On May 22, 2023, Ireland’s Data Protection Commission (DPC) published its long-awaited decision in the Meta EU-U.S. data transfer case (Decision). In its landmark Decision, the DPC imposed a record 1.2 billion EUR fine and
Continue Reading Meta Receives Record 1.2 Billion EUR Fine and Is Ordered to Suspend Its EU-U.S. Data Transfers
EDPB
EDPB Issues Guidance on Cookie Banners
In January 2023, the European Data Protection Board (EDPB) published a report on cookie banners (Report). The Report provides practical guidance to companies doing business in the EU on how to comply with…
New Draft Guidance on Binding Corporate Rules for Controllers
On November 15, 2022, the European Data Protection Board (EDPB) adopted draft recommendations for data controllers when applying for approval of their binding corporate rules for international data transfers (Recommendations).
Binding corporate…
EU Regulators Define Data Transfers
They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR
On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer where EU data subjects disclose on their own initiative personal data directly to a non-EU company. Consequently, there is no need to implement a transfer tool in such situations. The Guidelines are open to public consultation until the end of January 2022.
EDPB Clarifies Key Health Research Data Protection Rules
On February 2, 2021, the European Data Protection Board (EDPB) issued guidance on the processing of personal data for research purposes in response to questions posed by the European Commission (Document). The Document aims to provide clarity on the application of the General Data Protection Regulation (GDPR) to scientific health research. In particular, the Document provides high-level guidance on pertinent issues such as consent for scientific research purposes, appropriate legal bases, and data repurposing.
EDPB Publishes New Guidance for Data Breach Notification
On January 18, 2021, the European Data Protection Board (EDPB), comprised of all national supervisory authorities (SAs) of the European Union, published draft guidelines for data breach notification (the Guidelines).
The Guidelines provide useful insight into how regulators apply the General Data Protection Regulation (GDPR) personal data breach notification rules. Specifically, they describe six common types of personal data breaches (i.e., ransomware, data exfiltration attacks, internal human risk, lost or stolen device and paper documents, misposted data, and social engineering attacks), and offer 18 case studies. Through these case studies, the EDPB seeks to clarify organizations’ notification and remediation obligations.
Draft EDPB Guidelines Clarify the Roles of Parties Processing Personal Data and Call for Detailed Data Processing Agreements
On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).