Posts

Two days about data protection one year after the GDPR - my takeaways

I am not a fan of political speeches and introductions by VIPs. The contribution of Viviane Reding was an exception, as it was personal and gave an insight into the background of how the GDPR was born. At least to me, the long haggling about the GDPR and the discussion on what is new and what is not crowded out from public discussion the ethos: to protect personal liberties against dictatorship, and the principle that data belong to the person herself (or himself). The ex-commissioner for the area and MEP rightly boasted that in this field, the EU is a standard maker. It is also interesting to note that while Europe only followed the U.S. in establishing net neutrality, now the U.S. has retreated from it. It was at the Luxembourg Data Protection Days, organised by MGSI, that the experiences of one year of the GDPR were discussed. Tine Larsen from the CNPD complained about GDPR-bashing and that there was also fake news around the GDPR. The fact that Luxembourg voted the la...

The day has come...

when the new GDPR entered into force. If nothing else, you noticed it by receiving e-mails from all quarters, partially confirming that the sender complies with the new rules, or that it changed its privacy policies in line with the new rules, or asking for your consent to use your data. Did those who did not write to you miss something? Did you miss something when you did not write to all the people whose data you store? Well, it depends. Those who complied with the old directive (and the national laws transposing it) do not necessarily have to do something. There are, however, three changes for them:
- instead of relying on a notification to their data protection authority, they themselves have to keep documentation demonstrating that they comply with the new regulation
- there are stricter and also more precise rules on when someone can ask "to be forgotten", i.e. to have his/her data erased
- non-compliance can result in hefty fines.
Some organisations may have to nominate a data ...

How to prepare for the new GDPR?

If you are completely complying with the "old" data protection rules, you do not have to do a lot about your existing operations processing personal data. Some of the rules were, however, open to interpretation, and thus some "cutting corners" has been made impossible, like implicit consent. The new "right to be forgotten" also applies immediately to all processing (if there is a request, of course) where the retention was defined too liberally. Different national rules which you followed may be too lenient or too strict, so at least a review of what you do and how you do it is indispensable. Documentation also has to be completed; the "privacy by design" and "privacy by default" concepts and the obligation for data protection impact assessment, however, apply only to newly starting or significantly changed processing. So what about consent? First of all, it has to be noted that - contrary to what you can read sometimes - it is n...

Scope and main features

The new General Data Protection Regulation - as opposed to its predecessor, the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), which is actually in force till the 24th May 2018 - has to be applied not only by companies and other organisations in the European Union but also by a controller or a processor not established in the Union processing personal data of data subjects who are in the Union. Recital 23 explains a little more: The mere accessibility of a website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ord...

Changes with the new GDPR

The new General Data Protection Regulation of the EU was voted on the 25th May 2016 and will therefore enter into force on the 25th May 2018. As opposed to its predecessor (which will be in force till then), which was a directive, this will be a regulation. The difference is that a directive has to be transposed by national legislation and is therefore subject to "customisation" by the different national legislations. Thus, companies operating in several EU member states were faced with these different rules. The new regulation also defines some questions which member states can regulate, but these mainly concern processing of data by their public services. Companies and nonprofits will have to adapt to the same rules whichever member state of the European Economic Area they operate in. The "one stop shop" and the rules of co-operation between the national data protection authorities will make it easier both for data subjects and data controllers to deal with cases conce...