After years of consulting, drafting and negotiating at various levels, on 15 December 2015 the final compromise text of the EU General Data Protection Regulation (GDPR) was agreed. What a milestone! Once the European Parliament and Council both adopt the agreed text, the GDPR will officially come into force, which is expected to be January 2016. Businesses will have a two-year transitional period to adapt to the new regime.One Continent, One LawThe GDPR will apply directly in…
On October 22, 2015, the Czech Data Protection Authority (DPA) sent out letters to companies which are registered as data controllers with the DPA. The letter is essentially a notice to inform such Czech companies about the invalidation of Safe Harbor.RecommendationsThe DPA recommends using EU Model Clauses or BCRs instead for data transfers to third countries. The letter does not require companies to respond to it nor does it stipulate a specific timeline to take…
The Spanish Data Protection Agency sent out letters dated October 29, 2015 to companies that are registered with the DPA and that rely on Safe Harbor for data transfers to US recipients. The letter states that companies need to take alternative measures since Safe Harbor has been invalidated. The DPA asks specifically whether the notified data transfers to US recipients based on Safe Harbor will continue, and if so, which alternative measures the company will now take. Safe…
The following is the second part in a two-part commentary (Part One available here) on a position paper issued by the Data Protection Conference of the German State Data Protection Authorities and the German Federal Commissioner for Data Protection (“Conference”) following the recent decision of the Court of Justice of the European Union (“ECJ”) invalidating the Safe Harbor decision of the EU Commission. German DPAs Have The Power To Prohibit Or Suspend Data Flows Under…
On October 26, 2015, the Data Protection Conference of the German State Data Protection Authorities and the German Federal Commissioner for Data Protection (“Conference”) issued a position paper following the recent decision of the Court of Justice of the European Union (“ECJ”) invalidating the Safe Harbor decision of the EU Commission.Data Transfers Solely Based On Safe Harbor Will Be ProhibitedThe Conference states that the German data protection authorities (“DPAs”) will prohibit transfers to the U.S…
Safe Harbor FrameworkUS Department of Commerce Safe Harbor websiteUS Federal Trade Commission’s Safe Harbor Framework websiteUS – EU Safe Harbor Framework DocumentsUS – Swiss Safe Harbor Framework DocumentsFebruary 2, 2016EU Commission and US Department of Commerce announce progress on “EU-US Privacy Shield Agreement”Official Document – EU Commission Press ReleaseOfficial Document – FTC Press ReleaseOfficial Document – EU Article 29 Working Party Statement (February 3, 2016)November 19, 2015France – Data Protection Authority issues Guidance and FAQ…
With the anticipated publication of the Europe General Data Protection Regulation (the “GDPR”) in 2016, international companies must begin to assess how the GDPR will affect their global data protection and privacy compliance programs. The GDPR will likely affect companies based in and outside the EU, so it is important for all multi-national companies to assess the impact of the GDPR.What Is Happening?The GDPR will largely replace the existing data protection regulatory landscape in the…
Sharing personal data in connection with the sale of a business can create risk for both the seller and the purchaser if not undertaken in compliance with data protection requirements as illustrated in a recent German case. In this post, we point out the perils of sharing personal data in connection with an asset deal and provide tips on how to manage these risks.A typical scenarioLet’s say (as was the case in the recent German…
Since its genesis, the General Data Protection Regulation (GDPR) has been winding its way through the long and arduous EU law-making process. If you did not follow this process, here is your chance to catch up in a few minutes. If you are on top of the process to date, check back in next week when we start exploring the major concepts of the GDPR.Where Are Things Up To?The legislative process kicked-off in November 2010…