Some notes/reminders for data controllers based on the Bulgarian Personal Data Protection Commission’s practice from the last quarter of 2020: 1. The requirement for a timely and motivated response to a data subject’s request (e.g. for access to or erasure of her/his personal data) is a separate obligation of the data controller and its violation […]
On 16 July 2020 the European Court of Justice (ECJ) rendered its much anticipated ruling in Case C-311/18 (Schrems II) by which it invalidated the European Commission’s Decision on the adequacy of the protection provided by the EU-US Data Protection Shield (the Privacy Shield Decision) and provided some important insight on personal data transfers outside […]
COVID-19 screening at the workplace
On 29 July 2019 the European Court of Justice rendered its preliminary ruling in Case C-40/17 Fashion ID GmbH & Co. KG v. Verbraucherzentrale NRW eV providing insight on the limits of a controller’s responsibilities under Directive 95/46 and possibly under the GDPR. Fashion ID, an online clothing retailer, embedded on its website the ‘Like’ plugin of Facebook which […]
On June 5, the European Court of Justice (ECJ) released its preliminary ruling in the case Wirtschaftsakademie Schleswig-Holstein. The ECJ found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page. By creating a fan page on Facebook and defining the criteria […]
A recent GDPR seminar attended by members of our team inspired us to share our thoughts on how the new European legislation on data protection would affect the M&A transactions. The GDPR implications on M&A deals would certainly go beyond the borders of the EU given the extraterritorial application of the Regulation. Privacy “by design” […]
Data protection officers (“DPO”) will become key figures within organisations striving to ensure compliance with the stricter requirements of the GDPR as from May 2018. In the end of 2016, a conservative estimate by the International Association of Privacy Professionals suggested that 75,000 DPO positions will be created globally in response to the adoption of […]
Before the GDPR enters into force on 25 May 2018, companies processing personal data will have to reassess their approach to personal data processing. Under the current state of the law, a company acting as a personal data processor that has been found liable for unlawful personal data processing would be liable for a breach […]
On its entry into force, the GDPR would make reliance on data subjects’ consents inappropriate for many personal data processing activities. A practical tip to self-test current consents: if it seems difficult for a controller to obtain a valid consent, perhaps there is another legal ground that should apply. When implementing a GDPR compliance strategy, […]
One of the most common grounds for lawful processing of personal data is obtaining the data subject’s consent. As from 25 May 2018 when the GDPR shall enter into force, the requirements for obtaining lawfully such consent will be significantly amended. Despite being more burdensome for companies, the new requirements may serve as a competitive […]
