GDPR

France: New guidance for data retention

By Denise Lebeau-Marianna – Partner and  Yaël Hirsch – Senior Associate The French Supervisory Authority (the “CNIL”) has issued new updated guidelines on data retention during the month of July (the “CNIL’s Guidelines”)[1]. They provide more practical guidance and update the CNIL previous Recommendations dated 11 October 2005 on the conditions of archiving personal data[2]. …

France: New guidance for data retention Read More »

France: First sanction of an online shoes company by CNIL acting as a lead authority for several infringements to GDPR requirements

On 28 July 2020, the French Supervisory Authority (the “CNIL”) sanctioned the online shoes retail company, SPARTOO SAS, by a €250,000 fine and an injunction to comply with GDPR within 3 months under penalty for various non-compliances with the GDPR of the personal data processing related to clients, prospects and employees[1]. I. Factual background and …

France: First sanction of an online shoes company by CNIL acting as a lead authority for several infringements to GDPR requirements Read More »

EU: Europe’s toolbox for building compliant Corona tracking apps

Mobile applications supporting the EU in its fight against Covid-19: the common EU Toolbox for Member States By Heidi Waem and Alizée Stappers On the 8th of April 2020, the European Commission adopted Recommendation 2020/518 to address the need of a common toolbox (the “Toolbox”) for the use of technology and data in order to …

EU: Europe’s toolbox for building compliant Corona tracking apps Read More »

Global: International Data Protection Day!

International Data Protection Day, which falls annually on January 28, is “an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”. We would like to take this opportunity to share a number of data protection resources developed by our global Data Protection, Privacy and Security team to assist …

Global: International Data Protection Day! Read More »

GERMANY: Data Protection Authorities Issue GDPR Fining Guidelines

On 16 October 2019 – after weeks of rumors and speculations – the German data protection authorities (‘DPAs’) published their guidelines (‘Guidelines’) for calculating administrative fines under Article 83 General Data Protection Regulation (‘GDPR’). The Guidelines are intended to guide enforcement action by German DPAs against business ‘undertakings’. They do not apply to individuals or associations …

GERMANY: Data Protection Authorities Issue GDPR Fining Guidelines Read More »

EU: Binding Corporate Rules are Generating Greater Interest

Multinationals increasingly turning to BCRs as providing more legal certainty for personal data transfers from the EU The EU General Data Protection Regulation (“GDPR”) brought about stricter data protection rules, and increased penalties for breaching these rules. For many multinationals this has led to reconsidering their framework for transferring personal data from the EU to …

EU: Binding Corporate Rules are Generating Greater Interest Read More »

Europe: ‘Right to be forgotten’, but only in Europe?

In its landmark decision of the 24th of September (C-507/17), the EU Court of Justice in Luxembourg has sided with Google over a claim by the French supervisory authority regarding the application of the so-called ‘right to be forgotten’. This right refers to the ability for individuals in Europe to demand that search engines, such …

Europe: ‘Right to be forgotten’, but only in Europe? Read More »

The Netherlands – First GDPR fine imposed: EUR 460,000

Today, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA“) issued its first GDPR-fine of EUR 460,000. The fine is imposed on the Dutch Haga Hospital for having an insufficient internal security of patient records. The fact that the first GDPR-fine was imposed on a hospital isn’t a complete surprise, as already in December 2018, …

The Netherlands – First GDPR fine imposed: EUR 460,000 Read More »

Belgium: DPA updating its Recommendation on Direct Marketing – Provide your input before 31 July 2019!

Updated official guidance on direct marketing appears to be on the horizon: the Belgian Data Protection Authority has launched a public consultation on direct marketing, with a view to updating its Recommendation No. 02/2013 of 30 January 2013 on direct marketing. In its 2013 Recommendation, available in Dutch and French, the Belgian DPA covered several …

Belgium: DPA updating its Recommendation on Direct Marketing – Provide your input before 31 July 2019! Read More »

ITALY: First GDPR fine issued!

The first GDPR fine was issued in Italy by the Garante for the lack of implementation of privacy security measures following a data breach on the so-called Rousseau platform operating the websites of the Movimento 5 Stelle party.

Belgium: Newly appointed Belgian Data Protection Commissioner declares “I will not hesitate to issue fines to those not playing by the rules”

by Patrick Van Eecke & Gilles Hachez A little less than a month ago, the Belgian House of Representatives appointed the new commissioner and directors of the Belgian Data Protection Authority (DPA), as we explained in our blogpost here. Today, little less than eleven months after the establishment of the DPA, the new commissioner, Mr …

Belgium: Newly appointed Belgian Data Protection Commissioner declares “I will not hesitate to issue fines to those not playing by the rules” Read More »

FRANCE: The CNIL publishes new standards on HR management and whistleblowing schemes

By Denise Lebeau-Marianna and Caroline Chancé   On 11 April 2019, the French Data Protection Supervisory Authority (CNIL) published two draft standards intending to provide practical guidance in relation to the processing of personal data for HR management and whistleblowing systems. The purposes of such standards is to: Assist businesses in their compliance process, and Help …

FRANCE: The CNIL publishes new standards on HR management and whistleblowing schemes Read More »

The Netherlands – DPA reiterates strict position on alcohol, drug and medicine testing   

The Dutch Data Protection Authority published an article in which it again affirms that testing employees on alcohol, drugs or medicines can only be performed if there is a specific legal basis to carry out such tests. Earlier, the Dutch DPA gave an explanation on some Q&A’s on this subject. The Dutch DPA states that …

The Netherlands – DPA reiterates strict position on alcohol, drug and medicine testing    Read More »

The Netherlands: S.A. states that websites must be accessible at all times; cookie wall not allowed

On 7 March 2019, the Dutch Supervisory Authority (“S.A.”) created quite some buzz in the online Dutch (advertising) industry: websites that only give visitors access to their site if they agree to tracking cookies (or similar technologies) do not comply with the GDPR. This also means that the so-called cookie walls that are placed on  …

The Netherlands: S.A. states that websites must be accessible at all times; cookie wall not allowed Read More »

EU: European Court confirms journalism exception for citizen-journalists, but not in France?

By Patrick Van Eecke, Denise Lebeau-Marianna, Tiphaine Caulier and Laetitia Mouton Under European data protection law, journalists enjoy some regulatory exemptions when processing personal data for journalistic purposes, balancing the right to the protection of personal data with the principle of freedom of expression. A question which has however sparked some debate is whether so-called citizen …

EU: European Court confirms journalism exception for citizen-journalists, but not in France? Read More »

EU: EDPB provides more clarity on the legal basis for processing data in clinical trials

By Ilias Abassi Since the implementation of the GDPR, there has been much discussion with respect to the appropriate legal basis for the processing of personal data in the context of a clinical trial, in particular how this relates to the Clinical Trials Regulation (CTR) which is expected to enter into force in 2020. There …

EU: EDPB provides more clarity on the legal basis for processing data in clinical trials Read More »

FRANCE: New cooperation agreement between the CNIL and DGCCRF

By Denise Lebeau-Marianna and Caroline Chancé   On 31 January 2019, the French Data Protection Supervisory Authority (CNIL) and the French General Directorate for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF, authority in charge of consumer protection) signed a new protocol of cooperation to improve protection of personal data of consumers.   This new protocol replaces a …

FRANCE: New cooperation agreement between the CNIL and DGCCRF Read More »

FRANCE: A new phase in European privacy law enforcement – CNIL fined Google LLC 50 million euros!

By Denise Lebeau-Marianna, Caroline Chancé and Alexandre Balducci   On 21 January 2019, the restricted committee of the French Data Protection Supervisory Authority (CNIL) fined Google LLC 50 million euros for breaching GDPR for lack of transparency, inadequate information and lack of valid consent regarding personalized advertising.  This is the first decision rendered by the CNIL …

FRANCE: A new phase in European privacy law enforcement – CNIL fined Google LLC 50 million euros! Read More »

THE NETHERLANDS: Dutch SA initiates exploratory investigation into DPAs

The Dutch Supervisory Authority (Autoriteit Persoonsgegevens, “AP”) recently communicated a press release stating that it reached out to 30 organizations to request information relating to their data processing agreements (DPAs).  Organizations that have been contacted are companies in the media, energy and trade sectors. The AP has requested, among other things, what agreements organizations have …

THE NETHERLANDS: Dutch SA initiates exploratory investigation into DPAs Read More »

FRANCE: CNIL PUBLISHES GUIDANCE ON DATA SHARING FOR MARKETING PURPOSES

By Denise Lebeau-Marianna and Tiphaine Caulier The French Data Supervisory Authority (the CNIL) released guidance on December 28th 2018 on the principles to be followed when an organization that collects personal data through online or hard copy forms, shares it with business partners or data brokers to send SMS or emails for marketing purposes. To comply …

FRANCE: CNIL PUBLISHES GUIDANCE ON DATA SHARING FOR MARKETING PURPOSES Read More »