22/02/21 – On 19 February 2021 the European Commission published two adequacy decisions, one for transfers of personal data to the UK under the GDPR and the other under the Law Enforcement Directive. Although perhaps not surprising, this is still a positive step because it means the Commission has concluded that the UK does ensure an essentially equivalent level of protection to the one guaranteed under both the GDPR and the Law Enforcement Directive, including in relation to the rules for data access by public authorities.
What happens next?
The European Data Protection Board (EDPB) will now review and provide its (non-binding) opinion on the draft decisions. Representatives of each EU member state will then be asked to approve the adequacy decisions (the so-called ‘comitology procedure’) before the decisions are adopted by the Commission. In the meantime, data can continue to be transferred from the EEA to the UK under the regime set out in the UK-EU Trade and Cooperation Agreement, as discussed in my article UK-EU data transfers from 1st January 2021 – where are we? If the draft adequacy decisions are adopted, they will be valid for four years, following which they will be renewed if the level of protection in the UK continues to be adequate.
Tags: adequacy decision, data protection, data transfer, gdpr, Trade and Cooperation Agreement
Posted in Privacy, Updates
Article 13 of the UK GDPR states that at the time you collect personal data from individuals you must provide them with certain information. The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which is made available to the individual when their personal data is collected, often via a website link like this one. The privacy notice must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).
Where you are not collecting the personal data directly from the individual, Article 14 requires you to provide the individual with the same information as under Article 13 “within a reasonable period after obtaining the personal data, but at the latest within one month”.
Information audit
The first step is to carry out an information audit (also called a ‘data mapping exercise’) so that you understand:
Privacy notice
The next step is then to create the privacy notice by documenting the output of your information audit. The format and content of an organisation’s privacy notice will of course vary from organisation to organisation, but for many businesses the following list should be a useful start:
Final thoughts…
Tags: data protection, gdpr, information audit, layered privacy notice, privacy notice, privacy policy
Posted in Privacy, Updates
A Data Processing Agreement (DPA) confirms the terms on which one party (the ‘processor’) processes personal data provided or made available by another party (the ‘controller’).
Examples of data processing include arrangements where an organisation provides details of its employees and their remuneration packages to a payroll services provider, or provides lists of its clients’ and stakeholders’ email addresses to an email marketing platform, or uploads its business data to a hosted data storage provider.
As well as being the right thing to do commercially, controllers and processors are required by Art 28(3) of the GDPR (now incorporated into UK law, as amended) to enter into a contract which sets out:
The contract must also stipulate the processor obligations listed in paragraphs (a) – (h) of Art 28(3):
If a processor wants to engage its own processor (a ‘sub-processor’), the processor must obtain the controller’s specific or general prior authorisation. If the authorisation is general, then the processor must notify the controller of any additional or replacement sub-processor (Art 28(2)). The processor must also enter into a DPA with the sub-processor which imposes on the sub-processor the same data protection obligations as are set out in the DPA between the processor and the controller (Art 28(4)).
Posted in Privacy, Updates
29/12/20 – Prior to the announcement of the EU-UK Trade and Cooperation Agreement [1], I was having to explain to a client that it was looking increasingly likely that, from 1st January 2021, transfers of personal data from organisations located in EEA countries to the UK would no longer be lawful.
Tags: adequacy decision, data protection, gdpr, TCA, third country, Trade and Cooperation Agreement
Posted in Privacy, Updates
19/11/20 – By way of background, transfers of EU citizens’ personal data to locations outside the European Economic Area (EEA) require a GDPR-permitted transfer mechanism.
Tags: data protection, modular SCCs, privacy, SCCs, Schrems II, Standard Contractual Clauses, transfer mechanism
Posted in Privacy, Updates
Ok, let’s start with the basics. What is ‘special category data’?
Article 9 of the GDPR (as incorporated into UK law, and amended) (“UK GDPR”) defines special category data as:
In short, special category data is personal data that needs more protection because it is sensitive.
And what does ‘more protection’ mean?
It means that, in addition to ensuring that the processing is generally lawful, fair and transparent, and that it complies with all the other principles and requirements of the UK GDPR, you must comply with the following requirements:
Tags: Article 9 conditions, dpa 2018, gdpr, lawful basis, lexoo, sensitive data, special category data, UK gdpr
Posted in Privacy, Updates
21/09/20 – On 2 September 2020, the European Data Protection Board (EDPB) adopted ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’. The Guidelines deal with the principles underpinning the differences between controllers and processors, and also delve into the more esoteric world of joint controllers.
Posted in Updates
23/07/20 – If you, as a ‘data exporter’, want to transfer personal data to a country outside the EEA (and which is not one of the 12 countries that have been granted an adequacy decision by the European Commission), then you need to use one of the GDPR-approved ‘transfer mechanisms’.
Tags: data protection, essentially equivalent, FISA, gdpr, privacy shield, SCCs, tia, transfer impact assessment
Posted in Privacy, Updates
13/07/20 – The EU Platform to Business Regulation (the ‘P2B Regulation’) came into effect on 12 July 2020. The P2B Regulation applies to all online platforms and search engines which provide services to business users in the EU, where those business users offer goods or services to consumers in the EU.
Posted in Updates
12/03/20 – The UK government has issued a Statement in response to the Law Commission’s report on Electronic execution of documents. My article on the Law Commission’s report can be accessed here.
Key takeaways from the government’s Statement:
Tags: deeds, electronic signature, execution of documents, law commission, video witnessing
Posted in Commercial, Updates