Breaking news: the EDPB has published the “one-stop-shop” decision register.

A great tool for privacy pros to keep up to date with extensive case law, it also increases overall awareness of how data protection laws are applied in cooperation between the lead DPA and the other DPAs concerned (Article 60 GDPR).

As I expect more comments on this occasion in the days/weeks to come, for now just two interesting points:

– most cases published so far are related to data subject rights and lawfulness of the processing;

– so far, lead DPAs issued more compliance orders and reprimands than fines.

To read more – see below.

https://edpb.europa.eu/news/news/2020/edpb-publishes-new-register-containing-one-stop-shop-decisions_en

Status of non-EU processors under Article 3(2) GDPR

A thorough analysis of clear things and grey zones of the EDPB Guidelines 3/2018 on territorial scope.

My attention was, in particular, drawn by a friendly reminder that the status of a non-EU processor is dual under Article 3(2):

  • it is indirectly influenced by the GDPR if it carries out processing on behalf of an EU controller (through the data processing agreement under Article 28 and Chapter V obligations);
  • it is directly caught by the GDPR if the respective processing activities carried out on behalf of a controller meet the ‘targeting criterion’ within the meaning of Articles 3(2)(a) and 3(2)(b).

More to read – see below.

https://www.globalprivacyblog.com/gdpr/edpb-guidelines-what-is-the-territorial-reach-of-the-gdpr/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+GlobalPrivacyAndSecurityComplianceLawBlog+%28Global+Privacy+and+Security+Compliance+Law+Blog%29#page=1

Ticking time-bomb in the EDPB Guidelines on consent?

An old issue each privacy pro has learnt by heart: “risk of negative consequences (e.g. substantial extra costs)” for the data subject = no freely-given consent.

Substantial. But what if the extra costs are not substantial? What if, say, 10$ turns into 11$ if you refuse to consent? Is it ok?

At least, the German watchdog seems to say yes. Some privacy pros agree (see below).

One can say that I am picky; indeed, a 1$ or even 10$ surcharge is unlikely to lead to bankruptcy. But what will happen if this practice becomes commonplace? Right, the data subject will overpay every time he/she is requested to give consent. 1$ per one requested consent will turn into 10$ per ten requests. How long could that ‘receipt’ be a year after? 5 years after?

You got to the crux of the matter. While the EDPB considers substantiality in the context of a one-off consent request, it does not address the aftermath when overcharging becomes the rule.

https://www.bclplaw.com/en-GB/insights/does-the-gdpr-prohibit-charging-more-to-consumers-that-do-not-consent-to-certain-types-of-processing.html