EDPB

Non-EEA Based Vendors Caught by GDPR’s Long-Arm Provisions

By Jan Dhont & Nikolaos Theodorakis on March 19, 2020

The General Data Protection Regulation (GDPR) does not just impact companies located in the European Economic Area (EEA). It has a “long-arm” provision which may subject foreign companies to its jurisdiction. There is a fair amount of uncertainty regarding how this provision may be applied. The European Data Protection Board (EDPB) has recently issued updated guidelines that shed some light on how national Supervisory Authorities are expected to interpret the extra-territorial reach of the GDPR (guidelines).^[1] This article focuses on one aspect of the guidelines that may negatively affect vendors located outside the EEA.
Continue Reading Non-EEA Based Vendors Caught by GDPR’s Long-Arm Provisions

The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting

By Cédric Burton, Jan Dhont, Rossana Fol & Josephine Jay on July 10, 2019

Posted in European Union, Privacy, Regulatory

On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);¹ among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance.

Background

When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining valid consent to process personal data. In short, consent must be freely given, specific, informed, and unambiguous. Individuals must also be able to withdraw their consent at any time. The European Data Protection Board (EDPB) issued guidelines to further clarify the “do’s and don’ts” for obtaining valid consent (consent guidelines), including that scrolling down or swiping through a website is not enough to obtain valid consent. Rather, consent must be obtained via a clear and affirmative action, such as clicking on an “I agree” button.Continue Reading The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting

EDPB Opinion on Consent and Legal Basis in Clinical Trials

By Cédric Burton, Jan Dhont, Lore Leitner & Elli Laine on February 6, 2019

Posted in Clinical Trial, Cybersecurity, European Union, Regulatory

On January 23, 2019, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the Clinical Trial Regulation (CTR) and the General Data Protection Regulation (GDPR), an issue which has been the subject of intense debate and that resulted in a draft, and still non-public, FAQ prepared by the EU Commission. The Opinion comments on the draft FAQ and provides some insight on data protection regulators’ view on how the GDPR applies to patient data collected as a part of a clinical trial.

In short, the EDPB takes the position that consent under the GDPR, and informed consent under the CTR, are different concepts, and that various legal grounds, including consent, are available under the GDPR to process patient personal data in the clinical trial context. Practically speaking, organizations will have to conduct a case-by-case assessment of the various options available.
Continue Reading EDPB Opinion on Consent and Legal Basis in Clinical Trials

The Data Advisor

EDPB

ABOUT OUR DATA, PRIVACY, AND CYBERSECURITY PRACTICE