Version 2.0 dated 14 February 2023

Executive Summary

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.

Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.

These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.

In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri

On 27 October 2022, the Digital Services Act (DSA) was published in the EU Official Journal as Regulation (EU) 2022/2065, with the aim of fully harmonizing the rules on the safety of online services and the dissemination of illegal content online. The Digital Services Act will require online intermediaries to amend their terms of service, to better handle complaints, and to increase their transparency, especially with respect to advertising.

GDPR fines have been increasing over the last 18 months, and it is proving to be a complex environment for the regulators and the regulated. GDPR has not led to seismic changes (the possibility of entirely new operating models, for example), but it has had a major effect on the ways organizations collect and use data. This panel will discuss the last few years and look ahead to gauge what we have learned and how things will and should change.

Speakers Include:

Jacob Høedt Larsen, Head of Communications, Wired Relations

Andreea Lisievici, Head of Data Protection Compliance, Volvo Car Corporation

Claude-Etienne Armingaud, CIPP/E, Partner & Practice Group Coordinator – Technology, Sourcing and Privacy, K&L Gates

On 2 July 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).

As in previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to verify the compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

The French Autorité des Marchés Financiers has recently published a synthesis of the contributions it received in response to its public consultation on Initial Coin Offerings (ICOs) to obtain stakeholder views on how these new types of blockchain offerings might be regulated.

The consultation included a presentation of ICOs, a warning on the risks they present, a legal analysis of ICOs with respect to the rules overseen by the AMF and the regulatory options proposed by the AMF. Respondents were invited to give their views on all of these points.

The English version of the synthesis can be found here, the French version here and our previous coverage of the consultation can be found here.

First published on K&L Gates Fintech Law Blog.

On 26 October 2017, France’s Financial Markets Authority, the “Autorité des Marchés Financiers” (“AMF”), published a discussion paper focusing on initial coin offerings (“ICOs”) that highlights the (many) dangers that arise from these unregulated transactions and discusses the regulation options that it currently foresees.

Further to the adoption of Act no.2016-1691, dated 9 December 2016, on Transparency, Anti-Corruption and Modernization of Economic Life (“Sapin II” – see our compliance coverage here) and the public consultation whose results were made public on 30 August 2017 (see our coverage here), the French Ministry of Finance published a draft document aiming at adapting the French legal framework to the use of blockchain technology.

The proposed draft (which may be accessed here in French) addresses the possibility for companies to register the following in a “shared electronic registry”:

  • Negotiable debt securities;
  • Units or shares of undertakings for collective investment;
  • Capital securities issued by corporations and debt securities other than negotiable debt securities, provided that they are not traded on a trading platform.

The conditions under which such registration would be possible expressly exclude any item admitted to the operations of a central depository or delivered in a system for the payment and delivery of financial instruments. In addition, the bylaws of the issuer must expressly provide for the possibility to use such shared electronic registries.

In any case, the French regulatory framework would be subject to French law whenever the issuer is headquartered in France or the issuance itself is already governed by French law.

Additional technical measures will subsequently be devised by a supplementing Decree, in order to provide the required safeguards.

While assessing the relevancy of a blockchain framework for corporate titles remains difficult in the absence of such technical details, all players are welcome to provide the Ministry with observations on the proposed framework until 9 October 2017.

First published on the K&L Gates Fintech Law Blog with Emilie Oberlis.

The French Act no.2016-1691 dated 9 December 2016 on Transparency, Anti-Corruption and Modernization of Economic Life (or “Sapin II” – see our compliance coverage here) empowered the Government to amend the regulatory framework to facilitate the transmission of certain financial securities through blockchain technology [1].

In order to prepare such executive order, the Ministry of Finance initiated last Spring a public consultation, whose results were made public on 30 August 2017.

The 43 contributions included the points of view of local associations, banks, management companies, fintech pure players, academics, law firms and consultants, and provided operational and technical aspects to be taken into consideration in order for the new regulatory framework not to hinder the adoption of blockchain technology, while balancing security and foreseeability for all the players involved.

References
1 Article 120 of Sapin II “The Government may by way of executive orders within the 12 months following this Act take the measures necessary to (…) amend the regulatory framework applicable to securities in order to allow the representation and the transmission (via a shared electronic recording device) of securities that are not admitted to the operations of a central depositary or a system of payment and delivery of financial instruments.”