Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

February 25th, 2023 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy - (0 Comments)

Executive Summary

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.

Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.

These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.

(more…)

, , , ,

Gateway to Privacy: This Is the Way – GDPR Article 5 Compliance

February 25th, 2023 | Posted by Claude-Etienne Armingaud in Case Law | Communication | Europe | Podcast | Privacy - (0 Comments)

In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri

, , , , ,

EU Digital Services Act: Fundamental Changes for Online Intermediaries?

November 5th, 2022 | Posted by Claude-Etienne Armingaud in Competition | eCommerce | Europe | internet | Legislation - (0 Comments)

On 27 October 2022, the Digital Services Act (DSA) was published in the EU Official Journal as Regulation (EU) 2022/2065, with the aim to fully harmonize the rules on the safety of online services and the dissemination of illegal content online. The Digital Services Act will require online intermediaries to amend their terms of service, to better handle complaints, and to increase their transparency, especially with respect to advertising.

(more…)

, , , , , ,

GDPR – What to Expect in France

July 18th, 2018 | Posted by Claude-Etienne Armingaud in France | Privacy - (0 Comments)

On 2 July 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).

As for the previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to control compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).

(more…)

, , , , ,

AMF synthesis of the contributions received on Initial Coin Offering (ICO) regulation in France

February 28th, 2018 | Posted by Claude-Etienne Armingaud in Blockchain | France | IT | Legislation | Trusted Services and eSignature - (0 Comments)

The French Autorité des Marchés Financiers has recently published a synthesis of the contributions it received in response to its public consultation on Initial Coin Offerings (ICOs) to obtain stakeholder views on how these new types of blockchain offerings might be regulated.

The consultation included a presentation of ICOs, a warning on the risks they present, a legal analysis of ICOs with respect to the rules overseen by the AMF and the regulatory options proposed by the AMF. Respondents were invited to give their views on all of these points.

The English version of the synthesis can be found here, the French version here and our previous coverage of the consultation can be found here.

First published on K&L Gates Fintech Law Blog.

, , ,

France’s Financial Markets Authority Considers Its Options for Regulating Initial Coin Offerings

December 6th, 2017 | Posted by Claude-Etienne Armingaud in Blockchain | France | IT | Legislation | Trusted Services and eSignature - (0 Comments)

On 26 October 2017, France’s Financial Markets Authority, the “Autorité des Marchés Financiers” (“AMF”), published a discussion paper focusing on initial coin offerings (“ICOs”) that highlights the (many) dangers that arise from these unregulated transactions and discusses the regulation options that it currently foresees.
(more…)

, , , ,

France Moves Forward With Proposed Blockchain For Certain Securities Exchange

October 5th, 2017 | Posted by Claude-Etienne Armingaud in Blockchain | France | Legislation | Trusted Services and eSignature - (0 Comments)

Further to the adoption of Act no.2016-1691, dated 9 December 2016, on Transparency, Anti-Corruption and Modernization of Economic Life (“Sapin II” – see our compliance coverage here) and the public consultation whose results were made public on 30 August 2017 (see our coverage here), the French Ministry of Finance published a draft document aiming at adapting the French legal framework to the use of blockchain technology.

The proposed draft (which may be accessed here in French) address the possibility, for company, to register in a “shared electronic registry”:

  • Negotiable debt securities;
  • Units or shares of undertakings for collective investment;
  • Capital securities issued by corporations and debt securities other than negotiable debt securities, provided that they are not traded on a trading platform

The conditions under which such registration would possible expressly exclude any item admitted to the operations of a central depository or delivered in a system for the payment and delivery of financial instruments. In addition, the bylaws of the issuer must expressly provide for the possibility to use such shared electronic registries.

In any case, the French regulatory framework would subject to French law whenever the issuer is headquartered in France or the issuance itself is already governed by French law.

Additional technical measures will subsequently be devised by a supplementing Decree, in order to provide the required safeguards.

While assessing the relevancy of a blockchain framework for corporate titles remains difficult in the absence of such technical details, all players are welcome to provide the Ministry with observations on the proposed framework until 9 October 2017.

First published on the K&L Gates Fintech Law Blog with Emilie Oberlis.

, ,

France: Securities Over the Blockchain Expected to Get Legal Framework this Fall

September 8th, 2017 | Posted by Claude-Etienne Armingaud in Blockchain | France | IT | Legislation - (0 Comments)

The French Act no.2016-1691 dated 9 December 2016 on Transparency, Anti-Corruption and Modernization of Economic Life (Or “Sapin II” – see our compliance coverage here) empowered the Government to amend the regulatory framework to facilitate the transmission of certain financial securities through blockchain technology

1)Article 120 of Sapin II “The Government may by way of executive orders within the 12 months following this Act take the measures necessary to (…) … Continue reading

In order to prepare such executive order, the Ministry of Finance initiated last Spring a public consultation, whose results were made public on 30 August 2017.

The 43 contributions included the points of view of local associations, banks, management companies, fintech pure players, academics, law firms and consultants, and provided operational and technical aspects to be taken into consideration in order for the new regulatory framework not to hinder the adoption of blockchain technology, while balancing security and foreseeability for all the players involved.

(more…)

References

References
1 Article 120 of Sapin II “The Government may by way of executive orders within the 12 months following this Act take the measures necessary to (…) amend the regulatory framework applicable to securities in order to allow the representation and the transmission (via a shared electronic recording device) of securities that are not admitted to the operations of a central depositary or a system of payment and delivery of financial instruments.”

, , , , ,

Momentum.africa – Opening Of Top-Level Domain Name To Create Opportunities For IP Right Owners

April 11th, 2017 | Posted by Claude-Etienne Armingaud in eCommerce | IT | Trademarks - (0 Comments)

The new generic top-level domain (gTLD) .africa, a regional domain for users located in and out of the continent, has been officially validated by ICANN.

More than a decade after its other regional counterparts, such as .eu or .asia, the .africa gTLD has been the subject matter of a legal conundrum for years.
The new generic top-level domain (gTLD) .africa, a regional domain for users located in and out of the continent, has been officially validated by ICANN.

More than a decade after its other regional counterparts, such as .eu or .asia, the .africa gTLD has been the subject matter of a legal conundrum for years.
(more…)

, , , , , , ,

Impact of the Digital Republic Act on Online Intermediation Platforms

March 17th, 2017 | Posted by Claude-Etienne Armingaud in Competition | eCommerce | France | IT | Legislation - (0 Comments)

The French Act No. 2016-1321 of 7 Oct. 2016 for a Digital Republic (the “Digital Republic Act”) amends the existing framework for online intermediation platform created under Article L.111-5-1 of the French Consumer code by the Act No. 2015-990 of 6 August 2015.

The Digital Republic Act creates a general, autonomous and impersonal status of online platform operator (“OPO”) and completes the existing legal framework relating to consumer protection through the consumers’ prior information.
(more…)

, , , ,