SlideShare a Scribd company logo

GDPR - One Year Later

S
Simon Roth

On 17 May 2019, Lex Futura held a practical workshop on GDPR developments in Year 1.

Law
1 of 46
Download to read offline
GDPR – One Year Later Simon Roth 16th May 2019
1. GDPR Enforcement in Numbers 2. Developments in GDPR Case Law and Practice 3. Workshop: GDPR Paint Points in Practice 4. Digest this 5. Apéro and Flying Dinner Today’s schedule
GDPR Enforcement in Numbers
Cases opened
Fines imposed (1/2) Fines Google Other
Fines imposed (2/2) Average fine in Germany = € 6.100,00
Headcount of regulator
Budget of regulator (1/2)
Budget of regulator (2/2) «Although the majority of the 17 replying Supervisory Authorities stated that they would need an increase in the budget of 30-50%, almost none of them received the requested amount.»
Data breaches notified
Developments in GDPR Case Law and Practice
The GDPR actors Court of Justice of the European Union (CJEU) National Appellate Courts (NAC) European Data Protection Board (EDPB) Supervisory Authorities (SA) National Courts (NC) Court of Justice of the European Union – Advocate General (AG)
Jehova‘s Witnesses (1/3) CJEU NC EDPB SA NAC Judgment of the CJEU (Grand Chamber) of 10 July 2018, C-25/17, Tietosuojavaltuutettu v Jehovan todistajat— uskonnollinen yhdyskunta • Processing personal data in the context of door-to-door preaching is not a «purely personal or household activity» (which would fall outside of GDPR). • Handwritten notes taken by door-to-door preachers consisting of names, addresses and religious beliefs constitute a «filing system», which is subject to GDPR although the processing occurs by non-automated means. GDPR 2(2)(c) GDPR 2(1), 4(6) AG
Jehova‘s Witnesses (2/3) Judgment of the CJEU (Grand Chamber) of 10 July 2018, C-25/17, Tietosuojavaltuutettu v Jehovan todistajat— uskonnollinen yhdyskunta • The community of Jehova’s Witnesses is a joint controller of the personal data processed by the door-to-door preachers even though • the community has no access to the personal data and • the community has not given written guidelines or instructions to the preachers in relation to the processing. • This is because the community «organizes, coordinates and encourages» the preaching to «help to achieve the community’s objective, which is to spread its faith». GDPR 4(7), 26 CJEU NC EDPB SA NAC AG
Jehova‘s Witnesses (3/3) Judgment of the CJEU (Grand Chamber) of 10 July 2018, C-25/17, Tietosuojavaltuutettu v Jehovan todistajat— uskonnollinen yhdyskunta • Focus of the test lies on purpose, not on means, which has become quite irrelevant. • Taken to the extreme: Appointing someone who furthers your objectives makes you the joint controller of personal data processed by that person in that context. • In my opinion: unduly wide definition of controller but shows were the CJEU was heading to in 2018. CJEU NC EDPB SA NAC AG GDPR 4(7)
Wirtschaftsakademie (1/4) Judgment of the CJEU (Grand Chamber) of 5 June 2018, C-210/16, UnabhängigesLandeszentrumfür Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig Holstein GmbH CJEU NC EDPB SA NAC AG
Wirtschaftsakademie (2/4) Judgment of the CJEU (Grand Chamber) of 5 June 2018, C-210/16, UnabhängigesLandeszentrumfür Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig Holstein GmbH CJEU NC EDPB SA NAC AG • The administrator of a Facebook fan page is a joint controller of the personal data processed by Facebook. • This is because: • «the administrator gives Facebook the opportunity to place cookies on the computer of a person visiting its fan page» • «the administrator of the fan page can ask for demographic data relating to its target audience, […] and more generally enable it to target best the information it offers.» (Facebook Insights). GDPR 4(7), 26
Wirtschaftsakademie (3/4) Judgment of the CJEU (Grand Chamber) of 5 June 2018, C-210/16, UnabhängigesLandeszentrumfür Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig Holstein GmbH CJEU NC EDPB SA NAC AG • This is the case notwithstanding that: • «the audience statistics are transmitted to the administrator only in anonymized form» • because «the production of those statistics is based on the prior collection and the processing of the personal data of those visitors for such statistical purposes» • and in any event, «it is not required that each of the joint controllers have access to the personal data concerned.» GDPR 4(7), 26
Wirtschaftsakademie (4/4) Judgment of the CJEU (Grand Chamber) of 5 June 2018, C-210/16, UnabhängigesLandeszentrumfür Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig Holstein GmbH CJEU NC EDPB SA NAC AG GDPR 4(7), 26 But: «the existence of joint responsibility does not necessarily imply equal responsibility»
Joint controller agreements after Wirtschaftsakademie «Facebook Ireland agrees to take primary responsibility under the GDPR for the processing of Insights Data and to comply with all applicable obligations under GDPR with respect to the processing of Insights Data (including, but not limited to, Articles 12 and 13 GDPR, Articles 15 to 22 GDPR, and Articles 32 to 34 GDPR). Facebook Ireland will also make the essence of this Page Insights Addendum available to data subjects.» https://www.facebook.com/legal/terms/page_controller_addendum
Digital marketing after Wirtschaftsakademie Not a joint controller Joint controller
Fashion ID (1/4) Opinion of Advocate General Bobek of 19 December 2018, C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. CJEU NC EDPB SA NAC AG Advocate General Bobek (born 1977) highly critical of Jehova’s Witnesses and Wirtschaftsakademie: «Will effective protection be enhanced if everyone is made responsible for ensuring it?» «It is difficult to see how normal users of an online application would not also become joint controllers.» «Pushed to an extreme, if the only relevant criterion for joint control is to have made the data processing possible, would the internet service provider, or even the electricity provider, then not also be joint controllers potentially jointly liable for the processing of personal data?» «The intuitive answer is of course ‘no’. The problem is that the delineation of responsibility so far does not follow from the broad definition of a controller.» «A social network, like any other application or program, is a tool. Similar to a knife or a car, it can be used in a number of ways. There is also no doubt that if used for the wrong purposes, that use must be prosecuted. But it might perhaps not be the best idea to punish anyone and everyone who has ever used a knife. One normally prosecutes the person(s) controlling the knife when it caused harm.» GDPR 4(7), 26
Fashion ID (2/4) Opinion of Advocate General Bobek of 19 December 2018, C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. CJEU NC EDPB SA NAC AG GDPR 4(7), 26 • AG Bobek proposes to the CJEU to rule as follows: • «A person embedding a third-party plug-in in its website (Like Button), which causes the collection and transmission of personal data, is a joint controller together with the service provider (Facebook).» • «However, that joint responsibility is limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.» • «The responsibility cannot spill over into any potential subsequent stages of data processing, if such processing occurs outside the control and without the knowledge of the the website operator.»
Fashion ID (3/4) Opinion of Advocate General Bobek of 19 December 2018, C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. CJEU NC EDPB SA NAC AG GDPR 6(1)(a) • If both Facebook and the website operator are joint controllers, to whom must consent to data processing (setting of cookies) be given? • And who must give the transparency notice to the data subject? • AG Bobek: to/by the website operator • However, both consent and notice must only cover the collection and transmission of personal data, and not the subsequent processing by Facebook! GDPR 13, 14
Fashion ID (4/4) Opinion of Advocate General Bobek of 19 December 2018, C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. CJEU NC EDPB SA NAC AG • AG Bobek to be lauded for trying to take a more nuanced approach to who should be a (joint) controller and thus potentially liable for GDPR infringements. • CJEU given the opportunity to put reasonable limits to liability. Will they, however, take AG Bobek’s lead? • Given the breadth of arguments put forward, Fashion ID will be the final precedent on how far liability attaches in digital marketing scenarios. • The result of Fashion ID will be crucial for assessing the privacy risks of digital marketing in the future. • Even if the CJEU follows the AG, how to make the distinction between collection and transmission and subsequent processing will need more thoughts to implement in practice.
Planet49 (1/2) Opinion of Advocate General Szpunar of 21 March 2019, C-673/17, Planet49 GmbH v Bundesverbandder Verbraucherzentralen und Verbraucherverbände e.V. CJEU NC EDPB SA NAC AG • Having to untick a pre-ticked checkbox to “not consent” to the data processing (opt-out) is not valid GDPR consent. • Setting cookies requires consent by virtue of the ePrivacy Directive (ePRD) whether or not • the cookies are personal data for the purposes or GDPR, or • other legal bases (such as legitimate interest) are available under GDPR. • For consent purposes, the use of a button would be preferable over a checkbox to make the consent «separate». GDPR 6(1)(a), 7 GDPR 7(2) ePRD 5(3)
Planet49 (2/2) Opinion of Advocate General Szpunar of 21 March 2019, C-673/17, Planet49 GmbH v Bundesverbandder Verbraucherzentralen und Verbraucherverbände e.V. CJEU NC EDPB SA NAC AG • AG Szpunar’s remarkable statement regarding the requirement to unbundle consent: «It should be kept in mind that the underlying purpose in the participation in the lottery is the ‘selling’ of personal data. In other words, it is the providing of personal data which constitutes the main obligation of the user in order to participate in the lottery. In such a situation it appears to me that the processing of this personal data is necessary for the participation in the lottery.» • If confirmed, controllers could rely on consent in much wider circumstances. GDPR 7(4)
simpli services (Austria) Judgment of the Supreme Court of Austria of 31 August 2018, 6 Ob 140/18, Verein für Konsumenteninformation v simpli services GmbH & Co KG. CJEU NC EDPB SA NAC AG GDPR 7(4)• There is an absolute rule against making the performance of a contract conditional on the data subject consenting to the processing of personal data if such processing is not necessary for the performance of the contract. • No exceptions! • But obviously wrong if you read GDPR 7(4).
AD SPRAY (Italy) Judgment of the Supreme Court of Italy of 11 May 2018, 8194/2017, Autorità Garante per la Protezione di Dati Personali v AD SPRAY S.r.l. CJEU NC EDPB SA NAC AG GDPR 7(4)• The rule against making the performance of a contract conditional on the data subject consenting to the processing of personal data is qualified. • The authority should enquire whether the services in question can only be obtained through the controller or not. If they can be obtained elsewhere, bundling consent is less problematic. • At hand, the controller operated a financial news service. Such information can be obtained elsewhere without any difficulty. • If the user does not want to consent, then he or she should go to the kiosk, and buy a newspaper.
Therapeutic allergens (Germany) Judgment of the Higher Regional Court of Hamburg of 25 October 2018, 3 U 66/17, X v Y CJEU NC EDPB SA NAC AG GDPR 84• GDPR does not prevent Member States to create a private cause of action in unfair competition if a competitor infringes the GDPR. • German law makes it an act of unfair competition to breach the GDPR. • A competitor has a right to send a cease and desist letter (Abmahnung) to the infringer and then seek an injunction against the infringer.
Whistleblower (Germany) Judgment of the District Labor Court of Baden-Württemberg of 20 December 2018, 17 Sa 11/18, X v Y CJEU NC EDPB SA NAC AG GDPR 15(1), 15(4)• The right of access is applicable in the employment relationship and also while an employment dispute is pending in court. • The employee’s access request can be limited where complying with it would adversely affect the rights and freedoms of others. • However, it is not sufficient to generally invoke the “protection of whistleblowers” to restrict a former employee’s right of access to his HR data. • The controller that intends to restrict access must establish the compliance incident it relies on and show that the rights of the whistleblower outweigh the rights of the employee.
• The collection and publication of Admin-C and Tech-C contact information in the WHOIS directory cannot be based on consent. • For the simple reason that these persons are not asked for their consent when the registrant registers a URL. • There is also no legitimate interest in collecting and publishing this information. ICANN (Germany) CJEU NC EDPB SA NAC AG Interim Injunction of the District Court of Bonn of 18 July 2018, 10 O 171/18, EPAG Domainservices GmbH v Internet Corporation for Assigned Names and Numbers GDPR 6(1)(a) GDPR 6(1)(f)
• GDPR applies where the controller has an establishment in the European Economic Area (EEA) even if its processing activities are only directed towards non-EEA data subjects. Guidelines on the territorial scope – EEA establishment (1/3) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(1)
• GDPR does not apply to a non-EEA established processor merely because an EEA controller uses the services of this processor. • However, the controller is required to use only GDPR-compliant processors and will ensure this in the Data Processing Agreement with the processor. • Still, the non-EEA processor’s liability will be indirect and contractual only. Guidelines on the territorial scope – EEA establishment (2/3) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(1)
• GDPR does not apply to a non-EEA controller merely because this controller uses the services of an EEA processor. • However, GDPR applies to the EEA processor and it needs to comply with the processor obligations also in relation to the processing for the non-EEA controller. Guidelines on the territorial scope – EEA establishment (3/3) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(1)
• When considering the targeting criterion, the relevant question is whether such targeting is directed towards data subjects «who are in the EEA» at the time of the processing. • Citizenship, residence or workplace of the data subject is not relevant. Guidelines on the territorial scope – EEA targeting (1/2) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(2)(a)
• Targeting the EEA must always be present under this criterion. • Merely processing personal data of EEA-located subjects is in itself not sufficient. • Relevant elements for targeting are for example: • Search Engine Optimization tailored to a EEA country • Mentioning contact points in the EEA • Use of top level domains belonging to EEA countries (.de, .it, .fr, etc.) • Testimonials of EEA customers • Payment in Euro or other currency only used in an EEA country • Using a language that is (predominantly) only spoken in a EEA country • Offer to deliver ordered goods to an EEA address. • Not sufficient in itself: Accessibility of website in EEA Guidelines on the territorial scope – EEA targeting (2/2) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(2)(a)
• Monitoring must relate to the data subject’s behavior taking place in the EEA. • Monitoring includes for example: • Behavioral advertising • Geo-localization • Online tracking through cookies and similar technologies • However, if the controller shows an intention not to monitor behavior taking place in the EEA, GDPR does not apply. • By geo-blocking online monitoring technologies where the visitor accesses from the EEA, you can disapply the GDPR under this criterion! Guidelines on the territorial scope – EEA monitoring CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(2)(b)
• The E-Privacy Directive (ePRD) and GDPR co-exist (as of today). • Where ePRD provides for a special rule, ePRD prevails over GDPR. • ePRD therefore prevails over GDPR with regard to the legal basis for setting cookies: • Prior consent from the end user is required, unless the cookie is strictly necessary from a technical point of view. • The concept of consent in ePRD is the same as in GDPR. • However, enforcement of ePRD and sanctions for non-compliance are not governed by GDPR but rather the national law of Member States (which usually provide for much lower fines). Opinion on the interplay of ePRD and GDPR CJEU NC EDPB SA NAC AG Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, adopted on 12 March 2019 GDPR 95 ePRD 5(3)
• The ePRD is going to be replaced by a new ePrivacy Regulation (ePR). However, this change is unlikely to take effect before 2021. • The latest draft allows to set cookies without the end user’s consent if this is necessary (amongst others) • for audience measuring, • to maintain or restore security of an information society service. • This should at least help around the current problems with Google Analytics, Piwik and other audience measuring tools/cookies. • But ePR will introduce the same level of fines as for GDPR infringements. ePrivacy Regulation
• On 25 May 2018 endorsed previous WP29 guidance with regard to: • Lead Supervisory Authority • Automated decision-making and profiling • Data protection impact assessments • Data Protection Officer • Rights to data portability • Personal data breach notifications • Transparency • Consent Endorsement of WP29 guidelines CJEU NC EDPB SA NAC AG
• On 21 January 2019, the French CNIL fined Google €50,000,000.00 for • failing to make the transparency notice «easily accessible» as the relevant information would have been disseminated over several documents and obtainable only through several steps, and • failing to obtain valid consent for personalized ads because the consent would not have been «sufficiently informed» nor «specific» nor «unambiguous». • What happened to the one-stop shop? • Google has appealed the decision. CNIL – Fine against Google CJEU NC EDPB SA NAC AG Decision of the Commission Nationale de l’Informatique et des Libertés of 21 January 2019 GDPR 83 GDPR 12(1) GDPR 7 GDPR 60
• Poland, Bisnode, €220,000 – data scraping without legal basis. • Denmark, Taxa 4X35, €160,000 – violation of data minimization. • Portugal, Hospital near Lisbon, €400,000 – data breach. • Germany, knuddels.de, €20,000 – data breach. Selection of other fines CJEU NC EDPB SA NAC AG
Workshop: GDPR Pain Points in Practice
Some pain points in our experience What legal basis? How to map the data? How to negotiate DPAs? What to do with cookies? Do I need a tool? When to do a DPIA? Do I need to appoint a DPO? Does GDPR apply to me? Where to place the privacy notice? How to handle large SARs?
Thank you!

Recommended

Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Pat Coyle
 
EVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanEVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanChristian Folini
 
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetSecuring Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetChristian Folini
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisAngad Dayal
 
The Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandThe Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandChristian Folini
 
GDPR - A practical guide
GDPR - A practical guideGDPR - A practical guide
GDPR - A practical guideAngad Dayal
 
Dhs rfc on cybersecurity scholarships dhs 15-0302
Dhs rfc on cybersecurity scholarships dhs 15-0302Dhs rfc on cybersecurity scholarships dhs 15-0302
Dhs rfc on cybersecurity scholarships dhs 15-0302PublicLeaks
 
Legal Implications of a Cyber Attack
Legal Implications of a Cyber AttackLegal Implications of a Cyber Attack
Legal Implications of a Cyber AttackBrian Miller, Solicitor
 

Recommended

Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Pat Coyle
 
EVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanEVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanChristian Folini
 
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetSecuring Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetChristian Folini
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisAngad Dayal
 
The Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandThe Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandChristian Folini
 
GDPR - A practical guide
GDPR - A practical guideGDPR - A practical guide
GDPR - A practical guideAngad Dayal
 
Dhs rfc on cybersecurity scholarships dhs 15-0302
Dhs rfc on cybersecurity scholarships dhs 15-0302Dhs rfc on cybersecurity scholarships dhs 15-0302
Dhs rfc on cybersecurity scholarships dhs 15-0302PublicLeaks
 
Legal Implications of a Cyber Attack
Legal Implications of a Cyber AttackLegal Implications of a Cyber Attack
Legal Implications of a Cyber AttackBrian Miller, Solicitor
 
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...Emma Mirrington
 
Charity Law Updates for 2018: Making the Most of Change
Charity Law Updates for 2018: Making the Most of ChangeCharity Law Updates for 2018: Making the Most of Change
Charity Law Updates for 2018: Making the Most of ChangeIBB Law
 
United Kingdom GDPR Action Taken Against Canadian Company
United Kingdom GDPR Action Taken Against Canadian CompanyUnited Kingdom GDPR Action Taken Against Canadian Company
United Kingdom GDPR Action Taken Against Canadian CompanyBarry Schuman
 
GDPR A Privacy Regime
GDPR A Privacy RegimeGDPR A Privacy Regime
GDPR A Privacy Regimeijtsrd
 
CEE CMS Data Protection webinar series - Part 2
CEE CMS Data Protection webinar series - Part 2CEE CMS Data Protection webinar series - Part 2
CEE CMS Data Protection webinar series - Part 2CMSLondon
 
Why Data Protection Impact Assessment
Why Data Protection Impact AssessmentWhy Data Protection Impact Assessment
Why Data Protection Impact Assessmentshaabalbaghdadi
 
CEE CMS Data Protection webinar series - Part 1
CEE CMS Data Protection webinar series - Part 1CEE CMS Data Protection webinar series - Part 1
CEE CMS Data Protection webinar series - Part 1CMSLondon
 
Data Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkData Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkDavid Erdos
 
4차 산업혁명과 프라이버시
4차 산업혁명과 프라이버시4차 산업혁명과 프라이버시
4차 산업혁명과 프라이버시David Lee
 
Gdpr brexit presentation for brighton seo
Gdpr brexit presentation for brighton seoGdpr brexit presentation for brighton seo
Gdpr brexit presentation for brighton seoKeithBudden3
 
Brexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveBrexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveTrustArc
 
The impact of Brexit on the member states’ ability to build blocking coalitio...
The impact of Brexit on the member states’ ability to build blocking coalitio...The impact of Brexit on the member states’ ability to build blocking coalitio...
The impact of Brexit on the member states’ ability to build blocking coalitio...Środkowoeuropejskie Studia Polityczne
 
Administrative and public law seminar
Administrative and public law seminarAdministrative and public law seminar
Administrative and public law seminarBrowne Jacobson LLP
 
GDPR (En) JM Tyszka
GDPR (En) JM TyszkaGDPR (En) JM Tyszka
GDPR (En) JM TyszkaJean-Michel Tyszka
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018Altimeter, a Prophet Company
 
IAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulationIAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulationIAB Europe
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2Paul Richards
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2Keith Purves
 
CPDP 2022
CPDP 2022CPDP 2022
CPDP 2022Johnny Ryan
 
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...Johnny Ryan
 
GIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - ConsentGIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - ConsentIAB Europe
 
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?Mobile Age Project
 

More Related Content

What's hot

#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...Emma Mirrington
 
Charity Law Updates for 2018: Making the Most of Change
Charity Law Updates for 2018: Making the Most of ChangeCharity Law Updates for 2018: Making the Most of Change
Charity Law Updates for 2018: Making the Most of ChangeIBB Law
 
United Kingdom GDPR Action Taken Against Canadian Company
United Kingdom GDPR Action Taken Against Canadian CompanyUnited Kingdom GDPR Action Taken Against Canadian Company
United Kingdom GDPR Action Taken Against Canadian CompanyBarry Schuman
 
GDPR A Privacy Regime
GDPR A Privacy RegimeGDPR A Privacy Regime
GDPR A Privacy Regimeijtsrd
 
CEE CMS Data Protection webinar series - Part 2
CEE CMS Data Protection webinar series - Part 2CEE CMS Data Protection webinar series - Part 2
CEE CMS Data Protection webinar series - Part 2CMSLondon
 
Why Data Protection Impact Assessment
Why Data Protection Impact AssessmentWhy Data Protection Impact Assessment
Why Data Protection Impact Assessmentshaabalbaghdadi
 
CEE CMS Data Protection webinar series - Part 1
CEE CMS Data Protection webinar series - Part 1CEE CMS Data Protection webinar series - Part 1
CEE CMS Data Protection webinar series - Part 1CMSLondon
 
Data Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkData Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkDavid Erdos
 
4차 산업혁명과 프라이버시
4차 산업혁명과 프라이버시4차 산업혁명과 프라이버시
4차 산업혁명과 프라이버시David Lee
 
Gdpr brexit presentation for brighton seo
Gdpr brexit presentation for brighton seoGdpr brexit presentation for brighton seo
Gdpr brexit presentation for brighton seoKeithBudden3
 
Brexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveBrexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveTrustArc
 
The impact of Brexit on the member states’ ability to build blocking coalitio...
The impact of Brexit on the member states’ ability to build blocking coalitio...The impact of Brexit on the member states’ ability to build blocking coalitio...
The impact of Brexit on the member states’ ability to build blocking coalitio...Środkowoeuropejskie Studia Polityczne
 
Administrative and public law seminar
Administrative and public law seminarAdministrative and public law seminar
Administrative and public law seminarBrowne Jacobson LLP
 

What's hot (13)

#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
#FIRMday Manchester Autumn 2017 - The General Data Protection Regulation (GDP...
 
Charity Law Updates for 2018: Making the Most of Change
Charity Law Updates for 2018: Making the Most of ChangeCharity Law Updates for 2018: Making the Most of Change
Charity Law Updates for 2018: Making the Most of Change
 
United Kingdom GDPR Action Taken Against Canadian Company
United Kingdom GDPR Action Taken Against Canadian CompanyUnited Kingdom GDPR Action Taken Against Canadian Company
United Kingdom GDPR Action Taken Against Canadian Company
 
GDPR A Privacy Regime
GDPR A Privacy RegimeGDPR A Privacy Regime
GDPR A Privacy Regime
 
CEE CMS Data Protection webinar series - Part 2
CEE CMS Data Protection webinar series - Part 2CEE CMS Data Protection webinar series - Part 2
CEE CMS Data Protection webinar series - Part 2
 
Why Data Protection Impact Assessment
Why Data Protection Impact AssessmentWhy Data Protection Impact Assessment
Why Data Protection Impact Assessment
 
CEE CMS Data Protection webinar series - Part 1
CEE CMS Data Protection webinar series - Part 1CEE CMS Data Protection webinar series - Part 1
CEE CMS Data Protection webinar series - Part 1
 
Data Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR FrameworkData Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research: The New GDPR Framework
 
4차 산업혁명과 프라이버시
4차 산업혁명과 프라이버시4차 산업혁명과 프라이버시
4차 산업혁명과 프라이버시
 
Gdpr brexit presentation for brighton seo
Gdpr brexit presentation for brighton seoGdpr brexit presentation for brighton seo
Gdpr brexit presentation for brighton seo
 
Brexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK PerspectiveBrexit Data Protection Update: The EU, US and UK Perspective
Brexit Data Protection Update: The EU, US and UK Perspective
 
The impact of Brexit on the member states’ ability to build blocking coalitio...
The impact of Brexit on the member states’ ability to build blocking coalitio...The impact of Brexit on the member states’ ability to build blocking coalitio...
The impact of Brexit on the member states’ ability to build blocking coalitio...
 
Administrative and public law seminar
Administrative and public law seminarAdministrative and public law seminar
Administrative and public law seminar
 

Similar to GDPR - One Year Later

IAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulationIAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulationIAB Europe
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2Paul Richards
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2Keith Purves
 
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...Johnny Ryan
 
GIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - ConsentGIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - ConsentIAB Europe
 
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?Mobile Age Project
 
Jisc GDPR conference
Jisc GDPR conferenceJisc GDPR conference
Jisc GDPR conferenceJisc
 
GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.James Seville
 
INFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securityINFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securitySamo Zavašnik
 
The new EU regulatory landscape - How might it impact digital advertising?
The new EU regulatory landscape - How might it impact digital advertising?The new EU regulatory landscape - How might it impact digital advertising?
The new EU regulatory landscape - How might it impact digital advertising?Nick Stringer
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
Impact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesImpact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesEquiGov Institute
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpraudrey miguel
 
GDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to KnowGDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to KnowVisitor Analytics
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 

Similar to GDPR - One Year Later (20)

GDPR (En) JM Tyszka
GDPR (En) JM TyszkaGDPR (En) JM Tyszka
GDPR (En) JM Tyszka
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
IAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulationIAB Europe position on the proposal for an ePrivacy regulation
IAB Europe position on the proposal for an ePrivacy regulation
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
 
CPDP 2022
CPDP 2022CPDP 2022
CPDP 2022
 
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
Brendan Eich's letter to Senator Thune and Senator Nelson, Senate Committee o...
 
GIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - ConsentGIG Working Paper 03/2017 - Consent
GIG Working Paper 03/2017 - Consent
 
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
Policy Brief : Can the GDPR help SMEs innovate for older adults in Europe?
 
Esc Rennes gdpr oct 2018
Esc Rennes gdpr oct 2018Esc Rennes gdpr oct 2018
Esc Rennes gdpr oct 2018
 
Jisc GDPR conference
Jisc GDPR conferenceJisc GDPR conference
Jisc GDPR conference
 
Didier Reynders letter to the EU Parliament
Didier Reynders letter to the EU ParliamentDidier Reynders letter to the EU Parliament
Didier Reynders letter to the EU Parliament
 
GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.
 
INFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securityINFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL security
 
The new EU regulatory landscape - How might it impact digital advertising?
The new EU regulatory landscape - How might it impact digital advertising?The new EU regulatory landscape - How might it impact digital advertising?
The new EU regulatory landscape - How might it impact digital advertising?
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
Impact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economiesImpact of GDPR on the pre dominant business model for digital economies
Impact of GDPR on the pre dominant business model for digital economies
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpr
 
GDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to KnowGDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to Know
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 

Recently uploaded

Doctrine of Part-Performance.ddddddddddppt
Doctrine of Part-Performance.ddddddddddpptDoctrine of Part-Performance.ddddddddddppt
Doctrine of Part-Performance.ddddddddddppt2020000445musaib
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxfilippoluciani9
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxMollyBrown86
 
$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...
$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...
$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...PsychicRuben LoveSpells
 
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptxPamelaAbegailMonsant2
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书E LSS
 
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top BoutiqueAndrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top BoutiqueSkyLaw Professional Corporation
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfKelechi48
 
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptxPresentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptxRRR Chambers
 
PowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxPowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxca2or2tx
 
Clarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo forClarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo forRoger Valdez
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...James Watkins, III JD CFP®
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdfSUSHMITAPOTHAL
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfPoojaGadiya1
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubham Wadhonkar
 
THE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourTHE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourBhavikaGholap1
 
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxIBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxRRR Chambers
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书SS A
 
3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.pptseri bangash
 
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxMOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxRRR Chambers
 

Recently uploaded (20)

Doctrine of Part-Performance.ddddddddddppt
Doctrine of Part-Performance.ddddddddddpptDoctrine of Part-Performance.ddddddddddppt
Doctrine of Part-Performance.ddddddddddppt
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptx
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...
$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...
$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...
 
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书
 
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top BoutiqueAndrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptxPresentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
 
PowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptxPowerPoint - Legal Citation Form 1 - Case Law.pptx
PowerPoint - Legal Citation Form 1 - Case Law.pptx
 
Clarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo forClarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo for
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptx
 
THE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourTHE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labour
 
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxIBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
 
3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt
 
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxMOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
 

GDPR - One Year Later

  • 1. GDPR – One Year Later Simon Roth 16th May 2019
  • 2. 1. GDPR Enforcement in Numbers 2. Developments in GDPR Case Law and Practice 3. Workshop: GDPR Paint Points in Practice 4. Digest this 5. Apéro and Flying Dinner Today’s schedule
  • 6. Fines imposed (2/2) Average fine in Germany = € 6.100,00
  • 9. Budget of regulator (2/2) «Although the majority of the 17 replying Supervisory Authorities stated that they would need an increase in the budget of 30-50%, almost none of them received the requested amount.»
  • 11. Developments in GDPR Case Law and Practice
  • 12. The GDPR actors Court of Justice of the European Union (CJEU) National Appellate Courts (NAC) European Data Protection Board (EDPB) Supervisory Authorities (SA) National Courts (NC) Court of Justice of the European Union – Advocate General (AG)
  • 13. Jehova‘s Witnesses (1/3) CJEU NC EDPB SA NAC Judgment of the CJEU (Grand Chamber) of 10 July 2018, C-25/17, Tietosuojavaltuutettu v Jehovan todistajat— uskonnollinen yhdyskunta • Processing personal data in the context of door-to-door preaching is not a «purely personal or household activity» (which would fall outside of GDPR). • Handwritten notes taken by door-to-door preachers consisting of names, addresses and religious beliefs constitute a «filing system», which is subject to GDPR although the processing occurs by non-automated means. GDPR 2(2)(c) GDPR 2(1), 4(6) AG
  • 14. Jehova‘s Witnesses (2/3) Judgment of the CJEU (Grand Chamber) of 10 July 2018, C-25/17, Tietosuojavaltuutettu v Jehovan todistajat— uskonnollinen yhdyskunta • The community of Jehova’s Witnesses is a joint controller of the personal data processed by the door-to-door preachers even though • the community has no access to the personal data and • the community has not given written guidelines or instructions to the preachers in relation to the processing. • This is because the community «organizes, coordinates and encourages» the preaching to «help to achieve the community’s objective, which is to spread its faith». GDPR 4(7), 26 CJEU NC EDPB SA NAC AG
  • 15. Jehova‘s Witnesses (3/3) Judgment of the CJEU (Grand Chamber) of 10 July 2018, C-25/17, Tietosuojavaltuutettu v Jehovan todistajat— uskonnollinen yhdyskunta • Focus of the test lies on purpose, not on means, which has become quite irrelevant. • Taken to the extreme: Appointing someone who furthers your objectives makes you the joint controller of personal data processed by that person in that context. • In my opinion: unduly wide definition of controller but shows were the CJEU was heading to in 2018. CJEU NC EDPB SA NAC AG GDPR 4(7)
  • 16. Wirtschaftsakademie (1/4) Judgment of the CJEU (Grand Chamber) of 5 June 2018, C-210/16, UnabhängigesLandeszentrumfür Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig Holstein GmbH CJEU NC EDPB SA NAC AG
  • 17. Wirtschaftsakademie (2/4) Judgment of the CJEU (Grand Chamber) of 5 June 2018, C-210/16, UnabhängigesLandeszentrumfür Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig Holstein GmbH CJEU NC EDPB SA NAC AG • The administrator of a Facebook fan page is a joint controller of the personal data processed by Facebook. • This is because: • «the administrator gives Facebook the opportunity to place cookies on the computer of a person visiting its fan page» • «the administrator of the fan page can ask for demographic data relating to its target audience, […] and more generally enable it to target best the information it offers.» (Facebook Insights). GDPR 4(7), 26
  • 18. Wirtschaftsakademie (3/4) Judgment of the CJEU (Grand Chamber) of 5 June 2018, C-210/16, UnabhängigesLandeszentrumfür Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig Holstein GmbH CJEU NC EDPB SA NAC AG • This is the case notwithstanding that: • «the audience statistics are transmitted to the administrator only in anonymized form» • because «the production of those statistics is based on the prior collection and the processing of the personal data of those visitors for such statistical purposes» • and in any event, «it is not required that each of the joint controllers have access to the personal data concerned.» GDPR 4(7), 26
  • 19. Wirtschaftsakademie (4/4) Judgment of the CJEU (Grand Chamber) of 5 June 2018, C-210/16, UnabhängigesLandeszentrumfür Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig Holstein GmbH CJEU NC EDPB SA NAC AG GDPR 4(7), 26 But: «the existence of joint responsibility does not necessarily imply equal responsibility»
  • 20. Joint controller agreements after Wirtschaftsakademie «Facebook Ireland agrees to take primary responsibility under the GDPR for the processing of Insights Data and to comply with all applicable obligations under GDPR with respect to the processing of Insights Data (including, but not limited to, Articles 12 and 13 GDPR, Articles 15 to 22 GDPR, and Articles 32 to 34 GDPR). Facebook Ireland will also make the essence of this Page Insights Addendum available to data subjects.» https://www.facebook.com/legal/terms/page_controller_addendum
  • 21. Digital marketing after Wirtschaftsakademie Not a joint controller Joint controller
  • 22. Fashion ID (1/4) Opinion of Advocate General Bobek of 19 December 2018, C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. CJEU NC EDPB SA NAC AG Advocate General Bobek (born 1977) highly critical of Jehova’s Witnesses and Wirtschaftsakademie: «Will effective protection be enhanced if everyone is made responsible for ensuring it?» «It is difficult to see how normal users of an online application would not also become joint controllers.» «Pushed to an extreme, if the only relevant criterion for joint control is to have made the data processing possible, would the internet service provider, or even the electricity provider, then not also be joint controllers potentially jointly liable for the processing of personal data?» «The intuitive answer is of course ‘no’. The problem is that the delineation of responsibility so far does not follow from the broad definition of a controller.» «A social network, like any other application or program, is a tool. Similar to a knife or a car, it can be used in a number of ways. There is also no doubt that if used for the wrong purposes, that use must be prosecuted. But it might perhaps not be the best idea to punish anyone and everyone who has ever used a knife. One normally prosecutes the person(s) controlling the knife when it caused harm.» GDPR 4(7), 26
  • 23. Fashion ID (2/4) Opinion of Advocate General Bobek of 19 December 2018, C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. CJEU NC EDPB SA NAC AG GDPR 4(7), 26 • AG Bobek proposes to the CJEU to rule as follows: • «A person embedding a third-party plug-in in its website (Like Button), which causes the collection and transmission of personal data, is a joint controller together with the service provider (Facebook).» • «However, that joint responsibility is limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.» • «The responsibility cannot spill over into any potential subsequent stages of data processing, if such processing occurs outside the control and without the knowledge of the the website operator.»
  • 24. Fashion ID (3/4) Opinion of Advocate General Bobek of 19 December 2018, C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. CJEU NC EDPB SA NAC AG GDPR 6(1)(a) • If both Facebook and the website operator are joint controllers, to whom must consent to data processing (setting of cookies) be given? • And who must give the transparency notice to the data subject? • AG Bobek: to/by the website operator • However, both consent and notice must only cover the collection and transmission of personal data, and not the subsequent processing by Facebook! GDPR 13, 14
  • 25. Fashion ID (4/4) Opinion of Advocate General Bobek of 19 December 2018, C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. CJEU NC EDPB SA NAC AG • AG Bobek to be lauded for trying to take a more nuanced approach to who should be a (joint) controller and thus potentially liable for GDPR infringements. • CJEU given the opportunity to put reasonable limits to liability. Will they, however, take AG Bobek’s lead? • Given the breadth of arguments put forward, Fashion ID will be the final precedent on how far liability attaches in digital marketing scenarios. • The result of Fashion ID will be crucial for assessing the privacy risks of digital marketing in the future. • Even if the CJEU follows the AG, how to make the distinction between collection and transmission and subsequent processing will need more thoughts to implement in practice.
  • 26. Planet49 (1/2) Opinion of Advocate General Szpunar of 21 March 2019, C-673/17, Planet49 GmbH v Bundesverbandder Verbraucherzentralen und Verbraucherverbände e.V. CJEU NC EDPB SA NAC AG • Having to untick a pre-ticked checkbox to “not consent” to the data processing (opt-out) is not valid GDPR consent. • Setting cookies requires consent by virtue of the ePrivacy Directive (ePRD) whether or not • the cookies are personal data for the purposes or GDPR, or • other legal bases (such as legitimate interest) are available under GDPR. • For consent purposes, the use of a button would be preferable over a checkbox to make the consent «separate». GDPR 6(1)(a), 7 GDPR 7(2) ePRD 5(3)
  • 27. Planet49 (2/2) Opinion of Advocate General Szpunar of 21 March 2019, C-673/17, Planet49 GmbH v Bundesverbandder Verbraucherzentralen und Verbraucherverbände e.V. CJEU NC EDPB SA NAC AG • AG Szpunar’s remarkable statement regarding the requirement to unbundle consent: «It should be kept in mind that the underlying purpose in the participation in the lottery is the ‘selling’ of personal data. In other words, it is the providing of personal data which constitutes the main obligation of the user in order to participate in the lottery. In such a situation it appears to me that the processing of this personal data is necessary for the participation in the lottery.» • If confirmed, controllers could rely on consent in much wider circumstances. GDPR 7(4)
  • 28. simpli services (Austria) Judgment of the Supreme Court of Austria of 31 August 2018, 6 Ob 140/18, Verein für Konsumenteninformation v simpli services GmbH & Co KG. CJEU NC EDPB SA NAC AG GDPR 7(4)• There is an absolute rule against making the performance of a contract conditional on the data subject consenting to the processing of personal data if such processing is not necessary for the performance of the contract. • No exceptions! • But obviously wrong if you read GDPR 7(4).
  • 29. AD SPRAY (Italy) Judgment of the Supreme Court of Italy of 11 May 2018, 8194/2017, Autorità Garante per la Protezione di Dati Personali v AD SPRAY S.r.l. CJEU NC EDPB SA NAC AG GDPR 7(4)• The rule against making the performance of a contract conditional on the data subject consenting to the processing of personal data is qualified. • The authority should enquire whether the services in question can only be obtained through the controller or not. If they can be obtained elsewhere, bundling consent is less problematic. • At hand, the controller operated a financial news service. Such information can be obtained elsewhere without any difficulty. • If the user does not want to consent, then he or she should go to the kiosk, and buy a newspaper.
  • 30. Therapeutic allergens (Germany) Judgment of the Higher Regional Court of Hamburg of 25 October 2018, 3 U 66/17, X v Y CJEU NC EDPB SA NAC AG GDPR 84• GDPR does not prevent Member States to create a private cause of action in unfair competition if a competitor infringes the GDPR. • German law makes it an act of unfair competition to breach the GDPR. • A competitor has a right to send a cease and desist letter (Abmahnung) to the infringer and then seek an injunction against the infringer.
  • 31. Whistleblower (Germany) Judgment of the District Labor Court of Baden-Württemberg of 20 December 2018, 17 Sa 11/18, X v Y CJEU NC EDPB SA NAC AG GDPR 15(1), 15(4)• The right of access is applicable in the employment relationship and also while an employment dispute is pending in court. • The employee’s access request can be limited where complying with it would adversely affect the rights and freedoms of others. • However, it is not sufficient to generally invoke the “protection of whistleblowers” to restrict a former employee’s right of access to his HR data. • The controller that intends to restrict access must establish the compliance incident it relies on and show that the rights of the whistleblower outweigh the rights of the employee.
  • 32. • The collection and publication of Admin-C and Tech-C contact information in the WHOIS directory cannot be based on consent. • For the simple reason that these persons are not asked for their consent when the registrant registers a URL. • There is also no legitimate interest in collecting and publishing this information. ICANN (Germany) CJEU NC EDPB SA NAC AG Interim Injunction of the District Court of Bonn of 18 July 2018, 10 O 171/18, EPAG Domainservices GmbH v Internet Corporation for Assigned Names and Numbers GDPR 6(1)(a) GDPR 6(1)(f)
  • 33. • GDPR applies where the controller has an establishment in the European Economic Area (EEA) even if its processing activities are only directed towards non-EEA data subjects. Guidelines on the territorial scope – EEA establishment (1/3) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(1)
  • 34. • GDPR does not apply to a non-EEA established processor merely because an EEA controller uses the services of this processor. • However, the controller is required to use only GDPR-compliant processors and will ensure this in the Data Processing Agreement with the processor. • Still, the non-EEA processor’s liability will be indirect and contractual only. Guidelines on the territorial scope – EEA establishment (2/3) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(1)
  • 35. • GDPR does not apply to a non-EEA controller merely because this controller uses the services of an EEA processor. • However, GDPR applies to the EEA processor and it needs to comply with the processor obligations also in relation to the processing for the non-EEA controller. Guidelines on the territorial scope – EEA establishment (3/3) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(1)
  • 36. • When considering the targeting criterion, the relevant question is whether such targeting is directed towards data subjects «who are in the EEA» at the time of the processing. • Citizenship, residence or workplace of the data subject is not relevant. Guidelines on the territorial scope – EEA targeting (1/2) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(2)(a)
  • 37. • Targeting the EEA must always be present under this criterion. • Merely processing personal data of EEA-located subjects is in itself not sufficient. • Relevant elements for targeting are for example: • Search Engine Optimization tailored to a EEA country • Mentioning contact points in the EEA • Use of top level domains belonging to EEA countries (.de, .it, .fr, etc.) • Testimonials of EEA customers • Payment in Euro or other currency only used in an EEA country • Using a language that is (predominantly) only spoken in a EEA country • Offer to deliver ordered goods to an EEA address. • Not sufficient in itself: Accessibility of website in EEA Guidelines on the territorial scope – EEA targeting (2/2) CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(2)(a)
  • 38. • Monitoring must relate to the data subject’s behavior taking place in the EEA. • Monitoring includes for example: • Behavioral advertising • Geo-localization • Online tracking through cookies and similar technologies • However, if the controller shows an intention not to monitor behavior taking place in the EEA, GDPR does not apply. • By geo-blocking online monitoring technologies where the visitor accesses from the EEA, you can disapply the GDPR under this criterion! Guidelines on the territorial scope – EEA monitoring CJEU NC EDPB SA NAC AG Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation adopted on 16 November 2018 GDPR 3(2)(b)
  • 39. • The E-Privacy Directive (ePRD) and GDPR co-exist (as of today). • Where ePRD provides for a special rule, ePRD prevails over GDPR. • ePRD therefore prevails over GDPR with regard to the legal basis for setting cookies: • Prior consent from the end user is required, unless the cookie is strictly necessary from a technical point of view. • The concept of consent in ePRD is the same as in GDPR. • However, enforcement of ePRD and sanctions for non-compliance are not governed by GDPR but rather the national law of Member States (which usually provide for much lower fines). Opinion on the interplay of ePRD and GDPR CJEU NC EDPB SA NAC AG Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, adopted on 12 March 2019 GDPR 95 ePRD 5(3)
  • 40. • The ePRD is going to be replaced by a new ePrivacy Regulation (ePR). However, this change is unlikely to take effect before 2021. • The latest draft allows to set cookies without the end user’s consent if this is necessary (amongst others) • for audience measuring, • to maintain or restore security of an information society service. • This should at least help around the current problems with Google Analytics, Piwik and other audience measuring tools/cookies. • But ePR will introduce the same level of fines as for GDPR infringements. ePrivacy Regulation
  • 41. • On 25 May 2018 endorsed previous WP29 guidance with regard to: • Lead Supervisory Authority • Automated decision-making and profiling • Data protection impact assessments • Data Protection Officer • Rights to data portability • Personal data breach notifications • Transparency • Consent Endorsement of WP29 guidelines CJEU NC EDPB SA NAC AG
  • 42. • On 21 January 2019, the French CNIL fined Google €50,000,000.00 for • failing to make the transparency notice «easily accessible» as the relevant information would have been disseminated over several documents and obtainable only through several steps, and • failing to obtain valid consent for personalized ads because the consent would not have been «sufficiently informed» nor «specific» nor «unambiguous». • What happened to the one-stop shop? • Google has appealed the decision. CNIL – Fine against Google CJEU NC EDPB SA NAC AG Decision of the Commission Nationale de l’Informatique et des Libertés of 21 January 2019 GDPR 83 GDPR 12(1) GDPR 7 GDPR 60
  • 43. • Poland, Bisnode, €220,000 – data scraping without legal basis. • Denmark, Taxa 4X35, €160,000 – violation of data minimization. • Portugal, Hospital near Lisbon, €400,000 – data breach. • Germany, knuddels.de, €20,000 – data breach. Selection of other fines CJEU NC EDPB SA NAC AG
  • 45. Some pain points in our experience What legal basis? How to map the data? How to negotiate DPAs? What to do with cookies? Do I need a tool? When to do a DPIA? Do I need to appoint a DPO? Does GDPR apply to me? Where to place the privacy notice? How to handle large SARs?