Free tools and resources for Data Protection Officers!

Tag Archives for "guidance"

EDPB’s common sense approach to the GDPR’s territorial scope

EDPB has produced a detailed 23-page document that is both authoritative and full of common sense.

The guidelines start by treading into well-known territory: the “establishment criterion.” Following a principle that already existed under the 1995 Data Protection Directive, the GDPR will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU. So the EDPB relies on existing case law to consolidate its opinion on this criterion.

Full article: EDPB’s common sense approach to the GDPR’s territorial scope

Germany proposes router security guidelines

The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers.

Once approved, router manufacturers don’t have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance.

Full article: Germany proposes router security guidelines | ZDNet

Does the EDPB answer frequently asked questions on territorial scope?

The European Data Protection Board (EDPB, the successor to the Article 29 Working Party) has issued guidelines (for consultation) on one of the key foundation elements of the General Data Protection Regulation (GDPR); namely, Article 3 on territorial scope.

Article 3 is supposed to answer the important questions of when GDPR applies (depending on the location of an entity processing personal data, or of the individuals whose data is being processed). Unfortunately, Article 3 was drafted in a way that left many key concerns unanswered.

Source: Does the EDPB answer frequently asked questions on territorial scope?

Data watchdogs seek ‘added value’ in GDPR cloud codes

A revised version of the EU Cloud Code of Conduct was published earlier this month. It is the latest version of a code of conduct developed by the cloud computing industry and has been put forward as helping cloud service providers to meet their obligations under the General Data Protection Regulation (GDPR).

However, the code will only be truly relied upon to show effective GDPR compliance if it is approved by data protection authorities. To date, none of the other codes the cloud industry has developed have had that approval.

Full article: Data watchdogs seek ‘added value’ in GDPR cloud codes

GDPR vs. CCPA

The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.

As highlighted by the Guide, the two laws bear similarity in relation to their definition of certain terminology; the establishment of additional protections for individuals under 16 years of age; and the inclusion of rights to access personal information.

Full article: FPF and DataGuidance Comparison Guide: GDPR vs. CCPA

DP Impact Assessments: EDPB Differs Slightly from ICO Position

The European Data Protection Board (EDPB) has recently published its Opinion on the (United Kingdom) Information Commissioner’s list of processing activities which would require a Data Protection Impact Assessment under the GDPR.

In its Opinion, the EDPB appears to be moving away from the idea that processing of genetic or location data, on its own, might be enough to trigger the mandatory DPIA requirements of the GDPR. This news will perhaps come as a relief to organisations currently struggling to come to grips with the “new” DPIA process and the resources and time that it demands. But, should we be surprised by the EDPB’s Opinion and will it have a significant impact in practice on the way organisations consider and conduct DPIAs?

Full article: DP Impact Assessments: EDPB Differs Slightly from ICO Position

New EDPB Guidelines on the territorial scope of the GDPR

On 26 November 2018, the WP29’s successor, the European Data Protection Board (EDPB), published Guidelines on the territorial scope of the GDPR (Art. 3). The proposed Guidelines are open for public consultation until 18 January 2019. The Guidelines provide some clarification around the boundaries of what constitutes an establishment in the EU, the status of tourists, and the factors that determine whether data subjects in the EU are being targeted.

The EDPB also provides some guidance on the conditions of appointment of an EU representative for non-EU controllers and processors. However, the Guidelines do not address other key interpretive questions arising from Art. 3 and Chapter V (transfer restrictions) and leave many key legal questions open.

Full article: EU: New EDPB Guidelines on the territorial scope of the GDPR

You probably have more personal data, in more systems, than you think.

There are lots of guides on the internet to consent and so forth, but relatively few that dive into hands-on implementation details. Often, legal teams possess a strong understanding of regulatory requirements and the goals of company operations, but they don’t share the same knowledge of the systems and data movements implemented across marketing and sales.

Full article: You probably have more personal data, in more systems, than you think.

Irish watchdog clarifies record keeping and DPIAs interaction under GDPR

Ireland’s data protection authority has clarified how record keeping obligations under the General Data Protection Regulation (GDPR) interact with the duties of businesses to carry out data protection impact assessments (DPIAs).

Full article: GDPR: Irish watchdog clarifies record keeping and DPIAs interaction

CNIL Publishes DPIA Guidelines and List of Processing Operations Subject To DPIA

On November 6, 2018, the French Data Protection Authority (the “CNIL”) published its own guidelines on data protection impact assessments (the “Guidelines”) and a list of processing operations that require a data protection impact assessment (“DPIA”).

Source: CNIL Publishes DPIA Guidelines and List of Processing Operations Subject To DPIA
