Kristof Van Quathem

Kristof Van Quathem

Subscribe to all posts by Kristof Van Quathem

The Spanish Supervisory Authority Approves a GDPR Code of Conduct on Advertising

On September 16, 2020, the Spanish Supervisory Authority (“AEPD”) approved a “Code of Conduct for Data Processing in Advertising” (“Code”) (see the decision approving the code here). This is the first GDPR approved Code of Conduct with an accredited monitoring body in the European Union. The Code enters into effect on November 17, 2020, two … Continue Reading

French Court of Cassation Decides That an Employer Can Use a Facebook Post to Dismiss an Employee

On September 30, 2020, the French Court of Cassation (“Court”) ruled in favor of an employer that dismissed an employee because of the contents of a Facebook post (the decision is available here, in French).  In particular, the employee in this case posted a photograph of a new clothing collection of the employer on a … Continue Reading

French Supervisory Authority Releases Strict Guidance on the Use of Facial Recognition Technology at Airports

On October 9, 2020, the French Supervisory Authority (“CNIL”) issued guidance on the use of facial recognition technology for identity checks at airports (available here, in French).  The CNIL indicates that it has issued this guidance in response to a request from several operators and service providers of airports in France who are planning to … Continue Reading

French Supervisory Authority Publishes Final Version of Cookie Guidelines, Says It Will Start Enforcing Them in April 2021

On October 1, 2020, the French Supervisory Authority (“CNIL”) published the final version of its Guidelines on cookies and other tracking technologies (hereafter, “guidelines” – see announcement here, and guidelines here, in French), as well as an adjoining set of best practice recommendations (in French) with examples on how to implement the guidelines.  In this … Continue Reading

Life After Schrems II: Practical Recommendations In An Uncertain Time

On 16 July, 2020, the Court of Justice of the EU (“CJEU”), issued its decision in the Schrems II case.  In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs … Continue Reading

Inside Privacy Audiocast: Episode 1 – Post-Schrems II: Paving A Way Forward

The Court of Justice of the European Union’s recent decision in the “Schrems II’ case was one of the most highly anticipated decisions in the world of data privacy, striking down the EU-U.S. Privacy Shield, but upholding the validity of standard contractual clauses. Tune in to the first episode of Covington’s Inside Privacy Audiocast, where … Continue Reading

AI Update: EU High-Level Working Group Publishes Self Assessment for Trustworthy AI

On July 17, 2020, the High-Level Expert Group on Artificial Intelligence set up by the European Commission (“AI HLEG”) published The Assessment List for Trustworthy Artificial Intelligence (“Assessment List”). The purpose of the Assessment List is to help companies identify the risks of AI systems they develop, deploy or procure, and implement appropriate measures to … Continue Reading

EU’s Highest Court Strikes Down Privacy Shield But Upholds Other Key International Data Transfer Mechanism

Today, the Court of Justice of the European Union issued a landmark decision striking down the EU-U.S. Privacy Shield—an agreement between EU and U.S. authorities authorizing transfers of EU personal data to the United States—but upholding the validity of standard contractual clauses (“SCCs”), another mechanism that EU-based organizations use to transfer data internationally. Covington represents … Continue Reading

European Commission Publishes 2-Year Report on the Implementation of the GDPR

On June 24, 2020, the European Commission (“Commission”) published its much-anticipated assessment of the EU’s General Data Protection Regulation (“GDPR”) two years after it went into effect.  The assessment takes into account contributions from the European Council, the European Parliament, the European Data Protection Board (“EDPB”), individual supervisory authorities, the Multi-Stakeholder Expert Group and other … Continue Reading

French Council of State Decides that the French Supervisory Authority Cannot Prohibit Cookie Walls

On June 19, 2020, the French Council of State (Conseil d’État) decided that the French Supervisory Authority (“CNIL”) had gone too far in its guidance on cookies and similar technologies when it stated that conditioning a user’s access to a website upon his or her acceptance of certain cookies (commonly known as “cookie walls”) is … Continue Reading

Belgian SA Decision on Lodging GDPR Complaints

On June 8, 2020, the Belgian Supervisory Authority (“SA”) fined a (then ex-) politician €5,000 for sending political marketing materials without an appropriate legal basis.  Although the fine was not massive, the case is interesting for another reason: the complaint was brought not by the individuals who received the marketing materials, but by their employer. … Continue Reading

Belgian Supervisory Authority’s GDPR Track Record So Far

On May 25, 2020, the second anniversary of the GDPR, the Belgian Supervisory Authority (“SA”) released an overview of its first full year of activity (available in French here, and in Dutch here).  To be clear, this was not a delay in reporting, but rather shows that the Belgian legislature was late in creating its … Continue Reading

French CNIL Publishes Paper on Algorithmic Discrimination

On June 2, 2020, the French Supervisory Authority (“CNIL”) published a paper on algorithmic discrimination prepared by the French independent administrative authority known as “Défenseur des droits”.  The paper is divided into two parts: the first part discusses how algorithms can lead to discriminatory outcomes, and the second part includes recommendations on how to identify … Continue Reading

German Federal Agencies Publish Privacy and IT Security Requirements for Digital Health Applications

On April 21, 2020, the Regulation on the Requirements and Reimbursement Process for Digital Health Applications (Digitale Gesundheitsanwendungen-Verordnung or „DiGAV“, available here) entered into force in Germany.  Among other provisions, the DiGAV includes specific IT security and privacy requirements.  Shortly after the law took effect, Germany’s Federal Medicines and Medical Devices Agency (“BfArM”) also released … Continue Reading

Dutch Supervisory Authority Fines Company for Processing Biometric Data of Employees

On April 28, 2020, the Dutch Supervisory Authority (“Dutch SA”) announced its decision to impose a fine of €725,000 on a company for unlawfully processing the biometric data of its employees. In 2018, the company concerned installed an access and time management system that collected and processed biometric templates of employees’ fingerprints.  This initiative came … Continue Reading

European Data Protection Board Issues Guidelines on Processing Personal Data for Scientific Research Related to COVID-19

On April 21, 2020, the European Data Protection Board (“Board”) issued guidelines on the processing of personal data for scientific research related to COVID-19.  The Board indicates that the GDPR takes into account the needs of scientific research and should not be a barrier to conduct such research, while at the same time, it helps … Continue Reading

French Supervisory Authority Launches Public Consultation on the Digital Rights of Minors

On April 21, 2020, the French Supervisory Authority (“CNIL”) launched a public consultation on the rights of minors in the digital services. The consultation is open until June 1, 2020.  The CNIL will use the contributions it receives to prepare recommendations in this area. Under the French Data Protection Law, minors over 15 years old … Continue Reading

German Supervisory Authority Publishes New Standard Clauses for Processors

On April 9, 2020, the German Supervisory Authority of Baden-Wuerttemberg published standard contractual clauses for data processors pursuant to Article 28(8) GDPR.  It is the first German Supervisory Authority to do so, and the second in EU after the Danish Supervisory Authority published its own standard clauses in July 2019.  However, while the Danish clauses … Continue Reading

New German Legislation Facilitates Scientific Research in the Health Sector

On March 28, 2020, the “Federal Act for the Protection of the Population against an Epidemic of National Significance” (Bevölkerungsschutzgesetz) went into effect.  The law forms part of an emergency legislative package introduced by the German government in response to COVID-19. The law amends the Social Code V (SGB V) by introducing a new provision … Continue Reading

COVID-19 Apps and Websites – The “Pan-European Privacy Preserving Proximity Tracing Initiative” and Guidance by Supervisory Authorities

Pan-European Privacy Preserving Proximity Tracing Initiative According to media sources, an EU consortium led by Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) will soon release software code that can be used to create apps that will help track transmission chains of COVID-19.  The Pan-European Privacy Preserving Proximity Tracing (“PEPP-PT”) project comprises more than 130 … Continue Reading

Dutch Supervisory Authority Investigates Connected Cars

On March 24, 2020, the Dutch Supervisory Authority (“SA”) announced the launch of a broad investigation into automobile manufacturers, to determine whether any violations of data protection laws have occurred in relation to connected cars. The Dutch SA sent a questionnaire to all Netherlands-based car and truck manufacturers, asking what types of personal data they … Continue Reading

Guidance released by EU Authorities on How to Ensure IT Security when Working Remotely

In order to combat the proliferation of COVID-1, several EU Member States have strongly recommended or required that employees engage in teleworking, rather than attend work as normal. In this context, the European Union Agency for Cybersecurity (“ENISA”), on March 15, 2020, issued its “top tips for cybersecurity when working remotely”. Some data protection Supervisory … Continue Reading

COVID-19, Scientific Research and the GDPR – Some Basic Principles

As scientists work around the clock to gain insights into the Corona virus and how to fight it, public and private-sector stakeholders are in discussions to promote the rapid exchange of scientific data. During these discussions, the GDPR acronym inevitably rears its head and casts doubt over what is lawful. The GDPR and national data … Continue Reading

Belgian Supervisory Authority Issues Guidance on Data Protection and Coronavirus

On March 13, 2020, the Belgian data protection authority (“APD”) issued guidance on data protection and COVID-19. The guidance is mainly aimed at employers processing personal data of employees in the context of the measures they have taken to contain the spreading of COVID-19. The guidance is divided in the following three parts: legal basis … Continue Reading
LexBlog