Photo of Davinia Brennan

The Bavarian Data Protection Authority (DPA) recently ruled that a German publisher should cease using a US-based email marketing platform to send newsletters to its subscribers. The Bavarian DPA found the German publisher's transfers of EU subscribers' email addresses to the US-based platform to be unlawful. When using the platform, the German publisher relied on the Standard Contractual Clauses (SCCs) for its data transfers from Germany to the US.

Continue Reading Bavarian DPA finds data transfers to US-based email marketing platform unlawful

Photo of Davinia Brennan

The Irish Data Protection Commission (DPC) has imposed a €70,000 fine on University College Dublin (UCD) for failing to implement appropriate security measures, storing data longer than necessary, and delaying in notifying the DPC of a data breach. This is the sixth GDPR fine imposed by the DPC. Previous GDPR fines included 3 fines on Tusla (the Child and Family Agency) amounting to a total of €200,000, a €450,000 fine on Twitter, and a €65,000 fine on the HSE. These fines similarly concerned failure to implement appropriate security measures to prevent the unauthorised disclosure of personal data, delay in notifying the DPC of the data breach, and failure to adequately document the breach.

Continue Reading DPC fines UCD €70,000 for GDPR breach

Photo of Davinia Brennan

On 24 December 2020, the EU and UK reached a consensus on the Trade and Cooperation Agreement (the Agreement). The Agreement allows personal data to continue to flow freely from the EU/EEA to the UK for up to 6 months after 1 January 2021, or until an adequacy decision is adopted (whichever is earlier). This provides the European Commission with some further time to make an adequacy decision in relation to the UK.

Continue Reading Trade Agreement keeps EU-UK personal data flowing for 6 months

Photo of Davinia Brennan

The European Commission recently published its new draft Standard Contractual Clauses (SCCs) for international transfers of personal data to third parties located outside of the EEA.

The new SCCs have been expected for some time in light of the coming into force of the GDPR. The existing set of SCCs was implemented under the former Data Protection Directive 95/46/EC and still referenced that regime. The delay was due to the European Commission reconciling the new SCCs with the decision of the European Court of Justice in Schrems II.

Whilst the new SCCs align with the GDPR, address the Schrems II decision, and directly incorporate some of the European Data Protection Board (EDPB) Recommendations on Supplementary Measures (01/2020), they are not a catch-all solution for international data transfers. Parties will still be required to undertake a risk assessment, and adopt supplementary measures (where necessary), to ensure the effectiveness of the new SCCs in the third country concerned. Where the new SCCs and supplementary measures do not provide an adequate level of protection in the third country, then companies will be obliged to suspend and/or terminate the transfer.


Continue Reading European Commission publishes draft new SCCs

Photo of Davinia Brennan

The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular data subject rights, lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. In the event there was a violation, the LSAs, for the most part, issued reprimands or compliance orders, rather than fines.

Continue Reading EDPB’s register of one-stop-shop decisions now live

Photo of Davinia Brennan

The European Data Protection Board (EDPB) has published updated Guidelines 05/2020 on Consent under the GDPR, replacing the previous Article 29 Working Party Consent Guidelines published in April 2018. The purpose of the updated guidelines is to provide clarity on: (i) data subject consent in relation to cookie walls (which are not allowed), and (ii) scrolling or swiping through a webpage or similar actions (which do not constitute valid consent). The paragraphs (38-41 and 86) concerning these two issues have been revised and updated, while the rest of the document has been left unchanged, except for editorial changes.

Continue Reading EDPB issue updated Guidelines on Consent

Photo of Davinia Brennan

Covid-19 is presenting unique and unprecedented challenges for employers who have to grapple with often complex HR and data protection related issues in a rapidly escalating crisis. Employers are anxious to ensure continuity of their business, the health and safety of their employees and compliance with data protection obligations where these arise.

Our Employment and

Photo of Davinia Brennan

The Minister of Finance has passed new Regulations, the Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2019, permitting data subjects’ rights under Articles 12-22 and Article 34, and controllers’ obligations under Article 5 GDPR, to be restricted to the extent necessary and proportionate to allow the Central Bank of Ireland (CBI) to carry out certain functions.

Continue Reading New Regulations permitting Central Bank to restrict individuals’ data protection rights

Photo of Daniel Jackson

On 17 April 2018, the European Commission proposed new rules in the form of a Regulation and an accompanying Directive, which aim to improve law enforcement authorities’ cross-border access to e-evidence.

The proposed Regulation on European Production and Preservation Orders enables a judicial authority in a Member State to obtain electronic evidence in criminal matters directly from a service provider in another Member State. The Directive complements the Regulation, as it sets out the rules for the appointment of service providers’ legal representatives, whose role is to receive and respond to judicial orders. The new rules will ensure swift access to e-evidence, with service providers being required to respond to judicial orders within 10 days and in emergency cases within 6 hours, compared to 10 months under the current Mutual Legal Assistance process.


Continue Reading European Council reaches position on proposed e-evidence Directive