This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” This development matters for CPW readers because, even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria, you are required to comply with the GDPR. CPW will be re-posting a four-part series addressing the key concepts and issues covered.

This is the final post in our series on the Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”), focusing on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. Notably, as the authors explain, this clarity is important as the GDPR refers to “third parties” and “recipients” without laying down any specific responsibilities or obligations. The EDPB Guidelines, however, offer clarity as they consider the roles of “third parties” and “recipients” from the perspective of their relationship to a controller or processor.

Find out what it all means here.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” This development matters for CPW readers because, even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria, you are required to comply with the GDPR. CPW will be re-posting a four-part series addressing the key concepts and issues covered.

This is the third in our series of posts on the Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”), focusing on the role of joint controllers. What is a joint controller under the GDPR? A joint controller is an entity that jointly determines the purposes and means of processing data with another controller. Find out what it all means here.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” CPW will be re-posting a must-read four-part series addressing the key concepts and issues covered. This development matters for CPW readers because, even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria, you are required to comply with the GDPR.

This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”).  In case you missed it, the first part is available here.  You can access the second part in the series here.  As the authors explain, “[a]lthough the draft Guidelines provide some additional clarity on the distinction between controllers and processors, there remain various uncertainties in the application of the criteria for determining these roles under the GDPR.  Evaluation continues to require a careful assessment of the relevant criteria and regulatory risks.  It is important to keep in mind that not every “service provider” will qualify as a data processor. Indeed, the regulatory approach proposed by the EDPB appears to continue the trend towards limiting the scope of the “processor” classification and categorizing data recipients that play a role in determining the purposes or essential means of the processing as joint controllers instead of processors.”

If you are a reader of CPW, you have probably heard of the General Data Protection Regulation (“GDPR”). The GDPR applies to companies outside the European Union (including, that is right, United States companies) because it is extra-territorial in scope. This means, to overly generalize, that if you collect any personal data of people in the EU and meet certain criteria, you are required to comply with the GDPR, even if you are based in the United States.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” CPW will be re-posting a fantastic four-part series addressing the key concepts and issues covered. As Part 1 explains, “One of the baseline issues that must be considered when assessing the obligations and potential liabilities of an organization that is subject to the GDPR when it collects and processes personal data is whether the organization should be classified as a data controller or a data processor, as defined in the GDPR.  This is not a new issue, since these terms were originally introduced in the 1995 EU General Data Protection Directive and the definitions were not changed significantly by the GDPR.  Determining whether an organization is acting as a controller or processor is often not straightforward as the dividing line between these concepts is not always clear.”

Part 1 of the must-read series, available here, provides an overview of the updated guidance on the concept of data processor. Subsequent posts will deal with the concepts of data controller and joint controllers.

This continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous issue on the updates in the draft Guidelines on the concept of processor here, on controller here, and on joint controllers here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.

We continue our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (“draft Guidelines”) issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This issue focuses on the updates to the concept of joint controller. See our previous issues on the draft Guidelines’ proposed updates to the concepts of processor here and on controller here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.

Part 3: Focus on Joint Controllers


What is new in the draft Guidelines?

The draft Guidelines incorporate the holdings of recent judgments of the Court of Justice of the EU (“CJEU”) that expand and clarify the concepts of controller and joint controller.

What are the criteria for classification as joint controllers?


This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”) issued on 7 September 2020 by the European Data Protection Board (“EDPB”). This post focuses on the updates to the concept of controller. See our previous post regarding the concept of processors here. Upcoming posts will address joint controllers, “third parties” and “recipients.”

Please note that the EDPB has invited businesses to provide their feedback on the draft Guidelines by 19 October 2020.


This is the first in a series of posts that discuss the key concepts and issues addressed in a set of draft guidelines recently issued by the European Data Protection Board (“EDPB”). Comments on the draft guidelines are due by 19 October 2020.

Part 1: Focus on Processors

On 7 September 2020, the EDPB published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.” Businesses and members of the public may provide feedback on the draft Guidelines by 19 October 2020.

In the wake of CPW’s must-read four-part series on the European Data Protection Board’s (“EDPB”) draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR,” we have a follow-up on important documents that have recently been released relating to rules governing the transfer of EU personal data. These materials were published by the EDPB and the EU Commission.

In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers (with potential significant impact on U.S. companies) – the so-called Schrems II judgment – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of the Regulation (EU) 2016/679, i.e. the General European Data Protection Regulation (GDPR). A comprehensive overview of this must-read guidance is here.


Several important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller and a processor within the EEA and to countries outside the EEA.

Transfers of Personal Data to Third Countries

In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers – the so-called Schrems II judgment (see our post on this topic) – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of the Regulation (EU) 2016/679, i.e. the General European Data Protection Regulation (GDPR).

The following documents have been published in relation to implementation of Schrems II.