When is the right to privacy more important than the right to life itself? In Israel, as in many other countries, the coronavirus is rampant. There are various strategies available to contend with this...
Data breaches in healthcare due to human errors: two hospitals and a Local Health Administration Unit sanctioned by the Italian Data Protection Authority Data breaches are violations of database security that may result not only from cyber attacks, as it is usually assumed, but also...
Hong Kong’s Stale Data Protection Laws When it was introduced twenty years ago, Hong Kong’s data protection law was one of the leading regimes of its type in Asia. But time...
A new member has joined the INPLP: Justyna Matuszak-Leśny (Poland) e|s|b Adwokaci i Radcowie Prawni (e|s|b Legal) is a boutique law firm with an international atmosphere and scale of activity, located...
Does the draft Data Governance Act signal a more economic approach of personal data in the EU? The draft Data Governance Act, which was published by the European Commission last November, aims to foster the availability of both...
Swiss Federal Supreme Court rules: Smart Metering infringes informational self-determination right In one of its most recent decisions, the Swiss Federal Supreme Court ruled on smart metering. It decided that the permanent...
A new member has joined the INPLP: Ana Popović (Republic of Serbia) Živković Samardžić is one of the Serbia’s leading full-service independent law firms. Their 10 partners / 23 lawyers strong team...
Romanian public authorities sanctioned for GDPR breaches Towards the end of 2020, the Romanian Data Protection Authority (ANSPDCP) disclosed on its website information regarding the...
When Can Information On Criminal Records Be Requested By Employers A recent Opinion of the Bulgarian data protection authority and certain legislative changes lead to the conclusion that in Bulgaria...
A new member has joined the INPLP: Kirsten Wolgast (Germany) Pinsent Masons is a full-service international law firm. They respond to the pressures and opportunities facing businesses globally...
Denmark´s first GDPR fine to date On February 12th 2021 the city Court in Aarhus handed down the first verdict in Denmark that has led to a fine based on GDPR. The...
Right to access of origin of the information based on Swiss Federal Act on Data Protection (FADP) The Swiss Federal Supreme Court has made an interesting decision on the scope of the right to information under Swiss Federal Act on...
Schrems II: An opportunity for the Sovereign Cloud As personal data crossborder flows cannot benefit from the “EU-US privacy shield” anymore, as a consequence of the Schrems II...
When privacy became an investment risk. Shall companies report its security incidents to the market? Potential investors are being warned of the negative impact that the GDPR sanctions may have on the expected profitability of the...
No surprise here – the EU Court confirms again that public authorities’ access to telecom data is strictly limited Public authorities’ access to electronic communications data has always been and continues to be a hot topic, even (or especially)...
Dramatic Changes are Coming to the Privacy Landscape in Canada This article discusses how the proposed legislation seeks to strike a balance between protecting consumer’s personal information, and...
Brazil’s Data Protection Law: A Brief Overview Despite being no stranger to data privacy regulation, only recently has Brazil enacted a comprehensive set of rules to regulate the...
Cyprus Data Protection Watchdog imposes fine on major banking institution for integrity and confidentiality violations. On 19 October 2020, The Office of the Commissioner for Personal Data Protection ('the Commissioner') announced its decision to fine...
No GDPR fines for public sector bodies at all? No discrimination, and no problem! The GDPR explicitly allows Member States to determine whether and to what extent administrative fines can be imposed on public...
A new member has joined the INPLP: Wendy Wagner (Canada) Gowling WLG provides its clients with in-depth expertise in key global sectors and a suite of legal services at home and abroad...
A Privacy Law for 25% of the World’s Population: China’s Personal Information Protection Law China published the Personal Information Protection Law (Draft) ("PIPL") for public consultation on 21 October 2020. This is the...
A new member has joined the INPLP: Paul Haswell (Hong Kong) Pinsent Masons is a full-service international law firm. We respond to the pressures and opportunities facing businesses globally...
Can data protection rules affect the assignment of receivables in Bulgaria? For many years, a common practice in Bulgaria is debtors to submit complains to the Bulgarian DPA for unlawful processing of their...
Are fines imposed by the Luxembourg Data Protection Authority for breach of data protection regulations insurable? There is no shortage of recent examples of cyber-attacks and the current COVID-19 pandemic is undoubtedly contributing to an...
A new member has joined the INPLP: Fábio Lacaz (Brazil) ALV Advogados is a mid-sized commercial law-firm established in 2006, with the purpose of assisting domestic and foreign clients in...
Austrian Data Protection Authority Ruling On The Right To Obtain A Copy (Art 15 Para 3 Gdpr) Art 15 GDPR does not only enable the data subject to obtain information on the content of his/her data undergoing processing, but...
Recent decisions of the Austrian Data Protection Authority This article presents interesting decisions on Austrian data protection law, in particular the decisions on (1) disclosure of trade...
Detecting Online Terrorist Content and the Confines of Privacy Terrorist attacks aren’t new: they’ve been a feature of warfare ever since humans formed societies. As humanity evolves, the methods...
A new member has joined the INPLP: Jonathan Kirsop (United Kingdom) Pinsent Masons is a full-service international law firm. We respond to the pressures and opportunities facing businesses globally...
Switzerland’s Data Protection Landscape post Schrems II and Brexit On 25th of September 2020, the Swiss parliament has adapted the Federal Act on Data Protection (FADP). However, the FADP - which aims...
A new member has joined the INPLP: Francisco Pérez Bes and Esmeralda Saracíbar (Spain) ECIX is a consultancy specializing in data protection and regulatory compliance, helping its clients meet the challenges that the...
A new member has joined the INPLP: Jasmina Brezovska and Katerina Rumenova (North Macedonia) BONA FIDE is a full-service corporate law firm based in the Republic of North Macedonia and specialized in general corporate/M&A,...
When use of chat apps and social media platforms backfire on companies and data subjects' rights On 17 December 2020, the Romanian Data Protection Authority (ANSPDCP) has published on its website a new administrative sanction in...
Digital Platformer Regulations in Japan The Act on Improvement of Transparency and Fairness in Trading on Specified Digital Platforms
Letter to the EDPB in response to the recently adopted recommendations published by the EDPB With a letter to the European Data Protection Board (EDPB), the International Network of Privacy Law Professionals (INPLP) made use...
Monaco: the 2019 Report of the Personal Data Protection Authority published The Monegasque Data Protection Authority (hereinafter “CCIN”) has just published its 11th Activity Report covering the year 2019, of...
A Path Forward – Draft Guidance Published For Dealing With International Data Transfers Post-Schrems II In the wake of the decision of the Court of Justice of the European Union (CJEU) in Schrems II, controllers and processors have been...
Scientific Research across Europe. Does the GDPR ensure an aligned approach? The GDPR aims to establish a uniform legal framework applicable to the processing of personal data across Europe, while allowing...
Personal data breaches: guidelines to support data controllers released The Spanish Data Protection Authority (AEPD) has just released a tool to help data controllers decide whether to communicate or not a...
Data Privacy And Protection Regulations In Nigeria Challenges Confronting Implementation Of Data Privacy And Protection Regulations In Nigeria
U.S. Outlines Privacy Safeguards for Post-Schrems II Data Transfers The U.S. government has published a whitepaper that outlines the robust limits and safeguards in the United States pertaining to...
Schrems II recommendations Important recommendations EDPB (European Data Protection Board) after Schrems II and new standard contractual clauses ...
5th annual INPLP conference The International Network of Privacy Law Professionals hosted its 5th annual conference
The Czech Republic: Is There A Possibility To Further Process Legally Published Personal Data That Are Not Open Data? The concept of open data in the European Union was firstly brought up by directive 2003/98/EC on the re-use of public sector...
600.000 EUR fine to Google Belgium for misapplying the right to be forgotten The right to be forgotten is one of the more complex rights in the GDPR, requiring a careful balancing of principles and interests....
Draft Code of Conduct of lawyers, law firms and lawyers’ unions on the processing of personal data issued in Greece Under the GDPR, Codes of Conduct (CoC) constitute an effective accountability tool for achieving self-regulation and transparency of...
Romanian DPA fines the lack of cooperation with the supervisory authority The Romanian Data Protection Authority ("Romanian DPA") has recently sanctioned three entities (two private companies and a...
Slovak country-wide COVID-19 testing from the perspective of personal data protection Slovakia has recently witnessed a significant increase in the number of confirmed COVID-19 cases. The country exceeded the threshold...
The Danish Data Protection Agency is investigating the research area The Danish Data Protection Agency has decided to supervise a number of activities in the research area. The Authority also initiates...
Facial recognition technologies from a Swedish data protection perspective Technologies for facial recognition - capable of identifying and/or verifying a physical person automatically from a digital image or...
Judicial remedy against decisions issued by Turkish data protection board Under the Personal Data Protection Law No. 6698 Article 18 ("DPL") the Personal Data Protection Board (“Board”) has the authority to...
The norwegian data protection authority threatens to impose legal measures against the international baccalaureate organization The DPA considered IBO’s processing to be in violation of the fairness requirement, transparency requirement and the accuracy...
The handbook on the protection of privacy by transport entities in a digital environment in Israel The Israeli Privacy Protection Authority published a handbook for transport entities on the protection of privacy by in a digital...
Microsoft cloud contracts under a cloud amid GDPR concerns (continuation — and conclusion?) In April 2019, the “EDPS” or European Data Protection Supervisor, launched an investigation into the use of Microsoft products and...
GDPR versus ISO 27701 Although some jurisdiction such as EU's GDPR provide a mechanism for an organization to demonstrate its compliance to GDPR (Article...
Spanish Data Protection Authority (AEPD) releases new Guidelines on the use of Cookies The Spanish Data Protection Authority (AEPD) has just updated the Guide on the use of “cookies” to adapt it to the Guidelines 05/2020...
Overview on the Amendment of the Act on the Protection of Personal Information The Act on the Protection of Personal Information (“APPI”) of Japan was established in 2003, and had only been amended once, in 2015....
The British Data Protection Authority ICO considers operating systems that are no longer supported inadequate security. If systems such as Windows 7 and Windows Server 2008 R2 SP1 are no longer supported by Microsoft, this may result in inadequate...
New member has joined the INPLP. Mr. Fredrik Roos and Ms. Linda Källström (Sweden) Setterwalls is one of Sweden’s leading full-service business law firms, as well as one of Sweden’s largest law firms, with some 190...
Judicial remedy against decisions issued by Turkish data protection board Under the Personal Data Protection Law No. 6698 Article 18 ("DPL") the Personal Data Protection Board (“Board”) has the authority to...
The Bulgarian Data Protection Authority Issued Opinions on the Processing of Personal Data by Employers During the COVID-19 Pandemic In its Newsletter 4 (85) of July 2020 the Bulgarian Commission for Personal Data Protection (CPDP) released two opinions that provide...
An extensive article on data privacy and data protection law in nigeria The transformational value of data in today’s world cannot be overemphasised. The right to data privacy and protection is an...
DATA PROTECTION AND CORONAVIRUS: A difficult challenge for Businesses. In the context of the coronavirus pandemic, companies are implementing exceptional measures to protect the health and safety of their...
GDPR and Artificial Intelligence – A Conscious Coupling It is an undeniable fact that Artificial Intelligence (“AI”) has rapidly evolved in recent years and has even more swiftly been...
New Dutch class action legislation makes it possible to claim damages in a collective action to ensure enforcement of the GDPR On 1 January 2020, a new Act allowing representative entities to seek damages in a collective action came into effect in the...
The Italian Data Protection Authority Published Its Annual Report: In 2019, Public And Private Entities Notified 1443 Data Breaches The annual report summaries the different issues on which the Italian Data Protection Authority (“Italian DPA” or “Authority”) worked...
The Unauthorised Access to Personal Data by the Slovenian Police On July 10, 2020, a press conference was held in the hall of Slovenia’s legislative body by Jožef Horvat, MP, a member of one of the...
Gaia-X: European sovereign cloud guidelines unveiled The guidelines of the European Gaia-X cloud are now known.
German Federal Court - Finally clarified: tracking cookies not without active consent The discussion is not new. The European Court of Justice (ECJ) had already decided on 01.10.2019. But only the German Federal Court...
Estonia wants to introduce administrative fines into its legal system to allow for a more effective response to data protection law violations On 6 May 2020, the Estonian Ministry of Justice sent for coordination round the concept of administrative fines. The goal is to...
New member has joined the INPLP. Mr. Uche Val Obi SAN (Nigeria) Alliance Law Firm is a dynamic partnership registered under the laws of the Federal Republic of Nigeria. With a seamless blend of...
Appointment of director of Croatian supervisory authority As everyone already knows, Article 53(2) of the General Data Protection Regulation prescribes the criteria that the director of a...
Is it possible and if it is, how can an employer in Serbia collect personal data of the employees that refer to their criminal records Criminal records contain personal data on the perpetrator of a criminal offense, on the criminal offense for which he was convicted,...
First GDPR fines in Ireland: Big Tech Fines on the horizon In May 2020 the Data Protection Commission (DPC) in Ireland issued its first fines under the GDPR, just prior to the second...
2 years of GDPR, 1 year of Portuguese implementation law The 25th of May marked the second anniversary of the application of the General Data Protection Regulation (GDPR) in the European...
Revision of the Swiss Federal Data Protection Act (FDPA) Due to the Covid-19 pandemic, the last debates in the Swiss parliament were postponed to the autumn session. However, an outlook can...
New member has joined the INPLP. Mr. Chris Yau (Hong Kong) SGS Hong Kong Limited is the Hong Kong branch of SGS group. Established in 1878, SGS is the world’s leading inspection, verification,...
The Swedish and Norwegian Data Protection Authorities have recognized the Danish standard contractual clauses in relation to data processor agreements The Danish Protection Authority has adopted standard contractual clauses in accordance with article 28(3) of the GDPR. The national...
Statement by the Spanish Data Protection Authority (AEPD) on processing of certain health data in the context of Covid-19 The Spanish DPA (AEPD) issued this May a statement regarding the practice of taking the temperature to data subjects in shops, work...
Body temperature readings and the Covid-19. What should we do? Short synopsis of the Romanian status During the Covid-19 pandemic we received numerous and various questions from our clients regarding body temperature readings of...
Fight against covid-19 pandemic in Monaco: temperature taking, camera detection of facemask wearing, and diagnostic tests In early May 2020, the Monegasque Data Protection Authority (Commission de Contrôle des Informations Nominatives, in brief “CCIN”)...
Austrian Court Ruling on Immaterial Damages for GDPR violation – A Mere Violation Of Data Protection Regulations Is Not Enough In February, the first decision of an Austrian Appellate Court regarding a claim for immaterial damages under Art 82 GDPR has been...
New member has joined the INPLP. Mr. George Dimitrov and Mrs. Desislava Krusteva (bulgaria) Dimitrov, Petrov & Co. (DPC) is a full-service business law firm, pioneer in the dynamic field of technology law and data protection...
New member has joined the INPLP Mr. Satoshi Shono (Japan) Matsuda & Partners is a one-stop shop, offering a variety of legal services that cover business related practice including corporate...
Greek data protection watchdog makes its presence clear During the unprecedented Covid-19 pandemic, but also before its appearance, the Greek Data Protection Authority (“DPA”) has taken an...
Presentation of the casebook on Data Protection INPLP member, Olumide Babalola (Lagos, Nigeria), cordially invites the general public to the (virtual) presentation of a book titled...
When is it legal to be named as a reference? For many companies, it is significant for customer acquisition not only to present the advantages of their own products and services,...
New member has joined the INPLP. Mr. Michel Molitor and Mrs. Virginie Liebermann (Luxemburg) Founded in 1996, MOLITOR Avocats à la Cour is a highly respected and independent law firm in Luxembourg City, a full-service firm...
New member has joined the INPLP. Mrs Nicole Beranek Zanon (Switzerland) Nicole Beranek Zanon is a founding partner of de la cruz beranek Attorneys at Law Lt, which is one of the leading IT boutique law...
EU Guidance on Apps Supporting Fight against COVID-19 Pandemic in Relation to Data Protection At the end of April, the European Union published non-binding guidance on apps supporting the fight against COVID 19 pandemic in...
New member has joined the INPLP. Mr Xawery Konarski (Poland) Xawery Konarski is Senior Partner at Traple Konarski Podrecki & Partners which is one of the leading law firms on the Polish market...
Facial recognition and GDPR compliance: the impossible convergence? The use of photographs in police investigations is nothing new. It is the use of algorithms so that a machine, using template image...
United Kingdom’s Supreme Court erred on liability of joint-data controllers UK Supreme Court decision on an employer’s liability for data breach in the case of WM Morrison Supermarkets versus Various...
New Member has joined the INPLP. Mr Olumide Babalola (Lagos, Nigeria) Olumide is the managing partner of Olumide Babalola, LP - his flagship full service law office with particular bias for digital...
The Belgian data protection authority fines a data controller 50,000 EUR for appointing a DPO with a potentially conflicting position It is not too uncommon for a single person to be in charge of general compliance in an organisation, and to also act as its DPO. Is...
A US$ 6 Million Judgment was Passed in Israel, for the Sale of Location Data On March 23, 2020, a 5 year class action that was until now under a gag order, was finally lifted and the Judgment (authorization of...
Protection of Personal Data vs. Citizen’s Health At the time of the fight against the corona virus pandemic, the need to establish an imaginary border between the protection of...
Using data from mobile phone apps in the combat of COVID-19 in Norway The COVID-19 pandemic and the measures to combat the spread of the virus are having a severe impact in a number of countries,...
Covid-19 and personal data protection in turkey – Frequently asked questions This article answers many freuqently asked questions concerning data protection in turkey during times of Covid-19. ...
Protection of personal data of employees (and other persons) during the state of emergency in the Republic of Serbia One of the possible solutions for processing personal data based on a legitimate interest of companies.
Italian data protection authority against the unlawful data processing through telemarketing activities The Italian Data protection Authority (Italian DPA) issued two fines against Tim and Eni Gas e Luce, for a total amount of almost 36...
EDPB Issues Guidance on GDPR Compliance in the Age of COVID-19 After many data protection authorities (in the European Union and beyond) provided guidance and FAQ's on the relationship between...
The re-use of public sector information The re-use of Public Sector information has to be built on a balanced approach where the public interests of such use have to be...
GDPR through the prism of coronavirus epidemic The difficulty of drawing a hard-and-fast line between the right to privacy and the rights of other people to stay healthy ...
Fine for a lack of legal basis of scoring sick leaves of employees An administrative Fine of 82,000 EURO was imposed by the Cyprus Data Protection Authority concerning the lack of legal basis of...
Fine for Dutch tennis association for unlawfully selling personal data The Dutch DPA imposed a fine of 525,000 euros for the unlawful sale of personal data by the Dutch national tennis association the...
Recent decisions of the Austrian Data Protection Authority (DPA) This article presents interesting decisions on Austrian data protection law, which deal in particular with the admissibility of...
Five tips on preparing for ‘whistleblowing’ rules In order to guarantee protection of people who report breaches, I.E. Whistleblowers, employers will soon be obliged to create a clear...
Enforcement of GDPR Infringements by Third Parties – First Decision of the Austrian Supreme Court While the GDPR deals extensively with the rights and claims of data subjects, it mainly leaves the provisions for the assertion of...
Romanian DPA published its activity report for 2019 On the European Data Protection Day 2020 (i.e. on 28 January 2020), the Romanian DPA published (in Romanian and English languages) a...
GDPR news from Croatia at the beginning of 2020 The topic discussed here is the difference between personal data protection before the GDPR entered into effect and the current data...
Data Protection round-up: Key stories of 2019 and forecast for 2020 2019 was a year of major developments for privacy and data protection in Ireland and abroad. According to Ireland, the year 2020 will...
Microsoft under a cloud amid GDPR concerns over its cloud contracts Since the implementation of the GDPR, cloud players have been forced to both rethink their tools and review their contracts. ...
Data breach notification obligation under turkish data protection law In Turkey, the Personal Data Protection Law No. 6698 (the "Law") requires data controllers to take all necessary technical and...
5 takeaways from the first year and a half of GDPR fines The end of the year is usually the time for reflections. Although the first year of GDPR officially ended at the end of May 2019, now...
Report on the State of Privacy in Slovakia The Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as “Office”) pursuant to the provisions of §...
The Danish Data Protection Agency has published new rulings regarding email encryption within the security of processing area Article 32 of the GDPR on the security of processing has been one of the main focus areas of the Danish Data Protection Agency (the...
The Belgian data protection authority issues a fine for unlawful use of the national identity card as a tool for customer card enrolment The Belgian electronic identity card system has been in vogue for a number of years now as a reliable means for electronic...
Administrative fine of 14.500.000 Euro imposed against German Real Estate Company The Berlin Data Protection Authority has imposed an administrative fine against a Berlin real estate company for 14,5 Million euros...
Conditions for imposing administrative fines – The German Data Protection Authorities’ approach On 16 October 2019, the German Data Protection Authorities (DPAs) published their concept of how to determine administrative fines. ...
Portugal: recent fines for the breach of the GDPR More than a year has passed since the General Data Protection Regulation (hereinafter “GDPR”) has been applicable in all EU member...
iGaming and Privacy in Malta: Tensions? Data, and not FIAT or digital currency, is the real currency that measures the worth of a gambling operation, and the single common...
Privacy News from Israel On November 24, 2019 the Israeli Privacy Protection Authority (the “IPPA”) announced that it had hosted an inter-sectoral roundtable...
Draft Guidelines on Data Protection by Design and by Default issued by the EDPB On 20 November 2019, the European Data Protection Board (EDPB) issued a draft of Guidelines on Data Protection by Design and by...
PERSONAL DATA PROTECTION LAW IN MONACO: A “STRUCTURAL MODIFICATION” ANNOUNCED The preparatory work for the reform of the Monegasque data protection law (Act No. 1.165 of 23 December 1993, consolidated), carried...
Significant fines imposed by the Bulgarian Commission for Personal Data Protection Earlier in 2019 the Bulgarian data protection supervisory authority – the Bulgarian Commission for Personal Data Protection (“CPDP”)-...
CNIL on monitoring employee software / internet use Use of video recording of screens, coupled with recordings of telephone conversations in a professional setting, may be proportionate...
Obligation of Notification of Personal Data Violations to Turkish DPA Law on Protection of Personal Data numbered 6698 provides under the article titled “Data Security Liabilities” that, data controllers...
Serbia - readiness/lack of readiness of controllers and processors and knowledge of individuals regarding application of the new Law on Personal Data Protection In August 2019, Serbia started applying new Law on Personal Data Protection. Many challenges were expected before initiation of the...
New European judgment on cookies In its recent judgment in the “Planet49 case”, the Court of Justice of the European Union (“CJEU”) held that consent for cookies...
New Greek law on GDPR Following a fast track procedure, the Greek Parliament adopted Law 4624/2019, which frames the provisions of the GDPR in Greece and...
Does the California Consumer Privacy Act Apply to Me? The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed...
If at First You GDPR, CCPA, CCPA Again The California Consumer Privacy Act (CCPA), which takes effect in 2020, has been dubbed “GDPR-Lite” or “California GDPR” because it...
On The Road Again: Practical First Steps On Your Way to Compliance with the CCPA The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, will take...
20 Questions (and Short Answers) on the California Consumer Privacy Act (CCPA) The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed...
Recent decisions of the Austrian Data Protection Authority (3/3) This article presents the third out of three interesting decisions on Austrian data protection law, in particular dealing with...
Would you like some cookies? When users browse through the internet, cookies perform multi-faceted functions for the benefit of both the webmasters and users...
Recent decisions of the Austrian Data Protection Authority (2/3) This article presents the second out of three interesting decisions on Austrian data protection law, in particular dealing with...
The Italian Data Protection Authority Limits the Sending of Advertising and Promotional Contents to Fidelity Cards Holders For the first time, the Italian Data Protection Authority has exercised its power of "warning" provided by the GDPR, through which it...
Recent decisions of the Austrian Data Protection Authority (1/3) This article presents the first out of three interesting decisions on Austrian data protection law, in particular dealing with...
The Spanish DPA (AEPD) issues a model report to help carry out data protection impact assessments for public administrations The AEPD published in July 2019 a model report to help Public Administrations carry out im-pact assessments on data protection. ...
€ 150.000,- GDPR fine imposed on PWC by Greek Data Protection Authority for being not accountable The Greek HDPA (Hellenic Data Protection Authority) imposed a fine of € 150.000,- on PWC Greece.
GDPR - the real threat to privacy? Over 2 years, GDPR and personal data protection has been discussed across the EU. Vast majority of companies, public authorities and...
Fine of € 460.000,- imposed on Dutch Haga Hospital by Dutch Data Protection Officer, the first Dutch fine under GDPR (July 19, 2019) This first fine under the GDPR is imposed on the Dutch Haga Hospital for having an insufficient internal security of patient records...
Slovenia’s DPA says mere possession of processing equipment does not amount to personal data processing Slovenian courts have in place a system for audio recording of court hearings. The data recorded (which in itself constitute personal...
Welcome to Croatian version of GDPR - Introduction First, I would like to thank the members and the entire EuroCloud organization for letting me join their ranks. I sincerely thank...
One year of GDPR in Estonia Each Spring, the Estonian Data Protection Inspectorate (DPI) publishes its Annual, summarising its main activities of the previous...
GDPR IN NUMBERS – The Irish Perspective To mark the occasion of GDPR's first anniversary, findings and statistics tracked from May 2018 to May 2019 concerning awareness,...
Portuguese Law implementing GDPR finally approved On the 14th of June 2019 (one year later than expected) Portugal has finally approved Draft Law no. 120/XIII/3.ª (GOV), implementing...
GDPR: A Game Changer for Cloud Contracts Until recently, most IT contracts, even the large-scale ones, were generally based on a simple purchase order and sometimes a...
The 4th version of the StarAudit Catalogue has been released We've introduced a new Area focused on GDPR and several enhancements to existing controls as part of this major update. ...
Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union Last week the European Commission published guidance on the free flow of non-personal data, focussing on the interaction of the FFD...
Legislative and practical adjustments in Bulgaria implementing GDPR Earlier in 2019 Bulgaria has become another European Union member to adopt the EU’s privacy regime. The Bulgarian Personal Data...
The Danish Data Protection Agency has reported a large Danish taxi company to the police for violation of GDPR rules The Danish Data Protection Agency has reported the taxi company, Taxi 4x35, to the police and recommended the company for a fine of...
Serbia: New Law on Personal Data Protection At the end of November 2018, the new Law on Personal Data Protection (Law) came into force but its application was postponed for nine...
The Belgian data protection authority bans the use of private sector logins as an access condition to public sector websites The Belgian tax authorities maintain an online repository called FisconetPlus, on which tax payers can find key information and...
Slovak list of processing operations which are subject to the requirement for a data protection impact assessment Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of...
Challenges for Companies with an Israel Nexus In May 2018, the Israeli Protection Of Privacy Regulations (Data Security 2017) (the “Regulations”) came into effect. The...
Norwegian DPA publishes list of processing activities with mandatory DPIA Under Article 35 of the GDPR, the national Data Processing Authority (DPA) shall establish and make public a list of processing...
Three Legal Opinions of the Italian DPA clarify some GDPR Implementation Aspects The aim of this article is to focus on three important legal opinions published by the Italian Data Protection Authority on the...
On 19 February 2019, the Dutch Data Protection Authority has come up with its own policy for determining the levels of administrative fines On the basis of the guidelines of the article 29 working party of what now is the EDPB (European Data Protection Board) and the...
The Spanish DPA published a report on the processing of personal data related to political opinions by political parties The Spanish DPA published a recent report on the processing by political parties of personal data related to political opinions. ...
Implications on Data Protection law in the event of a no-deal Brexit Since the 2016 referendum whereby voters expressed their wish for the United Kingdom (the “UK”) to leave the European Union (the...
Data Protection Officers under Slovenia’s Draft Personal Data Protection Act (ZVOP-2) In the light of the GDPR, on March 6, 2019, Slovenia’s Ministry of Justice published <a...
The role of Romanian courts in the protection of personal data in the post GDPR era Where does the role of the data protection authority (DPA) end and where the court takes priority? The relevant legal provisions are...
Three interesting decisions on Austrian data protection law This article presents three interesting decisions on Austrian data protection law, in particular dealing with an unlawful video...
Liability of Joint Controllers in the Light of the CJEU Case Law General Data Protection Regulation (GDPR) brought (for the Czech legal environment completely new) legal construct of joint...
The Looming Clouds: How and why cloud services are reshaping the future of financial services in Europe EuroCloud Europe publishes a new whitepaper in partnership with RedHat and Accenture, tracing the drivers of change across the...
To be or not to be (a processor). That is the question. In the case of a service provider that is not contracted by a controller to process personal data on its behalf but may gain custody...
EU–U.S. Privacy Shield adequacy decision (“Privacy Shield”) adopted on 12 July 2016, assessed by EDPB in report January 22, 2019 The EDPB (European Data Protection Board) assessed in its January 22, 2019 report once again whether the safeguards provided under...
Google fined $57m by French regulator for breaching GDPR French data protection authority CNIL has slapped a €50 million ($57 million) on Google for failing to meet requirements under the...
Joint Controllership Report EuroCloud Europe will establish a European database of case-studies describing sector specific joint-controllership relations, as...
Data Breach Report EuroCloud Europe will undertake to create a European database of data-breach-related DPA decisions and court judgments. ...
Is a violation of a GDPR rule at the same time a violation of competition law? According to the Oberlandesgericht Hamburg (Higher Regional Court Hamburg) violations of data protection rules can also mean a...
Properly identifying roles in processing personal data: the latest from the EU Court of Justice In the last six months, the EU Court of Justice has provided its views on the roles of different parties processing personal data on...
2018 Highlights of data protection in Monaco The year 2018 was for Monaco a preparatory year for the forthcoming adaptation of Act No. 1.165 on the protection of personal data,...
The Dutch Data Protection Authority (Dutch DPA) clarifies the concept “large scale” for the Data Protection Officer (DPO) Government agencies and public organisations have the obligation to appoint a DPA, regardless the type of data they process. ...
Joint Controllership Sub-group News During 2018, the Not-for-Profit International Network CPC set up some study groups with the aim to analyze and compare the Member...
Compete for the best cloud solution worldwide – the EuroCloud Awards 2019 start now The EuroCloud Awards recognize the best digital services from Europe and around the world based on their underlying cloud computing...
Supreme Court Finds the Publisher and the State Liable for Personal Data Breach In August 2018, the Supreme Court of the Republic of Slovenia upheld the judgements of the lower courts finding the publisher and the...
New cybersecurity law imposes security and reporting obligations to Operators of Essential Services and Digital Service Providers The Greek Parliament recently enacted Law 4577/2018, the purpose of which is to transpose Directive (EU) 2016/1148 on security of...
Uber fined £385,000 in the UK and €600,000 in the Netherlands Uber US and Uber Netherlands were considered to be joint controllers which made them both separately liable for claims of customers...
3rd CPC Conference of the members of the EuroCloud CPC Network Vienna, 24 Nov 2018: This year, lawyers from 13 countries attended the event in Vienna and approved a comprehensive list of...
Slovenia’s ICO defines DPO’s additional tasks that could result in a conflict of interests Paragraph 6, Article 38 of the General Data Protection Regulation (GDPR) allows the Data Protection Officer (DPO) to fulfil other...
The Spanish DPA (AEPD) issues guidelines regarding the management and notification of security breaches according to GDPR The Agencia Española de Protección de Datos ( AEPD) presented guidelines regarding the management and notification of security...
Turkey: Data Protection Matters in M&A Transactions Privacy issues in mergers and acquisitions take the attention of transaction parties among other things in these days. ...
With Legislative Decree 101/2018, Italy harmonized the national privacy legislation to the GDPR With Legislative Decree n. 101/2018 the Italian legislator has finally taken the last necessary step in order to coordinate the local...
Doping control in sport – how about personal data? As the legal representatives of the Slovak Anti-doping Agency (hereinafter referred to as “SADA”), we have taken part in several...
List of personal data processing activities that must be subject to a Data Protection Impact Assessment (“DPIA”) The CNPD (Portuguese Data Protection National Commission), as the Portuguese supervisory authority, has approved Regulation nr....
In-vehicle emergency call systems (e-call) in Turkey In-vehicle emergency call (eCall) systems, which have been in use for a long time, are defined as systems within vehicles being...
Privacy Shield: Brace Yourself, Changes are Coming Since the application of the GDPR, the days of the EU-U.S. Privacy Shield may be numbered and parties to an IT contract must be on...
Controller-Processor relationship in public sector (Bulgaria) With the entry into force of Regulation (EU) 2016/679 (the “General Data Protection Regulation”) on 25th May 2018, the matter of...
Mandatory e-mail encryption from January 1st 2019 in Denmark The new practice of the Danish Data Protection Agency requires all work related e-mails containing personal data is to be encoded...
The days after the GDPR – The Cyprus Law on the Protection of Natural Persons against the Processing of Personal Data and the Free Movement of this Data This year, on the 25th of May 2018, the highly anticipated and monumental EU General Data Protection Regulation (henceforth “the...
GDPR With an Irish Flavour – The Irish Data Protection Act 2018 Ireland's Data Protection Act 2018 (the "DPA"), which implements elements of the European Union's General Data Protection Regulation...
Oliver – Helping the Masses Navigate GDPR through Artificial Intelligence Privacy is key to a healthy information society and the recently-enacted GDPR offers EU citizens significant control over how their...
Portuguese Data Protection Authority activities - Data Protection Impact Assessment List and notifications for DPO and Data Breaches The Portuguese Data Protection Authority (“DPA”) recently announced a public consultation on the list of processing activities that...
The Estonian data protection authority issued guidance on the definition of “large scale” processing The Estonian data protection authority (Data Protection Inspectorate, DPI) issued guidance on the definition of “large scale”...
Latvia has adopted the Law on Personal Data Processing The national Law on Personal Data Processing (the National Law) has entered into force on July 5th, 2018, which made Latvia the first...
GDPR: Your rights after death Dr. Gege Gatt, Partner of the EuroCloud CPC Network, shares his thoughts following the recent landmark judgement by the German Court...
“White list” – (Austrian) Exceptions to the Privacy Impact Assessment The General Data Protection Regulation (GDPR) stipulates that (data) controllers must carry out what is known as a "data protection...
A European Sovereign Cloud: the Silver Lining to the U.S. CLOUD Act The adoption of the U.S. Cloud Act weakens the integrity and security model of leading public cloud providers. ...
The Spanish Data Protection Authority (AEPD) issues a check-list on regulatory compliance The Spanish DPA issued a check-list regarding regulatory compliance to facilitate the implementation of GDPR. ...
Employee monitoring under the Romanian law implementing GDPR On 27 June 2018, the Romanian Parliament finally approved the Romanian law intending to cover the open clauses under the General Data...
GDPR in a Post-Brexit Era: Some New Challenges? The General Data Protection Regulation (GDPR) came into full operation on 25 May 2018 and was described by the Information...
CPC Presentation Brochure 2018 Halfway through 2018, we have published a presentation brochure detailing the status and results the Cloud Privacy Check (CPC)...
The Impact of the GDPR in Monaco until the Revision of the Monegasque Data Protection Legislation The Monegasque Data Protection Authority has published on its website on May 2, 2018 a list of the key questions on the GDPR...
A brief history of data protection: How did it all start? With the GDPR being enforced on 25th of May, we decided to take a glimpse back into the history of data privacy and traced it's first...
The discussions around the national law on personal data processing The Latvian legislator is facing delays with the adaptation of the national Law on Personal Data Processing (the Draft Law). On April...
A guide to the insurability of GDPR fines across Europe: the price of data security Zepos & Yannopoulos, partners of the EuroCloud CPC network, participated in a multi jurisdictional exercise organised by the...
The Danish Parliament has adopted the Danish Data Protection Act The act will to some extent replace the Danish Act on Processing of Personal Data and it will enter into force simultaneously with...
GDPR and its influence outside EU - Why, What, Who, When, How (Macedonia’s case study) GDPR is knocking on the door. Being a Europe’s country, and not being a European Union member country yet, does not release the...
Cloud Contracts, GDPR and Liability Caps Liability caps in contracts under the GDPR is a hot-button issue for data controllers and data processors. A few days before the...
Consent in imbalance of power Consent of a data subject is often used by data controllers in order to ensure lawful data processing. Still, processing on the...
The right to be forgotten… for convicted criminals? Earlier in March 2018, the Maltese press reported and revealed that private individuals have successfully requested that court cases...
Portuguese GDPR implementation legislation Even though the GDPR is directly applicable in the Member States, it has left open the possibility for Member States to enact...
Every Irish Cloud Has A GDPR Lining Ireland's Data Protection Bill 2018 (the "Bill"), which will implement elements of the European Union's General Data Protection...
Data Processing Agreement and its new challenges The long-expected General Data Protection Regulation (GDPR) comes with new, specific requirements for data processing agreements, as...
The recent provisions of the Italian legislator on data protection The Italian Legislator recently adopted two new laws on data protection matter, Law. n. 167/2017 and Law n. 205/2017, with the aim of...
The GDPR and the Fall of Biometrics In a world where smart technology has become the norm, where people access their phones and TVs with fingerprints and voice commands,...
Recent decisions of the Austrian Data Protection Office (DSB) and the Austrian Administrative Supreme Court (VwGH) The article presents three interesting decisions on Austrian data protection law, in particular dealing with control measures at the...
The New Belgian Data Protection Authority under the GDPR The Belgian Act of 3 December 2017, which was published in the Belgian Official Journal on 10 January 2018, partially implements the...
Österreich übernimmt Vorsitz der Artikel-29-Gruppe der europäischen Datenschutzbehörden Die österreichische Datenschutzbeauftragte Andrea Jelinek wurde zur Leiterin der Artikel-29-Datenschutzgruppe gewählt. Diese wird ab...
Public hospitals in Norway threatened with fines of NOK 7.2 million (EUR 720,000) following outsourcing project Public hospitals in Norway are organized in a structure where they are owned by four different regional legal entities. The regional...
How to choose a DPO? Practical insights The data protection officer (DPO) is a key function/office/position under the GDPR responsible for compliance with data protection...
GDPR in the Czech environment General Data Protection Regulation (GDPR) is going to govern the personal data protection matters across Europe since May 2018. Even...
20Q&A – The latest CPC project The 20Q&A project is intended to give the reader a quick overview and short summary of the most urgent questions regarding the...
The Data Protection Bill, Brexit and Data Transfers The Data Protection Bill (Bill) will replace the Data Protection Act 1998 and will implement the General Data Protection Regulation...
Monegasque DPA vs GDPR: Can you spot the difference? It would be wrong to infer from the fact that the Principality of Monaco is a non-EU State, that the General Data Protection...
Ireland: DP Bill to Implement GDPR and Overhaul Data Protection Commission A new Data Protection Bill will soon issue which will implement elements of the GDPR into Irish law and overhaul the Office of the...
Proposed Regulation on the Free Flow of Non-Personal Data in the EU Data is a resource for digital business and we can expect more and more rules regulating this vital resource. In addition to the GDPR...
How will national DPAs impose fines for GDPR violations? The GDPR introduced an antitrust-type sanction regime with fines which, for severe infringements, may amount up to 20 million euros...
New Latvian Personal Data Processing law is being developed Latvian Ministry of Justice has drafted text of new Personal Data Processing Law, which fulfils the assignment of Regulation (EU)...
Testimonials after the 2nd CPC Conference The CPC Conference participants present in Vienna between 24-26 November 2017 offer their feedback of the event. ...
Belgium’s New Data Protection Authority In implementation of the General Data Protection Regulation (2016/679), the Belgian Privacy Commission is being replaced by a new...
2nd Cloud Privacy Check (CPC) Event The 2nd Cloud Privacy Check (CPC) event took place between 24-26 November 2017 in Vienna, Austria.
Data Protection Law Enters the Social Media Era This last decade has undoubtedly marked a vast and worldwide sociological evolution which has defined and created a new generation...
The Spanish DPA (AEPD) presents “Facilita RGPD” The Spanish DPA (AEPD) presents “Facilita RGPD”, a tool created to help companies comply with the European Data Protection Regulation...
The Standard Contract Clauses under fire? In the recent case between the Data Protection Commissioner vs Facebook Ireland ltd and Maximillian Schrems of October 3rd 2017,...
Final straight for Luxembourg in implementing the European package on Data Protection A rapid overview of Luxembourg’s latest legislative measures in its preparation for European package on Data Protection with a...
GDPR: It is not just the fines! Even if a person does not know anything else about the GDPR, it usually knows about the massive potential fines the GDPR will bring...
Germany's GDPR implementation law, it's just the beginning The EU data protection reform package consisting of the General Data Protection Regulation (EU) 2016/679 (in German:...
Bărbulescu ruling: Workplace privacy is alive and kicking On Sept. 5, the European Court of Human Rights handed down a landmark judgement about privacy and monitoring at the workplace. The...
Cloud And Data Protection – A Challenge to Users Is your cloud compliant? Cloud experts Dr. Tobias Höllwarth, Dr. Jens Eckhardt, Christian Laux, and Dr. Clemens Thiele explore the...
GDPR: Rights and Obligations of Sub-Processors The GDPR clearly sets out the rights and obligations of sub-processors and requires them to meet strong contractual requirements. ...
Data Protection Officer / Bulgarian Overview With the upcoming entrance into force of the new General Data Protection Regulation in May 2018, the Bulgarian Commission for...
Notification of Personal Data Breaches: Promoting joint pro-activity in data security A brief discussion regarding the obligation of Controllers to notify the data subject and supervisory authority in the event of a...
New white paper on the general data protection regulation from the danish ministry of justice On May 24, 2017, the Danish Ministry of Justice published their long-awaited report on the Personal Data Regulation, which will...
The Greek Data Protection Authority issues an announcement on the need of certification of DPOs As we get closer to May 2018 when the GDPR will enter into force, the discussions on whether organisations should appoint a DPO and...
A Call for a European “Civil Code” of Digital Data Amid the rush to be GDPR-ready, the former European Commissioner for Digital Economy and Society was campaigning for a comprehensive...
Cloud Service Provider – processor, controller or both? Cloud service providers (hereinafter referred to as the „CSP“) offer nowadays a wide spectrum of cloud computing services. Benefits...
Certification and GDPR: Italy’s DPA Clarifications The GDPR encourages (through the Member States, the supervisory authorities, the Board and the Commission) the adoption of data...
Cloud Contracts: Impacts of GDPR on Joint Controllers The GDPR clarifies the concept of “joint controllers”, which is of particular interest for the cloud computing community. Already...
GDPR implementation in Portugal While studies show that there is a medium / high degree of awareness of the obligations and impacts of implementing the GDPR, the...
Recent decisions of the Austrian Data Protection Office (DSB) The article presents three interesting decisions on Austrian data protection law, in particular dealing with the scope of the right...
Cloud Contracts: Impacts of GDPR on Processors The GDPR clarifies the clauses to be contained in a data processing agreement. The new European Regulation does not change the...
Data protection and Luxembourg At a time where the General Data Protection Regulation (“GDPR”) has been spoken and written about extensively in all European...
GDPR-Complementing Regulations Just a Hair’s Breadth Away Introducing high administrative fines (a maximum of EUR 20 million or 4% of global annual turnover, depending on which is higher) and...
Five Key Takeaways from the Recent Report on National Implementation of the GDPR in Finland Right before the midsummer holidays, the TATTI working group appointed by the Finnish Ministry of Justice published its report on the...
Slovenia Strengthening its Position on Personal Data Protection The Supreme Court rules in favour of suspects' privacy while the Parliament declares "revenge porn" a criminal act. ...
Records of processing activities according to the General Data Protection Regulation (Art. 30) The General Data Protection Regulation (GDPR) will apply from 25 May 2018. Until then, all regulations of the GDPR have to be...
Dutch DPA published 10 steps to prepare for GDPR Recently the Dutch Data Protection Authority (Autoriteit Persoonsgegevens: "AP") published a 10-step-plan for Dutch organizations to...
Norway: New standard document on connected cars and privacy Modern cars generate, collect and process a large quantity of data. Some of the data can be linked to the owner, the driver and/or...
Emergence of a European cloud combining growth and security A safer and people-friendlier cloud must be built at the European level.
New Whitepaper "Cloud and Annual Accounts" June 2017 EuroCloud Europe has published in June 2017 a new whitepaper "Cloud & Annual Accounts".
New Whitepaper "Cloud & Data Protection" June 2017 EuroCloud Europe has published in June 2017 a new whitepaper "Cloud & Data Protection - The Cloud Privacy Check (CPC)". ...
The Swedish Data Protection Act Today the processing of personal data in Sweden is regulated in the Personal Data Act (Sw. Personuppgiftslag (1998:204)). On 25 May...
GDPR: The Italian Data Protection Authority Issues its First Guidelines By a press release dated April 28th, 2017, the Italian Data Protection Authority (“DPA”) issued its first guidelines (“Guidelines”)...
GDPR: Read from a CPC perspective I write this text assuming that the reader already knows well about the four-step test implemented by the CPC...
The impact of Brexit on EEA-UK data flows The free movement of personal data within the EEA is a cornerstone of the Single Market – crucial to businesses and consumers...
Draft Regulation on Data Controllers’ Registry On May 5th, 2017 the Turkish Data Protection Authority published the Draft Regulation on Data Controllers’ Registry (“Draft...
While preparing for the GDPR – Romania's perspective Data protection becomes hotter and hotter. Years ago a rather low tier area of law and practice, data protection is now being...
Characteristics of the General Data Protection Regulation A look at the new European Regulation which is bringing Data Protection law into the new century.
Personal Data Protection vis-à-vis Freedom of Expression and Information Respect for basic human rights and freedoms is a conditio sina qua non for continuous and proper development of individuals and...
The Spanish DPA (AEPD) presented new materials to help SMEs comply with the European Data Protection Regulation The Spanish DPA intends to make it easier for SMEs to be aware -during the transitional period until May 25, 2018- of the impact that...
Irish DPC Issues Guidance Note on the GDPR The Irish Data Protection Commissioner ("DPC") published a guidance note on the General Data Protection Regulation ("GDPR") in...
Data State Inspectorate examines the obtaining and saving personal data by third persons While the Ministry of Justice of the Republic of Latvia is working on the changes of national legislation for the application of the...
The Right to be forgotten - Practical perspective The right to be forgotten under article 17 of GDPR brought up conflict between the right of an individual to object to processing his...
Data Protection Compliance in Monaco: new online preregistration and new modalities for the declaration forms The Monegasque Data Protection Authority (CCIN) announced on the European Data Protection Day (28 January 2017) the possibility for...
Data Protection Compliance in Turkey On April 7th 2016, the long awaited Law on the Protection of Personal Data was enacted (the “Law”) in Turkey to regulate process and...
The Greek Supreme Court opens the way for employers to review electronic communications of employees The access to and review of corporate emails, other electronic communications and electronic files stored on the business computers...
The Belgian data protection authority provides its perspective on Data Protection Impact Assessments The upcoming General Data Protection Regulation contains an obligation to conduct a data protection impact assessment (DPIA) for...
Cloud Conference 2017 discussed the best practices, recent developments and risks of the cloud On 8 March 2017, the annual Cloud Conference organised by IT News (in Estonian: ITuudised) took place in Tallinn, Estonia. The...
Hearings in preparation of the GDPR The Danish Ministry of Justice has begun its work with the Danish adoption of the General Data Protection Regulation (the GDPR) in...
GDPR: a new hope for the use of BCRs for cloud providers in Portugal The GDPR brings a new hope for the application of BCRs, especially for cloud providers (as processors), as they are given specific...
The new law on personal data protection: legislative process in Slovakia has been launched In January 2017, the Office for Personal Data Protection of the Slovak Republic initiated the legislative process leading to the new...
Polish Data Protection Authority recommends encrypting email Polish DPA recent opinion on encryption as preferred response to confidentiality risks associated with email. ...
Two selected decisions on Austrian data protection law A case of the DSB (Austrian Data Protection Office) and one of the VwGH (Austrian Administrative Supreme Court) are presented below....
Meeting at the offices of Alain Bensoussan Avocats Lexing Paris, 6th of February 2017: meeting at the offices of Alain Bensoussan Avocats Lexing with Alain Bensoussan, Eric Le Quellenec,...
Malta IT Law Association (MITLA) workshop on Cloud Computing The Malta IT Law Association (MITLA) organised a workshop on Cloud Computing on the 12th of December 2016.
Data Protection Law Made Easy Lawyers from 32 countries have created the Cloud Privacy Check (CPC), the largest European information platform explaining data...
CPC conference Vienna, 28th-30th of October Contributors of the CPC projects from 20 countries met in Vienna for two days to prepare for the publications of the international...
Meeting with CPC partner Dr. Laux in Switzerland to prepare Phase2 of the project 25th February, Zürich: Meeting with CPC (cloudprivacycheck.eu) partner Dr. Laux in Switzerland to prepare Phase2 of the project....
EU GDPR, BCR, CPC and other stuff Tobias Höllwarth draws some lines between the new EU General Data Protection Regulation, Binding Corporate Rules, strategies of...