EDPB Releases New Guidance: When Can Companies Rely on the Need to Fulfill the Terms of a Contract as a Legal Basis to Process?

On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines on the legal basis for processing personal data that involves providing online services to data subjects (the “Guidelines”). Specifically, they discuss when companies can rely on Article 6(1) – that processing can take place in the context of fulfilling the terms of a contract – and what conditions must be established to do so. The Guidelines make clear that this basis is narrower than it is often interpreted to be, and that companies must take care that they meet certain requirements. Background To lawfully process data, companies must establish one of six legal bases articulated in Article…

READ MORE

Framework for GDPR Fines Published by the Dutch Authorities

The Dutch Data Protection Authority (AP) has announced a new policy for determining the fines to be imposed for violations of the General Data Protection Regulation (GDPR) and its national implementing act. The AP’s assessment will first take into account the maximum amounts specified by the European Regulation: either 10 million euros or 2% of the annual worldwide turnover, or 20 million euros or 4% of the annual worldwide turnover, depending on the violation incurred. Violations that are subject to fines are divided into three or four categories designed by the data protection authority to take into account the weight of the breached requirements, with each assigned a…

READ MORE

European Data Protection Board Issues Guidance on Interplay Between GDPR and Rules Governing Data in Clinical Trials

On January 23, 2019, the European Data Protection Board (EDPB), released an opinion on the relationship between the European Clinical Trials Regulation (CTR) and the EU General Data Protection Regulation (GDPR) (the “Opinion”). The CTR, scheduled to take effect in 2020, is designed to harmonize how clinical trials are assessed and supervised across the EU. It introduces a Clinical Trials Information System and establishes rules that protect individuals and enhance transparency requirements. In its Opinion, the EDPB provides guidance on (1) the legal bases for primary uses of clinical data, i.e., processing personal data in the course of a clinical trial protocol, and (2) secondary uses of clinical trial data…

READ MORE

French Data Protection Authorities Fine Google Nearly $57 Million for Violations of the General Data Protection Regulation’s Notice and Consent Requirements

French regulators have fined Google nearly $57 million for violations of the General Data Protection Regulation (GDPR). This fine was the first major penalty levied against a large U.S. technology company since the regulation took effect in May 2018. France’s data protection authority, known as the CNIL, said that Google failed to fully disclose to users how their personal information is collected and what happens to it. Significantly, regulators said that Google also did not properly obtain users’ consent to use the data to serve them personalized advertisements. The CNIL said in a statement that the violations “deprive the users of essentially guarantees regarding processing operations that can…

READ MORE

Belgian Data Protection Authority Publishes Review of Post-GDPR Activity

The Belgian Data Protection Authority (Belgian DPA) published a review of its activities in the six months since the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018. This early report offers a window into the impact of the GDPR on companies, the public and the activity of at least one regulator’s office.  The review, available in French and Dutch, notes that since the GDPR came into force, the Belgian DPA has received 317 data breaches, most of which were reported from the health care sector, insurance companies, public institutions and defense, telecommunications and postal services, and financial services companies. The Belgian DPA has received…

READ MORE

Data Regulators Focus on Artificial Intelligence and Data Ethics at Annual International Meeting in Brussels

Achieved Compliance attended the 40th Annual International Conference of Data Protection and Privacy Commissioners which convened this year in Brussels. This meeting is the largest and most significant gathering of data protection authorities in the world. It provides an important window on the status of data protection law and regulation, the impact of new technology on privacy and what is top of mind for regulators. While companies continue to grapple with the requirements of the General Data Protection Regulation (GDPR), which took effect in May of this year, the law did not take center stage at the annual meeting of regulators. Instead, the focus of this year’s conference was artificial…

READ MORE

European Data Protection Supervisor Predicts Sanctions Coming Soon for Violations of General Data Protection Regulation

Regulators in the European Union could impose sanctions for violations of the General Data Protection Regulation (GDPR) as soon as by the end of 2018, according to European Data Protection Supervisor Giovanni Buttarelli. According to a Reuter’s news report, Butarelli said in an interview, “I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban, or to give them an ultimatum.” Regulators in France and Italy report a 53 percent increase in complaints about violations over last year, Buttarelli said, adding that enforcers have seen a sharp…

READ MORE

Belgian Privacy Commission Issues Recommendation on Data Protection Impact Assessments

An important aspect of the General Data Protection Regulation (GDPR) that may be new to companies is the requirement set forth in Articles 35 and 36 that they conduct data protection impact assessments (DPIAs) when embarking on new data processing activities. While some organizations may have experience with DPIAs, often referred to as Privacy Impact Assessments in the United States, many may be unfamiliar with how they should be carried out and what data protection authorities look for when they review them. Companies may find help in the Belgian Privacy Commission’s Recommendation on Data Protection Impact Assessments and the prior consultation requirements provided for by Articles 35 and…

READ MORE