Tracking trouble: AS Watson's €600,000 fine and Google’s Privacy Sandbox under scrutiny Recently, two notable cases have emerged demonstrating that the consent requirement for cookies is not always adhered to. The Dutch...
Controversial Swedish Freedom of Press Exemption challenged by the GDPR The GDPR, designed to safeguard personal data, sometimes conflicts with rights like freedom of expression. In Sweden, online...
Stowaways or Allies? Legal risks of using artificial intelligence (AI) transcription services in work meetings Unlock the potential and pitfalls of AI transcription services in your workplace—while they offer unmatched convenience, they also...
The Mischief of Mismanagement: Tale of a Breach of the GDPR In early 2022, the Portuguese National Data Protection Supervisory Authority (“CNPD”) accused Lisbon’s Municipality of retaining...
A new member has joined the INPLP: Jason Kravitz (United States) Nixon Peabody is a full-service law firm with 15 locations and 600 attorneys throughout the United States and in international...
New Amendment to Israeli Privacy Protection Law and Mandatory DPO Appointment The Israeli parliament recently adopted a new amendment to the Israeli Protection of Privacy Law, 5741-1981 ("PPL") entering into...
Data Protection ramifications emerging from the now in force Digital Services Act (DSA) This article seeks to inform businesses and industry professionals such as marketing specialists and data engineers on the data...
AI, ChatGPT and the EDPB: Regulatory Insights from Taskforce Report Report on ChatGPT outlines European data protection regulator's preliminary views and early indicators about the direction of...
Transparency, personal data and the proposed reform in Mexico. Mexico's approach to personal data protection operates through distinct frameworks for the public and private sectors. The Federal...
The North Macedonia Government violated the Law on PDP publishing personal data of awarded applicants in front of the European Court of Human Rights This resolution includes data for 519 applicants i.e. their names and surnames, personal identification numbers (PIN), bank accounts...
Time to Legalize Data Transfers from Turkey - Deadline: September 1, 2024. The Turkish Data Protection Law was amended to introduce new mechanisms to transfer personal data from Turkey to other countries. One...
China’s Data Export Landscape - An Overview of the Regulatory Framework for Multinationals The Chinese government's focus on regulating data exports poses a major challenge for multinationals in China. This article discusses...
DPC’s 2023 Report – increase in access requests, breach notifications and cross border co-operation The Irish Data Protection Commission (“DPC”) published its 2023 Annual Report on 29 May 2024 (the “Report”). The Report can be...
ACTIVITY OF THE PERSONAL DATA SUPERVISORY AUTHORITY OF MONACO (CCIN) IN 2023/24 This article is devoted to the positions of principle of the personal data supervisory authority of Monaco (hereinafter “CCIN”)...
Overfitting: A Conversation Starter for the Next Summer Party Overfitting in AI, where models over-specialize in training data, exemplifies the challenge faced by Transformer-based LLMs which...
Upcoming: The 9th annual INPLP conference We are excited to announce the upcoming 9th INPLP conference, set to take place this November in the lively city of Luxembourg!...
Blockchain vs Data protection At first sight, blockchain technology and the General Data Protection Regulation (GDPR) seem to be intrinsically incompatible. The...
Predicting the Next Amendment of the Japanese Privacy Law The Personal Information Protection Commission recently publishes an interim summary of issues for the next amendment of the Japanese...
3 Personal Data Conundrums For India’s New Government While India’s new Government will continue to push new digital laws, successful implementation of new concepts may require a little...
Swiss-US Data Privacy Framework: Slowly But Steady? Despite ongoing efforts to align with EU data protection standards, the Swiss-U.S. Privacy Framework remains a work in progress,...
Israel and the EU: Data Protection Adequacy Adequacy is a status granted by the Commission of the European Union to countries outside the European Economic Area (EEA) that...
The Right to Compensation Under the GDPR: Key Takeaways from Recent Case Law of the Court of Justice of the European Union Over the course of several preliminary references during 2023 and 2024, the Court of Justice of the European Union (“CJEU”) has...
Video surveillance and artificial intelligence: sanctions against a Public Body by the Italian DPA With the decision No. 5 of 2024, the Italian Data Protection Authority (“DPA”) penalised the Municipality of Trento for the unlawful...
Cyprus DPC Rulings on Data Breaches by the Cyprus Football Association, Cyprus News Agency, and Arktinos Publications Ltd On 17 June 2024, the Commissioner for Data Protection of Cyprus published her decisions (issued in February 2024) in relation to...
French pass system to be deployed during 2024 Olympic and Paralympic Games. As France gears up to host the 2024 Olympic and Paralympic Games, expecting several million spectators and thousands of athletes, the...
New members have joined the INPLP: José Antonio Arochi, Verónica Siten and Montserrat Landaverde (Mexico) Arochi & Lindner (A&L) is a premier law firm with more than 30 years of experience in providing world-class advice and representation...
A new member has joined the INPLP: Oscar Montezuma Panez Niubox is a premier consulting firm at the forefront of providing highly specialized legal counsel and strategic consulting services...
Data Governance Act: data intermediation services provider, a new player involved in personal data processing? Data sharing is a subject of ever-increasing importance, and one that is occupying the European Union exponentially, which has sought...
Registration of data controllers commences in Jamaica The widely anticipated registration of controllers commenced on June 1, 2024, and both local and international controllers are...
A new member has joined the INPLP: Justine A. Collins (Jamaica) Hart Muirhead Fatta is a law firm, offering a wide range of services to corporate and individual clients. The firm provides the range...
PRECAUTIONARY MEASURE ORDERED BY THE SPANISH DPA TO HALT META’S FUNCTIONALITIES “ELECTION DAY INFORMATION” AND “VOTER INFORMATION UNIT” IN SPAIN The Spanish DPA (AEPD) has ordered a precautionary measure against Meta Platforms Ireland Limited to immediately suspend the...
A new member has joined the INPLP: Yiannis Karamanolis (Cyprus) Karamanolis & Karamanolis LLC is a boutique firm with seasoned senior lawyers who specialize in commercial and corporate law. The...
A new member has joined the INPLP: David Tang (China) Han Kun is a leading full-service law firm in China. Over the years, Han Kun has been widely recognized as a leader in complex...
Insufficient legal basis to use Google Workspace as an educational tool in schools The Danish Data Protection Agency has in the widely discussed Chromebook case assessed the legal basis for disclosure of personal...
CCTV in Schools in order to combat crime. «Green light» from the Cyprus DPA for the operation of CCTV in school units! Combating law violation and crime in school units in Cyprus through CCTV.
Chile stares EU: a bill of law to regulate AI. Chile is the first country in latinamerica that seeks to regulate AI. For this purpose, the country has chosen to follow the EU,...
Canada introduces Bill C-63, the Online Harms Act The recently proposed Online Harms Act, introduced in Bill C-63, is Canada’s latest attempt at addressing online harms. This article...
Employer care vs. data protection - when well-intentioned is not good enough. The first of May is a public holiday in Germany, among other countries, and is known as Labour Day. To this day, the "Day of the...
New members have joined the INPLP: Lukas Bühlmann and Michael Reinle (Switzerland) MLL Legal Ltd is a leading Swiss law firm with a history that dates back to 1885. The firm has grown both organically and by means of...
The US CHIPS Act of 2022 strengthens Costa Rica's role in the global semiconductor ecosystem In July 2023, the United States Department of State announced its partnership with the Government of Costa Rica to explore...
A new member has joined the INPLP: Dalit Ben-Israel (Israel) Naschitz, Brandes, Amir & Co., Advocates is one of Israel’s preeminent full-service law firms, with a long-standing international and...
A new member has joined the INPLP: Eyal Roy Sage (Israel) AYR is one of Israel's largest and fastest-growing law firms, consistently ranked as a leader in quality and size by prestigious...
CJEU RULING IN THE MATTER OF “SCHUFA” NOT ONLY AFFECTS CREDIT SCORING (C-634/21) In December 2023, the European Court of Justice (CJEU) had to decide yet another case that will have a significant effect beyond the...
Does the GDPR trump the Bible? Probably not, but it might trump religious administration Depending on where you live, religious ceremonies can trigger a certain degree of administrative follow-up. In Belgium – like in many...
Turkish Personal Data Protection Law 2.0 (“PDPL 2.0”) The first step has been taken in the long-awaited harmonisation of the Turkish Data Protection Law with the GDPR. With this step, the...
The European Commission confirms that Argentina has adequate legislation for the international transfer of personal data Argentina, along with 10 other countries, receives ratification from the European Union on its adequacy note for the international...
The Brazilian Data Protection Authority´s Regulatory Sandbox Pilot Program on Artificial Intelligence and Data Protection: A Brief Overview. The current debates on artificial intelligence create a timely opportunity for the development of mechanisms that balance the...
Further processing videosurveillance recordings for assessing performance of employees is inadmissible. Bulgarian Personal Data Protection Commission has issued an opinion on the admissibility of processing video surveillance records...
CJEU increases the requirements for claiming non-material damage within the meaning of the GDPR Whether or not (nearly) any and all violation of the General Data Protection Regulation (GDPR) entitles data subjects to non-material...
INPLP Activity Report 2023 published The past year was a success for the INPLP, marked by robust collaboration and network growth. The annual conference in Dublin, hosted...
Extraterritorial Implications of Turkish Data Protection Legislation This article explores the regulatory landscape for data controllers located outside Turkey and their obligations under the Turkish...
Violation of personal data protection by the City of Trnava as the Controller of personal data In a recent decision by the Office for Personal Data Protection, we witnessed a case of violation of the Personal Data Protection Act...
A thin line between a typo and a data breach: A case study in enhancing data security practices In a recent case, the Serbian Commissioner for Information of Public Importance and Personal Data Protection issued a cautionary...
Europe’s AI Act: a new role for the Dutch Data Protection Authority? "The genie is out of the bottle. We need to move forward on artificial intelligence development but we also need to be mindful of its...
Financial companies for fast loans fined for processing personal data without consent from personal data subject The North Macedonian Personal Data Protection Agency has issued several fines for financial companies for fast loans due to...
Activity of the personal data supervisory authority of Monaco (CCIN): Increase in the number of complaints and recommendations This article outlines the complaints addressed to the CCIN by data subjects, the number of which, in proportion to Monaco, is rising...
Processing Children’s Data Correctly: Takeaways from the Recent TikTok Decision In September 2023, the Irish Data Protection Commission (“DPC”) adopted its final decision in an own-volition inquiry into the...
Analysis of Legal Functionality in the Face of Technological Advancement, Case of Ecuador: Neuro-Rights. This article analyses the impact of advancing neurotechnology on human rights, particularly regarding cognitive freedom, mental...
The Brazilian National Data Protection Authority’s View On Artificial Intelligence Despite Brazil having it’s own all-encompassing law on data protection (i.e. the General Data Protection Law - LGPD) and its own...
How does India’s new privacy law compare to GDPR? India is now one-month into its grand experiment with data privacy regulation, having replaced a decade-old set of data security...
New members have joined the INPLP: Betül Çolak and Ceren Cakir (Turkey) Tevetoglu Legal is an Istanbul-based international law firm that excels in offering exceptional legal counsel to pioneering...
Cyberattacks based on the victim´s compliance Information security compliance has become now a new exploit that cybercriminals are taking advantage from, prompting a need for...
New CPRA Regs are here again! California Privacy Protection Agency issues new amendments to the CPRA regs for discussion in its upcoming December 8 meeting. What...
A new member has joined the INPLP: Bora Yazıcıoğlu (Turkey) YAZICIOGLU Legal is an Istanbul-based technology, media, telecommunications, data protection/cyber security and commercial law...
Understanding data transfers and data transmissions under Mexican Data Protection Law You may want to avoid getting lost in translation when preparing a data transfer to or from Mexico. We have different names to...
Chile on the way to GDPR standards Even though Chile was the first Latin American country to have a data privacy regulation and has developed one of the most successful...
WHO IS ACCOUNTABLE WHEN THE COMPANY SUFFERS A CYBERATTACK? Managing cyber attacks has always been a complex task and, in almost every scenario, it implied the dismissal of the CISO of the...
Data Protection vs. Anti-Doping Measures - Advocate General Ćapeta Perspective This case highlights the challenging balance between safeguarding data privacy and preserving the integrity of sport through...
Cyber Security Breaches in Hong Kong: A Growing Trend and a Call to Action Hong Kong is grappling with a surge in cyber security breaches, prompting the authority to take proactive measures. This article...
Hungary is prepared to introduce a new act which would further digitize the services provided by the state to its citizens The new Hungarian Digital Citizenship Act would make communication with public administration, as well as management of official...
Privacy of war crimes victims The right for Privacy is a fundamental right according to Israeli law but it is a relative right. How should State interests to...
This is how Costa Rica closes 2023 in terms of privacy and data protection 2023 has been a year of growth and learning for Costa Rica in terms of privacy. Two takeaways on local supervisory authority...
Extraterritorial Implications of Turkish Data Protection Legislation This article explores the regulatory landscape for data controllers located outside Turkey and their obligations under the Turkish...
CaliforniAI: New Executive Order takes on Generative AI California Governor, Gavin Newsom, issues Executive Order on Generative AI, which echoes some points in the recent Texas and...
Constitutional Court: The Criteria for Access to Traffic Data Too Loose Slovenia’s Constitutional Court found the provisions of the Criminal Procedure Act (CPA) enabling the prosecution (police) to access...
A thin line between a typo and a data breach: A case study in enhancing data security practices In a recent case, the Serbian Commissioner for Information of Public Importance and Personal Data Protection issued a cautionary...
Finding the balance between fighting crime and privacy: an Update to the use of Metadata in Criminal Prosecution On October 13, 2023, the Portuguese Parliament approved an updated version of Law No. 32/2008, which had been declared...
Insurance company fined SEK 35 million for security failures and putting data subjects’ data at risk. The Swedish Authority for Privacy Protection issued an administrative fine of SEK 35 million (3MEUR+) against the insurance company...
AUSTRIA: Is legal advice by software solutions and/or AI permitted in Austria? In its judgment 4 Ob 77/23m from 27th June 2023 the Austrian Supreme Court, among other things, ruled that the provision of...
ChaptGPT: the Italian Data Protection Authority leads the way and imposes GDPR compliance. The Italian Data Protection Authority recently gained international attention for being the first to address the privacy risks of...
Czech Data Protection Office record breaking penalty for spam The Czech Data Protection Office (Úřad pro ochranu osobních údajů or ÚOOÚ, further as “CZDPA”) is the authority supervising...
Waiting for Cjeu Ruling in the Matter of “Deutsche Wohnen” (C-807/21) Since the end of December 2021, the preliminary ruling of the European Court of Justice (CJEU) on the conditions under which an...
Unveiling some salient features of Nigeria’s novel Nigeria Data Protection Act (NDPA) 2023. For a period, the Nigeria Data Protection regulation (NDPR) 2019 was the reference point for data privacy and protection compliance...
AI Act and GDPR: managing the world of data in the world of privacy. Contrary to some persisting beliefs that the AI Act and GDPR are inherently incompatible, GDPR may in fact be interpreted in a way...
Generative AI and the Protection of Personal Information under the Japanese Law While generative AI has been getting attention in business, there has been a concern on the protection of personal information when...
Cross-Border Data Transfer: Navigating Compliance under the Nigerian Data Protection Act 2023 The recently enacted Nigeria Data Protection Act (“the Act”) 2023 is now the principal data privacy and protection legislation in...
Brazil's innovative approaches to data protection: the main differences between GDPR and LGPD. The General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Act (LGPD) are two comprehensive data...
AdTech Update: CJEU landmark data protection ruling for online and behavioral advertising Online advertising is one of the largest online industries. However, it also has long faced issues with data protection regulators....
Romanian Whistleblowing Law. About Protecting Data while Fostering Transparency Romania transposed the EU Whistleblowing Directive on 22 December 2022, via Law No. 361/2022 on the protection of whistleblowers in...
Loud and Clear! CNIL sends strong privacy with new €40 million fine of CRITEO French Data Protection Authority, the CNIL, has fined advertising company CRITEO €40 million for improper conduct in handling users’...
Data transfers across the Atlantic… a storm in a teacup?! The European Commission's new adequacy decision concerning the United States puts a stop to the European doctrine that was taking...
The Polish Supreme Administrative Court concluded “Morele.net saga” In its judgement from February 2023, the Supreme Administrative Court of Poland announced a significant decision from 2019 of the...
Barbados urges banks to bolster cyber resilience with new guideline The Central Bank of Barbados recently published its Technology and Cyber Risk Management Guideline. Not only does the Guideline...
New Guidelines With Updated Obligations on Cookies in Spain: Companies Have Just a Few Months to Adapt Their Websites The Spanish DPA (AEPD) published earlier this week new guidelines on cookies in order to update the existing ones to the...
Data Privacy in Peru: Considerations for foreign personal data controllers with no physical presence in the Peruvian territory. As in the case of other Latin American and European jurisdictions, the scope of data protection rules in Peru has been designed to be...
“Another breach in the wall” – the Polish DPA’s views regarding data security and notifying data breaches under the GDPR In the ever-evolving landscape of data protection and privacy regulations, organizations must remain vigilant in upholding the...
Recommendations for reliable artificial intelligence Argentine Information Technology Subsecretariat approves a set of recommendations for trustworthy artificial intelligence (“AI”),...
Serious Criticism and Injunction Issued for using Facebook Business Tools The Danish Data Protection Authority, Datatilsynet, has issued severe criticism of Boligportal, Denmark's largest online marketplace...
Is the Austrian Communication-Platforms-Act contrary to EU law? On 8th June 2023 the ECJ’s Advocate General, Maciej Szpunar, delivered his opinion in the Case C-376/22, concerning the conformity of...
A new member has joined the INPLP: Ibrahim Can Cayirpare (Turkey) CVG Law Firm is an Istanbul-based law firm offering legal consultancy and dispute resolution services to foreign and Turkish...
A new member has joined the INPLP: Macarena Gatica (Chile) Alessandri is one of the most prestigious law firms in Chile. Its services meet the entire range of legal requirements of local and...
Another new direction: UK reintroduces the Data Protection and Digital Information Bill, but what's changed? On 8 March 2023, the Department for Science, Innovation and Technology ("DSIT") introduced the Data Protection and Digital...
The cost of non-compliance with the GDPR – the Data Protection Commission issues a record fine of €1.2 billion against Meta Ireland On 22 May 2023, the Irish Data Protection Commission (DPC) announced the conclusion of its inquiry into Meta Platforms Ireland...
Bulgarian DPA Introduce Deep Audits as a Standard Practice in Cases of Data Breaches Bulgarian DPA is currently applying on a regular basis a new procedure in cases of data breach notifications which includes complex...
Curricula vitae vs Transparency equals? Do political appointments fall under data privacy? The type of information we need to know Publication of the CVs of persons holding public office serves the principle of...
Data Subject Requests Under Turkish Data Protection Law The Law on Protection of Personal Data w. no. 6698 (“DPL”) contains data subject rights that are similar to those that can be found...
A new member has joined the INPLP: Daryl A. Palmer (Jamaica) Palmer Legal provides best in class legal services with a human centered approached. They believe in listening to the client and...
Biometric Data and their “sensitivity” under Mexican Data Protection Laws Mexico has not yet explicitly included biometric data as a special category of personal data (or sensitive data), but this has not...
Sweden: The EU implements the Travel Rule for transfers of crypto-assets The so-called “Travel Rule” will soon be extended to cover transfers of crypto-assets following the approval of the revised Transfer...
Norway: The Norwegian DPA bans the government’s collection of supermarket data for statistical purposes Statistics Norway (SSB) is a Norwegian government agency that is responsible for development of official statistics for public...
Smile, you're being recorded! Following the American and European trend, Portugal is now one of the countries that has determined the use of Bodycams by security...
As the last EU state, Slovenia passed Personal Data Protection Act As of 2023 data privacy in Slovenia will be governed by the newly passed Personal Data Protection Act (ZVOP-2), which aims to bring...
What steps should employers take when publishing the labor act on the notice board to comply with labor act publication regulations in Serbia? According to the Labor Law of the Republic of Serbia, if an employee refuses to accept at the premises of the employer a document...
New Cookie Regulations in Japan – Amendment of Telecommunications Business Act The Telecommunications Business Act (“TBA”) is a law administered by the Ministry of Internal Affairs and Communications of Japan....
Authority is planning to overhaul the decade old data protection regime in Hong Kong – business should prepare for changes The Hong Kong Privacy Commissioner for Personal Data has release signs of revamping the data protection regime in the region that...
Brazilian DPA can start to apply fines now After two years of the law in force, and a countless actions to ensure compliance with the data protection regulation in Brazil, the...
The Data Protection Commission’s 2022 Annual Report On 7 March 2023, the Data Protection Commission (“DPC”) released its 2022 Annual Report. We have summarized the key points from the...
2022 was a busy year for all privacy practitioners. This active spirit did not skip over Israel and its citizens Among the privacy changes some interesting Legislative amendments were proposed to the Israeli Privacy Protection Law (correction...
Transparency in the sights of the Luxembourg data protection Authority As in the past, the Luxembourg data protection Authority (the “CNPD”) launched in 2020 a thematic investigation on transparency...
I Meta Tracking Tools Illegal – Austrian Data Protection Authority Holds That the Use Directly Violates the Gdpr and the “Schrems II” Decision The Austrian Data Protection Authority (DPA) decided (6th of March 2023, D155.028, 2022-0.726.643) that the use of the Facebook...
Facebook is in trouble again … … And this time it’s not Max Schrems who’s behind it. On March 15, 2023, the Amsterdam District Court ruled that Facebook Ireland...
Am I My Brother’s Keeper? Understanding the Importance of Data Protection Compliance Management in Processing Chains: Key Takeaways from the CJEU’s “Proximus”...
The privacy risks of the “virtual friend”: the Italian DPA clamps down Replika The Italian Data Protection Authority (“Garante Privacy”) has ordered the limitation of the data processing activities carried out by...
The ‘Chat GPT Effect’ – Parsing Privacy and AI Regulation in India The increasingly common use of AI in our daily lives raises multiple concerns, particularly around data privacy and regulatory...
2022 and 2023 in Baltic Data Protection At the end of January, we celebrated Data Protection Day. To mark that annual occasion, TGS Baltic’s Data Protection Team compiled an...
China first attempt to regulate deepfake-like risks. China recently released an administration regulation on the use of deep synthesis technologies and their use on the internet. The...
Online identifiers are not always personal data The Voivodeship Administrative Court in Warsaw recognizes online identifiers, including cookies, should not be automatically...
Cyber insurance: the French legal framework is changing France makes the payment by insurers in case of cyber attacks conditional upon the prior filing of a criminal complaint within 72...
The Guidelines on Use of Cookies in Turkey The Guidelines on Use of Cookies (the “Guidelines”) was published by the Personal Data Protection Authority (the “Authority”) on June...
Non-material Damage for Data Protection Breaches before the Irish and EU Courts – Clarity Ahead? Data protection claims are in the dock. The Irish Circuit Court has temporarily halted proceedings for non-material damage claims...
The Digital Operational Resilience Act (DORA) The Digital Operational Resilience Act (Regulation (EU) 2022/2554) solves an important problem in the EU financial regulation, as it...
A new member has joined the INPLP: Bartlett D. Morgan (Barbardos) Chancery Advocates is an innovative and progressive dispute resolution set, focused on corporate and commercial matters. Chancery...
A new member has joined the INPLP: Laura Fannin (Ireland) Hayes solicitors provides a comprehensive range of legal services to corporate, public and private clients in Ireland and...
The interplay between contractual relations and the GDPR’s security principle: A lesson from France Security breaches and data loss are a core concern of any controller or processor. What possible avenues of redress can a Controller...
First European Report on the Use of Cloud Computing in the Public Sector From the Privacy Perspective The Spanish DPA (AEPD) just published the conclusions of this first European report, coordinated by the European Data Protection...
The largest bank in Denmark - Danske Bank - is set to be fined DKK 10 million (approximately € 1.35 million) The Danish Data Protection Authority has found that the largest bank in Denmark - Danske Bank - has failed to demonstrate that it has...
Data Controller Registry Requirement in Turkey In accordance with Personal Data Protection Law No. 6698 (the “DPL”) and the Regulation on Data Controllers’ Registry (“Regulation”),...
Do you think that a black van serves only transportation purposes? Well, maybe you want to reconsider your opinion! How Cyprus found itself in the epicenter of the spy scandal in Greece
The lists for financial support for vulnerable categories of citizens must be removed from the web sites of the competent authorities. The lists for financial support for vulnerable categories of citizens may be available to the public only during the duration of the...
Personal Data Protection Act: Ecuador’s Current Challenges A highly advanced Personal Data Protection Law to become into force on May 31st 2023, brings some challenges to Ecuador’s economy...
The year of “Google Fonts” warning letters Last year, there were some positive developments in related to data protection law. Unfortunately there were also bad ones in which...
Is There Any Legal Protection for the Personal Data of a Tourist in Nigeria? Article 1.2 of the Nigeria Data Protection Regulation (NDPR) 2019 provides the extent and limit of the territorial application of the...
The French doctrine on the use of the cloud tested against free American solutions for education After a member of the French Parliament warned about the potential unlawfulness of using Office 365 and Google Workspace for free in...
Facial Recognition Technology and Data Protection: How to comply? The development of facial recognition technology has introduced many possibilities to increase cybersecurity, productivity, and...
‘Mere Upset’ Not Sufficient for GDPR Compensation Claims On 6 October 2022, Advocate General Manuel Campos Sánchez-Bordona issued an opinion concerning the right to compensation for...
Activity of the personal data supervisory authority of Monaco in 2021 The Personal Data Supervisory Authority (hereinafter "CCIN") has published its 13th Activity Report covering the year 2021. This...
Responsible use of AI based tools in medical diagnosis and treatment – the AI sandbox In 2021, the Norwegian Data Processing Authority (DPA) established a regulatory test environment (“sandbox”) for Artificial...
The Panamanian Data Protection Law The Data Protection Law entered into force in March 2021, two years after its publication on March 29, 2019. This law -although...
Data Protection and Press Freedom in the panamanian framework In 2022, the Panamanian Data Protection Authority sanctioned the digital media for publishing a public document without the consent. ...
Transfers of personal data in early stages of technology transactions or M&As. As part of negotiations, due diligence, preliminary reviews and analysis, a party may request or need certain information containing...
UK ICO's new approach to publishing details of complaints, breach reports and reprimands The UK Information Commissioner's Office (ICO) has started routinely publishing information about complaints made against...
Canada’s Proposed Artificial Intelligence and Data Act (AIDA) This article summarizes the substantive highlights and legislative progress of the proposed Artificial Intelligence and Data Act...
Bulgarian DPA on the Admissibility of Ongoing Access to Municipality’s Video Surveillance Bulgarian DPA issued an opinion on the questions from a Bulgarian City Municipality regarding requested ongoing access from the...
Argentina - Changes in the Classification and Ranking for Infringements to the Personal Data Protection Law Trough Resolutions No. 240/2022 and 244/2022 the Agency for Access to Public Information through Resolutions No. 240/2022 and...
A new member has joined the INPLP: Boris Kozlevcar (Slovenia) JK GROUP is a legal and tax consulting company located in Slovenia, focused on south-east European countries. They are specializing...
What information needs to provided when personal information will be processed by Artifical Intelligence? If an entity collecting data is not fully transparent about the information that is being collected and how it will be processed and...
Nothing about #SchremsX: What should companies do while EU bodies discuss the draft US adequacy decision? New US adequacy draft opinion is out. Everyone is talking about #SchremsIII (and IV and X), so I will not. Instead - let's discuss...
Slovenia’s DPA Finds Cloud Computing Provider a (Joint) Controller of Personal Data Slovenia’s Information Commissioner (IC) ordered a cloud computing provider (a public administration body) to enter into written...
Multiple online pharmacies under investigation for the use of Facebook Pixel The Swedish Authority for Privacy Protection (“the Swedish DPA”) is currently investigating four online pharmacies in Sweden for...
Analysis of the recent activity of the Portuguese Supervisory Authority - What to expect? It has been perceived that the sanctioning activity of the Portuguese Supervisory Authority has been fundamentally focused on public...
Biden’s Executive Order – A UK Perspective This article discusses the content of and responses to President Biden’s executive order implementing the new EU-US Data Privacy...
Data Act – one of the key regulation proposals for the EU data economy of the future Data is certainly a valuable commodity for the digital economy and society. As part of the 2020 European Data Strategy, the European...
A new member has joined the INPLP: Burak Ozdagistanli (Turkey) Ozdagistanli Ekici is a leading independent firm located in Istanbul with an impressive track record in IP and IT matters. The firm...
Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law: what are impacts on data protection? Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report...
Right of access to data: the Italian Data Protection Authority fines company 70,000 euros for failure to respond fully. The Italian Data Protection Authority (“Garante Privacy”) has imposed a fine of 70,000 euros on a data controller for failing to...
PPC Introducing a Data Mapping Toolkit for Privacy Protection The Personal Information Protection Commission (“PPC”), recently published a data mapping tool kit, while using cross-border transfer...
The 7th INPLP conference The 7th INPLP Conference was successfully held in Vienna under the auspices of EuroCloud Europe and organised by Sourcing...
Copenhagen-based law firm fined for failing to implement basic security measures A Copenhagen-based law firm has just been fined DKK 500,000, approx. EURO 67,150, for failing to implement basic security measures...
Standard Contractual Clauses for Cross Border Data Transfers in Hong Kong and Mainland China Businesses around the world now face strict rules governing the cross-border transfer of personal data. Like as has happened in...
Modernizing Canada’s Federal Privacy Law This article discusses Bill C-27, the recently introduced Federal legislation to update Canada’s private sector privacy law. The bill...
How India’s new draft Telecom Law may impact Data Privacy India recently released a new draft Telecommunications Bill, 2022, which is currently open to public consultation. This Bill would...
EU Regulators Elevate the Threshold of Compliance around Data Subject Access Requests. The European Data Protection Board and the Irish Data Protection Commission have recently published guidelines for businesses in...
China's Measures for Security Assessment for Outbound Data Transfer China’s Measures for Security Assessment for Outbound Data Transfer came into effect on 1 Sep 2022. The Measures require risk...
Same data protection guarantees around the world? The privacy team of ECIX GROUP has carried out a comparative analysis focused on the existing different data protection regulations...
A new member has joined the INPLP: Alexandra Orbezo (Peru) Rebaza, Alcázar & De Las Casas has a team of lawyers that is dedicated to advising local and international clients on complex issues,...
Ecuadorian Digital Transformation Policy: Data Protection implications The current Ecuadorian government is about to issue a new digital transformation policy. Once the working tables have closed, the...
The CNIL reminds us of the rules on e-marketing and the rights of individuals Companies have long used e-marketing to facilitate their development and attract new customers, and in our digital world, reliance on...
The Baltic DPAs to carry out joint supervision in the field of short-term rental of vehicles This summer, the data protection authorities (DPAs) of the three Baltic States – Estonia, Latvia and Lithuania – announced that they...
A new member has joined the INPLP: Andrés Terán (Ecuador) Heka Law was created with the aim of offering legal services through practical and intelligent solutions that contemplate a...
Reference to trade secret outruled as a reason to deny access to voice recordings in Hungary The Hungarian data protection authority confirmed in a new case that the controller cannot block access to voice recordings by...
The Metaverse and privacy: guidance by the spanish data protection authority The Metaverse uses a variety of technologies such as AR and VR, DLTs (Blockchain), AI, IoT, IoRT, 5G, that enable the creation of...
Careful where you point that thing: the right to be forgotten is picky when it comes to targeting The right to be forgotten is one of the most frequently referenced and misunderstood parts of the GDPR. Like most data subject...
Data Protection Law and the culture change in the laboral routines of companies: the use of the data protection theme as a strategic tool Despite being clear that Brazil’s Data Protection Law (”LGPD”) applies to employment relationships, it is not usual to discuss the...
FOUR YEARS OF GDPR: The Danish approach to data protection, or absence thereof? 25th May 2022 marked the 4th anniversary of the entry into force of the General Data Protection Regulation (GDPR) and the...
Bulgarian PDPC adopted a list of processing operations requiring prior consultation Bulgarian PDPC has adopted a list of processing operations that require prior consultation which is addressed to the authorities...
Largest cyber attack in the history of Costa Rica: Does the state of emergency continue? On May 11, 2022, the Costa Rican government declared a National State of Emergency throughout the public sector for cybercrimes...
The Annual Report for 2021 of the Macedonian Personal Data Protection Agency is released Compared to the previous year, the number of supervisions carried out in 2021 by the Macedonian Personal Data Protection Agency is...
A New Direction for UK Data Protection Law: the Data Protection and Digital Information Bill The UK government’s Department for Digital, Culture, Media & Sport ("DCMS") has published proposed legislation that will make...
Decision of the Slovak court regarding requested disclosure of personal data In today's society, the issue of fulfilling the characteristics of personal data is the subject of many disputes as well as legal...
A brief overview of the legal framework for the use of cookies on websites in Austria The question of cookies and data protection is always present, but what are cookies, are they always person-related, what is the...
Use of Google analytics (still) breaches the GDPR – austrian data protection authority rejects risk based approach The Austrian Data Protection Authority (DPA) decided in another decision (22nd of April 2022, D155.026, 2022-0.298.191) that the use...
Slovenia: Publication of an E-mail Address not a Waiver of the Right to Privacy The Constitutional Court of the Republic of Slovenia annulled the criminal conviction for the development, advertising, and selling...
Klarna Bank AB - the importance of transparency in privacy notices Earlier this spring, the Swedish Authority for Privacy Protection issued an administrative fine of approximately EUR 724 000 against...
Can an employer ask the candidate to provide him with a court certificate that criminal proceedings are not being conducted against him When establishing an employment relationship, employers often ask the candidates for a court confirmation that no criminal...
A new member has joined the INPLP: Fabian Solis (Costa Rica) Aguilar Castillo Love’s vision for their role as a law firm is borne of their heritage. Their ethos is drawn from many models,...
Finding a balance between fighting crime and privacy – the use of metadata Last April, the Portuguese Constitutional Court declared unconstitutional the provisions of articles 4, 6, and 9 of Law 32/2008 of...
Can a controller rely on legitimate interest in Nigeria? Legitimate interest is one of the lawful bases for processing personal information. However, the Nigeria Data Protection Regulation...
Monaco: New legislation on the protection of personal data eagerly awaited The government's bill for a major reform of Monaco's personal data protection legislation is currently being examined by the...
The use of CCTV in light of the Luxembourg National Commission for Data Protection’s sanctions. In 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued 48 decisions following assessments. 18 of these...
Access Granted: DSAR changes for data controllers granting access to health data Updated regulations in Ireland regarding data subjects' access to their health data emerged in March 2022. The new regulations have...
AP applies incremental penalty authority to the fullest It is the first time in history that the Dutch Data Protection Authority (DPA) has identified six violations of the GDPR in only one...
Cross Border Transfers: Recent Developments Generally, data transfers to third countries are prohibited unless the receiving country has received an adequacy decision from the...
A new member has joined the INPLP: Lia Hernández Pérez (Panama) Legal IT Abogados is the first legal boutique specialized in Digital Law in Panama. They offer legal solutions in the world of...
Shaping the limits of the Right to be Notified in 2022 Israel. The Israeli Privacy Protection Authority recently published a new memo aimed to clarify the scope of interpretation of the obligation...
Facial recognition systems: 20 million fine against the American company Clearview. "Not everything that is technically possible is legally and ethically lawful." These are the words of Guido Scorza, member of the...
The INPLP is growing worldwide INPLP: We continue our path to success and are pleased to welcome our new members from Mexico and Panama and thus further expand our...
5th INPLP online Webinar Topics of this meeting were:MEET&GREET: New member Héctor Guzmán (MEXICO)BELEN: Next EU-US framework for international data...
A new member has joined the INPLP: Héctor Guzmán-Rodríguez (Mexico) BGBG provides solutions and highly specialized advice in an agile, clear, and sincere manner, generating positive results for their...
Seven Key figures from the Irish Data Protection Commission’s 2021 Annual Report On 24 February 2022, the Data Protection Commission released its 2021 Annual Report (the “Report”) running to over one hundred pages....
Data retention overturned? Aftermath to the private sector? The European Court of Justice has not just brought its settled case-law on data retention in line. Furthermore the ECJ also provides...
Argentina's Data Protection Authority publishes its 2021 Annual Report Argentina’s data protection authority, the Agency of Access to Public Information, i.e. the controlling authority pursuant to Data...
Can audio surveillance be justified? At the end of 2021, the Estonian Data Protection Inspectorate (DPA) issued a precept to a gas station using audio surveillance in its...
China’s New Regulations on Controlling Algorithmic Recommendations in Applications The Cyberspace Administration of China (CAC) has circulated the Regulations on the Management of Algorithm Recommendations for...
Three criteria for the elaboration of the Regulation to the Ecuadorian data protection law Ecuador continues to build its personal data protection system, for which those responsible for developing the regulation must...
Unpacking the New Privacy Regime in India: The When, Who, What, and How? The new Indian Privacy law mimics GDPR when it requires a ‘privacy by design’ architecture, sets up a central data protection...
The destruction of the algorithm: the new sanction for breaching the GDPR? Since 2019, The Federlñ Trade Commission (FTC) has been seeking ways to punish the new digital unfair practices, consisting on...
Personal data protection in Ecuador, a few steps forward The process of designating the Personal Data Protection Authority, the next milestone in the construction of the national data...
CCTV monitoring and the practice of the Hungarian DPA CCTV monitoring has long been a key field for the Hungarian DPA. The article summarizes the DPA’s practice, as well as the related...
Expensive update for Tesla: Car seller liable for failing to provide essential information In September 2021, Munich’s regional court (the LG Munich) awarded a plaintiff 130,446 euros in damages. A vehicle purchased by the...
Schrems II resolved? Unpacking the EU-US Trans-Atlantic Data Privacy Framework The United States and the European Commission have agreed in principle to a new Trans-Atlantic Data Privacy Framework (the...
Important concepts in cross-border transfer of data from China The Data Security Law (“DSL”) and Personal Information Protection Law (“PIPL”) of mainland China, which came into force last year,...
First European Code of Conduct for the pharma industry approved A Code of Conduct regulating the processing of personal data in the field of clinical trials and other clinical research and...
CNIL orders 3 websites to stop using Google Analytics The French supervisory authority has adopted 3 formal notices against famous French websites requiring them to stop using Google...
The Polish DPA rules about the right to access the personal data contained in trackers The Polish DPA (the President of the Personal Data Protection Office, further as "the Polish DPA") has reprimanded a webiste operator...
INPLP Activity Report 2021 published The past year was immensely impactful for the INPLP and characterized by strong collaboration, hard work, continued growth of the...
The Telecommunication Telemedia Data Protection Act – a new “cookie law” for Germany On 1 December 2021, the Telecommunication Telemedia Data Protection Act (“TTDSG”) came into effect. Amongst others, it was meant to...
A new member has joined the INPLP: Rob Corbet (Ireland) Rob Corbet is a Partner and Head of Technology & Innovation at Arthur Cox. He leads a market leading team dedicated to specialist...
Dutch GDPR class action against Oracle and Salesforce declared inadmissible The first major GDPR class action under the Dutch Act on Mass Damages Settlement in Class Actions (WAMCA) has been declared...
Representation of data processors under the new Swiss Data Protection Act (FADP) Switzerland has made an effort to renew its Federal Act on Data Protection (revFADP) in order to modernise its data protection law...
Clearview AI: Alignment in Global Enforcement Approach Investigations into US facial recognition firm Clearview AI by Canadian regulators and UK/Australia yeilded similar findings...
Bulgarian Supreme Administrative Court with Decision on Processing Data for Journalistic Purposes Bulgarian Supreme Administrative Court issued a decision setting out criteria relevant for assessing the balance between the right to...
What has to be in a copy? – Art 15 GDPR on the European test bench The first preliminary ruling of the Federal Administrative Court concerning information proceedings For the first time since the entry into force of the General Data Protection Regulation, the Federal Administrative Court has...
Supermarket chain fined for breach of data security duty Argentina’s data protection authority, the Agency of Access to Public Information, i.e. the controlling authority pursuant to Data...
Securing privacy compliance for Virtual Voice Assistants Virtual Voice Assistants (“VVA”) continue to grow in popularity as the precision of the technology improves. The European Data...
2021 in GDPR fines The EU General Data Regulation (GDPR) is among the world's toughest data protection laws. In this article you will have a general...
Activity of the Personal Data Supervisory Authority in Monaco The Personal Data Supervisory Authority (hereinafter "CCIN") has published its 12th Activity Report covering the year 2020. This...
A new member has joined the INPLP: Katie Hewson (United Kingdom) Stephenson Harwood is a law firm with over 1100 people worldwide, including more than 180 partners. They assemble teams of bright...
UK’s proposed data protection reforms - a step in the wrong direction? The proposed reforms to data protection laws by the UK government are ones that have been longed promised in a post-Brexit world and...
New members have joined the INPLP: Vikram Jeet Singh and Prashant Mara (India) BTG Legal is a disputes and transactional law firm with best-of-breed technical expertise, a culture of innovation, and an...
PROCESSING COVID-19 VACCINATION DATA OF EMPLOYEES IN ROMANIA: OPTIONS AND EXPECTATIONS The processing of COVID-19 related health data is certainly a hot and/or unsettled legal matter everywhere in the world. This article...
Ecuador is building its future on data (protection) Ecuador joins the party of personal data protection with the issuance of its new law on the subject and leaves the group of regional...
Athletes' Performance Data & Project Red Card This article provides an insight to the ever increasing market of performance analysis and the intersection with athlete's...
The new Slovak Electronic Communication Act shall change opt-out regime to opt-in regime for cookies The use of cookies will therefore no longer be linked to the passivity of the users concerned (opt-out). Anyone who stores or obtains...
Use of Google analytics violates the GDPR - Recent decision of the austrian data protection authority The Austrian Data Protection Authority (DPA) decided in a recent groundbreaking decision (22nd of December 2021, D155.027...
The Norwegian Data Processing Authority issues USD 7.2 million fine to U.S. company Grindr LLC Following an investigation carried out by the Norwegian Consumer Council, the Norwegian Data Processing Authority on 13 December 2021...
New members have joined the INPLP: Charlotte Gerrish and Anthi Pesmazoglou (France) Gerrish Legal offers Enterprise Solutions, Law Firm Services and Automated Law to clients being a multi-national company, a small to...
Data posted on Facebook vs GDPR in the light of the Warsaw WSA judgement What the exemption from the application of the Regulation due to private and domestic purposes is? Polish Regional Administrative...
A new member has joined the INPLP: Christian Espinosa Velarde (Ecuador) ECIJA GPA is recognized by prestigious international legal classification and research directories, offering legal services in all...
Constitutional Court: No IP address to be Revealed Without a Court Order The Constitutional Court of the Republic of Slovenia annulled the criminal conviction for an online defamation, which was based on...
Are you a controller or a processor? Assess carefully. It often happens that we get confused by the difference between a controller and a processor. The problem may arise when a controller...
Why Is Nigeria’s Obligatory Mandate And Safeguards On International Data Transfer Topical? Transfer of data has become a major subject of international trade, and understanding the prerequisite for such transfer is...
6th INPLP conference – great success The 6th INPLP Conference was successfully held in Vienna under the auspices of EuroCloud Europe and organised by Sourcing...
Malta amends its rules relating to personal data processing in education Malta has recently amended its rules in relation to the processing of personal data in the educational sector. ...
SCCs and CoCs and BCR – Untangling the Web and Spotting the Difference Under GDPR, data export to third countries is only permitted if the conditions under Chapter 5 are met. The adequacy decision by the...
New draft law on the "right to be forgotten" for those who have overcome serious illness Last October, the Portuguese parliament approved in a final vote a draft law that establishes the "right to be forgotten", preventing...
China’s New Data Laws China has recently introduced two new data laws which as well as bringing the rules in relation to personal data in China up to date...
When AI met privacy How to fulfil the data protection obligations when using artificial intelligence? One of the main issues of concern is the use of...
New guidelines on teleworking by the Greek Data Protection Authority Responding to the extensive and intensive remote working during the Covid-19 pandemic and the risks that are lurking for employees’...
Class actions against big tech in the Netherlands Big tech is getting sued for billions. What are these claims based on and who is supporting them? A short article on the recent...
Back to work: open sesame! The health situation in Luxembourg has been stable for several weeks now which allows for a possible return to a pre-crisis...
Additional Six Months Period For Implementation Of The New Law On Personal Data Protection Facing the fact that the complaince with the new Law on Personal Data Protection was not in line with the planned dynamics, the...
Cry and pray some more: Garante issues Schrems II decision Garante prohibits further data transfer and fines university 200,000EUR and for SchremsII failures in retaining a US based processor...
Third Amendment of the Japanese Privacy Law – Amendment based on the Digital Arrangement Act The Digital Arrangement Act was promuglated on May 19 of this year, which requires the Act on the Protection of Personal Information...
Ministry of Health of the Province of San Juan Receives Sanction for Database Vulnerability Argentina’s data protection authority, the Agency of Access to Public Information, i.e. the controlling authority pursuant to Data...
Tracking of employee location data is a significant violation of privacy according to the Israeli Privacy Protection Authority In recent years, and especially in recent times when remote work has become more common, the practice of employers using...
New Rules on Automotive Data Security to be Effective on 1 Oct 2021 The Cyberspace Administration of China (CAC) has circulated the Provisions on the Management of Automotive Data Security (Trial) 2021...
GAFAM or not GAFAM, that is (still) the question? After the “Schrems II” decision of the European Court of Justice invalidating the Privacy Shield framework and raising further doubts...
Part II: What Could Privacy Reform Look Like in Canada? Insights from Bill C-11 Bill C-11 died on the order paper in August when the Canadian federal election was called. In this article we explore how the...
The Spanish Data Protection Authority (AEPD) publishes its Annual Report summarizing last year’s activities including enforcement cases This Annual Report comprehensively collects the activities carried out by this institution, most relevant facts and figures,...
Polish administrative court rules that the GDPR does not grant power to the data protection to order the disclosure of personal data to third parties at their request The Provincial Administrative Court in Warsaw ruled that Polish Data Protection Supervisory Authority is not competent to order a...
New Italian cookie Guidelines: this is how the regulation of users' browsing data changes. On 9 July 2021, the Italian DPA released the new guidelines on the use of cookies. The purpose of these new guidelines is to achieve...
Nothing to risk – data transfers to third countries under the GDPR Due to their extreme importance in an increasingly digitalised and globalised economy, data transfers to third countries have been in...
First GDPR code of conduct for a European sovereign cloud The CISPE code of conduct simplifies data processing contracts under the GDPR and lays the foundations for a sovereign cloud. ...
Data breach in the Estonian Information System Authority results in photos of almost 300,000 people stolen A hacker was able to obtain the identification document photos of almost 300,000 people from a state database. Criminal...
New members have joined the INPLP: Marie-Hélène Tonnellier and Charlotte Barraco-David (France) Latournerie Wolfrom Avocats (LWA), a multidisciplinary and independent business Law Firm, is recognised for its technical expertise,...
Ecuador: 3 challenges to progress and avoid the nightmare The first ecuadorian data protection law have just came into force the last May 26th. Ecuador now starts a long and decesive journey...
Right of access pursuant to Art. 15 GDPR – News from Germany Germany’s Federal Court of Justice decided on the scope of data subject’s rights under Art. 15 GDPR - and set certain limits....
Blockchain and the GDPR: Clash of the Titans At the legal intersection between the emerging distributed ledger technolgies and data privacy a lot has been said and written in...
FDPIC publishes guidance on auditing the transfer of personal data abroad The Federal Data Protection and Information Commissioner (FDPIC) has published in its new guidance how to proceed with data transfer...
Technical Cooperation Agreement between the National Data Protection Authority (“ANPD”) and the Brazilian Antitrust Authority (“CADE”) Following one of ANPD’s main goals set out in its strategic agenda for 2021-2023, which includes establishing an effective regulatory...
Request for Preliminary Rulings on Data Controllers Liability in Case of a Data Breach The Bulgarian Supreme Administrative Court has referred several questions to the CJEU regarding preliminary rulings on the liability...
A new member has joined the INPLP: Pablo Arteaga (Ecuador) M. Bodero & Asociados is an Ecuadorian Law Firm, specialized in investment issues, complex transactions, business conflicts,...
Damages For GDPR Violation – Austrian Supreme Court Refers Several Questions To Court Of Justice Of The European Union (Cjeu) The Austrian Supreme Court paved the way for a more coherent interpretation of the GDPR regarding damages by initiating the...
Data protection in teleworking context. Romanian perspective The pandemic context has accelerated the use of telework and triggered a shift towards additional flexibility of work that will most...
Based on the appeal of the controller, the imposed fine for several GDPR violations has been increased almost 15 times! By filing an appeal against the first-instance decision, the controller worsened its situation when the supervisory body increased...
Tracking the slow demise of third-party cookies – A UK update. Regulatory pressure and heightened consumer concern around the use of third-party cookies to track users online and to deliver...
Argentina's Data Protection Authority publishes its 2020 Annual Report Argentina’s data protection authority, the Agency of Access to Public Information, i.e. the controlling authority pursuant to Data...
Recent decisions of the Austrian Data Protection Authority (DPA) The pandemic year did not make data protection obsolete. Instead, a large amount of personal data was collected and processed in...
"Schrems - Counter-Schrems" New Bill sets to Impose Limitations on Transfers of Personal Data FROM the US to countries to which export of personal data would...
E-Health, Data Protection and Data Security: Legal foundations and practical implementation of data transfer management in the health sector Fitness trackers, electronic health cards, online consultations – the digital age has long since arrived in the world of medicine....
Artificial Intelligence and the Law Francisco Perez Bes (INPLP member representing Spain) has edited the book "Artificial Intelligence and the Law" with the goal to...
New Hungarian regime aiming to reform local digital economy and introduce data wallets Hungary’s new draft Act on National Data Assets introduces a new regime, where data held by state agencies and local governments...
Data Localization Rules Imposed on Social Media Companies in Turkey On Oct. 1, 2020, amendements to the Regulation of Internet Broadcasts and Prevention of Crimes Committed through Such Broadcasts (Law...
China's First DPO-like Pilot Roll-out Similar to GDPR, China’s draft Personal Information Protection Law also requires the designation of a Responsible Person for Personal...
Slovenian Information Commissioner authorises publication of data on Police staff salaries and other personal data Following a strike announcement by two Police unions (over low pay, among other issues), the Ministry of Interior published on its...
The Swedish Authority for Privacy Protection has published its privacy protection report for 2020 In January 2021, the Swedish Authority for Privacy Protection (“IMY”) published its privacy protection report for 2020 (the...
Can an employer use video surveillance to monitor whether its employees abide by preventive measures and wear protective masks? The on-going pandemic of Covid-19 has put many challenges before the society. In order to ensure healthy working environment, many...
INPLP Activity Report 2020 published INPLP continues its path of robust and professional growth and expects to welcome its 100th member in 2022.
A new member has joined the INPLP: Diego Fernandez (Argentina) Marval O’Farrell Mairal was founded in 1923 and is the largest law firm in Argentina. Being a market leader at both local and Latin...
Will co-regulation finally work? The first EU level codes of conduct are approved under the GDPR in Belgium and France Like the old Data Protection Directive, the GDPR allows the private sector to draft codes of conduct to help demonstrate compliance...
The way to the right for employee sobriety checks – Polish perspective The article presents a current issue concerning sobriety data in the context of personal data protection and labour law from the...
New members have joined the INPLP: Dániel Necz and Kinga Madocsai (Hungary) SimpLEGAL is a Budapest-based state-of-the-art digital law firm both in the sense of practice areas and its client service methods....
Portuguese Data Protection Authority activity report 2019/2020 As part of the fulfilment of the duties assigned to it by the General Data Protection Regulation (hereinafter “GDPR”), the National...
Data breach reported to late? That’s a €475,000 fine! The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has imposed a €475,000 fine on Booking.com because the company took...
Enforcement of the GPDR in Luxembourg: an issue at stake? Max Schrems and his organisation NOYB (None Of Your Business) have recently begun a new battle, taking place in Luxembourg! Legal...
Monaco: Overview Of The Prior Control Activity Of The Personal Data Protection Authority (“Ccin”) Since 2020 According to the current Monegasque legislation, the automated processing of personal data is subject to the control of the CCIN...
Amendment on Enforcement Rules of the Japanese Privacy Law The amendment on Enforcement Rules for the Act on the Protection of Personal Information was promulgated on March 26 of this year. ...
A new member has joined the INPLP: Peter Hense (Germany) Spirit Legal is based in Leipzig, although they advise domestic and foreign businesses with an international focus, regardless of...
German Federal Cartel Office vs. Facebook – The one who wins the battle might not win the war The dispute between the German Federal Cartel Office and Facebook continues before the ECJ. This may mean that business models of the...
The challenges related to the transfer of personal data from the perspective of the new Law on Personal Data Protection The purpose of this Article is to provide an overview of the legal mechanisms by which personal data can be transferred from the...
Personal data breach resulting from data subjects' mistakes have to be notified! The Polish Data Protection Authority has imposed on WARTA. S.A, a Polish insurance and reinsurance company, a new administrative...
Scientific research using health data: Is the GDPR in contradiction with FAIR principles? Medical research is becoming increasingly reliant on the analysis of large amounts of biologically derived data. Greater scientific...
EDPB’s Guidelines on the concepts of controller and processor in the GDPR The European Data Protection Board issued the Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version...
GDPR Fines: Ramping up and DPAs Setting standards European Supervisory Authorities imposed more than €158m in fines under the GDPR during 2020; close to a 40% increase on the previous...
When is the right to privacy more important than the right to life itself? In Israel, as in many other countries, the coronavirus is rampant. There are various strategies available to contend with this...
Data breaches in healthcare due to human errors: two hospitals and a Local Health Administration Unit sanctioned by the Italian Data Protection Authority Data breaches are violations of database security that may result not only from cyber attacks, as it is usually assumed, but also...
Hong Kong’s Stale Data Protection Laws When it was introduced twenty years ago, Hong Kong’s data protection law was one of the leading regimes of its type in Asia. But time...
A new member has joined the INPLP: Justyna Matuszak-Leśny (Poland) e|s|b Adwokaci i Radcowie Prawni (e|s|b Legal) is a boutique law firm with an international atmosphere and scale of activity, located...
Does the draft Data Governance Act signal a more economic approach of personal data in the EU? The draft Data Governance Act, which was published by the European Commission last November, aims to foster the availability of both...
Swiss Federal Supreme Court rules: Smart Metering infringes informational self-determination right In one of its most recent decisions, the Swiss Federal Supreme Court ruled on smart metering. It decided that the permanent...
A new member has joined the INPLP: Ana Popović (Republic of Serbia) Živković Samardžić is one of the Serbia’s leading full-service independent law firms. Their 10 partners / 23 lawyers strong team...
Romanian public authorities sanctioned for GDPR breaches Towards the end of 2020, the Romanian Data Protection Authority (ANSPDCP) disclosed on its website information regarding the...
When Can Information On Criminal Records Be Requested By Employers A recent Opinion of the Bulgarian data protection authority and certain legislative changes lead to the conclusion that in Bulgaria...
A new member has joined the INPLP: Kirsten Wolgast (Germany) Pinsent Masons is a full-service international law firm. They respond to the pressures and opportunities facing businesses globally...
Denmark´s first GDPR fine to date On February 12th 2021 the city Court in Aarhus handed down the first verdict in Denmark that has led to a fine based on GDPR. The...
Right to access of origin of the information based on Swiss Federal Act on Data Protection (FADP) The Swiss Federal Supreme Court has made an interesting decision on the scope of the right to information under Swiss Federal Act on...
Schrems II: An opportunity for the Sovereign Cloud As personal data crossborder flows cannot benefit from the “EU-US privacy shield” anymore, as a consequence of the Schrems II...
When privacy became an investment risk. Shall companies report its security incidents to the market? Potential investors are being warned of the negative impact that the GDPR sanctions may have on the expected profitability of the...
No surprise here – the EU Court confirms again that public authorities’ access to telecom data is strictly limited Public authorities’ access to electronic communications data has always been and continues to be a hot topic, even (or especially)...
Dramatic Changes are Coming to the Privacy Landscape in Canada This article discusses how the proposed legislation seeks to strike a balance between protecting consumer’s personal information, and...
Brazil’s Data Protection Law: A Brief Overview Despite being no stranger to data privacy regulation, only recently has Brazil enacted a comprehensive set of rules to regulate the...
Cyprus Data Protection Watchdog imposes fine on major banking institution for integrity and confidentiality violations. On 19 October 2020, The Office of the Commissioner for Personal Data Protection ('the Commissioner') announced its decision to fine...
No GDPR fines for public sector bodies at all? No discrimination, and no problem! The GDPR explicitly allows Member States to determine whether and to what extent administrative fines can be imposed on public...
A new member has joined the INPLP: Wendy Wagner (Canada) Gowling WLG provides its clients with in-depth expertise in key global sectors and a suite of legal services at home and abroad...
A Privacy Law for 25% of the World’s Population: China’s Personal Information Protection Law China published the Personal Information Protection Law (Draft) ("PIPL") for public consultation on 21 October 2020. This is the...
A new member has joined the INPLP: Paul Haswell (Hong Kong) Pinsent Masons is a full-service international law firm. We respond to the pressures and opportunities facing businesses globally...
Can data protection rules affect the assignment of receivables in Bulgaria? For many years, a common practice in Bulgaria is debtors to submit complains to the Bulgarian DPA for unlawful processing of their...
Are fines imposed by the Luxembourg Data Protection Authority for breach of data protection regulations insurable? There is no shortage of recent examples of cyber-attacks and the current COVID-19 pandemic is undoubtedly contributing to an...
A new member has joined the INPLP: Fábio Lacaz (Brazil) ALV Advogados is a mid-sized commercial law-firm established in 2006, with the purpose of assisting domestic and foreign clients in...
Austrian Data Protection Authority Ruling On The Right To Obtain A Copy (Art 15 Para 3 Gdpr) Art 15 GDPR does not only enable the data subject to obtain information on the content of his/her data undergoing processing, but...
Recent decisions of the Austrian Data Protection Authority This article presents interesting decisions on Austrian data protection law, in particular the decisions on (1) disclosure of trade...
Detecting Online Terrorist Content and the Confines of Privacy Terrorist attacks aren’t new: they’ve been a feature of warfare ever since humans formed societies. As humanity evolves, the methods...
A new member has joined the INPLP: Jonathan Kirsop (United Kingdom) Pinsent Masons is a full-service international law firm. We respond to the pressures and opportunities facing businesses globally...
Switzerland’s Data Protection Landscape post Schrems II and Brexit On 25th of September 2020, the Swiss parliament has adapted the Federal Act on Data Protection (FADP). However, the FADP - which aims...
A new member has joined the INPLP: Francisco Pérez Bes and Esmeralda Saracíbar (Spain) ECIX is a consultancy specializing in data protection and regulatory compliance, helping its clients meet the challenges that the...
A new member has joined the INPLP: Jasmina Brezovska and Katerina Rumenova (North Macedonia) BONA FIDE is a full-service corporate law firm based in the Republic of North Macedonia and specialized in general corporate/M&A,...
When use of chat apps and social media platforms backfire on companies and data subjects' rights On 17 December 2020, the Romanian Data Protection Authority (ANSPDCP) has published on its website a new administrative sanction in...
Digital Platformer Regulations in Japan The Act on Improvement of Transparency and Fairness in Trading on Specified Digital Platforms
Letter to the EDPB in response to the recently adopted recommendations published by the EDPB With a letter to the European Data Protection Board (EDPB), the International Network of Privacy Law Professionals (INPLP) made use...
Monaco: the 2019 Report of the Personal Data Protection Authority published The Monegasque Data Protection Authority (hereinafter “CCIN”) has just published its 11th Activity Report covering the year 2019, of...
A Path Forward – Draft Guidance Published For Dealing With International Data Transfers Post-Schrems II In the wake of the decision of the Court of Justice of the European Union (CJEU) in Schrems II, controllers and processors have been...
Scientific Research across Europe. Does the GDPR ensure an aligned approach? The GDPR aims to establish a uniform legal framework applicable to the processing of personal data across Europe, while allowing...
Personal data breaches: guidelines to support data controllers released The Spanish Data Protection Authority (AEPD) has just released a tool to help data controllers decide whether to communicate or not a...
Data Privacy And Protection Regulations In Nigeria Challenges Confronting Implementation Of Data Privacy And Protection Regulations In Nigeria
U.S. Outlines Privacy Safeguards for Post-Schrems II Data Transfers The U.S. government has published a whitepaper that outlines the robust limits and safeguards in the United States pertaining to...
Schrems II recommendations Important recommendations EDPB (European Data Protection Board) after Schrems II and new standard contractual clauses ...
5th annual INPLP conference The International Network of Privacy Law Professionals hosted its 5th annual conference
The Czech Republic: Is There A Possibility To Further Process Legally Published Personal Data That Are Not Open Data? The concept of open data in the European Union was firstly brought up by directive 2003/98/EC on the re-use of public sector...
600.000 EUR fine to Google Belgium for misapplying the right to be forgotten The right to be forgotten is one of the more complex rights in the GDPR, requiring a careful balancing of principles and interests....
Draft Code of Conduct of lawyers, law firms and lawyers’ unions on the processing of personal data issued in Greece Under the GDPR, Codes of Conduct (CoC) constitute an effective accountability tool for achieving self-regulation and transparency of...
Romanian DPA fines the lack of cooperation with the supervisory authority The Romanian Data Protection Authority ("Romanian DPA") has recently sanctioned three entities (two private companies and a...
Slovak country-wide COVID-19 testing from the perspective of personal data protection Slovakia has recently witnessed a significant increase in the number of confirmed COVID-19 cases. The country exceeded the threshold...
The Danish Data Protection Agency is investigating the research area The Danish Data Protection Agency has decided to supervise a number of activities in the research area. The Authority also initiates...
Facial recognition technologies from a Swedish data protection perspective Technologies for facial recognition - capable of identifying and/or verifying a physical person automatically from a digital image or...
Judicial remedy against decisions issued by Turkish data protection board Under the Personal Data Protection Law No. 6698 Article 18 ("DPL") the Personal Data Protection Board (“Board”) has the authority to...
The norwegian data protection authority threatens to impose legal measures against the international baccalaureate organization The DPA considered IBO’s processing to be in violation of the fairness requirement, transparency requirement and the accuracy...
The handbook on the protection of privacy by transport entities in a digital environment in Israel The Israeli Privacy Protection Authority published a handbook for transport entities on the protection of privacy by in a digital...
Microsoft cloud contracts under a cloud amid GDPR concerns (continuation — and conclusion?) In April 2019, the “EDPS” or European Data Protection Supervisor, launched an investigation into the use of Microsoft products and...
GDPR versus ISO 27701 Although some jurisdiction such as EU's GDPR provide a mechanism for an organization to demonstrate its compliance to GDPR (Article...
Spanish Data Protection Authority (AEPD) releases new Guidelines on the use of Cookies The Spanish Data Protection Authority (AEPD) has just updated the Guide on the use of “cookies” to adapt it to the Guidelines 05/2020...
Overview on the Amendment of the Act on the Protection of Personal Information The Act on the Protection of Personal Information (“APPI”) of Japan was established in 2003, and had only been amended once, in 2015....
The British Data Protection Authority ICO considers operating systems that are no longer supported inadequate security. If systems such as Windows 7 and Windows Server 2008 R2 SP1 are no longer supported by Microsoft, this may result in inadequate...
New member has joined the INPLP. Mr. Fredrik Roos and Ms. Linda Källström (Sweden) Setterwalls is one of Sweden’s leading full-service business law firms, as well as one of Sweden’s largest law firms, with some 190...
Judicial remedy against decisions issued by Turkish data protection board Under the Personal Data Protection Law No. 6698 Article 18 ("DPL") the Personal Data Protection Board (“Board”) has the authority to...
The Bulgarian Data Protection Authority Issued Opinions on the Processing of Personal Data by Employers During the COVID-19 Pandemic In its Newsletter 4 (85) of July 2020 the Bulgarian Commission for Personal Data Protection (CPDP) released two opinions that provide...
An extensive article on data privacy and data protection law in nigeria The transformational value of data in today’s world cannot be overemphasised. The right to data privacy and protection is an...
DATA PROTECTION AND CORONAVIRUS: A difficult challenge for Businesses. In the context of the coronavirus pandemic, companies are implementing exceptional measures to protect the health and safety of their...
GDPR and Artificial Intelligence – A Conscious Coupling It is an undeniable fact that Artificial Intelligence (“AI”) has rapidly evolved in recent years and has even more swiftly been...
New Dutch class action legislation makes it possible to claim damages in a collective action to ensure enforcement of the GDPR On 1 January 2020, a new Act allowing representative entities to seek damages in a collective action came into effect in the...
The Italian Data Protection Authority Published Its Annual Report: In 2019, Public And Private Entities Notified 1443 Data Breaches The annual report summaries the different issues on which the Italian Data Protection Authority (“Italian DPA” or “Authority”) worked...
The Unauthorised Access to Personal Data by the Slovenian Police On July 10, 2020, a press conference was held in the hall of Slovenia’s legislative body by Jožef Horvat, MP, a member of one of the...
Gaia-X: European sovereign cloud guidelines unveiled The guidelines of the European Gaia-X cloud are now known.
German Federal Court - Finally clarified: tracking cookies not without active consent The discussion is not new. The European Court of Justice (ECJ) had already decided on 01.10.2019. But only the German Federal Court...
Estonia wants to introduce administrative fines into its legal system to allow for a more effective response to data protection law violations On 6 May 2020, the Estonian Ministry of Justice sent for coordination round the concept of administrative fines. The goal is to...
New member has joined the INPLP. Mr. Uche Val Obi SAN (Nigeria) Alliance Law Firm is a dynamic partnership registered under the laws of the Federal Republic of Nigeria. With a seamless blend of...
Appointment of director of Croatian supervisory authority As everyone already knows, Article 53(2) of the General Data Protection Regulation prescribes the criteria that the director of a...
Is it possible and if it is, how can an employer in Serbia collect personal data of the employees that refer to their criminal records Criminal records contain personal data on the perpetrator of a criminal offense, on the criminal offense for which he was convicted,...
First GDPR fines in Ireland: Big Tech Fines on the horizon In May 2020 the Data Protection Commission (DPC) in Ireland issued its first fines under the GDPR, just prior to the second...
2 years of GDPR, 1 year of Portuguese implementation law The 25th of May marked the second anniversary of the application of the General Data Protection Regulation (GDPR) in the European...
Revision of the Swiss Federal Data Protection Act (FDPA) Due to the Covid-19 pandemic, the last debates in the Swiss parliament were postponed to the autumn session. However, an outlook can...
New member has joined the INPLP. Mr. Chris Yau (Hong Kong) SGS Hong Kong Limited is the Hong Kong branch of SGS group. Established in 1878, SGS is the world’s leading inspection, verification,...
The Swedish and Norwegian Data Protection Authorities have recognized the Danish standard contractual clauses in relation to data processor agreements The Danish Protection Authority has adopted standard contractual clauses in accordance with article 28(3) of the GDPR. The national...
Statement by the Spanish Data Protection Authority (AEPD) on processing of certain health data in the context of Covid-19 The Spanish DPA (AEPD) issued this May a statement regarding the practice of taking the temperature to data subjects in shops, work...
Body temperature readings and the Covid-19. What should we do? Short synopsis of the Romanian status During the Covid-19 pandemic we received numerous and various questions from our clients regarding body temperature readings of...
Fight against covid-19 pandemic in Monaco: temperature taking, camera detection of facemask wearing, and diagnostic tests In early May 2020, the Monegasque Data Protection Authority (Commission de Contrôle des Informations Nominatives, in brief “CCIN”)...
Austrian Court Ruling on Immaterial Damages for GDPR violation – A Mere Violation Of Data Protection Regulations Is Not Enough In February, the first decision of an Austrian Appellate Court regarding a claim for immaterial damages under Art 82 GDPR has been...
New member has joined the INPLP. Mr. George Dimitrov and Mrs. Desislava Krusteva (bulgaria) Dimitrov, Petrov & Co. (DPC) is a full-service business law firm, pioneer in the dynamic field of technology law and data protection...
New member has joined the INPLP Mr. Satoshi Shono (Japan) Matsuda & Partners is a one-stop shop, offering a variety of legal services that cover business related practice including corporate...
Greek data protection watchdog makes its presence clear During the unprecedented Covid-19 pandemic, but also before its appearance, the Greek Data Protection Authority (“DPA”) has taken an...
Presentation of the casebook on Data Protection INPLP member, Olumide Babalola (Lagos, Nigeria), cordially invites the general public to the (virtual) presentation of a book titled...
When is it legal to be named as a reference? For many companies, it is significant for customer acquisition not only to present the advantages of their own products and services,...
New member has joined the INPLP. Mr. Michel Molitor and Mrs. Virginie Liebermann (Luxemburg) Founded in 1996, MOLITOR Avocats à la Cour is a highly respected and independent law firm in Luxembourg City, a full-service firm...
New member has joined the INPLP. Mrs Nicole Beranek Zanon (Switzerland) Nicole Beranek Zanon is a founding partner of de la cruz beranek Attorneys at Law Lt, which is one of the leading IT boutique law...
EU Guidance on Apps Supporting Fight against COVID-19 Pandemic in Relation to Data Protection At the end of April, the European Union published non-binding guidance on apps supporting the fight against COVID 19 pandemic in...
New member has joined the INPLP. Mr Xawery Konarski (Poland) Xawery Konarski is Senior Partner at Traple Konarski Podrecki & Partners which is one of the leading law firms on the Polish market...
Facial recognition and GDPR compliance: the impossible convergence? The use of photographs in police investigations is nothing new. It is the use of algorithms so that a machine, using template image...
United Kingdom’s Supreme Court erred on liability of joint-data controllers UK Supreme Court decision on an employer’s liability for data breach in the case of WM Morrison Supermarkets versus Various...
New Member has joined the INPLP. Mr Olumide Babalola (Lagos, Nigeria) Olumide is the managing partner of Olumide Babalola, LP - his flagship full service law office with particular bias for digital...
The Belgian data protection authority fines a data controller 50,000 EUR for appointing a DPO with a potentially conflicting position It is not too uncommon for a single person to be in charge of general compliance in an organisation, and to also act as its DPO. Is...
A US$ 6 Million Judgment was Passed in Israel, for the Sale of Location Data On March 23, 2020, a 5 year class action that was until now under a gag order, was finally lifted and the Judgment (authorization of...
Protection of Personal Data vs. Citizen’s Health At the time of the fight against the corona virus pandemic, the need to establish an imaginary border between the protection of...
Using data from mobile phone apps in the combat of COVID-19 in Norway The COVID-19 pandemic and the measures to combat the spread of the virus are having a severe impact in a number of countries,...
Covid-19 and personal data protection in turkey – Frequently asked questions This article answers many freuqently asked questions concerning data protection in turkey during times of Covid-19. ...
Protection of personal data of employees (and other persons) during the state of emergency in the Republic of Serbia One of the possible solutions for processing personal data based on a legitimate interest of companies.
Italian data protection authority against the unlawful data processing through telemarketing activities The Italian Data protection Authority (Italian DPA) issued two fines against Tim and Eni Gas e Luce, for a total amount of almost 36...
EDPB Issues Guidance on GDPR Compliance in the Age of COVID-19 After many data protection authorities (in the European Union and beyond) provided guidance and FAQ's on the relationship between...
The re-use of public sector information The re-use of Public Sector information has to be built on a balanced approach where the public interests of such use have to be...
GDPR through the prism of coronavirus epidemic The difficulty of drawing a hard-and-fast line between the right to privacy and the rights of other people to stay healthy ...
Fine for a lack of legal basis of scoring sick leaves of employees An administrative Fine of 82,000 EURO was imposed by the Cyprus Data Protection Authority concerning the lack of legal basis of...
Fine for Dutch tennis association for unlawfully selling personal data The Dutch DPA imposed a fine of 525,000 euros for the unlawful sale of personal data by the Dutch national tennis association the...
Recent decisions of the Austrian Data Protection Authority (DPA) This article presents interesting decisions on Austrian data protection law, which deal in particular with the admissibility of...
Five tips on preparing for ‘whistleblowing’ rules In order to guarantee protection of people who report breaches, I.E. Whistleblowers, employers will soon be obliged to create a clear...
Enforcement of GDPR Infringements by Third Parties – First Decision of the Austrian Supreme Court While the GDPR deals extensively with the rights and claims of data subjects, it mainly leaves the provisions for the assertion of...
Romanian DPA published its activity report for 2019 On the European Data Protection Day 2020 (i.e. on 28 January 2020), the Romanian DPA published (in Romanian and English languages) a...
GDPR news from Croatia at the beginning of 2020 The topic discussed here is the difference between personal data protection before the GDPR entered into effect and the current data...
Data Protection round-up: Key stories of 2019 and forecast for 2020 2019 was a year of major developments for privacy and data protection in Ireland and abroad. According to Ireland, the year 2020 will...
Microsoft under a cloud amid GDPR concerns over its cloud contracts Since the implementation of the GDPR, cloud players have been forced to both rethink their tools and review their contracts. ...
Data breach notification obligation under turkish data protection law In Turkey, the Personal Data Protection Law No. 6698 (the "Law") requires data controllers to take all necessary technical and...
5 takeaways from the first year and a half of GDPR fines The end of the year is usually the time for reflections. Although the first year of GDPR officially ended at the end of May 2019, now...
Report on the State of Privacy in Slovakia The Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as “Office”) pursuant to the provisions of §...
The Danish Data Protection Agency has published new rulings regarding email encryption within the security of processing area Article 32 of the GDPR on the security of processing has been one of the main focus areas of the Danish Data Protection Agency (the...
The Belgian data protection authority issues a fine for unlawful use of the national identity card as a tool for customer card enrolment The Belgian electronic identity card system has been in vogue for a number of years now as a reliable means for electronic...
Administrative fine of 14.500.000 Euro imposed against German Real Estate Company The Berlin Data Protection Authority has imposed an administrative fine against a Berlin real estate company for 14,5 Million euros...
Conditions for imposing administrative fines – The German Data Protection Authorities’ approach On 16 October 2019, the German Data Protection Authorities (DPAs) published their concept of how to determine administrative fines. ...
Portugal: recent fines for the breach of the GDPR More than a year has passed since the General Data Protection Regulation (hereinafter “GDPR”) has been applicable in all EU member...
iGaming and Privacy in Malta: Tensions? Data, and not FIAT or digital currency, is the real currency that measures the worth of a gambling operation, and the single common...
Privacy News from Israel On November 24, 2019 the Israeli Privacy Protection Authority (the “IPPA”) announced that it had hosted an inter-sectoral roundtable...
Draft Guidelines on Data Protection by Design and by Default issued by the EDPB On 20 November 2019, the European Data Protection Board (EDPB) issued a draft of Guidelines on Data Protection by Design and by...
PERSONAL DATA PROTECTION LAW IN MONACO: A “STRUCTURAL MODIFICATION” ANNOUNCED The preparatory work for the reform of the Monegasque data protection law (Act No. 1.165 of 23 December 1993, consolidated), carried...
Significant fines imposed by the Bulgarian Commission for Personal Data Protection Earlier in 2019 the Bulgarian data protection supervisory authority – the Bulgarian Commission for Personal Data Protection (“CPDP”)-...
CNIL on monitoring employee software / internet use Use of video recording of screens, coupled with recordings of telephone conversations in a professional setting, may be proportionate...
Obligation of Notification of Personal Data Violations to Turkish DPA Law on Protection of Personal Data numbered 6698 provides under the article titled “Data Security Liabilities” that, data controllers...
Serbia - readiness/lack of readiness of controllers and processors and knowledge of individuals regarding application of the new Law on Personal Data Protection In August 2019, Serbia started applying new Law on Personal Data Protection. Many challenges were expected before initiation of the...
New European judgment on cookies In its recent judgment in the “Planet49 case”, the Court of Justice of the European Union (“CJEU”) held that consent for cookies...
New Greek law on GDPR Following a fast track procedure, the Greek Parliament adopted Law 4624/2019, which frames the provisions of the GDPR in Greece and...
Does the California Consumer Privacy Act Apply to Me? The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed...
If at First You GDPR, CCPA, CCPA Again The California Consumer Privacy Act (CCPA), which takes effect in 2020, has been dubbed “GDPR-Lite” or “California GDPR” because it...
On The Road Again: Practical First Steps On Your Way to Compliance with the CCPA The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, will take...
20 Questions (and Short Answers) on the California Consumer Privacy Act (CCPA) The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed...
Recent decisions of the Austrian Data Protection Authority (3/3) This article presents the third out of three interesting decisions on Austrian data protection law, in particular dealing with...
Would you like some cookies? When users browse through the internet, cookies perform multi-faceted functions for the benefit of both the webmasters and users...
Recent decisions of the Austrian Data Protection Authority (2/3) This article presents the second out of three interesting decisions on Austrian data protection law, in particular dealing with...
The Italian Data Protection Authority Limits the Sending of Advertising and Promotional Contents to Fidelity Cards Holders For the first time, the Italian Data Protection Authority has exercised its power of "warning" provided by the GDPR, through which it...
Recent decisions of the Austrian Data Protection Authority (1/3) This article presents the first out of three interesting decisions on Austrian data protection law, in particular dealing with...
The Spanish DPA (AEPD) issues a model report to help carry out data protection impact assessments for public administrations The AEPD published in July 2019 a model report to help Public Administrations carry out im-pact assessments on data protection. ...
€ 150.000,- GDPR fine imposed on PWC by Greek Data Protection Authority for being not accountable The Greek HDPA (Hellenic Data Protection Authority) imposed a fine of € 150.000,- on PWC Greece.
GDPR - the real threat to privacy? Over 2 years, GDPR and personal data protection has been discussed across the EU. Vast majority of companies, public authorities and...
Fine of € 460.000,- imposed on Dutch Haga Hospital by Dutch Data Protection Officer, the first Dutch fine under GDPR (July 19, 2019) This first fine under the GDPR is imposed on the Dutch Haga Hospital for having an insufficient internal security of patient records...
Slovenia’s DPA says mere possession of processing equipment does not amount to personal data processing Slovenian courts have in place a system for audio recording of court hearings. The data recorded (which in itself constitute personal...
Welcome to Croatian version of GDPR - Introduction First, I would like to thank the members and the entire EuroCloud organization for letting me join their ranks. I sincerely thank...
One year of GDPR in Estonia Each Spring, the Estonian Data Protection Inspectorate (DPI) publishes its Annual, summarising its main activities of the previous...
GDPR IN NUMBERS – The Irish Perspective To mark the occasion of GDPR's first anniversary, findings and statistics tracked from May 2018 to May 2019 concerning awareness,...
Portuguese Law implementing GDPR finally approved On the 14th of June 2019 (one year later than expected) Portugal has finally approved Draft Law no. 120/XIII/3.ª (GOV), implementing...
GDPR: A Game Changer for Cloud Contracts Until recently, most IT contracts, even the large-scale ones, were generally based on a simple purchase order and sometimes a...
The 4th version of the StarAudit Catalogue has been released We've introduced a new Area focused on GDPR and several enhancements to existing controls as part of this major update. ...
Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union Last week the European Commission published guidance on the free flow of non-personal data, focussing on the interaction of the FFD...
Legislative and practical adjustments in Bulgaria implementing GDPR Earlier in 2019 Bulgaria has become another European Union member to adopt the EU’s privacy regime. The Bulgarian Personal Data...
The Danish Data Protection Agency has reported a large Danish taxi company to the police for violation of GDPR rules The Danish Data Protection Agency has reported the taxi company, Taxi 4x35, to the police and recommended the company for a fine of...
Serbia: New Law on Personal Data Protection At the end of November 2018, the new Law on Personal Data Protection (Law) came into force but its application was postponed for nine...
The Belgian data protection authority bans the use of private sector logins as an access condition to public sector websites The Belgian tax authorities maintain an online repository called FisconetPlus, on which tax payers can find key information and...
Slovak list of processing operations which are subject to the requirement for a data protection impact assessment Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of...
Challenges for Companies with an Israel Nexus In May 2018, the Israeli Protection Of Privacy Regulations (Data Security 2017) (the “Regulations”) came into effect. The...
Norwegian DPA publishes list of processing activities with mandatory DPIA Under Article 35 of the GDPR, the national Data Processing Authority (DPA) shall establish and make public a list of processing...
Three Legal Opinions of the Italian DPA clarify some GDPR Implementation Aspects The aim of this article is to focus on three important legal opinions published by the Italian Data Protection Authority on the...
On 19 February 2019, the Dutch Data Protection Authority has come up with its own policy for determining the levels of administrative fines On the basis of the guidelines of the article 29 working party of what now is the EDPB (European Data Protection Board) and the...
The Spanish DPA published a report on the processing of personal data related to political opinions by political parties The Spanish DPA published a recent report on the processing by political parties of personal data related to political opinions. ...
Implications on Data Protection law in the event of a no-deal Brexit Since the 2016 referendum whereby voters expressed their wish for the United Kingdom (the “UK”) to leave the European Union (the...
Data Protection Officers under Slovenia’s Draft Personal Data Protection Act (ZVOP-2) In the light of the GDPR, on March 6, 2019, Slovenia’s Ministry of Justice published <a...
The role of Romanian courts in the protection of personal data in the post GDPR era Where does the role of the data protection authority (DPA) end and where the court takes priority? The relevant legal provisions are...
Three interesting decisions on Austrian data protection law This article presents three interesting decisions on Austrian data protection law, in particular dealing with an unlawful video...
Liability of Joint Controllers in the Light of the CJEU Case Law General Data Protection Regulation (GDPR) brought (for the Czech legal environment completely new) legal construct of joint...
The Looming Clouds: How and why cloud services are reshaping the future of financial services in Europe EuroCloud Europe publishes a new whitepaper in partnership with RedHat and Accenture, tracing the drivers of change across the...
To be or not to be (a processor). That is the question. In the case of a service provider that is not contracted by a controller to process personal data on its behalf but may gain custody...
EU–U.S. Privacy Shield adequacy decision (“Privacy Shield”) adopted on 12 July 2016, assessed by EDPB in report January 22, 2019 The EDPB (European Data Protection Board) assessed in its January 22, 2019 report once again whether the safeguards provided under...
Google fined $57m by French regulator for breaching GDPR French data protection authority CNIL has slapped a €50 million ($57 million) on Google for failing to meet requirements under the...
Joint Controllership Report EuroCloud Europe will establish a European database of case-studies describing sector specific joint-controllership relations, as...
Data Breach Report EuroCloud Europe will undertake to create a European database of data-breach-related DPA decisions and court judgments. ...
Is a violation of a GDPR rule at the same time a violation of competition law? According to the Oberlandesgericht Hamburg (Higher Regional Court Hamburg) violations of data protection rules can also mean a...
Properly identifying roles in processing personal data: the latest from the EU Court of Justice In the last six months, the EU Court of Justice has provided its views on the roles of different parties processing personal data on...
2018 Highlights of data protection in Monaco The year 2018 was for Monaco a preparatory year for the forthcoming adaptation of Act No. 1.165 on the protection of personal data,...
The Dutch Data Protection Authority (Dutch DPA) clarifies the concept “large scale” for the Data Protection Officer (DPO) Government agencies and public organisations have the obligation to appoint a DPA, regardless the type of data they process. ...
Joint Controllership Sub-group News During 2018, the Not-for-Profit International Network CPC set up some study groups with the aim to analyze and compare the Member...
Compete for the best cloud solution worldwide – the EuroCloud Awards 2019 start now The EuroCloud Awards recognize the best digital services from Europe and around the world based on their underlying cloud computing...
Supreme Court Finds the Publisher and the State Liable for Personal Data Breach In August 2018, the Supreme Court of the Republic of Slovenia upheld the judgements of the lower courts finding the publisher and the...
New cybersecurity law imposes security and reporting obligations to Operators of Essential Services and Digital Service Providers The Greek Parliament recently enacted Law 4577/2018, the purpose of which is to transpose Directive (EU) 2016/1148 on security of...
Uber fined £385,000 in the UK and €600,000 in the Netherlands Uber US and Uber Netherlands were considered to be joint controllers which made them both separately liable for claims of customers...
3rd CPC Conference of the members of the EuroCloud CPC Network Vienna, 24 Nov 2018: This year, lawyers from 13 countries attended the event in Vienna and approved a comprehensive list of...
Slovenia’s ICO defines DPO’s additional tasks that could result in a conflict of interests Paragraph 6, Article 38 of the General Data Protection Regulation (GDPR) allows the Data Protection Officer (DPO) to fulfil other...
The Spanish DPA (AEPD) issues guidelines regarding the management and notification of security breaches according to GDPR The Agencia Española de Protección de Datos ( AEPD) presented guidelines regarding the management and notification of security...
Turkey: Data Protection Matters in M&A Transactions Privacy issues in mergers and acquisitions take the attention of transaction parties among other things in these days. ...
With Legislative Decree 101/2018, Italy harmonized the national privacy legislation to the GDPR With Legislative Decree n. 101/2018 the Italian legislator has finally taken the last necessary step in order to coordinate the local...
Doping control in sport – how about personal data? As the legal representatives of the Slovak Anti-doping Agency (hereinafter referred to as “SADA”), we have taken part in several...
List of personal data processing activities that must be subject to a Data Protection Impact Assessment (“DPIA”) The CNPD (Portuguese Data Protection National Commission), as the Portuguese supervisory authority, has approved Regulation nr....
In-vehicle emergency call systems (e-call) in Turkey In-vehicle emergency call (eCall) systems, which have been in use for a long time, are defined as systems within vehicles being...
Privacy Shield: Brace Yourself, Changes are Coming Since the application of the GDPR, the days of the EU-U.S. Privacy Shield may be numbered and parties to an IT contract must be on...
Controller-Processor relationship in public sector (Bulgaria) With the entry into force of Regulation (EU) 2016/679 (the “General Data Protection Regulation”) on 25th May 2018, the matter of...
Mandatory e-mail encryption from January 1st 2019 in Denmark The new practice of the Danish Data Protection Agency requires all work related e-mails containing personal data is to be encoded...
The days after the GDPR – The Cyprus Law on the Protection of Natural Persons against the Processing of Personal Data and the Free Movement of this Data This year, on the 25th of May 2018, the highly anticipated and monumental EU General Data Protection Regulation (henceforth “the...
GDPR With an Irish Flavour – The Irish Data Protection Act 2018 Ireland's Data Protection Act 2018 (the "DPA"), which implements elements of the European Union's General Data Protection Regulation...
Oliver – Helping the Masses Navigate GDPR through Artificial Intelligence Privacy is key to a healthy information society and the recently-enacted GDPR offers EU citizens significant control over how their...
Portuguese Data Protection Authority activities - Data Protection Impact Assessment List and notifications for DPO and Data Breaches The Portuguese Data Protection Authority (“DPA”) recently announced a public consultation on the list of processing activities that...
The Estonian data protection authority issued guidance on the definition of “large scale” processing The Estonian data protection authority (Data Protection Inspectorate, DPI) issued guidance on the definition of “large scale”...
Latvia has adopted the Law on Personal Data Processing The national Law on Personal Data Processing (the National Law) has entered into force on July 5th, 2018, which made Latvia the first...
GDPR: Your rights after death Dr. Gege Gatt, Partner of the EuroCloud CPC Network, shares his thoughts following the recent landmark judgement by the German Court...
“White list” – (Austrian) Exceptions to the Privacy Impact Assessment The General Data Protection Regulation (GDPR) stipulates that (data) controllers must carry out what is known as a "data protection...
A European Sovereign Cloud: the Silver Lining to the U.S. CLOUD Act The adoption of the U.S. Cloud Act weakens the integrity and security model of leading public cloud providers. ...
The Spanish Data Protection Authority (AEPD) issues a check-list on regulatory compliance The Spanish DPA issued a check-list regarding regulatory compliance to facilitate the implementation of GDPR. ...
Employee monitoring under the Romanian law implementing GDPR On 27 June 2018, the Romanian Parliament finally approved the Romanian law intending to cover the open clauses under the General Data...
GDPR in a Post-Brexit Era: Some New Challenges? The General Data Protection Regulation (GDPR) came into full operation on 25 May 2018 and was described by the Information...
CPC Presentation Brochure 2018 Halfway through 2018, we have published a presentation brochure detailing the status and results the Cloud Privacy Check (CPC)...
The Impact of the GDPR in Monaco until the Revision of the Monegasque Data Protection Legislation The Monegasque Data Protection Authority has published on its website on May 2, 2018 a list of the key questions on the GDPR...
A brief history of data protection: How did it all start? With the GDPR being enforced on 25th of May, we decided to take a glimpse back into the history of data privacy and traced it's first...
The discussions around the national law on personal data processing The Latvian legislator is facing delays with the adaptation of the national Law on Personal Data Processing (the Draft Law). On April...
A guide to the insurability of GDPR fines across Europe: the price of data security Zepos & Yannopoulos, partners of the EuroCloud CPC network, participated in a multi jurisdictional exercise organised by the...
The Danish Parliament has adopted the Danish Data Protection Act The act will to some extent replace the Danish Act on Processing of Personal Data and it will enter into force simultaneously with...
GDPR and its influence outside EU - Why, What, Who, When, How (Macedonia’s case study) GDPR is knocking on the door. Being a Europe’s country, and not being a European Union member country yet, does not release the...
Cloud Contracts, GDPR and Liability Caps Liability caps in contracts under the GDPR is a hot-button issue for data controllers and data processors. A few days before the...
Consent in imbalance of power Consent of a data subject is often used by data controllers in order to ensure lawful data processing. Still, processing on the...
The right to be forgotten… for convicted criminals? Earlier in March 2018, the Maltese press reported and revealed that private individuals have successfully requested that court cases...
Portuguese GDPR implementation legislation Even though the GDPR is directly applicable in the Member States, it has left open the possibility for Member States to enact...
Every Irish Cloud Has A GDPR Lining Ireland's Data Protection Bill 2018 (the "Bill"), which will implement elements of the European Union's General Data Protection...
Data Processing Agreement and its new challenges The long-expected General Data Protection Regulation (GDPR) comes with new, specific requirements for data processing agreements, as...
The recent provisions of the Italian legislator on data protection The Italian Legislator recently adopted two new laws on data protection matter, Law. n. 167/2017 and Law n. 205/2017, with the aim of...
The GDPR and the Fall of Biometrics In a world where smart technology has become the norm, where people access their phones and TVs with fingerprints and voice commands,...
Recent decisions of the Austrian Data Protection Office (DSB) and the Austrian Administrative Supreme Court (VwGH) The article presents three interesting decisions on Austrian data protection law, in particular dealing with control measures at the...
The New Belgian Data Protection Authority under the GDPR The Belgian Act of 3 December 2017, which was published in the Belgian Official Journal on 10 January 2018, partially implements the...
Österreich übernimmt Vorsitz der Artikel-29-Gruppe der europäischen Datenschutzbehörden Die österreichische Datenschutzbeauftragte Andrea Jelinek wurde zur Leiterin der Artikel-29-Datenschutzgruppe gewählt. Diese wird ab...
Public hospitals in Norway threatened with fines of NOK 7.2 million (EUR 720,000) following outsourcing project Public hospitals in Norway are organized in a structure where they are owned by four different regional legal entities. The regional...
How to choose a DPO? Practical insights The data protection officer (DPO) is a key function/office/position under the GDPR responsible for compliance with data protection...
GDPR in the Czech environment General Data Protection Regulation (GDPR) is going to govern the personal data protection matters across Europe since May 2018. Even...
20Q&A – The latest CPC project The 20Q&A project is intended to give the reader a quick overview and short summary of the most urgent questions regarding the...
The Data Protection Bill, Brexit and Data Transfers The Data Protection Bill (Bill) will replace the Data Protection Act 1998 and will implement the General Data Protection Regulation...
Monegasque DPA vs GDPR: Can you spot the difference? It would be wrong to infer from the fact that the Principality of Monaco is a non-EU State, that the General Data Protection...
Ireland: DP Bill to Implement GDPR and Overhaul Data Protection Commission A new Data Protection Bill will soon issue which will implement elements of the GDPR into Irish law and overhaul the Office of the...
Proposed Regulation on the Free Flow of Non-Personal Data in the EU Data is a resource for digital business and we can expect more and more rules regulating this vital resource. In addition to the GDPR...
How will national DPAs impose fines for GDPR violations? The GDPR introduced an antitrust-type sanction regime with fines which, for severe infringements, may amount up to 20 million euros...
New Latvian Personal Data Processing law is being developed Latvian Ministry of Justice has drafted text of new Personal Data Processing Law, which fulfils the assignment of Regulation (EU)...
Testimonials after the 2nd CPC Conference The CPC Conference participants present in Vienna between 24-26 November 2017 offer their feedback of the event. ...
Belgium’s New Data Protection Authority In implementation of the General Data Protection Regulation (2016/679), the Belgian Privacy Commission is being replaced by a new...
2nd Cloud Privacy Check (CPC) Event The 2nd Cloud Privacy Check (CPC) event took place between 24-26 November 2017 in Vienna, Austria.
Data Protection Law Enters the Social Media Era This last decade has undoubtedly marked a vast and worldwide sociological evolution which has defined and created a new generation...
The Spanish DPA (AEPD) presents “Facilita RGPD” The Spanish DPA (AEPD) presents “Facilita RGPD”, a tool created to help companies comply with the European Data Protection Regulation...
The Standard Contract Clauses under fire? In the recent case between the Data Protection Commissioner vs Facebook Ireland ltd and Maximillian Schrems of October 3rd 2017,...
Final straight for Luxembourg in implementing the European package on Data Protection A rapid overview of Luxembourg’s latest legislative measures in its preparation for European package on Data Protection with a...
GDPR: It is not just the fines! Even if a person does not know anything else about the GDPR, it usually knows about the massive potential fines the GDPR will bring...
Germany's GDPR implementation law, it's just the beginning The EU data protection reform package consisting of the General Data Protection Regulation (EU) 2016/679 (in German:...
Bărbulescu ruling: Workplace privacy is alive and kicking On Sept. 5, the European Court of Human Rights handed down a landmark judgement about privacy and monitoring at the workplace. The...
Cloud And Data Protection – A Challenge to Users Is your cloud compliant? Cloud experts Dr. Tobias Höllwarth, Dr. Jens Eckhardt, Christian Laux, and Dr. Clemens Thiele explore the...
GDPR: Rights and Obligations of Sub-Processors The GDPR clearly sets out the rights and obligations of sub-processors and requires them to meet strong contractual requirements. ...
Data Protection Officer / Bulgarian Overview With the upcoming entrance into force of the new General Data Protection Regulation in May 2018, the Bulgarian Commission for...
Notification of Personal Data Breaches: Promoting joint pro-activity in data security A brief discussion regarding the obligation of Controllers to notify the data subject and supervisory authority in the event of a...
New white paper on the general data protection regulation from the danish ministry of justice On May 24, 2017, the Danish Ministry of Justice published their long-awaited report on the Personal Data Regulation, which will...
The Greek Data Protection Authority issues an announcement on the need of certification of DPOs As we get closer to May 2018 when the GDPR will enter into force, the discussions on whether organisations should appoint a DPO and...
A Call for a European “Civil Code” of Digital Data Amid the rush to be GDPR-ready, the former European Commissioner for Digital Economy and Society was campaigning for a comprehensive...
Cloud Service Provider – processor, controller or both? Cloud service providers (hereinafter referred to as the „CSP“) offer nowadays a wide spectrum of cloud computing services. Benefits...
Certification and GDPR: Italy’s DPA Clarifications The GDPR encourages (through the Member States, the supervisory authorities, the Board and the Commission) the adoption of data...
Cloud Contracts: Impacts of GDPR on Joint Controllers The GDPR clarifies the concept of “joint controllers”, which is of particular interest for the cloud computing community. Already...
GDPR implementation in Portugal While studies show that there is a medium / high degree of awareness of the obligations and impacts of implementing the GDPR, the...
Recent decisions of the Austrian Data Protection Office (DSB) The article presents three interesting decisions on Austrian data protection law, in particular dealing with the scope of the right...
Cloud Contracts: Impacts of GDPR on Processors The GDPR clarifies the clauses to be contained in a data processing agreement. The new European Regulation does not change the...
Data protection and Luxembourg At a time where the General Data Protection Regulation (“GDPR”) has been spoken and written about extensively in all European...
GDPR-Complementing Regulations Just a Hair’s Breadth Away Introducing high administrative fines (a maximum of EUR 20 million or 4% of global annual turnover, depending on which is higher) and...
Five Key Takeaways from the Recent Report on National Implementation of the GDPR in Finland Right before the midsummer holidays, the TATTI working group appointed by the Finnish Ministry of Justice published its report on the...
Slovenia Strengthening its Position on Personal Data Protection The Supreme Court rules in favour of suspects' privacy while the Parliament declares "revenge porn" a criminal act. ...
Records of processing activities according to the General Data Protection Regulation (Art. 30) The General Data Protection Regulation (GDPR) will apply from 25 May 2018. Until then, all regulations of the GDPR have to be...
Dutch DPA published 10 steps to prepare for GDPR Recently the Dutch Data Protection Authority (Autoriteit Persoonsgegevens: "AP") published a 10-step-plan for Dutch organizations to...
Norway: New standard document on connected cars and privacy Modern cars generate, collect and process a large quantity of data. Some of the data can be linked to the owner, the driver and/or...
Emergence of a European cloud combining growth and security A safer and people-friendlier cloud must be built at the European level.
New Whitepaper "Cloud and Annual Accounts" June 2017 EuroCloud Europe has published in June 2017 a new whitepaper "Cloud & Annual Accounts".
New Whitepaper "Cloud & Data Protection" June 2017 EuroCloud Europe has published in June 2017 a new whitepaper "Cloud & Data Protection - The Cloud Privacy Check (CPC)". ...
The Swedish Data Protection Act Today the processing of personal data in Sweden is regulated in the Personal Data Act (Sw. Personuppgiftslag (1998:204)). On 25 May...
GDPR: The Italian Data Protection Authority Issues its First Guidelines By a press release dated April 28th, 2017, the Italian Data Protection Authority (“DPA”) issued its first guidelines (“Guidelines”)...
GDPR: Read from a CPC perspective I write this text assuming that the reader already knows well about the four-step test implemented by the CPC...
The impact of Brexit on EEA-UK data flows The free movement of personal data within the EEA is a cornerstone of the Single Market – crucial to businesses and consumers...
Draft Regulation on Data Controllers’ Registry On May 5th, 2017 the Turkish Data Protection Authority published the Draft Regulation on Data Controllers’ Registry (“Draft...
While preparing for the GDPR – Romania's perspective Data protection becomes hotter and hotter. Years ago a rather low tier area of law and practice, data protection is now being...
Characteristics of the General Data Protection Regulation A look at the new European Regulation which is bringing Data Protection law into the new century.
Personal Data Protection vis-à-vis Freedom of Expression and Information Respect for basic human rights and freedoms is a conditio sina qua non for continuous and proper development of individuals and...
The Spanish DPA (AEPD) presented new materials to help SMEs comply with the European Data Protection Regulation The Spanish DPA intends to make it easier for SMEs to be aware -during the transitional period until May 25, 2018- of the impact that...
Irish DPC Issues Guidance Note on the GDPR The Irish Data Protection Commissioner ("DPC") published a guidance note on the General Data Protection Regulation ("GDPR") in...
Data State Inspectorate examines the obtaining and saving personal data by third persons While the Ministry of Justice of the Republic of Latvia is working on the changes of national legislation for the application of the...
The Right to be forgotten - Practical perspective The right to be forgotten under article 17 of GDPR brought up conflict between the right of an individual to object to processing his...
Data Protection Compliance in Monaco: new online preregistration and new modalities for the declaration forms The Monegasque Data Protection Authority (CCIN) announced on the European Data Protection Day (28 January 2017) the possibility for...
Data Protection Compliance in Turkey On April 7th 2016, the long awaited Law on the Protection of Personal Data was enacted (the “Law”) in Turkey to regulate process and...
The Greek Supreme Court opens the way for employers to review electronic communications of employees The access to and review of corporate emails, other electronic communications and electronic files stored on the business computers...
The Belgian data protection authority provides its perspective on Data Protection Impact Assessments The upcoming General Data Protection Regulation contains an obligation to conduct a data protection impact assessment (DPIA) for...
Cloud Conference 2017 discussed the best practices, recent developments and risks of the cloud On 8 March 2017, the annual Cloud Conference organised by IT News (in Estonian: ITuudised) took place in Tallinn, Estonia. The...
Hearings in preparation of the GDPR The Danish Ministry of Justice has begun its work with the Danish adoption of the General Data Protection Regulation (the GDPR) in...
GDPR: a new hope for the use of BCRs for cloud providers in Portugal The GDPR brings a new hope for the application of BCRs, especially for cloud providers (as processors), as they are given specific...
The new law on personal data protection: legislative process in Slovakia has been launched In January 2017, the Office for Personal Data Protection of the Slovak Republic initiated the legislative process leading to the new...
Polish Data Protection Authority recommends encrypting email Polish DPA recent opinion on encryption as preferred response to confidentiality risks associated with email. ...
Two selected decisions on Austrian data protection law A case of the DSB (Austrian Data Protection Office) and one of the VwGH (Austrian Administrative Supreme Court) are presented below....
Meeting at the offices of Alain Bensoussan Avocats Lexing Paris, 6th of February 2017: meeting at the offices of Alain Bensoussan Avocats Lexing with Alain Bensoussan, Eric Le Quellenec,...
Malta IT Law Association (MITLA) workshop on Cloud Computing The Malta IT Law Association (MITLA) organised a workshop on Cloud Computing on the 12th of December 2016.
Data Protection Law Made Easy Lawyers from 32 countries have created the Cloud Privacy Check (CPC), the largest European information platform explaining data...
CPC conference Vienna, 28th-30th of October Contributors of the CPC projects from 20 countries met in Vienna for two days to prepare for the publications of the international...
Meeting with CPC partner Dr. Laux in Switzerland to prepare Phase2 of the project 25th February, Zürich: Meeting with CPC (cloudprivacycheck.eu) partner Dr. Laux in Switzerland to prepare Phase2 of the project....
EU GDPR, BCR, CPC and other stuff Tobias Höllwarth draws some lines between the new EU General Data Protection Regulation, Binding Corporate Rules, strategies of...