
Posts

Showing posts with the label compliance

The Transatlantic Data Privacy Framework - new way to transfer personal data to US organisations

After long negotiations, the new adequacy decision for processing personal data of EU data subjects in the United States resulted in new rules, the setting up of new organisations in the US and an adequacy decision by the European Commission. This enables the transfer of personal data only to organisations in the US that register with the EU-U.S. Transatlantic Data Privacy Framework. Organisations registered with the predecessor of the new framework, the Privacy Shield, retain their registration if they have maintained it and continue to fulfil the conditions. The list of registered organisations can be found here: https://www.dataprivacyframework.gov/s/participant-search. As mentioned above, it is not only the Commission's adequacy decision which is new; the United States also undertook a number of measures, in particular concerning the regulation of surveillance of electronic communications, to harmonise the American rules more closely with the European data protection requirements. ...

Why is there no article about transmission of data to EU controllers in the GDPR?

There is an article, number 9, in the data protection regulation for EU institutions (Regulation (EU) 2018/1725, called the EUDPR). The transmission to other EU institutions or to another controller within the same institution is, however, only subject to recital 21. In the GDPR, even the recitals do not mention transmission of personal data to other European organisations. Of course, the use of processors is regulated in both acts, but not the transmission to another controller. It can be concluded that the transmission to entities under the same legislation is not covered, while transmission from EU institutions to entities under a regulation which has a wider scope is. The reason is clear: protection by the EUDPR is intended to be stricter. For example, EU institutions are not allowed to process data based on legitimate interest. Therefore transmission to another controller, who may process data based on legal bases unavailable to EU institutions, is restricted to cases where the sam...

What the games... tricks in cookie banners

The e-privacy directive and the draft e-privacy regulation prescribe the rules internet sites have to follow when placing cookies. One of the main differences of opinion between the European Parliament and the Council, and even within the Council, was whether sites can place cookies based on legitimate interest. It is generally accepted that the e-privacy rules should not be softer than the GDPR requirements. Many data protection experts believe that placing information on the terminal equipment of the user is so intrusive that it should not be justified by legitimate interest. On the other hand, in the case of processing of personal data based on legitimate interest, the user has the right to object - but only based on his/her particular situation. Cookies are sometimes absolutely necessary to provide the online service. Most of these, maybe all, do not have to be kept after the session is closed (for example those which indicate that the user has been authenticated, which serve tha...

The „consent fallacy” – the first consequences start to appear

Since about 2017, e-mails have been flowing into my inbox announcing the update of privacy statements (under any name) and also asking for my consent to continue keeping my data, sending me newsletters etc. – the reason is the GDPR, which entered into force in 2018, after a two-year preparatory period. Also, "wherever I go, whatever I do", I have to sign consent forms. Some of these are justified, but the sheer volume of consent I have to give makes me suspicious. And not by chance: consent is but one of the possible legal bases for processing personal data, and apparently not the soundest one, however sure it seems to be: if the data subject consents, who can complain? - thought some. Lawyers giving this latter advice were warned as early as March 2019. Let's jump in time: on the 30th July the Hellenic Data Protection Authority fined PWC for processing their employees' data based on consent, or at least telling the employees so. The summary of the decision can b...

Two days about data protection one year after the GDPR - my takeaways

I am not a fan of political speeches and introductions by VIPs. The contribution of Viviane Reding was an exception, as it was personal and gave an insight into the background of how the GDPR was born. At least to me, the long haggling about the GDPR and the discussion on what is new and what is not crowded out from public discussion the ethos: to protect personal liberties against dictatorship, and the principle that data belong to the person herself (or himself). The ex-commissioner for the area and MEP rightly boasted that in this field the EU is a standard maker. It is also interesting to note that while Europe only followed the U.S. in establishing net neutrality, now the U.S. has retreated from it. It was at the Luxembourg Data Protection Days, organised by MGSI, that the experiences of one year of the GDPR were discussed. Tine Larsen from the CNPD complained about GDPR-bashing and that there was also fake news around the GDPR. The fact that Luxembourg voted the la...

The day has come...

when the new GDPR entered into force. If nothing else, you noticed it by receiving e-mails from all quarters, partly confirming that the sender complies with the new rules or has changed its privacy policies in line with the new rules, or asking for your consent to use your data. Did those who did not write to you miss something? Did you miss something when you did not write to all the people whose data you store? Well, it depends. Those who complied with the old directive (and the national laws transposing it) do not necessarily have to do anything. There are, however, three changes for them: - instead of relying on a notification to their data protection authority, they themselves have to keep documentation demonstrating that they comply with the new regulation - there are stricter and also more precise rules on when someone can ask "to be forgotten", i.e. to have his/her data erased - non-compliance can result in hefty fines. Some organisations may have to nominate a data ...