Peter Craddock’s Post

New Belgian Data Protection Authority decision: - Both the controller *and* the processor can be liable for not having a data processing agreement (DPA) in place - If you sign a DPA with "retroactivity clause" (i.e. foreseeing an earlier effective date than the signature date), that retroactivity clause does not have any effect from a #GDPR compliance perspective - the signature date is relevant for determining whether you had a DPA in place covering the processing => Conclusion for both the controller and the processor: infringement of Art. 28(3) GDPR, because they did not actually have a DPA in place at the time of the relevant processing A few key excerpts (machine translation): Para. 27: "the obligation to conclude a contract or to be bound by a binding legal act lies on both the controller (here the first defendant) and the processor (here the second defendant) and not on the controller alone. This is particularly important where, as is the case here, a processor offers its specialist services to a large number of separate controllers. It would not be consistent with the GDPR (or, moreover, with the reality on the ground) to consider that the initiative for concluding the contract (and its proposed content) should come solely from the data controller." Para. 29: "the Litigation Chamber is of the opinion that the retroactivity clause provided for in the contract of [DATE] is not such as to compensate for the absence of a contract at the time of the facts. If such a retroactivity clause were to be accepted, it would de facto make it possible to circumvent the temporal application of the obligation under Article 28.3. of the GDPR, which, as was as developed in points 26 and 27 above, on both the controller and the processor. the processor. However, as explained in point 28 above, the GDPR itself provides for a period of 2 years between its entry into force and its entry into application for progressive compliance by all the entities concerned. [...] The obligation to conclude such a contract [...] also pursues the objective of guaranteeing the protection of the rights and freedoms of the data subjects whose data which will be processed in the context of the relationship which the controller (here the first defendant) and the processor (here the second defendant) choose to create between them are thus protected. This lack of protection - which is required by the GDPR - cannot be covered by a contractual retroactivity clause agreed by the defendants alone, in defiance of the rights of the data subjects - who are not parties to the contract - enshrined in a standard that is moreover of a European level." Para. 30: "the Litigation Chamber concludes that both the first and second defendants [=> the controller *and* the processor] are guilty of a breach of Article 28(3) of the GDPR." Link (decision in French): https://lnkd.in/dw4xzsW7 #dataprotection #privacy

Third-Party Rights and Data Protection: The decision by the Belgian Data Protection Authority to fine a #datacontroller and #dataprocessor for failing to put in place a #dataprocessingagreement in place brings out the unique nature of #contracting in data protection. Typically the doctrine of #privity in contracts dictates that contracts are intended to only benefit those that are parties to it. This doctrine however seems to fall away when it comes to agreements that involve the processing of personal data as data subjects, despite not being parties to such agreements can lodge a claim against such processing.

EDPB adopted its contribution to the European Commission’s report on the application of the GDPR Art 97 GDPR requires the Commission to submit a report on the evaluation and review of the GDPR to the EP and the Council. The European Data Protection Board issued this week its first report to contribute to the Commission's report. In the report, the EDPB highlights that: • The application of the GDPR in the first 5 and a half years has been successful. • Since 2018, the EDPB has consolidated its position as the EU body in charge of ensuring the consistent application of the GDPR, making use of the full set of instruments at its disposal. • Effective and efficient cooperation between data protection authorities leads to a common data protection culture and consistent enforcement practices. The EDPB considers that the existing tools in the GDPR have the potential to achieve such a goal, although this requires that they are used in a sufficiently harmonised way. • The EDPB recalls that additional cooperationactions in the area of GDPR enforcement are essential in order to ensure a consistent application of the law. It highlighted though some important challenges, crucially, potential new responsibilities for SAs and lack of resources. • The technological landscape is continuously evolving and new technologies emerge regularly. The GDPR fully applies to emerging technologies and provides rules which foster innovation while, at the same time, ensuring the protection of personal data. • New responsibilities may be placed upon the SAs and/or EDPB with regard to the supervision and enforcement of new legal acts, such as the  - Data Governance Act (DGA),  - Digital Services Act (DSA),  - Digital Markets Act (DMA) - proposed AI Act • The resources of the SAs and EDPB are not increasing at the same pace as their responsibilities and tasks. • There is a lack of harmonisation with regard to the powers of the SAs under the new regulations adopted in the context of the Commission’s Digital Strategy and the European Data Strategy • For proposals that are still under negotiation, the EDPB calls on the colegislators to work towards greater clarity and homogeneity as to the role and powers of the SAs. • The importance to continue to develop, expand and multiply adequacy decisions with third countries and international organisations. In conclusion: no need to review the GDPR • The EDPB takes a positive view of the implementation of the GDPR including its capacity to also stand the test of new technological and societal developments. • There is no need to revise the legislative text at this point in time. H/T Maria Roberta Perugini

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR sets out a number of requirements for organizations that process personal data, including: * Obtaining consent from individuals before collecting or processing their personal data. * Providing individuals with access to their personal data and the right to correct or delete it. * Notifying individuals if their personal data has been breached. * Taking appropriate security measures to protect personal data. The GDPR also gives individuals a number of rights, including: * The right to be informed about how their personal data is being processed. * The right to access their personal data. * The right to correct or delete their personal data. * The right to object to the processing of their personal data. * The right to data portability. ' GDPR compliance toolkit. Here are some of the key provisions of the GDPR: * **Personal data:** The GDPR defines personal data as any information relating to an identified or identifiable natural person ('data subject'). This includes information such as a name, address, email address, phone number, and IP address. * **Processing:** The GDPR defines processing as any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. * **Data controller:** The GDPR defines a data controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. * **Data processor:** The GDPR defines a data processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. * **Consent:** The GDPR requires that consent be freely given, specific, informed and unambiguous. Consent must be given by a clear and affirmative act, such as ticking a box or clicking a button. * **Rights of the data subject:** The GDPR gives individuals a number of rights, including the right to access their personal data, the right to correct or delete their personal data, the right to object to the processing of their personal data, and the right to data portability. * **Enforcement:** The GDPR is enforced by the supervisory authorities in each EU member state. The supervisory authorities have the power to investigate complaints, issue fines, and take other enforcement actions. .

Principles and Lawful bases under General Data Protection Regulations (GDPR), 2018 I would like to discuss a basic difference between, Principles and Lawful bases under GDPR, 2018 The data processing principles provide the conditions on which an organization is permitted to process personal data. If an organization fails to satisfy these principles in their data processing then such processing shall be unlawful. Processing of personal data is lawful only, if and to the extent that, it is permitted under the EU data protection law. If the controller does not have a legal basis for a given data processing activity, then the data processing activity is prima facie unlawful. As discussed above in two paras about principles and lawful bases, let us suppose, if an organization has legal basis in its processing but does not satisfy GDPR principles, then what will be its impact on the processing? Will it be lawful or unlawful? Now, in brief, let us discuss about types of GDPR Principles and Lawful bases. GDPR Principles are as follows: 1.      Fair, Lawful and transparent processing 2.      The purpose of limitation principles 3.      Data Minimization 4.      Accuracy 5.      Data Retention Period 6.      Data Security 7.      Accountability GDPR Lawful bases are as follows: 1.      Consent 2.      Contractual Necessity 3.      Compliance with legal obligation 4.      Vital Interest 5.      Public Interest 6.      Legitimate interest E.g. Suppose an organization provides Car rental services such as OLA , Uber or any one like that, takes your consent while you create an account on their platform to use their services. Organization takes your consent to process your device batter percentage and you gives your consent for that, it does not matter whether the consent was taken with or without your knowledge and organization starts processing your device battery percentage for its benefit and shows you high fare if the battery percentage is low. Is this processing lawful while the organization took the consent of the data subject to process battery percentage which is a First Lawful bases (Consent) of GDPR ? Answer is No, whether the consent has been taken by an organization to process the data of data subject but the 3rd principle of  GDPR which is “Data Minimization” is not followed by the organization because to provide services to the data subject, organization does not require data subject’s device battery percentage. As per this principle only that much of data can be taken by the data controller which is only required and in the above case battery percentage is not required and it violates this principle. Hence, as stated above, if any of the GDPR principle is not followed then the processing will be unlawful. Skill Arbitrage LawSikho Freelance Department LawSikho SAURABH RAJ Ramanuj Mukherjee Abhyuday Agarwal

CJEU #GDPR Double Strike in German Preliminary Ruling Procedures! Within just a few days the Court of Justice for the European Union (#CJEU) has published 2 decisions originating from German courts regarding interpretation of GDPR provisions: 1. In its judgment dated 5 December 2023 (Case C-807/21 - Deutsche Wohnen) presented by the Higher Regional Court Berlin (#Kammergericht), the court held that a German law permitting administrative fines against corporate entities only where an identified legal representative of that entity was proven to have committed a criminal or administrative offence which at the same time led to a breach of the obligations of the entity is not in line with GDPR. The respective provision of the German Act on Administrative Fines (#OWiG) must consequently not be applied by German Data Protection Supervisory Authorites when imposing an administrative fine for GDPR vilation against an entity. However, the court also emphasized that such fine may still only be imposed if and to the extent the entity acting intentionally or negligently. As legal entities are not able to act on their own but only by their representatives and personnel, I remain curious how Data Protection Authorities will address this requirement going forward. Full text here: https://lnkd.in/gkVFa_dU 2. In its second judgment dated 7 December 2023 (C-634/21 - Schufa) presented by the Administrative court Wiesbaden, the court held that Art. 22 GDPR applies also to probability values created by credit scoring agencies based on personal data that are used by third parties in order to decide whether the respective indiviual is eligible for a credit or establishing a contract. The court affirmed by this judgdment that it is not required under Art. 22 GDPR that the generated value automatically leads to such a direct legal decision but that it is rather sufficient that the individual is factually rendered inelligible due to the score and receives a respective decision by the potential company relying on the value. Sec. 31 of the German Data Protection Act (#BDSG) imposes specific requirements on the use of such values by companies providing for an exception of the general rule of Art 22 GDPR that such "autmated" decisions are prohibited. This decision will on the one hand have a material impact on the practice of scoring agencies and companies relying on the scores but will as an indirect result also raise questions regarding the compliance of Sec. 31 BDSG with GDPR permitting national deviations only in very limited scenarios observing strict requirements. Full text here: https://lnkd.in/gTk3x6Ni

Data protection never sleeps... 🛌  The Court of Justice (CJEU) was very active at the end of last week, publishing three judgments on the subject. I present the key takeaways in order of practical importance for organisations processing personal data:  1) Endemol case (C-740/22): The CJEU was asked to rule on the following question: does the oral communication of data fall within the scope of the GDPR?  First of all, the Court considers that such communication does constitute "processing". So far, so good.  Second, the Court rules on the question of whether this processing falls within the material scope of the RGPD (automated or manual processing via a filing system). Here it becomes more surprising. After considering that it is no automated processing (obviously!), the Court seems to accept that oral communication may constitute manual processing via a filing system. According to the Court, the GDPR does not specify the structure or form of the file, so there is nothing to exclude oral communication from the GDPR, provided that the data can be easily retrieved.  This case law is new and surprising, and sounds the death knell for the frequent practice consisting in inviting a candidate to informally disclose their criminal record by showing it, without actually disclosing it by e-mail.  2) OC case (C-479/22): I have been waiting for this judgment for some time as it is an appeal brought against Decision T-384/20, which troubled me. The latter, relating to Regulation 2018/1725 (the "GDPR of the European institutions"), in fact deleted the criterion of indirect identification, since it ruled that only the acts of a European institution can give rise to liability, to the exclusion of external factors. In addition, the Court held that the identification criterion can only be met if an average reader is able to identify the data subject. Reading this decision made me think that there was a two-tier case-law on data protection, one for the European institutions and another for entities subject to the GDPR. Fortunately, the CJEU has eventually aligned the two case law and annuled the T-384/20 decision.  3) IAB Europe case (C-604/22): This long-awaited judgment is interesting because of the facts of the case. However, it does not provide any new legal lesson. The only element which, in my view, merits particular attention is recitals 62 to 64, where the Court considers that IAB determines the purpose of the processing (recording users' consent preferences) in that IAB promotes the sale and purchase of advertising space on the internet. Stibbe EU Legal Studies @ULiege #GDPR #Data #DataProtection #IAB #OC #Endemol

The European Data Protection Board (EDPB) recently submitted its first report to the European Commission, contributing to the Commission's mandated evaluation of the General Data Protection Regulation (GDPR) as required by Article 97 of the GDPR. The report offers several key observations: 1. The GDPR has been effectively applied since its inception five and a half years ago. 2. The EDPB has established itself as the key EU entity for ensuring GDPR's uniform application, utilizing various available tools. 3. Effective collaboration among data protection authorities is fostering a unified data protection culture and consistent enforcement practices, though harmonized tool usage is needed to fully realize this potential. 4. Additional collaborative actions in GDPR enforcement are critical for consistent law application. 5. Challenges include evolving technologies and potentially new responsibilities for Supervisory Authorities (SAs), such as oversight of emerging legal acts like the Data Governance Act, Digital Services Act, Digital Markets Act, and proposed AI Act. 6. The resources for SAs and the EDPB are not increasing commensurately with their expanding responsibilities. 7. There's a lack of uniformity in SAs' powers under new regulations tied to the Commission’s Digital Strategy and European Data Strategy. 8. The EDPB encourages clarity and uniformity in pending legislative proposals concerning SAs' roles and powers. 9. The report emphasizes the need to continue establishing data protection agreements with third countries and international organizations. In conclusion, the EDPB views GDPR implementation positively and sees no current need to revise the legislative text, considering its adaptability to new technological and societal changes. https://lnkd.in/ew8iZ4aP

𝗘𝗨 𝗖𝗼𝗺𝗺𝗶𝘀𝘀𝗶𝗼𝗻 𝗽𝗿𝗼𝗽𝗼𝘀𝗲𝘀 𝗮𝗺𝗲𝗻𝗱𝗲𝗱 𝘁𝗶𝗺𝗲 𝗽𝗲𝗿𝗶𝗼𝗱 𝗰𝗮𝗹𝗰𝘂𝗹𝗮𝘁𝗶𝗼𝗻 𝗳𝗼𝗿 𝗚𝗗𝗣𝗥 𝗮𝗻𝗱 𝗱𝗮𝘁𝗮 𝗯𝗿𝗲𝗮𝗰𝗵 𝗻𝗼𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻𝘀 Between the years, you (sometimes) have time to deal with topics that were neglected during the year. For me, for example, this is the Commission's proposal for a Regulation laying down additional procedural rules relating the enforcement of the GDPR (COM(2023) 348 final). - Proposal of the EU Commission on the calculation of time periods - In my view, the proposed Art. 29 is interesting. This reads: 1.Time-limits provided for in or fixed by the supervisory authorities pursuant to Regulation (EU) 2016/679 shall be calculated in accordance with Regulation (EEC, Euratom) No 1182/71 of the Council. 2.Time periods shall begin on the working day following the event to which the relevant provision of Regulation (EU) 2016/679 or this Regulation refers.” Para 1 no longer comes as a big surprise. GDPR time limits are not calculated according to national law, but according to European law. But para 2 is more relevant. According to this, time periods shall begin on the working day "following the event to which the relevant provision of" GDPR refers. This requirement is not only related to the proposed regulation, but expressly to all time periods of the GDPR. Compared to Regulation (EEC, Euratom) No. 1182/71, it leads to a different calculation of time periods for periods in hours (like Art. 33 (1) GDPR). - Requirements of Regulation (EEC, Euratom) No. 1182/71 - According to Art. 3 para. 1 & para. 2 a), where a period expressed in hours is to be calculated from the moment at which an event occurs, the hour during which that event occurs shall not be considered as falling within the period. And, a period expressed in hours shall start at the beginning of the first hour. Such a period measured in hours can be found in Art. 33 (1) #GDPR. The notification should be made by the controller "where feasible, within 72 hours of becoming aware of the breach". - Amendment through Art. 29 para. 2 - If Art. 29 para. 2 of the regulation establishing additional procedural rules would actually become applicable, the time period would not start to run at the beginning of the next hour. Because, according to Art. 29 para. 2, the time period begins "on the working day following the event". The Art. 33 time period would therefore start to run later as currently in accordance with Regulation (EEC, Euratom) No. 1182/71. Example: If the controller becomes aware of the personal data breach at 16:20, the 72-hour period does not begin until 00:00 on the next working day. The controller therefore would "gain" a few hours. In other situations, the gain in time can be even greater. For example, the controller becomes aware of the breach at 09:45 in the morning. Then you gain 14 hours compared to the current calculation (period would currently start at 10 a.m.). #DSGVO #dataprotection #privacy