In this episode, Claude-Etienne Armingaud, Eleonora Curreri, and Camille Scarparo celebrate the fifth anniversary of GDPR accompanied with lawyers from our European offices; Thomas Nietsch and Andreas Müller (Berlin), Nóirín McFadden (London), and Gianmarco Marani (Milan). They reflect on how embedded GDPR has become in the cultural scene and with private enforcement. They also touch on the future for UK GDPR and the Data Protection and Digital Information (No.2) Bill.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri, Gianmarco Marani, Andreas Müller, Noirin M. McFadden, Dr. Thomas Nietsch, Camille Scarparo

K&L Gates LLP has carved out a niche for work involving medical technology and IT in the healthcare sector. The firm assists with joint ventures and acquisitions in this space, as well as providing advice on GDPR and further data compliance matters.

Source: Legal 500

The team at K&L Gates LLP has strong capabilities advising clients active in the areas of luxury goods, the metaverse and energy, on innovative technologies such as VR and augmented reality, in matters which are often cross-border in nature. It is also well-equipped to advise on e-commerce launches, GDPR due diligence reviews, and acquisition matters. The team, led by Claude-Etienne Armingaud, often works in collaboration with other global offices.

Practice head(s): Claude-Etienne Armingaud

(more…)

Backed by a global network spanning five continents, the data protection, privacy and security group at K&L Gates LLP assists financial institutions and multinationals in mining, biotech (Anika Therapeutics), energy (Envision), home appliances (SharkNinja), pharmaceuticals (Ipsen), manufacturing (K&N Engineering), luxury goods and tech, on wide array of matters across the practice area. Headed by Claude-Etienne Armingaud, an expert in multi-jurisdictional transactional matters, dealing with IT outsourcing and data protection, the group also assists clients with GDPR compliance, data sharing agreements and data protection elements of M&A transactions.

Leading individuals: Claude-Etienne Armingaud – K&L Gates LLP

Practice head(s): Claude-Etienne Armingaud

(more…)

In this episode, Claude Etienne Armingaud, Eleonora Curreri, and Camille Scarparo introduce a case regarding a U.S. company’s data privacy breach, the consequences a company may face for being non-compliant with GDPR for companies established outside of the EU, and which steps companies can take to prevent these situations.

First publication: K&L Gates Hub with Eleonora Curreri & Camille Scarparo

Well, that’s a wrap on #DPI23 France!

Claude-Étienne Armingaud, CIPP/E, Partner, Data Protection Privacy and Security Practice Group Coordinator, K&L Gates

Gabriela MercuriManaging Director, SCOPE Europe

Jörn WittmannDirector Privacy Legislative Strategy and Public Policy, Volkswagen AG

Codes of conduct overseen by accredited monitoring bodies are one of the breakthrough innovations introduced by EU General Data Protection Regulation. As part of its accountability framework, GDPR not only shifted the onus of demonstrative compliance, but also created the possibility for stakeholders to engage in co-regulatory practices. The goal was to allow the industry to support regulatory implementation by developing workable guidance to concretize the GDPR’s provisions. More flexible than other previously adopted compliance tools, CoCs generated high expectations, particularly in the wake of Schrems II, as a possible solution to address international data transfers and enable legal foreseeability. CoCs have not yet reached their full potential, with only a handful of national CoCs deployed and even less at the pan-European level. However, as the cloud ecosystem leads the way, this panel will explore the background of this sectoral success while highlighting CoC’s benefits, as well as their limitations.

What you will learn:

• How to understand the relevancy of CoCs in a post-GDPR, post-Schrems II era.

• What CoCs can bring to an ecosystem, as well as what they should not be pursued for.

• The future of international data transfers amid emerging data protection systems at global levels.

More information.

K&L Gates ranked “Highly Recommended – Band 1” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

Version 2.0 dated 14 February 2023
Go to the official PDF version.

Executive Summary

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.

Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.

These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.

(more…)

In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri