In a significant decision on 4 October 2024, the Court of Justice of the European Union clarified the interpretation of ‘data concerning health’ under the General Data Protection Regulation (GDPR). This ruling has important implications for online pharmacies and e-commerce platforms handling health-related products.
Data Protection
When we think about data protection and GDPR compliance, it’s easy to focus on Big Tech giants like Google and Meta. However, the GDPR applies to all organisations, regardless of size or industry. Businesses across sectors – from healthcare providers to energy firms – are increasingly subject to investigations and penalties. Here, we explore five recent cases where companies outside of Big Tech were fined for breaches of GDPR, showing that no one is immune from investigations and fines.
In an age where data flows seamlessly across borders, safeguarding personal information has become a pivotal concern for businesses worldwide. The General Data Protection Regulation (GDPR), a beacon of data protection laws, casts a wide net to safeguard personal data within and beyond the European Economic Area (EEA). A critical tool in this endeavour is the Transfer Impact Assessment (TIA), a process that scrutinises data transfers to ensure they meet GDPR’s standards.
If your US-based business handles data from European customers, you need to be aware of the General Data Protection Regulation (GDPR). This regulation extends beyond Europe and has practical implications for businesses worldwide. Here’s a guide to help you understand two crucial aspects of GDPR compliance: privacy notices and the requirement for a data protection representative in the European Union (EU).
The European AI Act introduces new requirements for developing and using AI systems. Similar to the GDPR, the AI Act impacts businesses outside Europe. Since many AI applications involve personal data, both the AI Act and GDPR will often apply.
AI technologies, especially Large Language Models (LLMs), are becoming integral to various applications, from customer service chatbots to complex analytical tools. However, their use raises significant data protection concerns. The Conference of Independent Federal and State Data Protection Supervisory Authorities in Germany recently released a guide on AI and data protection, providing a detailed framework for using AI in compliance with data protection laws.
In Switzerland, personal data may not be transferred to countries lacking adequate levels of data protection unless specific protections are ensured. The Federal Act on Data Protection (FADP) stipulates that personal data originating from Switzerland must receive comparable levels of protection when it crosses borders as it does within the country.
The world of commerce thrives on competition, and at the heart of this competition lies pricing.
But what happens when pricing practices become deceptive or prevent healthy competition? This is where pricing bans and rules come into play. These regulations aim to protect consumers and ensure a fair marketplace, but navigating this maze can be complex for both businesses and consumers.
The new Swiss Data Protection Act introduces several key provisions, including the requirement for entities processing personal data to maintain detailed records of their data processing activities. The regulation outlines specific elements that must be included in the records of data processing, such as the objectives behind data processing, the varieties of personal data processed, and particulars of data transfers to foreign territories, among other requirements.
A data protection impact assessment is about foresight. It’s about spotting data protection issues early on, simplifying solutions, and cutting costs. Think of it as the planning stage of your hike, where you assess the path for potential hazards. Just as you’d want to know about a washed-out bridge on your hiking route in advance, data protection impact assessments help catch problems before they become complex and expensive.
In January 2024, the European Data Protection Board (EDPB) released a significant report following an extensive review of Data Protection Officers’ (DPOs) roles across the EU. This article aims to break down the report’s findings and offer straightforward advice for DPOs and businesses looking to improve their data protection efforts.
In today’s fast-paced digital world, the hunt for information drives businesses to adopt innovative techniques like data scraping. This method, which automates the extraction of vast amounts of information from digital platforms, is a game-changer for anyone looking to gain insights, generate leads, or simply stay ahead in the market. However, as handy as data scraping can be, it treads a fine line within the complex web of European legal standards, particularly when it comes to privacy and intellectual property rights. Let’s dive into the world of data scraping, understand its legal challenges, and explore how businesses can operate within the bounds of European law.
The General Data Protection Regulation (GDPR) has reshaped the way businesses handle personal data, introducing stricter rules and giving individuals more control over their information. A significant aspect of the GDPR is its provision for class actions, allowing groups of individuals to seek compensation for breaches of their data rights. This development is crucial for businesses to understand, as it brings new challenges and responsibilities.
Legitimate interest is one of the six lawful bases under the GDPR that businesses can use to process personal data. It’s the most flexible basis but comes with an added responsibility to protect the rights and interests of data subjects. This basis is often appropriate when data is used in ways that individuals would reasonably expect and with minimal privacy impact.
In the labyrinth of data protection, a Data Protection Impact Assessment (DPIA) stands out as a vital navigational tool. Think of a DPIA as your GPS through the intricate world of data processing – it doesn’t just keep you on the right side of the law but also steers you towards a more trustworthy and transparent relationship with your users. By performing DPIAs, you’re not just ticking a compliance box; you’re heading to smarter data handling, reducing risks, and dodging those hefty non-compliance GDPR fines.
The General Data Protection Regulation (GDPR) has revolutionised the way personal data is handled across the European Union and beyond. A crucial aspect of GDPR compliance is the implementation of various assessments to ensure data protection and privacy. These assessments include the Data Protection Impact Assessment (DPIA), Transfer Impact Assessment (TIA), and Legitimate Interest Impact Assessment (LIA). Each of these plays an important role in safeguarding personal data and ensuring that businesses comply with GDPR requirements.
In an age where data shapes our daily lives, understanding the new European Data Act is crucial for everyone, from business leaders to everyday consumers. This landmark legislation, introduced by the European Union, is set to transform how data is managed, shared, and protected. In this clear and concise guide, we’ll explore what the European Data Act is, why it matters, and how it impacts you.
In the digital age, data protection is a critical aspect of every business operation, especially in recruitment. The UK Information Commissioner’s Office (ICO) has issued detailed guidance on recruitment and selection, focusing on compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). This article delves into these guidelines, offering key insights and pragmatic advice for businesses to navigate the complexities of data protection in recruitment.
The roles of Data Protection Officers (DPOs) and representatives stand as critical figures, ensuring businesses navigate the complex seas of compliance. Yet, there often exists a cloud of ambiguity around their distinct functions, responsibilities, and the nuances that set them apart.
In the digital age, regulations and directives have been established to protect consumers and ensure a level playing field for businesses. Three significant pieces of legislation in this realm are the Digital Services Act (DSA), the General Data Protection Regulation (GDPR), and the Consumer Rights Directive (CRD). This article provides a brief overview of each and outlines the fines and penalties associated with non-compliance.
In the digital space, e-commerce platforms are leveraging personalised advertising to enhance customer experiences and boost sales. Retargeting, a form of personalised advertising, has become a game changer, enabling businesses to re-engage potential customers by displaying ads based on their previous online activities. While this approach can significantly uplift conversion rates, it also entails critical considerations regarding data protection and privacy compliance, notably in the light of the General Data Protection Regulation (GDPR).
The year 2023 has marked a significant uptick in GDPR fines, making it the year with the highest penalties for data protection violations. While the world is abuzz with high-profile GDPR fines against tech giants like Meta and Google, it’s crucial to understand that smaller companies are also under regulatory scrutiny.
Email marketing is a powerful business tool for connecting with audiences, boosting brand awareness, and driving sales. However, it’s crucial to assess and handle personal data protection issues carefully when using this strategy.
Are you aware of the recent changes affecting Swiss data protection regulations? In this article, we explore the revised Swiss Federal Data Protection Act (revFADP), delve into the key changes and explain the main differences between the revFADP and the GDPR. Mark your calendars, as the deadline for compliance is fast approaching, on September 1, 2023.
The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation implemented in the European Union (EU) in May 2018. It aims to protect the personal data of EU citizens and residents and ensure that businesses and organisations are held accountable for the way they collect, process, and store this data. It sets out strict requirements for data protection and privacy, and failure to comply can result in significant fines and other penalties – up to €20 million, or up to 4% of the annual global turnover of the preceding fiscal year, whichever is higher – a valid reason to check your data processing practices.
The General Data Protection Regulation (GDPR) has been in place for several years, yet many businesses still struggle to understand whether they can process personal data. While the GDPR provides six lawful bases for data processing, there is a lack of understanding among businesses on which basis they can rely to process data. As a result, companies often add unnecessary consent requests to all their documents, which can cause confusion and frustration for their customers.
Data processing has become an integral part of business operations. With the increased use of cloud-based services and outsourcing, companies must understand the roles of data controllers and data processors and the legal agreement between them, known as a Data Processing Agreement (DPA).
Earlier in our Data Protection Series, we shared some tips on how to obtain valid consent in accordance with the General Data Protection Regulation (GDPR). Today, we want to explore cookies consent banners in light of the latest Report issued by Cookie Banner Taskforce.
Although the General Data Protection Regulation (GDPR) has been in place for over four years, some concepts and notions are still a topic of hot discussion and continue to confuse stakeholders. Earlier in our data protection series of articles, we addressed the European regulation of cross-border data transfers. In this article, we will shed some light on data controllers’ obligation to implement appropriate technical and organisational measures when processing personal data.
As the world recovers from COVID-19, international travel has picked up again, causing airport havoc across the globe. However, some international transfers have continued without interruption – invisible, but significant flows. These are the cross-border personal data transfers that happen every day …
Shortly after Brexit, the UK Government re-evaluated its data protection regime and cross-border data processing. The Government concluded that the EU General Data Protection Regulation (EU-GDPR) was incompatible with the UK and represented an unreasonable administrative burden on businesses, particularly small businesses, including start-ups.
Any company doing business in California (regardless of where it is located) that meets certain thresholds with respect to its gross revenue or revenue from personal information it sells or the amounts of personal information that it buys/receives/sells or shares for commercial purposes must comply with the CCPA.
The CCPA and GDPR both aim to increase consumers’/data subjects’ knowledge about the use of their personal information and their rights with respect to that personal data.
Consumers/data subjects have certain rights regarding their personal data/information under both the GDPR and the CCPA.
The increasing role of technology, data, and sharing of personal information has heightened consumers’ risk of the unauthorized use or disclosure of their personal information. Governments have passed legislation to protect consumers from these risks. In the European Union, the General Data Protection Regulation (GDPR) protects data subjects. In California, the California Consumer Privacy Act (CCPA) provides protection for consumers.
Email marketing campaigns need to be addressed to recipients who have previously given their express consent to receive promotional messages from you.
On May 25 the General Data Protection Regulation comes into effect. The GDPR, as it’s known, aims to protect the fundamental privacy rights of data subjects in a world increasingly driven by data.