With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.

GDPR/Brexit – What Future For UK-EU Data Flows
October 29th, 2020 | Posted in Data Transfer | Europe | Privacy

Leaders League Ranking 2020 – Health, pharma & biotechnology – E-Health – France
October 2nd, 2020 | Posted in eHealth | France | IT | Privacy | Rankings

GDPR – European Data Protection Board Publishes Guidelines on the Concepts of Controller and Processor, Brings New Light on the Notion of “Joint-Controllers”
September 29th, 2020 | Posted in Europe | Privacy
The European Data Protection Board (EDPB) published two sets of new guidelines on 2 September 2020, on the concepts of controller and processor (Guidelines 07/2020, the Guidelines) and on the targeting of social media users (Guidelines 08/2020 – see our Alert here). The former aims to replace the previous opinion by EDPB’s predecessor, the WP29, on these concepts by clarifying the main concepts of “controller”, “joint-controllers” and “processor” and by specifying the consequences attached to these notions.

Guidelines 07/2020 on the concepts of controller and processor in the GDPR v 1.0
September 10th, 2020 | Posted in Europe | Guidelines | Privacy
Version 1.0 dated 06 September 2020 adopted for public consultation.
EXECUTIVE SUMMARY
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA).
The concepts of controller, joint controller and processor are functional concepts in that they aim to allocate responsibilities according to the actual roles of the parties and autonomous concepts in the sense that they should be interpreted mainly according to EU data protection law.

EU Data Protection: Standard Contractual Clauses May have Been Confirmed by the CJEU, But At What Price?
July 16th, 2020 | Posted in Data Transfer | Europe | Privacy
The long awaited Schrems II decision was published by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II) and while it has already been summarized as the death blow to the Privacy Shield framework and the confirmation of the validity of the Standard Contractual Clauses (SCCs) by many, it may only be a Pyrrhic victory for the latter, as far as transfers to the US are concerned.

EU Data Protection: In a Post-Privacy Shield, Sectorial Code of Conduct Could Lead the Way to Safeguard Data Transfers Outside the EU/EEA
July 16th, 2020 | Posted in Data Transfer | Europe | Privacy
With the recent decision from the Court of Justice of the European Union (CJEU) invalidating the Privacy Shield framework (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II – see our alert here) and subjecting the Standard Contractual Clauses (SCCs) to a higher standard of enforcement, global companies with the need to transfer data across the world, and especially across the Atlantic, are now required to re-assess their data transfer mechanisms.
While both Privacy Shield and the SCCs predate the General Data Protection Regulation 2016/679 dated 27 April 2016, which entered into force on 25 May 2018 (GDPR), the new regulation aimed at providing stakeholders with additional tools to self-regulate and safeguard the privacy of individuals in the European Union.
Among them, and while still confidential, the implementation of codes of conduct is encouraged under Art. 40 GDPR and by the dedicated Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 dated 04 June 2019 of the European Data Protection Board (EDPB). As a matter of fact, the advantages of such codes of conduct go beyond the mere facilitation of data transfers, and provide data controllers and data processors alike with a complete sectorial framework for GDPR compliance.

EU Data Protection: Privacy Shield Shattered by the Sword of European Justice – What Comes Next for Transatlantic Dataflows?
July 16th, 2020 | Posted in Data Transfer | Europe | Privacy
In a highly anticipated Schrems II decision, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, the legal framework allowing transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, mainly citing US surveillance practices and inadequate recourse for EU individuals. On the other hand, the CJEU upheld the Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries (see our alert here).

EU Court of Justice Invalidates Privacy Shield
July 16th, 2020 | Posted in Case Law | Data Transfer | Europe | Privacy
On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.
What is the Privacy Shield
The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.