Skip to main content


The right to information and data subject access requests

The European Court of Justice dealt with some cases concerning data subject access requests and clarified the scope of certain information to be provided. 1. The right to informationThe data subjects have the right to be informed about how their personal data are processed by the controller. This information has to be provided using a privacy statement which is also called data protection notice. The privacy statement has a set content which serves not only to inform data subjects about which of their personal data are processed and how but also to assure them that their personal data are processed in compliance with EU rules. Some information in the privacy statements is nevertheless general and therefore data subjects can request further information and access to the personal data the controller processes about them. Privacy statements can be displayed on the webpages of the controller. Some controllers publish one comprehensive privacy statement which contains information about vari
Recent posts

The Transatlantic Data Privacy Framework - new way to transfer personal data to US organisations

 After long negotiations, the new adequacy decision for processing personal data of EU data subjects in the United States resulted in new rules and the setting up of new organisations in the US and an adequacy decision by the European Commission. This enables the transfer of personal data only by organisations in the US who register to the EU-U.S. Transatlantic Data Privacy Framework. Organisations registered to the predecessor of the new framework, the Privacy Shield, retain their registration if they maintained it and continue to fulfil the conditions. The list of organisations registered can be found here: .   As mentioned above, it is not only the Commission adequacy decision which is new, the United States also undertook a number of measures, in particular concerning the regulation of surveillance of electronic communications, to harmonise the American rules more with the European data protection requirements. The mai

Why is there no article about transmission of data to EU controllers in the GDPR?

There is an article, number 9, in the data protection regulation for EU institutions (Regulation (EU) 2018/1725, called EUDPR). The transmission to other EU institutions or to another controller within the same institution is, however, only subject to recital 21. In the GDPR , even the recitals do not mention transmission of personal data to other European organisations. Of course, the use of processors is regulated in both acts, but not the transmission to another controller. It can be concluded that the transmission to entities under the same legislation is not covered while transmission from EU institutions to entities under a regulation which has a wider scope, is. The reason is clear: protection by the EUDPR is intended to be stricter. For example, EU institutions are not allowed to process data based on legitimate interest. Therefore transmission to another controller, who may process data based on legal bases unavailable for EU institutions, is restricted to cases where the sam

What the games... tricks in cookie banners

 The e-privacy directive and the draft e-privacy regulation prescribe the rules internet sites have to follow in placing cookies. One of the main differences in opinion between the European Parliament and the Council, even within the Council was whether sites can place cookies based on legitimate interest. It is generally accepted that the e-privacy rules  should not be softer than the GDPR requirements. Many data protection experts believe that placing information on the terminal equipment of the user is so intrusive, that it should not be justified by legitimate interest. On the other hand, in case of processing of personal data based on legitimate interest, the user has the right to object - but only based on his/her particular situation. Cookies sometimes are absolutely necessary to provide the on line service. Most of these, maybe all, do not have to be kept after the session is closed (for example those which indicate that the user has been authenticated, which serve that the use

Doubts around data transfer - use of derogations

 A lot happened since Schrems-II , among others the European Data Protection Board published a FAQ document , a guidance on essential guarantees for surveillance measures      and submitted another guidance , on measures that supplement transfer tools. Transfer tools are either safeguards which ensure that data subjects enjoy adequate protection of their privacy at the place and in the organisation to where their data are transferred or derogations which enable transfer essentially without adequate protection. I used the term adequate protection and previously the view was that the protection ensured need not be identical with that in the EU. The Schrems II judgment, however, speaks about equivalent protection and this is stronger. In case the derogations (according to article 49 GDPR) are used, the EDPB is of the view that the last sentence of Article 44 GDPR (All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed

What says the CoJ Schrems-II judgment?

  The Privacy Shield is dead, long live the Standard Contractual clauses? - not so simple Slowly the dust settles on the decision of the European Court of Justice invalidating the Privacy Shield, the most used basis of transfer of personal data to the U.S. The Court found no reason to invalidate the other frequent basis, the Standard Contractual causes but attached stringent conditions to their use. Some see the apocalypse coming, some say we cannot dispose of U.S: companies and try to find other solution. Staying in the middle, we try to shed light on what the 129-pages judgment means. I asked Andrea Jelinek, chair of the EDPB on behalf of - the answers were published in Hungarian , I am waiting for the English version. See below for a very interesting aspect of her answers. Indeed, the SCC can be used as a legal basis to transfer personal data to a third country, but only if its clauses can be complied with. It was often said that the new data protection legal framewor

Europe as digital champion - at what price?

Mark Scott might be right ( E urope is fighting tech battle with one hand tied behind its back ) , European rules may not   create the best climate for all-encompassing digital powers. At first glance, there are also simple answers at hand:   do we want to tolerate a chinese-type surveillance state or adopt an american-type business-is-all-that-counts mindset to be digital champions? Can we, on the other hand, exclude Chinese (think Huawei) or U.S. (Google knows it all, Amazon sells it all, etc.) giants and be digital champions only for ourselves, playing by our own rules? The success of European rules also over Facebook and the like - enter Maximian Schrems - means that we enjoy what these companies developed on the back of the citizens of their countries but we are not able to conquer their lands. To give a more balanced answer, we need to step one step back. Of course data are not the only force and not the only obstacle ( see also on Politico ) , let us, however, look at them.