On 9 October 2024, the European Data Protection Board (EDPB) published its Opinion 22/2024, clarifying the responsibilities of controllers when relying on processors and sub-processors. This guidance emphasizes the importance...more
In October 2024, a new draft for a German Employee Data Act (Beschäftigtendatengesetz) was published. The draft aims on a comprehensive regulation of the processing of employee data prior, during, and after the termination of...more
The 17 October 2024 deadline for the national implementation of the NIS2 Directive is fast approaching, leaving only little time for the German legislature to finalize the necessary legislative measures. As a much anticipated...more
On 24 April 2024, the European Data Protection Board ("EDPB") released a set of guidance documents and template complaint forms to facilitate the implementation of the redress mechanisms corresponding to the EU-U.S. Data...more
On 6 May 2024, the German data protection authorities (“DPAs”) issued an extensive guidance paper on the GDPR compliant deployment of artificial intelligence (“AI”) applications. This article summarizes the key findings of...more
Following the European Court of Justice’s (“ECJ”) landmark judgement of 5 December 2023 (case no. C-807/21), the Higher Regional Court of Berlin specified the requirements for GDPR fine notices issued by data protection...more
Earlier this month, EU lawmakers met for the second trilogue meeting in the negotiations on the upcoming Cyber Resilience Act (“CRA”). The CRA aims to strengthen cybersecurity in Europe on an unprecedent scale – the European...more
This summer, the European Data Protection Board (“EDPB”) published the final version of its Recommendations 01/2022 (“Recommendations”) on Binding Corporate Rules for Controllers (“C-BCR”). During the turbulence caused by the...more
On 10 July 2023, the European Commission (EC) adopted its eagerly expected adequacy decision on data transfers under the EU-U.S. Data Privacy Framework (DPF). The adequacy decision was preceded by substantial changes to U.S....more
On the bumpy road towards a new adequacy decision for EU-U.S. data transfers, the European Data Protection Board (“EDPB”) has published its Opinion 5/2023 (“Opinion”) on the European Commission's (“Commission”) draft adequacy...more
The Data Protection Authority (“DPA”) of the German state Hamburg is one of the first European DPA to publish an optimistic assessment on the U.S. Executive Order on “Enhancing Safeguards for United States Signals...more
12/5/2022
/ Adequacy Requirement ,
Court of Justice of the European Union (CJEU) ,
Data Collection ,
Data Protection Authority ,
EU ,
European Commission ,
Executive Orders ,
Germany ,
Government Investigations ,
Intelligence Services ,
International Data Transfers ,
Judicial Review ,
Personal Data ,
Privacy Framework ,
Proportionality ,
Schrems I & Schrems II
Binding Corporate Rules (BCR) are often considered the “gold standard” for international transfers of personal data subject to the GDPR. In contrast to the Standard Contractual Clauses of the European Commission (SCC), BCR...more
On 25 May 2022, the European Commission released long-awaited guidance for the Standard Contractual Clauses (SCCs) adopted in June 2021. The Commission has developed Questions and Answers (Q&As) as a dynamic source of...more
At the beginning of the year, the German data protection authorities (DPAs) announced that they would take joint action to enforce the decision of the European Court of Justice (ECJ) in the "Schrems II" case. On June 1,...more
6/17/2021
/ Audits ,
Court of Justice of the European Union (CJEU) ,
Cybersecurity ,
Data Protection ,
Data Protection Authority ,
EU ,
Germany ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
Web Tracking
Following the coming into effect of the GDPR three years ago and in light of last year’s Schrems II decision, the European Commission has adopted a new set of Standard Contractual Clauses (SCCs) aimed at enabling lawful...more
6/4/2021
/ Corporate Counsel ,
Cybersecurity ,
Data Controller ,
Data Processors ,
Data Protection ,
EDPS ,
EU ,
European Data Protection Board (EDPB) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Schrems I & Schrems II ,
Standard Contractual Clauses
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) weigh in on the new Standard Contractual Clauses proposed by the European Commission (EC) for transfers to third countries (new...more
2/5/2021
/ Cybersecurity ,
Data Protection ,
EDPS ,
EU ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Schrems I & Schrems II ,
Standard Contractual Clauses
Germany has seen a couple of record GDPR fines since the German Data Protection Authorities (DPA) issued their guidance paper on how to measure GDPR fines in October 2019. One of these DPA sanctions was recently subject to...more
11/18/2020
/ Cybersecurity ,
Data Protection ,
Enforcement Actions ,
EU ,
European Economic Area (EEA) ,
Fines ,
General Data Protection Regulation (GDPR) ,
Germany ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Statutory Violations
The European Data Protection Board (EDPB) has issued its long-awaited practical guidance following the Court of Justice of the European Union’s (CJEU) landmark Schrems II decision....more
When it comes to infringements of the EU General Data Protection Regulation (GDPR), the first thing that comes to mind are proceedings and fines imposed by the data protection authorities. It is often neglected that GDPR...more