On 19 October 2016, the European Court of Justice rendered a decision in the infamous Breyer case, which provided more clarification as to the qualification of personal data in our continuously growing digital economy. The Court ruled that dynamic IP addresses can constitute personal data even when the data controller must seek additional information from a third party in order to truly identify a person. The implications of this outcome are not to be underestimated, especially given the liability and compliance obligations of controllers, which are a lot more lenient when the data in question is not considered "personal" data. It also remains to be seen how this decision will relate to the harmonization attempts of the GDPR, as Breyer seems to leave the door open for interpretation depending on other national laws that affect the concept of personal data.
Dynamic IP addresses
The case was referred to the CJEU …
As part of our GDPR readiness webinar series, in this session we will look at the implications for the Executive Search and Recruitment Industry and the challenges that the new Regulation (set to apply from 25 May 2018) presents. In particular we will look at the following:
  • Who is caught by the Regulation
  • What "consent" means and when you need to get it. How this fits with existing marketing consent rules
  • Rules on processing publicly available data as part of the recruitment process
  • Notification obligations – what you need to tell candidates and potential candidates and when
  • The risks of non-compliance
  • Email correspondence
  • Q&A Session
Speakers: Jenny Grogan (Senior Associate, Employment, Olswang), Joseph Blass (NotActivelyLooking.com) and Elle Todd (Partner and Head of Digital and Data, Olswang)
Date: Tuesday 8 November 2016
Time: 10am – 11am GMT
To register for this webinar please click here. If you have any questions regarding the webinar please contact the events team: events@olswang.com
The General Data Protection Regulation ("GDPR") comes into force on 25 May 2018. It is binding for all member states and provides for a harmonisation of the data protection regime throughout the EU. However, various opening clauses provide member states with discretion to introduce additional national provisions to further specify the application of the GDPR. The German legislator has been among the first to draft such provisions supplementing the GDPR.
What areas does the General Federal Data Protection Act cover?
Recently, a draft by the German Federal Ministry of the Interior of a General Federal Data Protection Act (Allgemeines Bundesdatenschutzgesetz, "GFDPA") was leaked. This is meant to replace the current Federal Data Protection Act (Bundesdatenschutzgesetz, "FDPA"). The draft includes new provisions in areas that are subject to the opening clauses of the GDPR. For example:
What is the new code and what does it recommend?
On 7 October 2016, the Information Commissioner's Office (ICO) published a new code of practice on privacy notices, following its consultation back in February of this year. It provides guidance to organisations on how to make privacy notices more engaging and effective for individuals while emphasising the importance of greater choice and control over what is done with their data. The ICO has also published a useful checklist of the information that needs to be included in the privacy policy. You can check the ICO's privacy notice checklist here. The code rightly states that current privacy notices tend to be "too long, overly legalistic, uninformative and unhelpful" and recommends a blended approach. It encourages the use of different techniques, such as a just-in-time message informing the data subject why their email is needed or a short video explaining how …
As part of our GDPR readiness webinar series, in this session we will look at the jurisdictional changes and challenges that the new Regulation (set to apply from 25 May 2018) presents.  In particular we will look at the following:
  • Does the Regulation provide for a uniform law across the EU or will different Member States have different provisions?
  • If not, which Member State’s law will apply in different circumstances?
  • What will be the extra-territorial application of GDPR to non-European entities – who is caught?
  • Which will be the lead regulatory authority and what will be its powers of enforcement?
  • What will the co-operation procedures be and what will be the role of the new European Data Protection Board?
  • What will be the effect of Brexit?
  • Q&A Session
Speakers: Dan Tench (Partner, Litigation), Anya Proops QC (11KBW) and Elle Todd (Partner and Head of Digital and Data) Olswang.
Date: Thursday 20 October 2016
Time: 3pm – 4pm GMT
To register for this webinar …
Security breaches always get a lot of press attention, but to date there haven't been that many large fines imposed by the Information Commissioner's Office (the "ICO") in the UK. However, last week saw a big one (although some have questioned whether it is big enough), with TalkTalk being given a record GBP400,000 penalty due to a violation of the DPA's seventh principle on security. This comes on the back of the GBP1,000 fine a couple of weeks ago in respect of TalkTalk's failure to give notice to the regulator in due time, which we reported on: http://datonomy.eu/2016/09/13/ico-wins-tiny-penalty-but-significant-principle-in-talktalk-security-breach-saga/
This case relates to cyber-attacks perpetrated against TalkTalk between 15 and 21 October 2015 exploiting vulnerabilities in certain webpages. Personal data of 156,959 customers, including financial information, was impacted, with the attacker accessing the personal data of all of the customers along with the bank account numbers and sort codes of 15,656. When imposing …