Following the first designation of Very Large Online Platforms (“VLOPS“) and Very Large Online Search Engines (“VLOSEs”) under the Digital Services Act Regulation (“DSA“) on 25 April 2023, the European Commission has now announced a call for evidence from stakeholders to inform proposed delegated acts on data access mechanisms.
Continue Reading Commission Calls for Stakeholder Views on Data Access Mechanism under DSA
In a recent significant judgment1 from the Irish Circuit Court, the judge concluded that “justice is best served” by granting a stay of a data subject’s damages claim pending determination of certain preliminary references currently before the CJEU. The court expressed a view that damages in the case, if awarded, were likely to be small and a stay would not impact the procedural efficiency of the proceedings, but a delay in granting a stay could substantially and unnecessarily increase legal costs for the defendant.
Continue Reading “Justice Best Served” – Data Subject Claims Stayed
The Digital Services Act (DSA), a major EU regulation for online content, was signed into law yesterday.
The DSA together with the Digital Markets Act (the DMA) form part of an EU legislative strategy that seeks to create a level playing field for both big and small businesses in the digital world,
When the European Commission adopted the new EU Standard Contractual Clauses (new SCCs) for international data transfers earlier this year, we highlighted 3 key dates to be aware of. As one of those dates – 27 September 2021 – has now passed, its timely to remind ourselves why those dates are important.
Continue Reading Old EU SCCs now repealed
The DPC recently fined WhatsApp €225m for failing to discharge its transparency obligations under the GDPR. The decision will have implications for all businesses, particularly regarding their privacy notices and transparency obligations. The decision sets out the DPC’s high expectations in regard to businesses’ transparency obligations. It also clarifies the relevance of the consolidated turnover
The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I, we outlined some of the key highlights of the Guidelines in respect of the controller and processor concepts. This Part II addresses the key highlights in respect of the joint controller concept and the implications of the joint controller relationship.
Continue Reading EDPB provides guidance on the concepts of controller and processor in the GDPR (Part II)
The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I of this blog, we outline some of the key highlights of the Guidelines in respect of the controller and processor concepts and the implications of the controller to processor relationship. Part II will address the key highlights of the Guidelines in respect of joint controllers.
Continue Reading EDPB provides guidance on the concepts of controller and processor in the GDPR (Part I)
The finalised EDPB Guidelines on the concepts of controller and processor (07/2020) in the GDPR were published this week. The Guidelines set out the EDPB’s recommendations on what should be included in data processing contracts between controllers and processors, in order to ensure compliance with Article 28 GDPR. We have set out some key highlights of the Guidelines below.
Continue Reading EDPB provides guidance on requirements of data processing contracts
The Data Protection Commission (DPC) recently published its decision following a formal inquiry into the Irish Credit Bureau DAC (the ICB) following the ICB’s notification to the DPC of a personal data breach on the 31 August 2018. The ICB is a credit reference agency that maintains a database on the performance of credit agreements between financial institutions and borrowers.
The personal data breach occurred when the ICB implemented a code change to its database that contained a technical error. As a result, between 28 June 2018 and 30 August 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. This update had the effect of changing key data in a data subject’s record so that it appeared that their accounts had been closed recently, even where the loans or credit facilities had been paid off years before. This caused the ICB to disclose 1,062 inaccurate account records to financial institutions as part of credit checks, which would have potentially resulted in a refusal of credit in circumstances where it would have been granted. The records did not, however, misstate that a balance was outstanding on the accounts.
The incident was handled by the ICB as a data breach and was reported to the DPC. The DPC’s investigation focussed on the application of Data Protection by Design and by Default (Article 25), the appropriateness of organisational and technical controls under Article 24, and whether or not there was a joint controller relationship under Article 26 GDPR between the ICB and the lenders who shared data with them.
Continue Reading Irish Credit Bureau fine offers insight into the DPC’s use of its corrective powers
The Court of Justice of the European Union (CJEU) has confirmed the limited competence of a national supervisory authority, that is not the lead supervisory authority (LSA), to bring legal proceedings in their national courts for alleged infringements of the GDPR. The CJEU concluded that in cases of cross-border data processing, a national supervisory authority that is not the LSA has power to bring legal proceedings in its national courts, only if: (i) that power is exercised in one of the situations where the GDPR confers on that supervisory authority a competence to adopt a decision finding that such processing infringes the rules contained in the GDPR, and (ii) that power is exercised with due regard to the cooperation and consistency procedures laid down by the GDPR.
Continue Reading CJEU confirms limited derogations from the GDPR’s one-stop-shop mechanism