GDPR Compliance News

Fox Rothschild monitors the latest developments in the EU's implementation of its General Data Protection Regulation to keep clients ahead of the compliance curve. See below for the latest updates from Partner Odia Kagan, Chair of GDPR Compliance and International Privacy, which can also be found on our Privacy Compliance & Data Security Blog.

Recent Blog Posts

  • Draft GDPR Code of Conduct for Data Processors Has Broader Applications
    Meant for small and medium enterprises, a draft GDPR code of conduct for Data Processors has been submitted for approval in the Netherlands. It contains detailed requirements for data processor compliance including:
      • Documented data protection plan
      • Information security management system based on a recognized standard
      • At least annual evaluation of your privacy and information security framework
      • Store client data separately from other clients
      • Render data inaccessible within no more than three months after client agreement ends
    Read a detailed analysis with useful takeaways....
  • Useful Non-political Takeaways from the ICO’s Code of Practice for Use of Data in Political Campaigns
    The UK ICO published a Code of Practice for use of Data in Political Campaigning for public consultation which ends October 9, 2019. Though it officially applies to UK-based political campaigns, the code contains deep analysis of GDPR issues and can serve as useful, actionable guidance on compliance to companies and organizations subject to GDPR on topics such as: How to provide privacy notice information and how to determine whether your profiling might have a legal or similarly significant effect. Read my detailed analysis....
  • Study: Spike in Data Subject Access Requests Under GDPR
    A study by business process outsourcer Parseq shows an upsurge in data subject access requests under GDPR. Almost two thirds of London firms (62 percent) saw an increase in data access requests from customers and their own employees in the 12 months following the GDPR’s introduction in May 2018. More than one in ten (13 percent) businesses in the capital experienced an increase of more than 50 percent in the volume of requests. Almost nine in ten (87 percent) firms that have seen...
  • German DPA Association Details Its Position on Cookies, Legitimate Interest Analysis
    Much has been discussed about the recent cookie guidance by the UK ICO and the French CNIL, but what do other data protection authorities think? In a detailed position paper, the Association of German Data Protection Authorities (Datenschutzkonferenz, or DSK) sets out its worldview on cookies and provides a very helpful, detailed guide to conducting a legitimate interest analysis. Read my full analysis....
  • ICO Sets Deadline for Data Privacy Code Affecting Online Services
    The UK’s Information Commissioner’s Office (ICO) has announced a completion deadline for their code that will translate General Data Protection Regulation (GDPR) requirements into design standards that protect children who access online services. The code is being refined following a consultation period and will be made final on November 23, 2019. The ICO stated that it will allow a transition period and will support organizations through this transition period in implementing privacy obligations for companies processing children’s personal data. “The GDPR already sets...
  • New International Standard Guides Company Data Privacy Management
    The International Organization for Standardization (ISO) published a standard for companies to implement personal information management systems (PIMS). The ISO’s guidance aims to assist businesses with compliance goals and further the emphasis on personal data protection. In the wake of the detailed privacy framework requirements of the recent FTC Facebook settlement and the California Consumer Privacy Act’s (CCPA) upcoming effectuation, this standard may help establish a benchmark for companies to establish and maintain a privacy framework. Read the ISO standard here....
  • Cookie Banners Impact Data Privacy Choices
    A web developer study shows that when a cookie banner allows users to refuse cookies, 50 percent of users choose this option and subsequently refuse all third-party services. However, when this choice is not available, we end up with a cookie acceptance rate between 90 and 98 percent via site users clicking the “I accept” button. In either scenario, only 2-4 percent of users click to read the privacy notice of the relevant website. A notable trend emerges: users typically select the faster...
  • Romanian Data Protection Authority Fines Company for Inadequate Notice of Video Surveillance
    Privacy notices are required under the European Union’s General Data Protection Regulation even if your data processing is video surveillance/CCTV. The Romanian Data Protection Authority issued a fine against a company for failing to provide adequate notice of data processing in connection with CCTV video surveillance in violation of Article 12 of the GDPR. Full text of the opinion....
  • Life, Libra and the Pursuit of Data Protection
    The UK Information Commissioner’s Office (ICO) has joined data protection authorities from around the world in calling for more openness about the proposed Libra digital currency and infrastructure. Per the letter: The ambition to change the online payments landscape must work in tandem with people’s privacy expectations and rights. Facebook’s involvement is particularly significant, as there is the potential to combine Facebook’s vast reserves of personal information with financial information and cryptocurrency, amplifying privacy concerns about the network’s design and data sharing arrangements. Key...
  • German Court: Internal Recorded Statements and Notes Are Personal Data and Must Be Disclosed
    The Higher Regional Court of Cologne, Germany has held that internal recorded statements, conversation notes or telephone notes constitute personal data and copies of them must be disclosed in response to a data access request. The court also held that:
      • The information is not a trade secret since claims made by the plaintiff against his insurance company cannot be protected against his or her business secret.
      • It is not economically impossible for data controllers to provide this information.
      • Data controllers...