Privacy

EU-UK data transfers – final update

05/07/21  (updated) – As part of the Trade and Cooperation Agreement the EU and the UK agreed a six-month ‘bridging period’, allowing transfers of personal data from the EEA to the UK to continue freely until 30th June 2021, to give the European Commission enough time to adopt the adequacy decisions which are necessary to […]

Read more »

What’s happening with SCCs? – Part 2

09/06/21 – At the end of last week, and more than three months later than originally expected, the European Commission published final versions of the new standard contractual clauses (SCCs) for the transfer of personal data to third countries (New EU SCCs). The New EU SCCs replace the standard contractual clauses adopted by the European […]

Read more »

What’s happening with SCCs? – Part 1

05/05/21 – If your organisation does not transfer personal data to ‘third countries’, i.e. countries outside the EEA that do not have a UK adequacy finding, then breathe a sigh of relief and feel free to go and do something else.  If, however, your organisation does transfer personal data to a ‘third country’ (which for […]

Read more »

UK adequacy decisions – lukewarm thumbs-up from the EDPB

15/04/21 – If you’ve been following the progress of the UK adequacy decisions (see updates from December 2020 and March 2021), you will know that we have been waiting for the European Data Protection Board’s opinions on the draft UK adequacy decisions.  As per the EDPB’s press release yesterday, these opinions have now been adopted. […]

Read more »

EU-UK data transfers – update

30/03/21 – As part of the Trade and Cooperation Agreement announced just before Christmas, the EU and the UK agreed a six-month ‘bridging period’ allowing transfers of personal data from the EEA to the UK to continue freely until 30th June 2021 – more detail here.  Half-way through the bridging period is probably a good […]

Read more »

Transfer Impact Assessment – what is it, and do I need to do one?

In July 2020 the European Court of Justice in its ‘Schrems II’ judgment invalidated the EU-U.S. Privacy Shield.  In their judgement the ECJ, whilst upholding Standard Contractual Clauses (SCCs) as a transfer tool, made it clear that data exporters (i.e. organisations within the EEA which transfer personal data to countries outside the EEA) must “verify, prior […]

Read more »

European Commission publishes draft UK adequacy decisions

22/02/21 – On 19 February 2021 the European Commission published two adequacy decisions, one for transfers of personal data to the UK under the GDPR and the other under the Law Enforcement Directive.  Although perhaps not surprising, this is still a positive step because it means the Commission has concluded that the UK does ensure […]

Read more »

How to draft a privacy policy

Article 13 of the GDPR (now incorporated into UK law, as amended) states that at the time you collect personal data from individuals you must provide them with certain information.  The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which […]

Read more »

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) confirms the terms on which one party (the ‘processor’) processes personal data provided or made available by another party (the ‘controller’). Examples of data processing include arrangements where an organisation provides details of its employees and their remuneration packages to a payroll services provider, or provides lists of its clients’ […]

Read more »

EU-UK data transfers from 1st January 2021 – where are we?

29/12/20 – Prior to the announcement of the EU-UK Trade and Cooperation Agreement [1], I was having to explain to a client that it was looking increasing likely that, from 1st January 2021, transfers of personal data from organisations located in EEA countries to the UK would no longer be lawful.

Read more »

Get in touch

  • Your email address will only be used to respond to your message