Photo of Kristof Van Quathem

On February 3, 2021, the Conference of the Supervisory Authorities (“SAs”) of Germany (known as the Datenschutzkonferenz or “DSK”) published minutes from its meetings held in November 2020 (available here, in German).  The minutes include discussions about how the German SAs plan to enforce the recent Schrems II ruling of the Court of Justice of the European Union (“CJEU”).  Notably, the Berlin SA (coordinator of the DSK’s Schrems II task force) sought consensus to ensure a joint enforcement approach.

Continue Reading German Supervisory Authorities Plan to Circulate Questionnaires on Personal Data Transfers in Wake of Schrems II Decision

On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research.  The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.

Continue Reading European Data Protection Board Answers Commission’s Questions on Health Research

In January 2021, the Belgian Supervisory Authority issued detailed guidance (available in Dutch and French) on how to securely destroy personal data in accordance with the General Data Protection Regulation (“GDPR”).  Among other things, the guidance aims to help controllers and processors comply with their obligations under Article 32 of the GDPR.

Continue Reading Belgian Supervisory Authority Publishes Guidance on the Secure Destruction of Personal Data

On January 12, 2021, the German Ministry for the Economy and Energy released a new draft Law on Data Protection and the Protection of Privacy in Telecommunications and Telemedia (“TTDSG” or “draft law”).  If enacted, the draft law will replace the existing data protection and privacy provisions of Germany’s Telemedia Act and Telecommunications Act (“Telemedia Act”), including provisions applicable to the use of cookies and similar technologies.  The draft text was subject to public consultation from its publication until January 22, 2021, and responses submitted during that period will now be considered by the German Federal Government in advance of a formal proposal for the Federal Parliament to consider.

Continue Reading Germany Publishes New Draft Rules for Cookies and Similar Technologies

On January 12, 2020, the Spanish Supervisory Authority (“AEPD”) issued guidance on how to audit personal data processing activities that involve Artificial Intelligence (“AI”) (available here, in Spanish).  The AEPD’s guidance is directed at data controllers and processors, as well as AI developers, data protection officers (“DPO”), and auditors.  The guidance aims to help ensure that products and services which incorporate AI comply with the requirements of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”).

Continue Reading Spanish Supervisory Authority Issues Guidance on Auditing Data Processing Activities Involving Artificial Intelligence

On January 13, 2021, Advocate General (“AG”) Michal Bobek of the Court of Justice of the European Union (“CJEU”) issued his Opinion in Case C-645/19 Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).  The AG determined that the one-stop shop mechanism under the EU’s General Data Protection Regulation (“GDPR”) prevents supervisory authorities that are not the lead supervisory authority (“LSA”) of a controller or processor from bringing proceedings before their national court, except in limited and exceptional cases specifically provided for by the GDPR.  The case will now move to the CJEU for a final judgment.

Continue Reading Supervisory Authorities Cannot Circumvent One-Stop-Shop According to CJEU Advocate General

On January 19, 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the draft standard contractual clauses for international data transfers (“draft SCCs”) published by the European Commission (“EC”) on November 12, 2020, including a marked-up version of the clauses.

The EDPB/EDPS joint opinion proposes

On December 22, 2020, the European Union Agency for Cybersecurity (“ENISA”) published a draft scheme for cloud services (see press release here and scheme here). Cloud services that meet the security requirements of the scheme will be able to obtain a certification attesting to their level of cybersecurity. The draft scheme is available for public consultation until February 7, 2021.

Continue Reading The European Union Agency for Cybersecurity Publishes a Draft Certification Scheme for Cloud Services

On September 16, 2020, the Spanish Supervisory Authority (“AEPD”) approved a “Code of Conduct for Data Processing in Advertising” (“Code”) (see the decision approving the code here). This is the first GDPR-approved Code of Conduct with an accredited monitoring body in the European Union. The Code enters into effect on November 17, 2020, two months after its approval.

Below we provide a brief FAQ about the Code.


Continue Reading The Spanish Supervisory Authority Approves a GDPR Code of Conduct on Advertising