Data Protection Officer

On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU.  In particular, the report provides a snapshot of the findings of each supervisory authority (“SA”) on the role of DPOs, with a particular focus on (i) the challenges DPOs face and (ii) recommendations to mitigate and address these obstacles in light of the GDPR.  This blog post summarizes the key findings of the EDPB’s 2023 CEF report.Continue Reading EDPB 2023 Coordinated Enforcement Framework on DPOs: What Are the Key Takeaways for Organizations?

On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21).  The main question in both cases was whether Section 6(4) of the German DPL which permits the dismissal of a DPO with “just cause” is compatible with the GDPR.  In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.Continue Reading Court of Justice of the EU Clarifies Rules on Data Protection Officers’ Dismissal and Conflicts of Interest

There have been many headlines today about the UK Government’s plans to reform UK data protection law. We are still reviewing the (near 150-page) consultation document, but set out below a dozen proposals that we thought might pique the interest of readers of our blog.
Continue Reading 12 Eye-Catching Proposals In The UK Government’s Plan To Reform UK Data Protection Law

South Africa’s Information Regulator (the “Regulator”) issued, on June 22, 2021, a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information (“Guidance Note”), arising under sections 37 and 38 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”).  The purpose of the Guidance Note is to provide guidance to “responsible parties” who: (i) intend to apply for an exemption from one or more of the eight conditions for the lawful processing of personal information, as prescribed by POPIA (section 37 of POPIA), or (ii) may automatically be exempt from some of these conditions where the processing occurs in the performance of a “relevant function” (section 38 of POPIA).  In a media statement, also issued on June 22, 2021, the Regulator confirmed that the June 20, 2021 deadline for responsible parties to register their Information Officers (“IOs”) and Deputy Information Officers (“DIOs”) was postponed indefinitely.
Continue Reading South Africa: Guidance on POPIA Exemptions and Registration of Information Officers

On 10 September 2020, the UK Information Commissioner’s Office (“ICO”) published its beta-phase “Accountability Framework” (“Framework”).  The Framework is designed to assist organisations, of any size and across all sectors, in complying with the accountability principle under the GDPR and in meeting the expectations of the ICO.

The Framework will help those within organisations who are responsible for implementing data protection compliance strategies.  The ICO envisages that organisations will use the Framework in conjunction with other relevant guidance and materials available from the ICO.  The ICO emphasises that each organisation must be mindful of its own circumstances when managing data protection risks, and that a “one size fits all” approach should not be adopted.
Continue Reading UK Information Commissioner’s Office Publishes Draft Accountability Framework Tool