2020, Compliance and Personal data - Information Management Today

Singapore: Amendments to the Personal Data Protection Act 2012 (PDPA) now in force

DLA Piper Privacy Matters

FEBRUARY 3, 2021

Organisations must now notify the Personal Data Protection Commission (PDPC) and affected individuals if a data breach results in, or is likely to result in, significant harm to affected individuals, or affects 500 or more individuals. The Personal Data Protection (Amendment) Act 2020 is available here: [link].

Personal data

Personal data Data breaches Compliance Privacy

CIPL Submits Response to European Commission’s Standard Contractual Clauses for the Transfer of Personal Data to Third Countries Pursuant to the GDPR

Hunton Privacy

DECEMBER 16, 2020

The European Commission (the “Commission”) issued its draft on November 12, 2020, updating the SCCs to align with the GDPR and taking into account the requirements of the Court of Justice of the European Union Schrems II ruling of July 16, 2020.

Personal data

Personal data GDPR Compliance Government

Ireland: Irish Court of Appeal Clarifies Boundaries of Concept of Personal Data

DLA Piper Privacy Matters

JULY 21, 2020

The Irish Court of Appeal has clarified the scope of the definition of personal data – noting that, while the definition is deliberately very broad, it does not facilitate access by an individual to reports stemming from a complaint for the sole reason that the complaint was made by that individual. Submissions.

Personal data

Personal data Access Compliance Privacy

Irish Regulator Fines TikTok 345 Million Euros

Hunton Privacy

SEPTEMBER 22, 2023

On September 15, 2023, the Irish Data Protection Commission (the “DPC”) announced a fine of 345 million Euros against TikTok Technology Limited (“TikTok”) for non-compliance with GDPR rules regarding the processing of personal data of child users. Read the DPC’s decision and the EDPB’s Article 65 binding decision.

GDPR

GDPR Personal data Privacy Compliance

Dutch DPA Fines Dutch Credit Registration Bureau 830,000 Euros for Non-Compliance with Data Subject Rights

Hunton Privacy

JULY 15, 2020

The Dutch DPA found that BKR had infringed the GDPR on the following grounds: Free of charge access requests: The Dutch DPA found that BKR had infringed Article 12(5) of the GDPR by charging a fee to data subjects wishing to access personal data in a digital format.

Compliance

Compliance GDPR Personal data Paper

Germany: Data protection authorities announce closer monitoring of data transfers to the US after Schrems II

Data Protection Report

FEBRUARY 18, 2021

Following the CJEU’s Schrems II ruling (case C-311/18 of July 16, 2020), transfers of personal data to the US are coming under close scrutiny by the German data protection authorities. Schrems II still leads to legal uncertainty. They should prepare for how they might respond.

Personal data

Personal data Compliance Encryption Marketing

Standard contractual clauses and data transfers after Schrems II: EDPB-EDPS Joint Opinion on Draft SCCs

DLA Piper Privacy Matters

APRIL 20, 2021

The CJEU’s long-awaited Schrems II decision of 16 July 2020, raised important questions on the validity of data processing activities involving the transfer of personal data outside the EEA. Authors: Heidi Waem, Camille Vermosen. Schrems II. More information on these recommendations can be found here.

Personal data

Personal data GDPR Compliance Privacy

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

Data Protection Report

NOVEMBER 13, 2020

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision. On 11 November, the European Data Protection Board ( EDPB ) published its much anticipated guidance on the Schrems II judgment. A feedback period on the draft documents will run until 10 December.

Personal data

Personal data GDPR Encryption Government

Reflecting on APAC Data Protection and Cyber-security Highlights for 2019 (and what lies ahead!)

Data Protection Report

JANUARY 20, 2020

In addition, 2019 saw regulators publishing findings in respect of some of the largest data incidents of 2018. We have set out below the key highlights of the year and what to look out for in 2020. This decision enables personal data to flow freely between the two jurisdictions without the need for additional safeguards.

Personal data

Personal data Security Data Privacy GDPR

Ireland / Europe: DPC’s record GDPR fine has implications for calculation of GDPR fines and regulatory expectations around transparency rules

DLA Piper Privacy Matters

SEPTEMBER 6, 2021

On 2 September 2021, the Data Protection Commission (DPC) announced it has imposed a €225 million administrative fine against WhatsApp Ireland Limited , as well as a reprimand and an order to bring its processing into compliance. Non-User Data. This is the second major Article 60 draft decision which the DPC has finalised.

GDPR

GDPR Personal data e-Delivery Communications

UK Tribunal Rules on Direct Marketing ICO Case Against Experian

Hunton Privacy

FEBRUARY 23, 2023

On February 20, 2023, in the case of Experian Limited v The Information Commissioner , the First-Tier Tribunal in the UK (the “ Tribunal ”) ruled on the ICO’s action to require Experian to make changes to how it processes personal data for direct marketing purposes.

Marketing

Marketing Personal data GDPR Privacy

Belgian DPA Fines Company for Unlawful Processing and Non-Compliance with Data Subject Rights

Hunton Privacy

JULY 10, 2020

On June 16, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine on a company (the “defendant”) for unlawful and incorrect processing of personal data and non-compliance with the EU General Data Protection Regulation’s (the “GDPR”) data subject rights provisions.

Compliance

Compliance GDPR Marketing Personal data

Brazilian President Delays Applicability of LGPD Sanctions, but Other Provisions Remain Uncertain

Hunton Privacy

JUNE 17, 2020

On June 12, 2020, the Brazilian President Jair Bolsonaro approved Law #14,010/2020 (the “Law”). Among other topics, it delays until August 1, 2021 the applicability of the provisions relating to sanctions for non-compliance with the new Brazilian data protection law ( Lei Geral de Proteção de Dados Pessoais , “LGPD”).

Compliance

Compliance IT Personal data

Brazilian Data Protection Law Update – Delayed Enforcement, Lack of Administrative Structure, and Market Unreadiness

Data Matters

JULY 22, 2020

Indeed, the comprehensive law has been viewed as a necessary measure for the country to join a select but growing group of nations in the systematic protection of individuals’ personal data. Compliance Costs and the 2020 Crisis. Currently, Brazil faces a growing economic crisis precipitated by the COVID-19 pandemic.

Marketing

Marketing Compliance Personal data GDPR

European Commission Releases Draft Standard Contractual Clauses for Article 28 Data Processing Agreements

Hunton Privacy

NOVEMBER 16, 2020

On November 12, 2020, somewhat in the shadow of the new standard contractual clauses for data transfers to recipients outside the European Economic Area (“EEA”), the European Commission also adopted draft standard contractual clauses to be used between controllers and processors in the EEA (“EEA Controller-Processor SCCs”).

GDPR

GDPR Personal data Data breaches Information Security

Comments Submitted on California Consumer Privacy Act of 2020—Initiative 19-0021

Data Matters

NOVEMBER 12, 2019

Similar to what is already required with respect to data security incidents under federal financial and health privacy law, and more broadly under all 50 U.S. While your language explicitly recognizes this, to raise the specter of limitless backward searching may expand compliance burdens beyond the commensurate benefits.

Privacy

Privacy Data breaches Compliance Personal data

Cross-Border Data Privacy and Security Concerns in the Dawn of Quantum Computing

Thales Cloud Protection & Licensing

DECEMBER 22, 2020

Cross-Border Data Privacy and Security Concerns in the Dawn of Quantum Computing. Tue, 12/22/2020 - 10:08. New EU restrictions could force companies to change data transfer practices and adopt more advanced data encryption methods. Data privacy is not a check-the-box compliance or security item.

Data Privacy

Data Privacy Privacy Security Encryption

The Impact of Data Protection Laws on Your Records Retention Schedule

ARMA International

APRIL 18, 2022

Introduction to Data Protection Laws. Data protection laws, regulations, and rules control the collection, use, transfer, and storage of personal and sensitive information. Personal data protection requirements may be issued by federal, state (provincial), or local governments.

Personal data

Personal data GDPR Privacy Records Management

ICO Issues Enforcement Notice Against Experian

Hunton Privacy

OCTOBER 29, 2020

On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published its enforcement notice against credit reference agency Experian Limited (“Experian”) under Section 149 of the Data Protection Act 2018 (“DPA”) (the “notice”).

Personal data

Personal data Marketing GDPR Compliance

CNIL Fines Two Companies of the Carrefour Group €3.05 Million for GDPR and Cookie Violations

Hunton Privacy

DECEMBER 1, 2020

On November 26, 2020, the French Data Protection Authority (the “CNIL”) announced that it imposed a fine of €2.25 These inspections aimed to verify whether Carrefour France and Carrefour Banque were in compliance with all provisions of the GDPR and the French Data Protection Act. Background. GDPR and Cookie Violations.

GDPR

GDPR Personal data Data collection Marketing

ASEAN releases Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses and AI Governance Guide

Data Protection Report

FEBRUARY 27, 2024

Key takeaways With the addition of the Implementation Guide to further clarify the process of operationalising data transfer clauses, the Joint MCC – SCC Guide is a useful tool for organisations seeking to implement cross-border transfers of personal data within ASEAN and between ASEAN and the EU.

Government

Government Personal data Compliance Risk

European Commission Proposes Revised Standard Contractual Clauses

Data Matters

NOVEMBER 13, 2020

The European Commission (EC), on 12 November 2020, published a draft adequacy decision implementing revised Standard Contractual Clauses (draft SCCs) – (the EC’s Draft). In relation to special categories of personal data (e.g.,

Personal data

Personal data GDPR Privacy Compliance

New York SHIELD Act $600,000 settlement

Data Protection Report

FEBRUARY 8, 2022

million individuals was exposed, including approximately 98,632 New Yorkers.The AG began an investigation based on New York’s Executive Law § 63(12) [deception] and General Business Law §§ 349 [deception] and 899-bb. The latter is the 2019 data security law known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act.

Passwords

Passwords Financial Services Authentication Insurance

EDPB Publishes FAQs on Recent Schrems II Judgment

Data Matters

JULY 24, 2020

The CJEU invalidated the EU-US Privacy Shield but upheld the use of Standard Contractual Clauses (“SCCs”) to transfer personal data to the U.S.: to ensure compliance with a level of protection “essentially equivalent” to that guaranteed within the EU by the GDPR). .: domestic law, in particular the ability for U.S.

Personal data

Personal data GDPR Privacy Access

More New York SHIELD Act guidance

Data Protection Report

JULY 12, 2022

In brief, on April 5, 2021, a security researcher contacted Wegmans about a serious flaw the left some of Wegmans’ customers’ personal data available to the public. Wegmans updated the container configurations to prohibit public access on May 12, 2021 and notified consumers. Wegmans does not confirm or deny the NYAG’s findings.

Passwords

Passwords Data collection Personal data Cloud

EDPB Publishes Guidelines on Data Protection by Design and by Default

Hunton Privacy

NOVEMBER 22, 2019

appropriate technical and organizational measures for ensuring that, by default, only personal data, which is necessary for each specific purpose of the data processing, is processed (“Data protection by default”). on how to handle personal data.

Personal data

Personal data GDPR Compliance Risk

The Belgian Data Protection Authority Publishes Recommendation Concerning Data Processing for Direct Marketing Purposes

HL Chronicle of Data Protection

MARCH 5, 2020

On January 17, The Belgian Data Protection Authority (DPA) published Recommendation no 01/2020 providing Guidance on direct marketing. The Recommendation provides a methodology on how to comply with the General Data Protection Regulation (GDPR) when conducting direct marketing. Necessity for Data Minimisation.

Marketing

Marketing GDPR Personal data Healthcare

Ireland: Non-material damages under GDPR – Irish law developments and the international approach

DLA Piper Privacy Matters

SEPTEMBER 7, 2023

The scrutiny by national courts over the lawfulness of certain processing, and commentary on the factors that will aggravate or mitigate an infringement, should be considered by these organisations and inform their approach to data protection compliance.

GDPR

GDPR Data breaches Risk Personal data

Belgium: Belgian DPA imposes a EUR600,000 fine, its highest fine ever, on Google Belgium for non-compliance with right to be forgotten

DLA Piper Privacy Matters

JULY 29, 2020

Until recently, most decisions of the Belgian Data Protection Authority (Belgian DPA) concerned national companies or individuals. However, on 14 July 2020, the Belgian DPA imposed a fine of EUR600,000 on Google Belgium SA/NV (Google Belgium) for not respecting a Belgian resident’s right to be forgotten.

GDPR

GDPR Compliance IT Privacy

ICO Publishes Age Appropriate Design Code of Practice for Online Products and Services accessed by Children

Privacy and Cybersecurity Law

FEBRUARY 14, 2020

On 21 January 2020, the ICO published the Age Appropriate Design Code of Practice. Detrimental Use of Data: You should not use children’s personal data in ways that have been shown to be detrimental to their wellbeing , or that go against industry codes of practice, other regulatory provisions, or Government advice.

Access

Access IoT Personal data Privacy

ICO Publishes Final Version of Its Age Appropriate Design Code

Hunton Privacy

JANUARY 22, 2020

On January 21, 2020, the UK Information Commissioner’s Office (“ICO”) published the final version of its Age Appropriate Design Code (“the code”), which sets out the standards that online services need to meet in order to protect children’s privacy. The code will now be laid before Parliament for approval.

IT

IT Personal data Compliance Privacy

ICO Publishes Age Appropriate Design Code of Practice for Online Products and Services accessed by Children

Privacy and Cybersecurity Law

FEBRUARY 14, 2020

On 21 January 2020, the ICO published the Age Appropriate Design Code of Practice. Detrimental Use of Data: You should not use children’s personal data in ways that have been shown to be detrimental to their wellbeing , or that go against industry codes of practice, other regulatory provisions, or Government advice.

Access

Access Personal data IoT Privacy

Online advertising targeting : a CNIL priority for 2019

Data Protection Report

JULY 12, 2019

Often questioned about online advertising targeting by both the public and professionals, the CNIL released its action plan for 2019-2020 with a view to providing further details about the applicable advertising rules and to support stakeholders in their compliance with them.

GDPR

GDPR Compliance Marketing Personal data

Europe: European Commission publishes draft updated Standard Contractual Clauses

DLA Piper Privacy Matters

NOVEMBER 13, 2020

On 12 November, the European Commission published its long awaited updated draft Implementing Decision on standard contractual clauses (“ SCCs ”) for the transfer of personal data to third countries. The draft SCCs are now subject to an initial public consultation running until 10 December 2020.

GDPR

GDPR Personal data Government Privacy

CNIL Publishes Action Plan Regarding Online Targeted Advertising

Hunton Privacy

JULY 1, 2019

On June 28, 2019, the French data protection authority (the “CNIL”) published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts. The CNIL will allow for a transition period of 12 months to comply with the new cookie guidelines.

GDPR

GDPR Marketing Personal data Privacy

UK: ICO rules regarding the online privacy of children enter into force

DLA Piper Privacy Matters

SEPTEMBER 2, 2021

The Children’s Code is not new law, but a statutory Code of Practice under the Data Protection Act 2018. The Code was laid before Parliament on 11 June 2020, under s. Therefore, whilst its recommendations are not themselves legally binding, compliance with the Code is strongly recommended. 125(1)(b) of the DPA.

Privacy

Privacy Education Personal data Compliance

Action Required: Privacy Shield Participants Must Update Privacy Policies for Brexit

HL Chronicle of Data Protection

APRIL 5, 2019

With the deadline for a no-deal Brexit looming—the UK’s exit date from the European Union is now slated for April 12—companies certified to the EU-U.S. Privacy Shield should update their Privacy Shield privacy policies if they have not done so already to ensure that they are able to lawfully receive personal data from the UK post-Brexit.

Privacy

Privacy Compliance Personal data Government

Germany: Bonn Regional Court overrules GDPR Fining Guidelines by German Data Protection Authorities

DLA Piper Privacy Matters

NOVEMBER 24, 2020

How to properly calculate administrative fines for non-compliance with the EU General Data Protection Regulation (‘ GDPR ’) is one of the most important questions when applying the GDPR on practical level, e.g. : What is actually meant by the reference to “undertaking” in Article 83 (4) to (6) GDPR? million Euro as was too high.

GDPR

GDPR Authentication Compliance Personal data

The UK ICO’s Regulatory Sandbox Points to a Future of Pro-Active Engagement

HL Chronicle of Data Protection

JULY 9, 2019

The ICO intends to use its own Sandbox to support organisations that are looking to use personal data in innovative ways through the use of new technologies and approaches. These organisations will participate in the beta phase which is due to run from July 2019 until September 2020.

GDPR

GDPR Personal data Privacy Financial Services

UK: Supreme Court judgment in Morrisons – employer not vicariously liable for data breach

DLA Piper Privacy Matters

APRIL 1, 2020

A few months later, he uploaded the data onto a file-sharing website and later sent it to newspapers. this applies whether the data controller is the employer or the employee (in this case it was the employee). this applies whether the data controller is the employer or the employee (in this case it was the employee).

Data breaches

Data breaches GDPR Personal data Information governance

California passes major legislation, expanding consumer privacy rights and legal exposure for US and global companies

Data Protection Report

JUNE 29, 2018

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data. Consumer access and data portability rights.

Privacy

Privacy GDPR Personal data Risk

California Passes Major Legislation, Expanding Consumer Privacy Rights and Legal Exposure for US and Global Companies

Data Protection Report

JUNE 29, 2018

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data. Consumer Access and Data Portability Rights.

Privacy

Privacy GDPR Personal data Risk

California Consumer Privacy Act: The Challenge Ahead – CCPA and Employee Data

HL Chronicle of Data Protection

OCTOBER 26, 2018

As part of our ongoing series on the CCPA, this post lays out why the issue of CCPA applicability to employees is controversial and nevertheless offers potential strategies to address CCPA compliance requirements as they may relate to personnel records. Opt-Out for Sale of Personal Information. Why the Uncertainty?

Privacy

Privacy Sales Compliance Personal data

CNIL publishes a draft TIA guide

Data Protection Report

FEBRUARY 6, 2024

The Court of Justice of the European Union ( CJEU )’s Schrems II decision [1] clarified strict rules for personal data transfers outside of the European Union. It is currently in a consultation phase, with the consultation due to close on 12 February 2024 and the final guidance expected later in the year. When is a TIA required?

GDPR

GDPR Personal data Compliance IT

Singapore: Amendments to the Personal Data Protection Act 2012 (PDPA) now in force

CIPL Submits Response to European Commission’s Standard Contractual Clauses for the Transfer of Personal Data to Third Countries Pursuant to the GDPR

Trending Sources

Ireland: Irish Court of Appeal Clarifies Boundaries of Concept of Personal Data

Irish Regulator Fines TikTok 345 Million Euros

Dutch DPA Fines Dutch Credit Registration Bureau 830,000 Euros for Non-Compliance with Data Subject Rights

Germany: Data protection authorities announce closer monitoring of data transfers to the US after Schrems II

Standard contractual clauses and data transfers after Schrems II: EDPB-EDPS Joint Opinion on Draft SCCs

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

Reflecting on APAC Data Protection and Cyber-security Highlights for 2019 (and what lies ahead!)

Ireland / Europe: DPC’s record GDPR fine has implications for calculation of GDPR fines and regulatory expectations around transparency rules

UK Tribunal Rules on Direct Marketing ICO Case Against Experian

Belgian DPA Fines Company for Unlawful Processing and Non-Compliance with Data Subject Rights

Brazilian President Delays Applicability of LGPD Sanctions, but Other Provisions Remain Uncertain

Brazilian Data Protection Law Update – Delayed Enforcement, Lack of Administrative Structure, and Market Unreadiness

European Commission Releases Draft Standard Contractual Clauses for Article 28 Data Processing Agreements

Comments Submitted on California Consumer Privacy Act of 2020—Initiative 19-0021

Cross-Border Data Privacy and Security Concerns in the Dawn of Quantum Computing

The Impact of Data Protection Laws on Your Records Retention Schedule

ICO Issues Enforcement Notice Against Experian

CNIL Fines Two Companies of the Carrefour Group €3.05 Million for GDPR and Cookie Violations

ASEAN releases Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses and AI Governance Guide

European Commission Proposes Revised Standard Contractual Clauses

New York SHIELD Act $600,000 settlement

EDPB Publishes FAQs on Recent Schrems II Judgment

More New York SHIELD Act guidance

EDPB Publishes Guidelines on Data Protection by Design and by Default

The Belgian Data Protection Authority Publishes Recommendation Concerning Data Processing for Direct Marketing Purposes

Ireland: Non-material damages under GDPR – Irish law developments and the international approach

Belgium: Belgian DPA imposes a EUR600,000 fine, its highest fine ever, on Google Belgium for non-compliance with right to be forgotten

ICO Publishes Age Appropriate Design Code of Practice for Online Products and Services accessed by Children

ICO Publishes Final Version of Its Age Appropriate Design Code

ICO Publishes Age Appropriate Design Code of Practice for Online Products and Services accessed by Children

Online advertising targeting : a CNIL priority for 2019

Europe: European Commission publishes draft updated Standard Contractual Clauses

CNIL Publishes Action Plan Regarding Online Targeted Advertising

UK: ICO rules regarding the online privacy of children enter into force

Action Required: Privacy Shield Participants Must Update Privacy Policies for Brexit

Germany: Bonn Regional Court overrules GDPR Fining Guidelines by German Data Protection Authorities

The UK ICO’s Regulatory Sandbox Points to a Future of Pro-Active Engagement

UK: Supreme Court judgment in Morrisons – employer not vicariously liable for data breach

California passes major legislation, expanding consumer privacy rights and legal exposure for US and global companies

California Passes Major Legislation, Expanding Consumer Privacy Rights and Legal Exposure for US and Global Companies

California Consumer Privacy Act: The Challenge Ahead – CCPA and Employee Data

CNIL publishes a draft TIA guide

Stay Connected