Data Protection Officer

On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21).  The main question in both cases was whether Section 6(4) of the German DPL which permits the dismissal of a DPO with “just cause” is compatible with the GDPR.  In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.Continue Reading Court of Justice of the EU Clarifies Rules on Data Protection Officers’ Dismissal and Conflicts of Interest

On May 25, 2020, the second anniversary of the GDPR, the Belgian Supervisory Authority (“SA”) released an overview of its first full year of activity (available in French here, and in Dutch here).  To be clear, this was not a delay in reporting, but rather shows that the Belgian legislature was late in creating its oversight and enforcement authority for data protection.

According to the activity overview, the SA has received over 900 security breach notifications and around 350 complaints.  It has performed over 100 inspections and imposed 59 sanctions, 9 of which resulted in fines for a total of €189,000.  In fact, the SA has imposed the bulk of these fine amounts only in the last two months.Continue Reading Belgian Supervisory Authority’s GDPR Track Record So Far

On September 5, 2018, a first instance Administrative Court in Italy decided that a public company cannot reject an application for the position of data protection officer (“DPO”) on the basis that the applicant is not a certified ISO 27001 Auditor / Lead Auditor (decision available here).

ISO 27001
Continue Reading Italian court decides that a data protection officer does not have to be a certified ISO 27001 Auditor

The Article 29 Working Party (“WP29”) – the representatives of national data protection regulators in the EU – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018.

This first salvo of GDPR-focused guidance concerns:

  1. the new “Right to Data Portability”, an obligation on companies and public authorities to build tools that allow users to download their data or transfer it directly to a competitor (the guidance is here, and an FAQ is here);
  2. the new obligation for organizations to appoint a “Data Protection Officer”, a quasi-independent role within companies that will be tasked with internal supervision and advice regarding GDPR compliance (guidance / FAQ); and
  3. the new “One Stop Shop” mechanism – helping companies identify which “lead” data protection authority will be their main point of contact for multi-country regulatory procedures (guidance / FAQ).

Despite the guidance having formally been “adopted”, the WP29 is nevertheless inviting stakeholder comments on the new guidance, until the end of January 2017.  Indeed, the guidance takes a number of positions that could attract large volumes of comments ahead of the January 31 deadline.
Continue Reading New EU GDPR Guidance: Data Portability, Data Protection Officers, and the One Stop Shop

On June 16, 2016, the French data protection authority (“CNIL”) launched a public consultation on the General Data Protection Regulation (“GDPR).   The consultation focuses on four priority themes set out in the Article 29 Working Party’s 2016 Action plan:

  • the data protection officer;
  • the right to data portability;
  • data protection impact assessments; and
  • certification.

Continue Reading The CNIL and EDPS Launch Public Consultations