 7 September 2020, the EDPB published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” Businesses and members of the public may provide feedback on the draft Guidelines by 19 October 2020.

Continue Reading What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 1)

It has been almost two years since the GDPR came into force and now the European Commission (“EC”) is set to undertake a review and eventually report on issues regarding the application of the GDPR. Specifically, the EC will report on the international transfer provisions and cooperation and consistency mechanisms between supervisory authorities.

The EC is currently in the “roadmap” phase of the process. A roadmap aims to inform citizens and stakeholders about the EC’s work. One element of the roadmap is to gather feedback from citizens and stakeholders, and the opportunity to provide such feedback opened on 2 April 2020. The closing date for feedback is 29 April 2020. There is a 4000-character limit on the feedback function, but Word documents can be uploaded where they contain research or other findings that support the feedback being provided. This feedback will be used to further develop and finesse the review. There are specific rules for providing feedback, which are linked here.

Continue Reading The European Commission is set to review the GDPR

Article 3(2) of the GDPR and the second criterion: Targeting criterion

 

Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)).  Our first post in this series examined the “Establishment” criterion. In this post, we will move into the second criterion, “Targeting”.

Two Types of Targeting Activities Relating to Data Subjects in the EU

Under this criterion, the GDPR applies to two distinct and alternative types of activities, provided that these processing activities relate to data subjects that are in the Union.

Article 3(2) (a) Offering Goods or Services to Data Subjects in the EU, Irrespective of Whether a Payment of the Data Subject is Required

There are two important issues in this respect:

  • Article 3(2)(a) specifies that the targeting criterion concerning the offering of goods or services applies irrespective of whether payment is made in exchange for the goods or services provided.
  • It has to be determined on a case-by-case basis whether the offer of goods or services is directed at persons in the Union.

Continue Reading Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 2)

The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the scope of the GDPR.

The European Data Protection Board (EDPB) has finally published its long-awaited final version of the guidelines 3/2018 on the territorial scope of the GDPR (article 3). Such a standard interpretation is essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity. It is, therefore, essential that controllers and processors, especially those offering goods and services at an international level, undertake a careful, concrete assessment of their processing activities in order to determine whether the related processing of personal data falls under the scope of the GDPR.

Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). We are presenting each of these criteria through two posts. Part 1 is detailed below, Part 2 will be detailed in a separate post shortly hereafter.

Continue Reading Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 1)

The Cyberspace Administration of China (the “CAC”) launched a public consultation on the draft Administrative Measures on Data Security (the “Draft Measures”) on May 28, 2019. This consultation falls in the middle of the publication of the drafts for two other data protection rules, namely the Measures for Security Assessment for Cross-border Transfer of Personal Information and the Measures for Cybersecurity Review.

Together, these three measures will implement a significant portion of the Cyber Security Law (the “CSL”) and become the first set of binding laws focused solely on data protection, adopting certain rules from the non-binding Personal Information Security Specification. The Draft Measures were published just over a year after the General Data Protection Regulation (the “GDPR”) came into effect in the EU and certain similarities between the two regimes are apparent.

Continue Reading China’s Draft Data Security Measures and How They Compare to the GDPR

On Wednesday, April 24, 2019, the new data protection legislation was published in the Czech Collection of Laws and became effective. In doing so, the Czech Republic remedied its legislative deficiency, as it was one of the last EU states lacking the data protection adaptation legislation. (The overview of the current state of GDPR implementation in the Member States can be found here).

Continue Reading The Czech Republic: GDPR Adaptation Legislation Becomes Effective

In today’s globalised world, there are many cross-border transfers of personal data, which are sometimes stored on servers in different countries.

Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. a country that is not a member of the European Economic Area). These include the following:

Continue Reading Understanding the Layered Approach to International Data Transfers Under GDPR