After a record-long negotiation (36 hours), the EU Parliament declared on Friday, December 8, 2023, that they have successfully reached an agreement on the upcoming AI Act. As of now, there is no official text available. The only official sources of information that we have are press releases from the EU institutions involved in the […]
English Posts
The Magic of Christmas…I mean Consent!
Every child wakes up with an extra little twinkle in their eye on Christmas morning. Whether that twinkle comes on the 24th of December when the Christ Child visits in Southern Germany or on the 25th when Santa leaves goodies for all the good girls and boys throughout the US. The magic of Christmas is […]
What does the Data Privacy Framework Self-Certification mean for your company?
Let’s take a closer look at what the decision to self-certify under the DPF means for your company. In terms of costs, other then the applicable fees, you need to consider administrative and organizational costs aimed at ensuring accountability while implementing mechanisms to allow data subjects the exercise of their rights. We are providing you […]
Does your Company Need a Data Privacy Framework Certification?
Well, it depends. Let me begin by providing an overview of the Data Privacy Framework as adopted on July 11th 2023 and follow by providing my opinion on whether and for which companies a certification under the new framework would add value. The EU-US Data Privacy Framework in the Big Picture of the Adequacy Decisions […]
Access to employee emails: A delicate balance between business needs and privacy rights
In the landscape of corporate operations, accessing employee emails may sometimes feel like a necessity for companies. Whether to investigate suspected misconduct of current employees, facilitate operational management during an employee’s prolonged absence, or streamline the transition after an employee departs, the reasons can be varied. However, this task is not straightforward as there are […]
CJEU rules on Right of Access and first copy of personal data: what companies should know
The Court of Justice of the European Union (CJEU) issued a recent ruling in case C-307/22, highlighting important considerations regarding the extent of the right of access under Article 15 of the GDPR. This ruling carries significant implications for companies that process personal data under the GDPR. It asserts that the GDPR right of access […]
New Data Protection Law in Saudi Arabia
Individual privacy in Saudi Arabia and the protection of personal data have long fallen under the general provisions of Saudi law and not under the specific provisions on „data protection“ or „data security“. In the absence of specific laws, Islamic law generally applies in Saudi Arabia. Thus, Saudi courts dealt with data protection issues according […]
Meta’s Court Defeat in Norway and the Europe-wide Repercussions
An exciting case was decided in Oslo at the beginning of September. In July, the Norwegian Data Protection Authority Datatilsynet had banned Meta Ireland and Facebook Norway (hereinafter referred to as Meta) from displaying personalised advertising via its platforms in Norway. Meta had appealed against this and as a result lost before an Oslo district […]
WhatsApp switches its legal basis to „Legitimate Interest“ due to severe sanctions
It is by far not the first time that Meta and its platforms had to face scrutiny in terms of their privacy policy. This time around, the Irish Data Protection Commission (DPC) sanctioned WhatsApp with a fine of 5.5 million Euros due to the lack of a legitimate legal basis for processing personal data in […]
Overcoming Challenges in Developing a GDPR-Compliant Data Deletion Framework
The General Data Protection Regulation (GDPR) has transformed the way companies manage personal data, introducing stringent requirements for data deletion. In accordance with the GDPR, personal data cannot be stored indefinitely, and companies must develop comprehensive deletion frameworks as explained in detail here. However, creating and implementing these frameworks presents significant challenges for organizations. In […]
Roadmap to the Development of a Deletion Framework
A data deletion framework refers to a structured set of guidelines and procedures governing an organization’s adherence to deletion obligations according to data protection and statutory laws, as well as its processes for managing and executing the deletion of personal data. Essentially, a data deletion framework entails the systematic classification of personal data along with […]
Technology and Children – U.S. Courts Place Injunctions on State Laws for Unconstitutionality
It is our duty as parents to protect our children from the harms of the world, but as a mother of two young children I have learned that I cannot do it alone. The saying “It takes a village to raise a child” means more to me now than I ever could have imagined 10 […]
Insurance company receives significant fine from Swedish SA
Another significant fine for the lack of adequate security measures on personal data was recently issued by a European Supervisory Authority (SA) to a controller responsible for private customers´ data. In the present case, the Swedish Supervisory Authority (IMY) imposed a fine of SEK 35 million (approx. EUR 2.9 million) to the insurance company Trygg-Hansa, […]
Update of the Application for Approval and Guiding Principles for the Controller Binding Corporate Rules (BCR-C)
On the 20th of June 2023 the European Data Protection Board (EDPB) adopted the recommendations 01/2022 on the application for approval and on the elements and principles to be found in the Controller Binding Corporate Rules (BCRs or more specific BCR-C, Art. 47 GDPR). The decision to update some of the principles and guidelines to […]
India’s new Digital Personal Data Protection Act
On August 11, 2023, the President of India gave his assent to the Digital Personal Data Protection Act, 2023 (DPDP Act). India, as a tech-savvy nation with a booming digital economy, recognized the need for a structured data protection framework. It shall come into force on such date as the Central Government may notify in […]