EU Data Protection

EDPB issues draft guidelines on the interplay between the GDPR’s provisions on territorial scope and international data transfers

November 22, 2021 By Wim Nauwelaerts and Privacy, Cyber & Data Strategy Team

On November 18, the European Data Protection Board (“EDPB”) released draft guidelines on the interplay between Article 3 GDPR – which sets out the GDPR’s territorial scope – and the provisions in Chapter V of the GDPR, which impose restrictions on international data transfers. In this draft guidance, the EDPB clarifies which (cumulative) criteria must […]

UK Unveils Post-Brexit Data Plans with an Emphasis on International Transfers of Personal Data

August 26, 2021 By Paul Greaves

Today, the UK Department of Digital, Culture, Media and Sport (“DCMS”) has made a series of announcements shedding light on the UK’s post-Brexit data strategy. The announcements – which emphasize the importance of international transfers of personal data to global trade – include as follows: A Press Release, providing an overview of the UK government’s […]

Swiss Data Protection Regulator Is Latest to Outline Framework for Transferring Data to the SEC

August 17, 2021 By Daniel Felz, Kate Hanniford and Wim Nauwelaerts

Entities registered with the U.S. Securities & Exchange Commission (SEC) must maintain certain books and records and can be subject to the SEC’s examination, inspection, and enforcement authority. Responding to SEC requests can require cross-border transfers of personal data, and this has historically risked non-compliance under foreign data protection law. The SEC has been proactive […]

EDPB publishes Guidelines on the Concepts of Controller and Processor in the GDPR

July 21, 2021 By Paul Greaves, Wim Nauwelaerts and Privacy, Cyber & Data Strategy Team

On July 7th, the European Data Protection Board (“EDPB”) adopted its finalized guidelines on the concepts of controller and processor in the General Data Protection Regulation (“GDPR”). While the EDPB’s predecessor – the Article 29 Working Party – had issued guidance on the concepts of controller/processor (Opinion 1/2010, WP169) back in 2010, many practical concerns […]

The EDPB-EDPS Joint Opinion on Data Processing Standard Contractual Clauses: Key Takeaways

February 4, 2021 By Wim Nauwelaerts

When a controller engages a processor, the GDPR requires that the parties enter into a specific contract that contains certain mandatory provisions. This contract is often referred to as a ‘data processing agreement’ or ‘DPA’. To facilitate compliance with this requirement, the GDPR has provided the European Commission with the power to issue standard contractual […]