Organizations are left with no practical legal grounds to transfer personal data to the United States. “A new age of data transfers” Part III

After the official statements of the European Data Protection Board (EDPB) and several Supervisory Authorities (SAs), it is clear that at the moment there is no practical way for data to lawfully flow from the EU to the US. The reasoning in 5 steps: On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the European ...

UPDATE (i): “PUBLIC HEALTH AND PRIVACY” AND NOT “PUBLIC HEALTH OR PRIVACY”: A COLLECTION OF GUIDANCE ON COVID-19

In the evolving COVID-19 scenario in which business continuity also depends on adequate data protection and cybersecurity practices on the part of organizations, knowledge mapping of privacy & data protection guidance and cybersecurity best practices has taken on an even more important role. It’s for that very reason that, without the presumption of completeness, I ...

Joint Controllership: A collection of recent guidance

Article 26 GDPR on Joint controllers determines that, "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the ...

EDPS announces investigation into European Parliament’s 2019 election activities and is taking enforcement actions

On 28 November 2019 the European Data Protection Supervisor announced that "it is carrying out an investigation into the European Parliament’s use of a US-based political campaigning company to process personal data as part of its activities relating to the 2019 EU parliamentary election." In its press release the EDPS stressed that "Election campaigns are ...

EDPS publishes Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725

The EDPS Guidelines provide instructions to EU institutions and bodies for compliance with Regulation 2018/1725 with respect to the concepts of controller, processor and joint controllership and examine responsibilities and obligations concerning data subject rights, specific case studies for controller-processor, separate controllership and joint controllership situations, and are intended to aid management in "supporting ...

Welcoming Regulation (EU) 2018/1725 and new data protection rules for EU institutions

The new rules governing the protection of personal data in EU institutions and the formal duties of the EDPS are established in Regulation (EU) 2018/1725, which replaces Regulation (EC) No 45/2001. As the EDPS pointed out in its recent press release, the adoption of this regulation represents a fundamental step in the completion of the EU data protection framework. What's ...

EDPS Publishes Opinion on “A New Deal for Consumers” legislative package

The EDPS has published a new Opinion on the “A New Deal for Consumers” legislative package. The package consists of two proposals: one for a Directive as regards better enforcement and modernisation of EU consumer protection rules and one for a Directive on representative actions for the protection of the collective interests of consumers. You can access the ...

Cambridge Analytica and the Concept of Fairness by Design

Just a few days ago the ICO published its "Investigation into the use of data analytics in political campaigns Investigation update" report that provides details with respect to the office of Information Commissioner Elizabeth Denham's investigation of the widespread use of data analytics in electoral campaigns. The report largely focuses on Facebook and Cambridge Analytica as ...

Let’s not forget about Data Protection by Design

One month after the EU's General Data Protection Regulation became directly applicable in all EU Member States, I would like to take the opportunity to consider the importance of what I deem to be a fundamental pillar of privacy and data protection: Data Protection by Design/Default (“DPbD”). What is data protection ‘by design’ and ‘by default’? ...

Wojciech Wiewiórowski (EDPS) on Civil society organisations as allies of DPAs

Earlier this week in his blog, Wojciech Wiewiórowski (Assistant Supervisor at the EDPS) discussed the importance of civil society organisations as strategic allies of European DPAs because they play an important role in the practical application of data protection principles by "empowering individuals to assert their rights and holding data controllers accountable for their actions." Wiewiórowski pointed out ...