It is the easiest excuse on the books right now. You want to do that…I am sorry data protection law prohibits it. Somethings are truly not allowed under data protection law, but sometimes people just use this as an excuse that they assume very few people can argue against. They just want to say “No”, […]
English Posts
Fines by the Spanish Data Protection Authority on cookies and the measures to verify customers’ identities.
In April 2022, the Spanish data protection supervisory authority – Agencia Española de Protección de Datos (AEPD) – issued several fines and in this article, we will review four decisions totaling 178,000 euros. What and why is the AEPD issuing fines? Unlawful use of cookies and outdated policies In Decisions 482, 483, and 603, the […]
We will record this call for contract proving purposes
The French data protection supervisory authority, Commission Nationale de l’Informatique et des Libertés (CNIL), recently published a Guide (25.04.2022) about call recording to prove the formation of a contract. When to record? The rule of thumb is to record calls that are necessary because there are no other means of proving that the data subject has […]
REJECT ALL by Google
Google introduced a “reject all” cookie button for Search and YouTube. Google launched in France a cookie banner enabling users to use Search and YouTube and “REJECT ALL” the cookies used for personalizing content and ads, measuring their effectiveness, or developing or improving new Google services. With the new cookie banner design, users are expected […]
Amazon Road Transport Spain Fined 2 Million EUR by Spanish Regulator for Requesting Certificates of Good Conduct from Drivers
The Spanish data protection supervisory authority, Agencia Española de Protección de Datos (AEPD), has issued a fined of 2 million EUR against Amazon Road Transport Spain, S. L., a logistics company that manages deliveries for US-based online-merchant Amazon (see here). Backgound, or: How to Become a Delivery Driver Amazon Road Transport works with formally self-employed […]
Will the Trans-Atlantic Data Privacy Framework Bloom this Summer?
Spring has sprung, but we are still waiting for the flowers to appear. As I wrote in a blog article dated, March 23, 2022, it was anticipated that this spring the EU and the U.S. would come to an agreement with regards to the EU-U.S. Privacy Shield. On March 25, 2022, a joint announcement was […]
Will Spring Bring a New EU-U.S. Privacy Shield Agreement?
As winter draws to an end and the sun begins to shine more often we are noticing the new buds of spring beginning to appear. This spring flowers may not be the only thing making their appearance, the European Commission and the U.S. Department of Commerce are back to the table discussing a new EU-U.S. […]
Backups and the Right to Erasure
Discussed many times and yet not less important: In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis. The same applies if the legal basis ceases to exist. In this case, too, processing must be prevented aswell […]
The Dutch Data Protection Authority has published brief guidance on the pressing issue of Google Analytics
The Austrian Data Protection Authority has recently on the back of a NOYB compliant, come to the decision that the use of Google Analytics is not compliant with the GDPR, Schrems II, and data transfer laws. In the case, they found that personal data from the complainant’s browser or device had been transferred to the […]
International transfers: The new EDPB Guidelines 05/2021: Ending the discussion about the new SCCs and recital 7?
The European Data Protection Board adopted new Guidelines (05/2021) on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR on 18 November 2021. These Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international […]
Foreign Entities Processing Personal Data in Turkey Must Appoint Representative by End of 2021
The Turkish Law on Personal Data Protection No. 6698 (DPL), which entered into force on April 7, 2016, prescribes that data controllers that are not established in Turkey but process personal data of subjects in Turkey („foreign controllers“) must appoint a data controller representative („representative“). This provision bears resemblance to article 27 of the EU […]
How will the approaching EU Whistleblower Directive impact companies?
What is Happening? In light of the increasing importance of whistleblowers and the decreasing levels of uniformity within EU legislation, the European Commission has created the: “Directive on the Protection of Persons who report Breaches of Union Law (Directive 2019/1937)” or more commonly known colloquially as “the whistleblower directive”. The directive entered into force on […]
Encryption measures validated by the Belgian Council of State as an additional measure to the transfer of personal data outside of the EEA
The Flemish Authorities initially considered the specific encryption tools as a valid supplementary measure in addition to the European Standard contractual clauses (SCCs). The measure was applied by a European branch of a US company using AWS cloud. The decision was confirmed by the Belgian Council of State upon a formal complaint of a third […]
China passed new data protection law
China issued its comprehensive data protection law, the Personal Information Protection Law (“PIPL”), on August 20, 2021. The PIPL will come into effect on November 1, 2021. This marks a new era in China’s data protection development. Before the PIPL, the main legislations regulating data processing activities in China are the Cybersecurity Law, the Data […]
Privacy Shield 2.0?
Since the CJEU declared the Privacy Shield agreement invalid with its Schrems II ruling, the EU and the USA have been working on a replacement agreement. This is intended to enable companies to transfer data between EU countries and the USA., thereby creating a legal mechanism for data transfers. This would then be the third […]