Posted on Categories privacy/personal data protection

Standard contractual clauses need to be updated by 27 December 2022

Entities transferring personal data outside the European Economic Area on the basis of standard contractual clauses that are no longer in force (where the transfer began before 27 September 2021) should conclude agreements based on new clauses by 27 December 2022.

Under the General Data Protection Regulation, the transfer of personal data to “third countries” (outside the European Economic Area) is only permitted if the conditions set forth in the GDPR are met, i.e. generally when:

  • The transfer is made to a country which the European Commission has determined provides an adequate degree of protection (i.e. it has issued an adequacy decision—decisions issued so far are available on the European Commission website)
  • If there is no adequacy decision, then adequate safeguards are provided, including in the form of conclusion of an agreement based on standard contractual clauses between the entities involved in the transfer
  • If there is no adequacy decision or adequate safeguards, then one of the special circumstances specified in the GDPR applies.
Continue reading “Standard contractual clauses need to be updated by 27 December 2022”
Posted on Categories privacy/personal data protection

Cookies: The coming revolution

Last year regulators in the EU devoted a lot of attention to cookie files and other tracking technologies used on websites. This interest was generated among other sources by numerous complaints filed by NOYB—European Center for Digital Rights in the last year with data protection authorities, and has resulted in guidance and several decisions issued by regulators in recent months (e.g. in Austria, Belgium and France). Because they may shape the future approach of regulators to the use of cookies, it is worth discussing some of the main conclusions flowing from these decisions.

Continue reading “Cookies: The coming revolution”
Posted on Categories changes in law, privacy/personal data protection

Data Governance Act: A step closer to easier sharing of data

On 30 November 2021, the Council of the European Union and the European Parliament reached a provisional agreement on the final wording of a draft Data Governance Act (DGA) (COM/2020/767 final).

The aim of the proposal is to promote the availability of data and to build a trustworthy environment facilitating the use of data (both person and non-personal) for research and creation of innovative new products and services. It is also intended to create a legal framework for easier sharing of data and mechanisms facilitating re-use of certain data held by the public sector, including data involving health, agriculture and the environment.

Continue reading “Data Governance Act: A step closer to easier sharing of data”
Posted on Categories data economy, privacy/personal data protection

What is the right to personal data?

When seeking inspiration for the future legal status of data, it is worth taking a closer look at how the right to personal data has been shaped. In particular, we could consider whether it is a property right and whether the current legal framework for the right to personal data corresponds to reality and meets our needs.

The attempt to define an absolute right to personal data is mainly driven by Art. 1(2) of the EU’s General Data Protection Regulation, which states that one of the objectives of the regulation is to protect the “right to the protection of personal data.” The right to protection of personal data is also enshrined in the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union.

The source of this right is found in European legislation. For this reason, an attempt to determine the substance of the right to data protection is difficult, as we cannot simply and directly refer to structures known from the different legal systems of the member states.

The essence of the right to data protection seems to be indicated in recital 7 of the GDPR preamble, which states, “Natural persons should have control of their own personal data.” Thus, the right to protection of personal data is primarily intended to give data subjects control over their data. The specific content of this right is defined by the protective instruments provided for in the GDPR. Among other things, these instruments consist of a guaranteed right to information about processed data, the right of control, but also the right to object to data processing. Many of these rights are similar to the bundle of rights also found in classical property law structures. However, important differences also exist.

Continue reading “What is the right to personal data?”
Posted on Categories electronic identification, privacy/personal data protection

Tech versus virus: Contact tracing

The battle with the coronavirus is dynamically entering another phase. After the initial shock, we are realising that technology may have a crucial impact on the rate of return to a somewhat more normal life. This doesn’t mean just biotech. Solutions keeping the virus under relative control until effective vaccines reach the market can prove just as important.

With this article, we would like to launch a series of publications on the legal aspects of solutions for supporting the battle with the coronavirus. These solutions are extremely interesting from the conceptual and technological perspective, but also entail numerous legal issues.

Continue reading “Tech versus virus: Contact tracing”
Posted on Categories electronic identification, privacy/personal data protection

Verification of age to access pornographic content

An anti-obscenity association issued a proposal for an Act on Protection of Minors against Pornographic Content on 16 December 2019. It has gained the official support of the Family Council, which recommended to the Prime Minister that the proposal be adopted for further legislative work. The Minister of Family, Labour and Social Policy announced that work on the bill should conclude in the first half of 2020. The need to restrict children’s access to pornography is obvious, but the proposal has generated much controversy, mainly due to the proposed mechanism for age verification, which may invade internet users’ privacy. The proposal would also impose additional obligations on telecommunications operators, electronic service providers, and payment service providers.

Continue reading “Verification of age to access pornographic content”