GDPR Compliance News

Fox Rothschild monitors the latest developments in the EU's implementation of its General Data Protection Regulation to keep clients ahead of the compliance curve. See below for the latest updates from Partner Odia Kagan, Chair of GDPR Compliance and International Privacy, which can also be found on our Privacy Compliance & Data Security Blog.

Recent Blog Posts

  • EDPB Issues Guidance on Its Coordinated Enforcement Framework
    The European Data Protection Board has issued guidance on its Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities. The annual coordinated action focuses on a pre-defined topic which participating SAs may pursue using a pre-defined methodology. The CEF is the foundation on which the annual coordinated action is built (the ‘rulebook’ for coordinated action). The objective of the CEF is to facilitate joint actions in the broad sense in a flexible but coordinated manner. Details in...
  • European Parliament Addresses Smart Mobility Apps, Data Privacy and C-ITS
    The European Parliament issued a detailed study on the impact of smart mobility applications on the future of transport and addressed some data protection issues. Public authorities should further specify legislation for data privacy and protection (e.g., addressing how drivers can grant third parties consent to use their data, where processing data is necessary for a task carried out in the public interest). The Cooperative Intelligent Transport System (C-ITS) industry and vehicle manufacturers should develop systems flexible enough to guarantee full control...
  • European Commission Issues Long-Awaited Draft Standard Contractual Clauses
    The European Commission has issued long-awaited draft Standard Contractual Clauses and they have something for everyone… Annexes and pick-and-choose modules (C2C, C2P, P2P, P2C). Lots of emphasis on the laws of the country of transfer and pushing back on government requests. Reiteration of some Article 26 (joint controller agreement) and Article 28 (data processor agreement) provisions. Requirements for transparency to the individuals. Individual redress, third party beneficiary and liability as among the entities. Details in this client alert....
  • EDPB Adopts Measures on Post-Schrems II Supplemental Data Transfer Tools
    Brace yourselves, the post-Schrems II supplemental measures are coming! The European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the European Union level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures. “The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity...
  • Denmark: Companies Should Provide Secure Means of Data Transmission
    Denmark’s Data Protection Authority Datatilsynet has published an article emphasizing the importance of providing encrypted means for communicating personal information: Authorities and companies must, as data controllers, ensure — on the basis of an assessment of the risk to citizens’ rights — that they establish appropriate security measures. This means, among other things, that authorities and companies are responsible for establishing secure transmission solutions that address the identified risks to citizens — not only when they send information to citizens, but...
  • Helpful Advice on Videoconference Data Security From Gibraltar
    The Gibraltar Regulatory Authority has issued helpful guidance on data protection considerations for the use of video conferencing applications (VCAs). Key recommendations: Consider the implications of VCAs and their compliance with data protection laws to choose the one best suited to your organization’s needs. Establish appropriate technical and organizational security measures to protect personal data when using VCAs. Establish data protection policies where proportionate. Consider transparency and fairness when using VCAs, particularly if monitoring staff. Ensure staff are appropriately educated and trained so policies are effectively...
  • Advice from Norway on Post-Schrems II Cross-Border Data Transfers
    When it comes to entering into new agreements with non-EU providers that involve the processing of EU personal data, if in doubt – don’t, says Norway DPA Datatilsynet. “One must be prepared for the fact that new agreements involving the illegal transfer of personal data to third countries may be considered more severely than existing agreements,” according to Norway’s Data Protection Authority. Key takeaways from Datatilsynet’s new Q&A on cross-border data transfers in this client alert....
  • Irish Data Commissioner Discusses Schrems II, Enforcement and Consent
    “I worry that we are caught in a DPA (Data Protection Authority) beauty contest of who issues the bigger fine,” said Ireland Data Protection Commissioner Helen Dixon in her keynote for Daniel Solove’s Privacy+Security Academy Fall Forum Keynote. Additional Key Takeaways: I am hesitant to list our enforcement priorities because I don’t feel that we are in control of setting the agenda and are reacting to complaints and to issues that arise, like the pandemic and the Schrems II judgment. Schrems II didn’t...
  • Ireland: Employees Subject to Vehicle Tracking Must Be in the Know
    Due to the importance of data protection law for employee monitoring practices, a careful and considered approach must be taken when potentially highly intrusive methods, such as tracking employee vehicles, are used. Employees must be informed of the existence of tracking and how it operates, as well as being clearly informed of all the purposes for which their personal data is to be used, in advance of any such tracking being implemented. This means that the employer must clearly explain to...
  • French Data Protection Authority Offers Guidance on Cookies, Trackers
    The French data protection authority (CNIL) recently issued detailed guidance on online cookies and trackers. The guidance includes four documents: Guidelines, Recommendations, FAQs, and a specific statement on audience measurement. Here are some highlights: You can offer users a global consent to a set of purposes if you present, in advance, all the purposes pursued, for example “accept all,” “refuse all.” Present each purpose with a short and prominent title, accompanied by a brief description. Make the exhaustive and regularly updated list of...