Tag Archive: EU GDPR

Data Protection Day 2017!

At DLA Piper we pride ourselves on providing the insights, tools and know-how you need to plan ahead and manage change in a privacy landscape that is constantly evolving. With publication of the final text of the EU General Data Protection Regulation in April 2016, many organisations are now actively looking ahead to a challenging timetable to secure GDPR readiness, ahead of May 2018.

International Data Protection Day provides an opportunity to reflect on where we see organisations are in terms of managing privacy to an appropriate standard of protection, and share some of the materials and learning we have created to help those on the compliance journey navigate the road ahead.

Data Protection Laws of the World

We are pleased to launch the 2017 edition of our newly designed Data Protection Laws of the World, which now covers over 95 jurisdictions. This highly regarded complimentary go-to guide offers a high-level snapshot of selected aspects of data protection laws across the globe, in an easily accessible online format.

Access the handbook

Data Privacy Snapshot

Over 250 organisations have completed our Data Privacy Scorebox to assess current levels of privacy compliance in their respective business operations. Our inaugural Global Data Privacy Snapshot draws on data from the scorebox assessments to provide a perspective on current maturity levels of compliance across the market. The report focuses in particular on maturity levels in the Financial Services, Life Sciences and Healthcare, and Technology and Telecoms sectors, with an overall finding that suggests most organisations have a lot of work on their plate to achieve the levels of compliance they need.

This report will be launching soon.

Data Privacy Scorebox

Launched in 2016, this online tool will help you assess your organisation’s data protection maturity level. Complete a survey covering areas such as storage of data, use of data, and customers’ rights to generate a report that shows your organisation’s maturity levels against 12 key areas of privacy compliance. The report includes a practical action point check list and peer benchmarking data.

Access the scorebox.

Privacy Matters Blog

Our Privacy Matters blog is where you will find the latest updates (often within hours) from our global privacy team on all matters related to data protection, privacy and security. Subscribe with your email address on the home page to receive a message whenever a new post is made.

Access the blog.

Want to know more about the EU Data Protection Regulation? 

We maintain a dedicated GDPR microsite, where you can find lots of useful information to help you learn about the EU Data Protection Regulation – what it covers, the impact it is likely to have on organisations across different sectors, actions to take now to prepare, as well as regular updates and information on our webinars and events.

You will also find our summary Guide to the GDPR which many organisations find a helpful quick guide to the key requirements of the GDPR.

Access the microsite.

COMING SOON: EU GDPR App

We are soon to launch an EU GDPR App which gives easy access to the Regulation text. Available for download on iOS and Android, the App will provide a handy guide to the GDPR so you can quickly access Articles, link to relevant Recitals and make comparisons back to the Directive. The App will be available in 13 different languages.

For more information on any of these tools or to contact us, please email dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/data-protection-day-2017/

EUROPE: ECJ – Dynamic IP addresses may constitute personal data

By Jan Pohle and Jan Spittka

In its landmark decision in the case Breyer v. Federal Republic of Germany (decision dated 19 October 2016, case number C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate over whether dynamic IP addresses constitute personal data even if the data controller processing the IP addresses does not hold the means to link them to the respective data subject. The court also came to the conclusion that the provisions of German law dealing with the processing of personal data in the online environment do not comply with the EU Data Protection Directive (Directive 95/46/EC), as these provisions do not provide for a statutory permission to process personal data based on a balancing of interests between the legitimate interest of the data controller and the interests of the data subjects.

 

Background

The case was presented to the ECJ by the German Federal Court of Justice (Bundesgerichtshof – “BGH”). The claimant Mr. Breyer had sued the German Federal Department of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz – “BMJV”) to cease and desist from registering and storing his dynamic IP address after visiting the BMJV’s websites. The BMJV argued that IP addresses have to be retained after the end of the visit of the website to protect itself against cyberattacks. The BGH asked the ECJ whether dynamic IP addresses constitute personal data with respect to an “online media service provider” (i.e. the operator of a website), if only a third party (here the internet service provider) holds the additional data necessary to identify a visitor of this website. Furthermore, the BGH asked whether the operator of a website has the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.

Ruling of the ECJ

The ECJ decided that a dynamic IP address does not only constitute personal data with respect to the internet service provider (which has the means to link the IP address to the individual behind the address in any case), but also with respect to the operator of a website, if this website operator has legal means to identify the visitor with the help of additional information from the visitor’s internet service provider. The ECJ confirmed this with respect to German law. Although the operator of a website does not have any direct claims against an internet service provider to provide the name of an individual behind an IP address, the court found it to be sufficient if the website operator can obtain the information required to identify the visitor of the website from the internet provider via a competent authority which requests the information to prepare criminal proceedings, e.g. in the event of cyberattacks. As a consequence, the processing of IP addresses by website operators is subject to and has to comply with the applicable member state data protection requirements. Beyond this specific case, the ECJ has provided sufficient tools to determine whether information constitutes personal data, if the information cannot be directly linked to an individual, but only by using additional information which is held by a third party. According to the ECJ, this is not the case if the identification of the data subject was

  •  prohibited by law or
  •  practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.

The classification of dynamic IP addresses as personal data required the ECJ to have a closer look at the German data protection rules dealing with the processing of personal data in the online environment. Currently applicable law allows the processing of personal data without the data subject’s consent only in specific comprehensive cases. A general provision which provides for the possibility of a balancing of interests in a particular case is not included. According to the ECJ, this lack of a statutory permission is not compliant with Article 7 lit. f) of the Data Protection Directive. This finding also has a fundamental impact going beyond the case at hand, as all member state data protection laws now have to be reviewed as to whether they allow for a balancing of interests, at least in individual cases.

Conclusion

The decision of the ECJ forces all operators of websites, irrespective of whether they are public administration or private businesses, to review the collection, processing and use of IP addresses in connection with their websites. However, the ECJ has also strengthened IT security as it pointed out that member state law has to provide for the possibility to process personal data without consent for cybersecurity purposes.

Jan Spittka and Jan Pohle

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/ecj-dynamic-ip-addresses-constitute-personal-data-and-german-law-not-compliant-with-data-protection-directive-by-jan-spittka-and-jan-pohle/

HUNGARY: Hungarian DPA issues 12 step guide on the GDPR

By Zoltan Kozma (Senior Associate, Budapest)

The Hungarian Data Protection Authority published on its website a 12 step guide on how to get ready for the GDPR. Similar to the guides already issued by other DPAs from various jurisdictions (e.g. UK and Belgium), the guide includes 12 steps data controllers and data processors should follow in order to achieve compliance. Although this is a useful initial guideline from the Hungarian DPA for controllers and processors, it still leaves room for interpretation. Further guidance and other tools can be expected from the DPA to assist with preparation for GDPR compliance by 25 May 2018.

The guide includes the following steps:

1. Increase awareness

Awareness must be ensured within the organization to get ready for compliance with the GDPR.

2. Criteria of the data controlling activities must be reviewed

Purpose and context of the data processing activities, together with the concept of processing the personal data must be reviewed. With a well prepared data protection policy, compliance with the accountability principle and lawful processing can be achieved.

3. Appropriate information should be provided to data subjects

Attention must be paid to the fact that where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.

4. Rights of data subjects

Rules regarding the rights of data subjects and data processing procedures must be checked. The most important new right of data subjects is data portability, which means that data subjects shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Data subjects must be able to have their data deleted from any accessible sources.

5. Right of access by the data subjects

New rules regarding access requests and timescales to respond must be checked. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month. That period may be extended by two further months where necessary.

Right of access can be ensured by a secure online system through which data subjects can have easy and quick access to their information.

6. Legal basis for processing personal data

Data processing activities must be looked at within the organization and in compliance with the legal bases provided for in the new Regulation, informational self-determination must be ensured. Be aware that on the basis of ‘right to be forgotten’, if requested by the data subject, the personal data must be erased without undue delay, should the data subject withdraw his or her consent to the data processing. Accordingly, consent means a stronger erasure obligation on the side of the data controller.

7. Conditions of consent must be reviewed

If processing is based on consent, data processing operations must be checked to ensure compliance with the new criteria of the GDPR. Like the Info Act, the GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not determined in either the Info Act or the GDPR; in any case, however, consent is only valid if it is freely given, specific, informed and unambiguous.

8. More emphasis on children’s rights

If an organization processes children’s data, more emphasis should be placed on children’s rights in relation to information society services. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is under the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.

9. Notification of data breach

Pursuant to the current rules of the Info Act, data breaches must be recorded by the controller and information must be provided only at the request of the data subjects.

Pursuant to the new rules in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

10. Data protection by design and data protection impact assessment

Under the new rules, in certain cases data controllers must carry out a data protection impact assessment. Although this might impose an administrative burden on data controllers, in the case of high-risk data processing situations it can be justifiable to carry out a data protection impact assessment.

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk, in the absence of measures taken by the controller to mitigate the risk.

11. Data protection officers

The GDPR requires more data controllers to appoint data protection officers than the Info Act, e.g. if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

12. Competence of supervisory authorities

Under the GDPR each supervisory authority shall be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it in accordance with the GDPR on the territory of its own Member State.

The supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.

Should the activity of the organization not be limited to only one country, it must be checked in which country most of the data processing is carried out (usually the seat of the parent company) and on this basis it should be reviewed which country’s supervisory authority will proceed as lead supervisory authority in respect of the data processing.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/hungary-hungarian-dpa-issues-12-step-guide-on-the-gdpr/

GERMANY: Bavarian Data Protection Authority issues guidance on GDPR Sanctions

By: Dr. Thomas Jansen and Mari Martin

On September 1, 2016, the Bavarian Data Protection Authority (BayLDA) issued a brief paper outlining the basic principles of the future sanction regime under the European General Data Protection Regulation (GDPR). The document is available at the following link: https://www.lda.bayern.de/media/baylda_ds-gvo_7_sanctions.pdf (German-language only).

Background

The GDPR will become effective on May 25, 2018, after a transition period of two years. European supervisory authorities are currently working to achieve a more uniform view of the new basis and requirements for data protection at the European level. In the meantime, the BayLDA plans to periodically publish papers such as this one on selected topics. The BayLDA explicitly notes that this is not a binding interpretation of the regulation.

Amount and Scope of Administrative Violations and Fines Increased

According to the GDPR, administrative fines shall be effective, proportionate and dissuasive. Some infringements are subject to administrative fines of up to 20 million EUR or 4% of the organization’s total annual global turnover.

Further, as explained with reference to the “economic enterprise concept” in the explanatory memorandum of the Treaty on the Functioning of the European Union (recital 150), if the sanctioned entity is part of an “undertaking,” the total annual turnover of the entire undertaking is the relevant amount from which the 4% fine will be deducted, not just the annual turnover of the specific sanctioned entity (i.e. the individual controller or processor). Please see our post of July 26, 2016 titled “EU: GDPR – Group revenues at risk of fines” for more information on the meaning of an “undertaking.”

The GDPR provides for a significantly wider range of offences than does the current German Federal Data Protection Law (BDSG). Under the GDPR, violation of the vast majority of provisions regulating data controllers and processors is subject to a fine. The GDPR provisions regarding administrative fines demonstrate the European Commission’s (EC’s) intention to provide for financial sanctions for data protection infringements and to enable severe sanctions if necessary. Exceptions should exist only for minor infringements and when a fine would be disproportionately burdensome.

The GDPR imposes fines on both controllers and processors. In addition, accredited certification bodies under Article 43 of the GDPR, which are responsible for properly assessing and certifying compliance by data controllers and processors with data protection regulation and organizational codes of conduct, may be subject to administrative fines due to breach of their obligations.

According to the BayLDA, it can be assumed that organizations may be held responsible for violations committed by their employees. However, the GDPR does not regulate the extent to which fines may be imposed on employees themselves. This issue remains unclear.

Fines Imposed for Violations of Technical and Organizational Measures

In an important change from the BDSG, the GDPR provides that violations of the duty to take appropriate and adequate technical and organizational measures to protect personal data are an administrative offense subject to fines. Also significant is the fact that the GDPR sets out fines for violations of the obligation to ensure implementation of the principles of privacy by design and privacy by default. These changes underscore the great value the EC places on the importance of technical and organizational measures and the principles of privacy by design and privacy by default for effective data protection.

Factors Influencing the Amount of Fines

According to the EC, a number of factors must be considered when determining the amount of fines. Previous breaches of data protection law should be considered an aggravating factor. The extent to which the controller or processor cooperated with the supervisory data protection authority should be considered. Further, if the controller or processor gives the supervisory authority incomplete or inaccurate information during the course of an investigation, this should be considered an aggravating factor, as recognized by the European Court of Justice in the field of competition law.

As stated by the EC, the GDPR is intended to lead to a uniform application of sanctions in Europe. In the future, the European Data Protection Board may develop relevant guidelines.

Relevance

All organizations operating as either a data controller or processor in any EU member state should be aware of the significant increase in both the amount and scope of potential fines under the GDPR. In particular, administrative fines under the GDPR may be up to 4% of the total worldwide annual turnover of the preceding financial year in the case of an “undertaking.” Such enhanced financial penalties for data protection violations are intended to prevent organizations from incurring any profit in the event of a data protection breach.

In addition, organizations should carefully note the imposition of fines due to violations regarding technical and organizational measures and the principles of privacy by design and privacy by default. Organizations should ensure that appropriate technical and organizational measures are in place and that they have appropriately implemented the principles of privacy by design and privacy by default before the GDPR becomes effective in 2018.

If you would like to discuss how we can help your organisation, please get in touch with your usual DLA Piper contact or email us at dataprivacy@dlapiper.com.

For further information on the GDPR please visit our dedicated GDPR microsite.

 

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-bavarian-data-protection-authority-issues-guidance-on-gdpr-sanctions/

EUROPE: European Parliament Passes Resolution Calling for Improvement of EU-U.S. Privacy Shield

By: Dr. Thomas Jansen and Mari Martin

On May 25, 2016, the European Parliament (EP) passed a non-binding resolution calling for the European Commission (EC) to reopen negotiations with the United States in order to improve perceived “deficiencies” in the EU-U.S. Privacy Shield.

The resolution requested improvements beyond the agreement reached between U.S. and EU negotiators in February. On February 29, 2016, the EC published a draft decision that approved the Privacy Shield arrangement as adequate. The Privacy Shield is intended to replace the EU-U.S. Safe Harbor Framework, which the Court of Justice of the European Union invalidated in October 2015.

The resolution, which the EP adopted in a 501-119 vote with 31 abstentions, largely supports criticisms in the April 13, 2016 Opinion issued by the Article 29 Working Party. Although the resolution acknowledged that the Privacy Shield contains “substantial improvements” compared to the Safe Harbor arrangement, it also called on the EC to “continue the dialogue with the U.S. administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.”

The “deficiencies” about which the Members of the European Parliament (MEPs) voiced concerns include:

  • the lack of restriction on access to European citizens’ personal data by U.S. intelligence agencies and the possibility of their collecting bulk data;
  • the proposed U.S. Ombudsman, created to review the complaints of European citizens, which the resolution called neither “sufficiently independent” nor “vested with adequate powers to effectively exercise and enforce its duty”; and
  • the complexity of the redress mechanism, which the resolution requested the EC and U.S. make more “user-friendly and effective.”

Further, the resolution called on the EC to:

  • fully implement the recommendations in the April 13, 2016 Opinion of the Article 29 Data Protection Working Party;
  • conduct robust periodic reviews of its decision that the protection provided by the Privacy Shield is adequate, particularly in the light of the new General Data Protection Regulation, which will go into effect in 2018; and
  • continue its dialogue with the U.S. to negotiate further improvements to the Privacy Shield.

The Article 31 Committee responsible for approving the Privacy Shield will take the EP’s resolution into consideration before voting on its adequacy. The Committee, which is composed of Member State representatives and chaired by the EC, is still deliberating regarding the Privacy Shield. The EC is expected to present to the Article 31 Committee a revised adequacy decision at the beginning of June. A vote is intended by the end of the month, and the EC aims to conclude approval of the Privacy Shield by mid-July.

Practical Implications

Invalidation of the EU-U.S. Safe Harbor Framework created considerable uncertainty for both businesses and consumers regarding transatlantic data transfer. Speaking after the European Parliament adopted its resolution, MEP Timothy Kirkhope, a member of the UK Conservative Party, stated:

“The Privacy Shield needs some clarifications as to how it will work in practice, which the Commission have said it is pursuing, but getting the Privacy Shield up and running swiftly is essential for businesses operating across the Atlantic. Businesses and consumers were left in legal limbo and uncertainty when Safe Harbor was rejected. It is about time that the businesses and their clients have legal certainty.”

The resolution should contribute to increased clarity for both businesses and individuals regarding data transfer between the EU and United States.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-european-parliament-passes-resolution-calling-for-improvement-of-eu-u-s-privacy-shield/

European General Data Protection Regulation Adopted! Are you ready?

Today, 14 April 2016, the EU Parliament adopted the long awaited General Data Protection Regulation (GDPR). The Regulation will have a considerable impact on all organisations based in the European Union that process personal data, but also on organisations based outside of Europe providing services to the European market.

The GDPR is expected to be published in the Official Journal of the European Union by June, and 20 days after publication the GDPR will enter into force. From that moment onwards, the clock starts running: companies will have two years to prepare themselves to comply with the GDPR.

Key Changes

The GDPR replaces the current European data protection regime consisting of the 1995 Data Protection Directive and 28 national data protection laws. The GDPR will be directly applicable in every EU Member State, without the necessity of national implementing laws.

The Regulation contains many key changes, such as:

1. Harmonisation: There will be a single set of rules on data protection, directly applicable in all EU Member States, thereby mitigating the current fragmentation of national data protection laws.

2. Stronger Enforcement: Non-compliance could lead to heavier sanctions. The revised enforcement regime is underpinned by power for regulators to levy financial sanctions of up to 4% of the annual worldwide turnover of the organisation.

3. Off Shore Processing: The GDPR will apply to companies established outside the EU that process data related to the activities of EU organisations. Non-EU companies will also be subject to the Regulation if they target EU residents by profiling, or proposing products or services.

4. Governance: Organisations will have increased responsibility and accountability on how they control and process personal data.

5. Consent: The Regulation requires a more active consent based model to support lawful processing of personal data; wherever consent is required for data to be processed, consent must be explicit, rather than implied.

6. Transparency: Organisations will have increased transparency obligations; privacy notices will need to include much more detailed information.

7. Data Breaches: Organisations will be required to notify the local supervisory authority, and (in some cases) data subjects, of significant data breaches.

8. Data Portability: Organisations must ensure data subjects can easily transfer their data files from one service provider to another.

9. Right To Be Forgotten: The GDPR consecrates the “right to be forgotten”, allowing data subjects the right to require a controller to delete data files relating to them if there are no legitimate grounds for retaining it.

10. Data Processors: Organisations processing data on behalf of other companies will be required to comply with a number of specific data protection related obligations. They will be liable to sanctions if they fail to meet these criteria.

11. Data Protection Officer: Companies will have to appoint a Data Protection Officer when they are, for example, processing sensitive data. The DPO will report to the highest management level.

12. One-Stop-Shop: A single national data protection authority will act as the lead regulator for compliance issues in the EU, where the organisation has multiple points of presence across the EU.

13. Privacy Impact Assessment: A PIA will become a mandatory pre-requisite before processing personal data for operations that are likely to present higher privacy risks to data subjects due to the nature or scope of the processing operation.

14. Privacy By Design & Privacy By Default: Companies must take privacy risk into account throughout the process of designing a new product or service, and adopt mechanisms to ensure that, by default, minimal personal data is collected, used and retained. An approved certification mechanism can be used to demonstrate compliance with the applicable requirements.

It should be noted, the 2002 E-Privacy Directive regulating cookies and spam remains in place and is currently under review. Organisations should continue to follow national rules on cookies and spam.

For further information on the Regulation, please visit our dedicated EU GDPR microsite.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/european-general-data-protection-regulation-adopted-are-you-ready/

2016 – Main trends on Cybersecurity

While many are not yet aware of the full breadth of the cybercrime phenomenon (cybercrime globally generates more revenues and is more profitable than drug trafficking!), there is a general consensus about the fact that certain breaches cannot be avoided. With a proliferation of connected devices operated remotely and a more pervasive use of data, companies are facing increasing (and more sophisticated) cyber threats. This trend is leading to more regulation fostering cybersecurity best practices. Here are our main takeaways from the cybersecurity seminar held in Milan last week.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/2016-main-trends-on-cybersecurity/

Happy Data Protection Day!

To mark International Data Protection Day 2016 we would like to share with you some exciting new projects we have been working on to help you and your organisation prepare for what is expected to be an interesting year for data protection, privacy and security.

Everything you need to know about the EU Data Protection Regulation

We have launched a new microsite providing key information to help you learn more about the EU Data Protection Regulation – what it covers, the impact it is likely to have on organisations across different sectors, actions to take now to prepare, as well as regular updates and information on our webinars and events.

Access the microsite.


Data Privacy Scorebox

This is our brand new tool to help you assess your data protection maturity level. It requires completing a survey covering areas such as storage of data, use of data, and customers’ rights. Once completed, a report summarising your organisation’s alignment with 12 key areas of global data protection is produced. The report also includes a practical action point check list and peer benchmarking data.

Access the scorebox.

Data Protection Laws of the World Handbook

We are pleased to release the 2016 edition of our highly regarded Data Protection Laws of the World Handbook, which now covers over 80 jurisdictions. This complimentary go-to guide offers a high-level snapshot of selected aspects of data protection laws across the globe, in an easily accessible online format.

Access the handbook.

About DLA Piper’s Data Protection, Privacy and Security Group
The DLA Piper Data Protection, Privacy and Security Group includes over 150 privacy lawyers worldwide. We provide business-oriented legal advice on achieving effective compliance wherever you do business. For more information, please do not hesitate to contact us at dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/happy-data-protection-day/

WEBINAR RECORDING: European Data Protection Regulation – Agreement reached!

Last week, European policy makers reached political agreement on European data protection reform and the terms of the forthcoming General Data Protection Regulation (GDPR). The final text will be formally adopted in the next few days and will take effect early 2018.

Please see below for a link to our webinar in which we discuss the 20 most frequently asked questions by our clients on the forthcoming Regulation. This webinar was held on Tuesday, December 22, 2015.

Please access the webinar recording here.
Recording Password: 20645278

The questions covered include:

  • What is all the buzz around the EU General Data Protection Regulation?
  • Has it been adopted now? Are these really the final rules?
  • To whom does it apply?
  • Do the principles stay the same or are we starting over?
  • How large are the fines likely to be?
  • Will international data transfer mechanisms be affected?
  • Will we need to appoint a Data Protection Officer or not?
  • How will one-stop-shop change our compliance program?
  • What will we need to do in case of a data breach?
  • Can we still process personal data on the basis of consent?
  • Can we still process personal data on the basis of legitimate interest?
  • Will data collection from kids become illegal?
  • Will individuals get new rights?
  • Will we get new types of sensitive data?
  • Does the Regulation still apply if we de-identify our data?
  • When will we need to conduct a privacy impact assessment?
  • We’ve always acted as a processor – what will our liability be?
  • Is it true the G29 will be dissolved?
  • Will the regulators be issuing guidelines or recommendations?
  • How far does harmonization really go?

Speakers:

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/webinar-recording-european-data-protection-regulation-agreement-reached/

WEBINAR: European Data Protection Regulation – Agreement reached!

Last week, European policy makers reached political agreement on European data protection reform and the terms of the forthcoming General Data Protection Regulation (GDPR). The final text will be formally adopted in the next few days and will take effect early 2018.

We have collected the 20 questions our clients ask most frequently and will be discussing them during our upcoming webinar on Tuesday 22 December (15:00 GMT / 16:00 CET / 10:00am EST).

  • What is all the fuss about that EU General Data Protection Regulation?
  • Has it been adopted now? Are these really the final rules?
  • To whom does it apply? My company is not based in the EU, should I worry?
  • Are the main principles still the same as the old directive, or will we see substantial changes?
  • How large are the fines likely to be?
  • Will international data transfer mechanisms be affected?
  • Will we need to appoint a Data Protection Officer or not?
  • How will one-stop-shop change our compliance program?
  • What will we need to do in case of a data breach?
  • Can we still process personal data on the basis of consent?
  • Can we still process personal data on the basis of legitimate interest?
  • Will data collection from kids become illegal?
  • Will individuals get new rights?
  • Will we get new types of sensitive data?
  • Does the Regulation still apply if we de-identify our data?
  • When will we need to conduct a privacy impact assessment?
  • We’ve always acted as a processor – what will our liability be?
  • Is it true the G29 will be dissolved?
  • Will the regulators be issuing guidelines or recommendations?
  • How far does harmonization really go? Do individual countries still have the right to diverge?

We hope you can join us!

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/webinar-european-data-protection-regulation-agreement-reached/
