
Showing posts with the label Directive

Transfer of Personal Data to Third Countries and International Organisations

Legal requirements The GDPR and Regulation (EU) 2018/1725 (the EUDPR) have somewhat changed the rules concerning transfer of personal data to jurisdictions which are not considered to provide adequate protection of personal data. On the one hand the conditions are clearer; on the other hand, new types of safeguards have been introduced. It should be noted that there are two possible situations: transfer from a European Institution as controller to another controller, and transfer to a processor. At the moment these cases are mostly treated together, although there are some differences. One safeguard which is common to the old and new rules is the use of standard contractual clauses approved by the European Commission (the only change is that the approval procedure has been set within the framework of Comitology, namely the investigation procedure), and the EDPS can also adopt contractual clauses, but these also have to be approved by the Commission under the same procedure...

How can our messaging be surveyed by the state? The European Court of Justice will decide

We hear most often about surveillance by the security services of the U.S., but European states also need to get information about what criminal organisations and terrorists plan and who participates in them. On the other hand, the total surveillance state raises justified suspicions, in particular in post-communist countries. Moreover, information does not always come from direct surveillance by the state; government agencies would also like to have access to as much as possible of the data collected and stored by private actors for their own purposes. Although processing of data for preventing and fighting crime falls neither under the General Data Protection Regulation (GDPR) nor under the e-privacy directive, the collection of data by private organisations does. On Wednesday the 15th January the opinion of the advocate general of the European Court of Justice (ECoJ) was published in three such cases (joint cases C-511/18 and C-512/18, C-623/17 and C-520/18). A French, a British an...

What will happen to the "Privacy shield" - can data continue to be transferred to the U.S.?

And here is already Schrems-II. The background of both “Schrems” cases is the Snowden revelations showing that U.S. government agencies are involved in an indiscriminate mass surveillance of European subjects whose data are transferred to the U.S. Therefore Maximilian Schrems holds that the U.S. does not ensure adequate protection, and it was on this basis that the “Safe Harbour” was invalidated. The target is Facebook, but not its own shady data usage practices, just the possibility of the data being requested and obtained by U.S. authorities. It has to be mentioned that the U.S. government tried to get access – in individual cases, based on concrete suspicion of crimes – to data stored in the EU from Microsoft and Google. At the moment, Microsoft succeeded – based on its statement that the data are stored in the EU – to avoid it while Google – as it stated that data may not be stored in the U.S. but it is not known where they are – failed. Now, the question is whether Facebook has a ...

The international dimension of data protection rules of the EU

It is a little more than one year since the General Data Protection Regulation entered into force. On the 22nd May 2019, three days before the first anniversary, a press release [i] by the European Commission summarised certain statistical data [ii] on the year, including a Eurobarometer survey [iii] and the most important indicators of compliance, complaints and data breach notifications. Just two months later, the Commission adopted the Communication at its session on the 24th July [iv], entitled: “Data protection rules as a trust-enabler in the EU and beyond – taking stock”. In this Communication, significant thought is given to the international dimension. On the other hand, some new judicial developments also concern the international dimension, mainly transfer of personal data to the United States. The new, clearer and somewhat stricter data protection rules in Europe exert an important influence on international relations, they are sometimes accused of enabling protect...

The day has come...

when the new GDPR entered into force. If nothing else, you noticed it by receiving e-mails from all quarters, partially confirming that the sender complies with the new rules, or that it has changed its privacy policies in line with the new rules, or asking for your consent to use your data. Did those who did not write to you miss something? Did you miss something when you did not write to all people whose data you store? Well, it depends. Those who complied with the old directive (and the national laws transposing it) do not necessarily have to do something. There are, however, three changes for them:

- instead of relying on a notification to their data protection authority, they themselves have to keep documentation demonstrating that they comply with the new regulation
- there are stricter and also more precise rules on when someone can ask "to be forgotten", i.e. to have his/her data erased
- non-compliance can result in hefty fines.

Some organisations may have to nominate a data ...

Scope and main features

The new General Data Protection Regulation - as opposed to its predecessor, the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), which is actually in force till the 24th May 2018 - has to be applied not only by companies and other organisations in the European Union but also by a controller or a processor not established in the Union processing personal data of data subjects who are in the Union. Recital 23 explains a little more: The mere accessibility of a website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ord...