Posts

Showing posts with the label European Data Protection Board

The right to information and data subject access requests

The European Court of Justice dealt with some cases concerning data subject access requests and clarified the scope of certain information to be provided.

1. The right to information

The data subjects have the right to be informed about how their personal data are processed by the controller. This information has to be provided using a privacy statement which is also called data protection notice. The privacy statement has a set content which serves not only to inform data subjects about which of their personal data are processed and how but also to assure them that their personal data are processed in compliance with EU rules. Some information in the privacy statements is nevertheless general and therefore data subjects can request further information and access to the personal data the controller processes about them. Privacy statements can be displayed on the webpages of the controller. Some controllers publish one comprehensive privacy statement which contains information about vari...

Doubts around data transfer - use of derogations

A lot has happened since Schrems-II; among others, the European Data Protection Board published a FAQ document, a guidance on essential guarantees for surveillance measures and submitted another guidance, on measures that supplement transfer tools. Transfer tools are either safeguards which ensure that data subjects enjoy adequate protection of their privacy at the place and in the organisation to where their data are transferred or derogations which enable transfer essentially without adequate protection. I used the term adequate protection and previously the view was that the protection ensured need not be identical with that in the EU. The Schrems II judgment, however, speaks about equivalent protection and this is stronger. In case the derogations (according to article 49 GDPR) are used, the EDPB is of the view that the last sentence of Article 44 GDPR (All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural...

What says the CoJ Schrems-II judgment?

The Privacy Shield is dead, long live the Standard Contractual Clauses? - not so simple

Slowly the dust settles on the decision of the European Court of Justice invalidating the Privacy Shield, the most used basis of transfer of personal data to the U.S. The Court found no reason to invalidate the other frequent basis, the Standard Contractual Clauses, but attached stringent conditions to their use. Some see the apocalypse coming, some say we cannot dispose of U.S. companies and try to find other solutions. Staying in the middle, we try to shed light on what the 129-page judgment means. I asked Andrea Jelinek, chair of the EDPB, on behalf of portfolio.hu - the answers were published in Hungarian, I am waiting for the English version. See below for a very interesting aspect of her answers. Indeed, the SCC can be used as a legal basis to transfer personal data to a third country, but only if its clauses can be complied with. It was often said that the new data protection legal fram...

Transfer of Personal Data to Third Countries and International Organisations

Legal requirements

The GDPR and Regulation (EU) 2018/1725 (the EUDPR) have changed somewhat the rules concerning transfer of personal data to jurisdictions which are not considered to provide adequate protection of personal data. On one hand the conditions are clearer, on the other hand, new types of safeguards have been introduced. It has to be noted that there are two possible situations: transfer from a European Institution as controller to another controller and transfer to a processor. At the moment these cases are mostly treated together, although there are some differences. One safeguard which is common between the old and new rules is the use of standard contractual clauses approved by the European Commission (the only change is that the approval procedure has been set within the framework of Comitology, namely the investigation procedure) and the EDPS can also adopt contractual clauses but these also have to be approved by the Commission under the same procedure...

Two days about data protection one year after the GDPR - my takeaways

I am not a fan of political speeches and introductions by VIPs. The contribution of Viviane Reding was an exception as it was personal and gave an insight into the background of how the GDPR was born. At least to me, the long haggling about the GDPR and the discussion on what is new and what not crowded out from public discussion the ethos: to protect personal liberties against dictatorship and the principle that data belong to the person herself (or himself). The ex-commissioner for the area and MEP rightly boasted that in this field, the EU is a standard maker. It is also interesting to note that while Europe only followed the U.S. in establishing net neutrality, now the U.S. has retreated from it. It was at the Luxembourg Data Protection Days, organised by MGSI, that the experiences of one year of the GDPR were discussed. Tine Larsen from the CNPD complained about GDPR-bashing and that there were also fake news around GDPR. The fact that Luxembourg voted the la...

Scope and main features

The new General Data Protection Regulation - as opposed to its predecessor, the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), which is actually in force till the 24th May 2018 - has to be applied not only by companies and other organisations in the European Union but also by a controller or a processor not established in the Union processing personal data of data subjects who are in the Union. Recital 23 explains a little more: The mere accessibility of a website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ord...