My blog

Who owns the copyright in software created by your employees?

12/03/21 – In accordance with the Copyright, Designs and Patents Act 1988 where any work “is made by an employee in the course of his employment, his employer is the first owner of any copyright in the work, subject to any agreement to the contrary”.

Transfer Impact Assessment – what is it, and do I need to do one?

In July 2020 the European Court of Justice in its ‘Schrems II’ judgment invalidated the EU-U.S. Privacy Shield. In its judgment the ECJ, whilst upholding Standard Contractual Clauses (SCCs) as a transfer tool, made it clear that data exporters (i.e. organisations within the EEA which transfer personal data to countries outside the EEA) must “verify, prior […]

European Commission publishes draft UK adequacy decisions

22/02/21 – On 19 February 2021 the European Commission published two adequacy decisions, one for transfers of personal data to the UK under the GDPR and the other under the Law Enforcement Directive.  Although perhaps not surprising, this is still a positive step because it means the Commission has concluded that the UK does ensure […]

How to draft a privacy policy

Article 13 of the GDPR (now incorporated into UK law, as amended) states that at the time you collect personal data from individuals you must provide them with certain information.  The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which […]

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) confirms the terms on which one party (the ‘processor’) processes personal data provided or made available by another party (the ‘controller’). Examples of data processing include arrangements where an organisation provides details of its employees and their remuneration packages to a payroll services provider, or provides lists of its clients’ […]

EU-UK data transfers from 1st January 2021 – where are we?

29/12/20 – Prior to the announcement of the EU-UK Trade and Cooperation Agreement [1], I was having to explain to a client that it was looking increasingly likely that, from 1st January 2021, transfers of personal data from organisations located in EEA countries to the UK would no longer be lawful.

European Commission publishes new draft SCCs for consultation

19/11/20 – By way of background, transfers of EU citizens’ personal data to locations outside the European Economic Area (EEA) require a GDPR-permitted transfer mechanism.

Special category data – what do I need to know?

OK, let’s start with the basics. What is ‘special category data’? Article 9 of the GDPR (as incorporated into UK law, and amended) (“UK GDPR”) defines special category data as: Personal data revealing: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership. Data concerning: health; a person’s sex life; a person’s […]

EDPB Guidelines on controllers and processors

21/09/20 – On 2 September 2020, the European Data Protection Board (EDPB) adopted ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’.  The Guidelines deal with the principles underpinning the differences between controllers and processors, and also delve into the more esoteric world of joint controllers.

Demise of the EU-U.S. Privacy Shield

23/07/20 – If you, as a ‘data exporter’, want to transfer personal data to a country outside the EEA (and which is not one of the 12 countries that have been granted an adequacy decision by the European Commission), then you need to use one of the GDPR-approved ‘transfer mechanisms’.
