Faceapp Faceapp has been all over the news recently. The app has been around for a couple of years, but has gained sudden popularity over the last few weeks. With the popularity came the privacy concerns. The company behind Faceapp is based in Russia, or at least so it seems. It however subjects its terms … More FACEAPP & THE TERRITORIAL SCOPE OF GDPR
The European Data Protection Board (“EDPB”) has issued a note on how to approach overseas personal data transfers with the United Kingdom in the event of a no-deal Brexit. No-Deal Brexit First of all, what is understood by a no-deal Brexit? We explained that in our earlier post: what “a hard Brexit” actually meant. … More No-deal Brexit and Data Transfers. The EDPB issues a note of guidance.
Territorial scope of GDPR. Representative or DPO? We help answer that question for many of our clients. It is an important one because of the considerable fines that may be imposed if a company gets it wrong. Article 3 of GDPR sets out the territorial scope of the Regulation: If the processing of personal data takes … More Territorial scope of GDPR – Representative or DPO?
In November 2018 the Spanish Parliament adopted the new data protection act with a 93% positive vote. It adapts the Spanish legal framework to the General Data Protection Regulation and develops its topics. The Spanish Data Protection Agency issued a press release on the contents of the new Act. It further regulates issues like the rights … More The new Spanish Data Protection Act 2018
Almost 60,000 Data Breaches Reported since GDPR Implementation in May 2018 In the Netherlands 15,400 data breaches have been reported up to 29 January 2019; in Germany – 12,600; in the UK 10,600; and in Spain 670(!). To date, 91 reported fines have been imposed under the new GDPR regime. The highest GDPR fine imposed to date is €50 million, by … More Almost 60,000 Data Breaches since May 2018
Do I need a representative? For many companies outside of the European Union it is not clear whether they need to appoint a representative for data protection purposes. You will NOT need to fulfill this requirement when: processing which is occasional, and does not include, on a large scale, processing of special categories of data as referred … More Art. 27 GDPR – Representatives of companies not established in the Union
Article 37 of the General Data Protection Regulation entails: If your company processes special (i.e. health data, religious data, racial data, criminal offences, etc) categories of information on a large scale you must appoint one and communicate the details of that Officer to the authorities. Article 37 of the General Regulation of Data Protection lays … More The Data Protection Officer (“DPO”). Do you need one?
If you have any questions or doubts regarding your international set up and would like to discuss, we would be delighted to take a look and give our opinion. Do contact us without any obligation.
The General Data Protection Regulation (“GDPR”) establishes in its article 28 the rules around the “Processor”. The Processor processes Personal Data on behalf of the Controller. The Controller has a duty of diligence when selecting the Processor and has to be able to prove it has been diligent in its choosing. It should, logically, only … More The contractual relationship between Processor and Controller
If the General Data Protection Regulation (“GDPR”) is applicable to you, as of 25 May 2018 you will be obliged to inform the relevant authorities within 72 hours of becoming aware of a data breach committed by you or by your data processors on your behalf, unless the personal data breach is unlikely to result … More Data breach – the obligation to inform the authorities
The General Data Protection Regulation is about to come into force on the 28th of May 2018. We are getting a lot of requests for advice and notice that although companies are willing to comply, a lot of new details are generally not known. For example: you become aware that you had a data breach. … More GDPR, the legal obligation to inform your customer.
The GDPR has set a couple of new rules for privacy policies. One of those conditions is a necessary mention that data subjects (the people whose personal data is being processed) can seek support from their local data protection authority when dealing with a data controller or processor who is not being helpful when a … More GDPR – Rules for Privacy Policies
Transfers of personal data to third countries outside the EU are only permitted where the conditions laid down in the General Data Protection Regulation are met. In contrast to the current regime where sanctions for breaching transfer restrictions are limited, failure to comply with GDPR’s transfer requirements attracts the highest category of fines of up to … More International transfers breaches fines
The new General Data Protection Regulation (“GDPR”) that will come into force in May 2018 requires that the Data Protection Officer (“DPO”) be effectively accessible to Data Subjects and other players. To ensure that the DPO is accessible, the Working Party 29 (the cluster of European data protection authorities) recommends that … More Non EU companies should appoint a DPO in Europe
The Netherlands leads with reporting requirements on data leaks Germany and The Netherlands are the leaders in data protection in Europe. It means they are the front-runners in terms of reporting requirements on data leaks, Privacy Impact Assessments (an instrument for determining privacy risks of data processing in advance – PIA), the societal debate and … More Germany and The Netherlands, leaders in data protection in Europe
Background It could happen to anyone: a leak, a hack or a loss in their personal data storage system which poses a risk to the rights and freedoms of natural persons. But how to react to a breach? Although probably everybody advocates transparency in data processing, the majority of reactions to such a breach is to … More The use of Data Breach and other Data Protection Policies