Laura De Boel

Subscribe to Laura De Boel's Posts

They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR

On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer where EU data subjects disclose on their own initiative personal data directly to a non-EU company. Consequently, there is no need to implement a transfer tool in such situations. The Guidelines are open to public consultation until the end of January 2022.
Continue Reading EU Regulators Define Data Transfers

As of September 27, 2021, companies relying on Standard Contractual Clauses (SCCs) to transfer personal data outside the European Union (EU) must use the new Standard Contractual Clauses (New SCCs) when signing data processing agreements. As a result, it is time to update template data processing agreements to ensure that your company can meet this deadline.
Continue Reading Don’t Forget to Use the New SCCs to Transfer EU Personal Data as of September 27, 2021

On June 4, 2021, the European Commission published its long awaited new set of Standard Contractual Clauses for outsourced data processing (DPA SCCs). These DPA SCCs are a contract template that organizations can use to comply with the General Data Protection Regulation’s (GDPR) rules on outsourced data processing.
Continue Reading EU Commission Publishes Template Data Processing Agreement

New Set of SCCs for Data Transfers to Third Countries

On June 4, 2021, the European Commission (EC) published its long awaited new set of Standard Contractual Clauses (New SCCs). This new data transfer mechanism allows for the transfers of personal data outside of the European Economic Area (EEA) and replaces the current Standard Contractual Clauses (current SCCs). The New SCCs take into account the European Court of Justice’s (CJEU) Schrems II ruling, which invalidated the EU-U.S. Privacy Shield and requires that data exporters and importers take measures to ensure that the SCCs are effectively complied with.
Continue Reading A New Data Transfer Mechanism Is Available for EU Personal Data

On January 18, 2021, the European Data Protection Board (EDPB), comprised of all national supervisory authorities (SAs) of the European Union, published draft guidelines for data breach notification1 (the Guidelines).

The Guidelines provide useful insight into how regulators apply the General Data Protection Regulation (GDPR) personal data breach notifications rules. Specifically, they describe six common types of personal data breaches (i.e., ransomware, data exfiltration attacks, internal human risk, lost or stolen device and paper documents, misposted data, and social engineering attacks), and offer 18 case studies. Through these case studies, the EDPB seeks to clarify organizations’ notification and remediation obligations.
Continue Reading EDPB Publishes New Guidance for Data Breach Notification

On December 19, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued his opinion in Schrems II[1] (the opinion). Wilson Sonsini previously covered the key points of the opinion in our Alert of December 20 and now provides a more detailed analysis in this contribution.

At stake in this case is the validity of two key EU data transfers mechanisms, the Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield. The SCCs allow companies to transfer personal data to any country outside of the European Economic Area. The Privacy Shield enables transfers specifically from the EU to the U.S.
Continue Reading CJEU Advocate General Confirms Validity of EU Data Transfer Tools