Photo of Kristof Van Quathem

Kristof Van Quathem

Subscribe to Kristof Van Quathem's Posts

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Follow: Read more about Kristof Van QuathemEmail

On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers.  These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.

These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework.  The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.

Continue Reading European Data Protection Board Publishes Guidelines on Certification as a Tool for International Personal Data Transfers

On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems.  Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app that processes or stores sensitive

The most significant change that GDPR made to EU data privacy law was to enhance enforcement and create a framework for increased fines for non-compliance. Four years after the GDPR started to apply, and as enforcement action picks up across the EU, the EDPB has finally issued draft guidelines on the calculation of administrative fines

On April 28, 2022, the Court of Justice of the EU (“CJEU”) decided that consumer protection associations may bring collective claims without a mandate from the affected consumers, including for violations of the GDPR, relying on national consumer law provisions.  The words “without a mandate” refers to the fact that the organization is not representing a particular consumer or group of consumers, rather, it is representing the collective interests of those whose personal data have been processed in a manner contrary to the GDPR, without naming particular data subjects.

Continue Reading Court of Justice of the EU Greenlights GDPR Collective Claims Without a Mandate

On May 4, 2022, the General Court of the EU handed down a decision that helps clarify the standard of proof required to demonstrate that information that does not identify someone by name constitutes “personal data” under EU data protection law.  The court also clarifies that the burden of proof falls on the entity alleging that the information is personal data.

The case concerns an online press release published by the European Anti-Fraud Office’s (“OLAF”) announcing that it had determined that a Greek scientist had committed fraud using EU funds intended to finance a research project.  Among other things, the scientist alleged that the press release contained “personal data” about her and, therefore, OLAF breached data protection law because it did not have a legal basis to disseminate her “personal data”.  She also alleged that OLAF’s press release had enabled two journalists to identify her and write each an article mentioning her by name.

The court disagreed with the position taken by the scientist, holding that the she was not able to demonstrate that the published information enabled her identification and, therefore, it had not demonstrated that the information was “personal data”.  It also decided that OLAF was not responsible for the news articles that identified the scientist by name.

Continue Reading General Court of the EU Finds that Individual was Unable to Prove that Information Published Online Constitutes “Personal Data”

Update: On May 3, 2022, the European Commission published the official version of the proposal for a European Health Data Space Regulation.  It’s open for feedback until July 14, 2022.

Original blog post: On March 3, 2022, a leaked version of the proposal for a regulation setting up the European Health Data Space was published.  The draft regulation will set up a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data).  The European Commission has not yet released an official version of the proposal.  It is expected to do so on May 3.

The leaked proposal is a lengthy document (126 pages, excluding annexes) that contains within it a number of different sets of rules.  Key requirements that are likely to be of interest to organizations in the life sciences sector are that the draft regulation proposes to:

  • create new patient rights over their electronic health data, and sets out rules regarding use of electronic health data for primary care;
  • establishes a pre-market conformity assessment requirement for electronic health record systems (“EHR systems”);
  • sets out rules that apply to digital health services and wellness apps; and
  • introduces a harmonized scheme for providing access to electronic health data for secondary use.


Continue Reading Draft Version of the European Health Data Space Regulation

The German Conference of Independent Supervisory Authorities (“DSK”) published on March 23, 2022 a statement on scientific research and data protection (see here, in German).  The DSK published the statement in response to the German Government’s initiative on a general law on research data as part of its Open Data Strategy, announced on July 6, 2021.  The DSK also refers to the Government’s intention to introduce a law on the use of health data, including the storage of data in electronic health records.
Continue Reading German Supervisory Authorities Publish Paper on Scientific Research and Data Protection

On March 2, 2022, following a fast-track legislative process in the French National Assembly and Senate, President Macron of France signed into law a new piece of legislation designed to reinforce parental controls over minors’ access to the Internet (the “Law”) (see final text of the Law published in the Official Journal here, in French).

The Law will apply primarily to manufacturers of devices that enable minors to access online services and content likely to harm [their] physical, mental or moral development” (e.g., computers, smart phones, and tablets).  The Law – which extends only to devices sold with an operating system (e.g., PCs, mobile phones, tablets, smart TVs) – requires manufacturers of such devices to provide a pre-installed parental control system which can be activated by parents or guardians upon first use.  The installation, use, and (where applicable) uninstallation the system must be provided to end users at no additional cost.

Continue Reading France Enacts New Law on Parental Controls

On Episode 18 of Covington’s Inside Privacy Audiocast, Dan Cooper, Moritz Hüsch, Kristof van Quathem, and Petros Vinis discuss GDPR enforcement, and the evolution of regulatory fines since the GDPR was enacted in 2018.


Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside

In a decision handed down on December 1, 2021, the Brussels Market Court (Court of Appeal) had an opportunity to consider the GDPR right of access.  The Belgian Ministry of Finance appealed the Belgian Supervisory Authority’s recent decision requiring the Ministry to grant a complainant access to her financial file and make corrections to the