GDPR

German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided

Written by

Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018.  For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization.  On this blog, we have outlined the items we have seen as particularly time- or resource-intensive. On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction.  Germany has 16 state-run DPAs with general [...] Read more

Privacy Activist Challenges Data Collection for Internet Businesses

Written by

Austrian privacy activist Max Schrems’ organization, NOYB – Center for Digital Rights, filed complaints against Google (Android), Instagram, WhatsApp and Facebook on May 25th, the same day on which the EU General Data Protection Regulation (GDPR) became effective. NOYB filed the complaints based on the GDPR with supervisory authorities in France, Belgium, Germany and Austria.  These “Day 1” complaints could have a definite impact on ad-supported online businesses. The complaints reflect similar criticisms of each company. Assuming that each company processes personal data on the basis [...] Read more

EU Supervisory Authorities Disclose DPO Notification Tools

Written by

Shortly after the GDPR’s entry into application on May 25, 2018, several EU Supervisory Authorities have activated online Data Protection Officer (“DPO”) notification tools, allowing organizations to communicate the contact details of their DPO to the Supervisory Authorities, which is a requirement under Article 37 GDPR. While the DPO Guidelines of the Article 29 Working Party (“WP29”; replaced by the European Data Protection Board, “EDPB”) do not emphasize the requirement to notify DPOs, Supervisory Authorities (“SAs”) view these notifications as important, and have made available [...] Read more

German DPAs Issue DPIA Blacklists; Many Companies Likely to be Affected

Written by

The GDPR entered into force on May 25, 2018.  One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy.  DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make.  Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more

Alston & Bird Issues Data Protection Paper on Accurate Retrieval of Personal Data under the GDPR

Written by

Today Alston & Bird’s Jan Dhont, Peter Swire, and DeBrae Kennedy-Mayo, with support from Senzing, Inc., are publishing a White Paper titled The Importance of Accurate Retrieval of Data Subjects’ Personal Data in Complying with GDPR Individual Rights Requirements. The General Data Protection Regulation, which enters into effect on May 25, 2018, goes considerably beyond existing law in setting forth individual rights that allow data subjects to control how their personal data is used. This Paper addresses an important issue for implementing individual rights – how can those companies [...] Read more

Belgian Privacy Commission Issues DPIA “Black” and “White List” Recommendation

Written by

On February 28, 2018, the Belgian Privacy Commission issued a recommendation on the position it takes with regard to data protection impact assessments (or “DPIAs”) as foreseen in the GDPR. A DPIA under the GDPR is similar in scope and impact to its predecessor, the PIA (or “privacy impact assessment”) and requires businesses to assess processing operations that are likely to present a high risk to individuals’ rights. Such “high risk” is, for instance, likely to present itself in processing operations involving sensitive data, systematic monitoring, or vulnerable individuals such [...] Read more

Belgian Court Uses Novel Argument to Assume International Jurisdiction over Non-EU Facebook Entities

Written by and

On February 16, 2018, the Brussels Court of First Instance rendered a judgment in proceedings brought by the Belgian Privacy Commission’s against Facebook. The case forms one part of two-tiered litigation brought by the Commission in regards to alleged monitoring practices vis-à-vis Belgian internet users. In parallel to the proceedings that resulted in the judgment cited above, the Belgian Privacy Commission had also initiated a procedure referred to as “summary proceedings” against Facebook – and Facebook defeated the Privacy Commission’s claim before the Brussels Court of Appeal in [...] Read more

German DPAs Publish Model GDPR Processing Records – Translations Provided

Written by

In just under 100 days, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of their processing activities.  Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods. Article 30 GDPR thus creates a new kind of documentation obligation.  This obligation [...] Read more

100 Days Until GDPR Effective Date – Sharing Our GDPR Experience

Written by and

In less than 100 days, the General Data Protection Regulation (GDPR) will go into effect. This means that as of May 25, 2018, each national Supervisory Authority will have the authority to apply and enforce the GDPR. The GDPR raises the bar in terms of requirements substantially higher than the Data Protection Framework Directive. For instance, it recognizes new rights for data subjects (e.g. right to be forgotten and right to data portability), introduces data breach notification requirements, introduces the concept of a Data Protection Officer, and brings enhanced accountability obligations. Given [...] Read more

Privacy & Data Security Team Launches Unique GDPR Tracker Website

Written by

“To Harmonize or Not To Harmonize: That Is the Question.” With the the GDPR fast approaching on May 25, 2018, European Member States are getting ready with the implementation of national legislation. Although the GDPR is a regulation, and directly applicable in all Member States, it has left room for country-specific legislation in several different regards (such as the processing of employee data or individual rights restrictions). Most Member States still only have draft legislation at this point, but the expectation (or at least intention) is that each country will have adopted legislation [...] Read more