Data protection

Legal requirements The GDPR and Regulation (EU) 2018/1725 (the EUDPR) have changed somewhat the rules concerning transfer of personal data to jurisdictions which are not considered to provide adequate protection of personal data. On one hand the conditions are clearer, on the other hand, new types of safeguards have been introduced. It has to be noted, that there are two possible situations: transfer from a European Institution as controller to another controller and transfer to a processor. At the moment these cases are mostly treated together, although there are some differences. One safeguard which is common between the old and new rules is the use of standard contractual clauses approved by the European Commission (the only change is that the approval procedure has been set within the framework of Comitology, namely the investigation procedure) and the EDPS can also adopt contractual clauses but these also have to be approved by the Commission under the same procedure...

We hear most often about the surveillance by security services of the U.S. but also European states need to get information about what criminal organisations and terrorists plan and who participate in them. On the other hand the total surveillance state raises justified suspicions, in particular in post-communist countries. Moreover, information does not always come from direct surveillance by the state, government agencies would also like to have access to the most possible data collected and stored by private actors for their own purposes. Although processing of data for prevention and fighting crime does not belong under the general Data Protection Regulation (GDPR), neither under the e-privacy directive, the collection of data by private organisations does. On Wednesday the 15 th January the opinion of the advocate general of the European Court of Justice (ECoJ) was published in three such cases (joint cases C-511/18 and C-512/18, C-623/17 and C-520/18). A French, a British an...