Complementing the GDPR: The ePrivacy Regulation Part I

This is the first blog of a series of posts which will explore aspects of the ePrivacy Regulation adopted on 10 January 2017 which aims to provide stronger privacy protections in electronic communications. On 10 January 2017 the European Commission adopted the Proposal for a Regulation on Privacy and Electronic Communications (the Draft ePrivacy Regulation) concerning ...

University of Maastricht’s European Centre on Privacy and Cybersecurity

In January of this year I became a Visiting Fellow at the University of Maastricht's European Centre on Privacy and Cybersecurity, a platform for research focused on legal issues related to personal data protection and cybersecurity. ECPC has a strong European and international outlook and brings together an interdisciplinary group of researchers active in areas of ...

Brexit and the future of data transfers to the UK

On 29 March 2017 Theresa May, the Prime Minister of the United Kingdom, officially invoked Article 50 of the Treaty on European Union, effectively triggering Brexit.  But what does that mean for us as data protection and privacy experts and how will companies be affected by Brexit? The Lisbon Treaty establishes that countries exiting the EU ...

The Case of Standard Contractual Clauses: The Irish Data Protection Commissioner & Max Schrems

“The supervisory authorities should have the power to prohibit or suspend a data transfer or a set of transfers based on the standard contractual clauses in those exceptional cases where it is established that a transfer on contractual basis is likely to have a substantial adverse effect on the warranties and obligations providing adequate protection ...

Article 29 Working Party publishes Privacy Shield enforcement documents

The Article 29 Working Party is preparing for enforcement as the nine-month grace period for US Companies that self-certified before 30 September 2016 comes to an end on 30 June 2017. As of today there are a total of 1,750 organizations signed up to the EU-US Privacy Shield List, which applies to the transfer of all ...

ENISA’s Guidelines for the implementation of minimum security measures for Digital Service Providers

ENISA's "Technical Guidelines for the implementation of minimum security measures for Digital Service Providers" will prove to be extremely useful for businesses. The guidelines spell out minimum security measures and are especially relevant with respect to alignment with the GDPR which only set forth in Article 32 (Security of processing) the obligation of controllers and ...

Italian employers can no longer control employees’ e-mails and communications when private-professional use of corporate devices are allowed

Background information/scenario Since the publication of the Guidelines Applying to the Use of E-Mails and the Internet in the Employment Context, the Italian Data Protection Authority (“Garante”) has had more than one opportunity to state its view on the controls of IT devices provided to employees to perform their job. In the case at stake, a ...

The Italian Data Protection Authority forbids the use of contact details of companies and professionals for marketing purposes without prior consent

Background information/scenario Do marketing purposes need specific consent and does such consent apply even when targeting professionals and companies whose contacts are publicly available on Internet? In one of its first decisions dated 2017, the Italian Data Protection Authority  (“Garante”) restated that all data controllers must collect a freely given and specific consent in order to ...

Privacy, maratona di eventi per aziende e professionisti

Adnkronos, 16/02/2017:  "A poco più di un anno dalla scadenza del 25 maggio 2018, imprese e pubbliche amministrazioni devono adeguarsi al nuovo Regolamento sulla protezione dei dati personali. Da nord a sud della penisola, sono ben 15 le giornate di formazione organizzate o patrocinate da Federprivacy nel giro di un mese e mezzo, in cui gli ...