Privacy Shield
Former EU-US data transfer framework (invalidated)
Overview
Legal Framework
The legal basis for the EU-U.S. Privacy Shield framework was Article 45 of the GDPR, which empowers the European Commission to adopt an adequacy decision determining that a third country ensures an adequate level of data protection. The Privacy Shield Decision (2016/1250) was such an adequacy decision, intended to provide a legal mechanism for transfers of personal data from the EU to certified U.S. organizations without requiring further authorization. In the absence of an adequacy decision, the default legal framework for transfers applies, requiring controllers and processors to implement appropriate safeguards under Article 46 GDPR or rely on the derogations in Article 49.
Practical Application
The Privacy Shield framework was invalidated by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems (Schrems II). The Court ruled that the framework did not provide a level of protection essentially equivalent to that guaranteed within the EU. A core deficiency was that U.S. surveillance programs, based on provisions such as Section 702 of FISA and Executive Order 12333, were not limited to what is strictly necessary and proportionate, and data subjects lacked actionable judicial redress against U.S. authorities. Consequently, the Commission's adequacy decision was annulled. Following this ruling, transfers to the U.S. can no longer be based on the Privacy Shield. Supervisory authorities are empowered and obliged to suspend or prohibit transfers that violate the GDPR, as confirmed by the CJEU's statement on their monitoring responsibilities.
Key Considerations
- Transfers to the U.S. require alternative mechanisms: Organizations must immediately cease relying on the Privacy Shield for new transfers and implement alternative transfer tools, such as the Standard Contractual Clauses (SCCs), alongside a thorough transfer impact assessment.
- Conduct a transfer impact assessment: For any alternative mechanism used, a case-by-case assessment is required to evaluate whether U.S. law (particularly on government access to data) impinges on the effectiveness of the chosen safeguards, potentially requiring supplementary technical measures.
- Monitor for a new framework: The invalidation led to political negotiations for a new EU-U.S. Data Privacy Framework. Organizations should monitor developments but cannot rely on a prospective new adequacy decision for current compliance.
Laws (5)
Case Law (15)
CJEU 9 January 2025, C-394/23 (Mousse).
CJEU
CJEU 9 January 2025, C-394/23 (Mousse). Articles: 5(1)(c), 6(1) and 21 GDPR. Subject: principle of data minimisation. Oddly enough, the CJEU itself does not refer to CJEU 1 August 2022, C-184/20 (Vyriausioji tarnybinės etikos komisija), although that would also have been quite logical here.
VB v Natsionalna agentsia za prihodite
C-340/21 (VB v Natsionalna agentsia)
Data breach alone does not establish inadequate security measures. Burden on controller to prove adequacy.
Österreichische Datenschutzbehörde v CRIF
C-487/21 (Österreichische Datenschutzbehörde)
Right of access includes obtaining a copy in commonly used electronic form.
UI v Österreichische Post AG
C-300/21 (Österreichische Post)
Right to compensation under GDPR Article 82 requires proof of actual damage.
CJEU: Privacy Shield declared invalid (Schrems II)
The Court of Justice declares the Privacy Shield agreement invalid because of insufficient safeguards for European citizens against access by US intelligence services.
Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems
Schrems II
"although not requiring a third country to ensure a level of protection identical to that guaranteed in the EU legal order, the term 'adequate level of protection' must [...] be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter."
Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems
Schrems II
"the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data. Each of those authorities is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down in that regulation" / "The exercise of that responsibility is of particular importance where personal data is tra
Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
C-311/18 (Schrems II)
Invalidated Privacy Shield adequacy decision and upheld validity of Standard Contractual Clauses with additional safeguards required.
Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems
Schrems II
"[...] the standard data protection clauses adopted by the Commission on the basis of Article 46(2)(c) of the GDPR are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contrac
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Necessity/proportionality: The Decision does not contain any finding regarding US rules intended to limit the interference when they pursue legitimate objectives such as national security, nor refer to effective legal protection against such interference. FTC procedures and private dispute resolution mechanisms concern compliance with safe harbor principles (against US organizations) and cannot be applied with respect to measures originating from the State. Moreover, the Commission found that if
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Safe harbour: US public authorities are not required to comply with safe harbor principles. Decision 2000/520 specifies that safe harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements, or statute, regulation or caselaw. Self-certified US organizations receiving personal data from the EU are thus bound to disregard safe harbor principles when they conflict with US legal requirements. Decision 2000/520 does not contain s
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Independence of DPA: The Directive seeks to ensure an effective, complete, and high level of protection of the fundamental rights and freedoms of natural persons. The guarantee of a DPA's independence is intended to ensure effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection. DPAs' powers extend to their own Member State, but not to processing in third countries. However, DPAs are responsible for monitoring transfers from a Member State t
Maximillian Schrems v Data Protection Commissioner
C-362/14 (Schrems I)
Invalidated Safe Harbor adequacy decision. National supervisory authorities can examine adequacy decisions.
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Interference with fundamental right: Decision 2000/520 enables interference with the fundamental right to respect for private life of persons whose personal data is or could be transferred from the EU to the US. (¶87)
Parliament v. Council (PNR)
PNR
Transfers: Where the transfers of personal data are authorized under an agreement that was adopted ultra vires, the authorization is void.
Guidance (24)
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)
Guidelines on the criteria of the right to be forgotten in the search engines cases under the GDPR (part 1)
Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement
Guidelines on the use of facial recognition technology in the area of law enforcement
More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data; therefore, it encompasses the processing of special categories ...
Version history
Guidelines on transfers of personal data between public authorities and bodies within and outside the EEA
Version history
Guidelines on the interplay between the application of Article 3 and Chapter V GDPR
The GDPR does not contain a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. The EDPB therefore provides these guidelines to clarify the scenarios to which, in its view, the requirements of Chapter V should be applied, and to that end it has identified three cumulative criteria that a processing activity must meet to qualify as a transfer: - 1) A controller...
Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
Guidelines on derogations of Article 49
Version history
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...
Article 29 Data Protection Working Party
Guidelines on transparency
Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679
Guidelines on derogations from Article 49
Guidelines 05/2022 on the use of facial recognition technology in the context of law enforcement
Guidelines on the use of facial recognition in law enforcement
More and more law enforcement authorities apply facial recognition technology or intend to do so. The technology can be used to authenticate or identify a person and can be deployed on videos (e.g. CCTV) or photographs, but also for other purposes, including searching for persons on police watch lists or tracking a person's movements in public space. Facial recognition technology is based...
Guidelines 03/2021 on the application of Article 65(1)(a) GDPR
Guidelines on the application of Article 60 GDPR
Guidelines 07/2022 on certification as a tool for transfers
Under Article 46 of the General Data Protection Regulation (GDPR), data exporters must provide appropriate safeguards for the transfer of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that data exporters may use under Article 46 as a framework for transfers to third countries, including by introducing certification as a new transfer mechanism (Article 42(2) and A...
Guidelines 04/2021 on codes of conduct as tools for transfers
Under Article 46 of the GDPR, controllers/processors must provide appropriate safeguards for the transfer of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that organisations may use under Article 46 for transfers to third countries, including by introducing codes of conduct as a new transfer mechanism (Article 40(3) and Article 46(2), point ...
Guidelines 07/2022 on certification as a tool for transfers
Guidelines on certification and identifying certification criteria
The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR). These guidelines provide guidance as to the applicati...
Guidelines 04/2021 on Codes of Conduct as tools for transfers
Guidelines on codes of conduct and monitoring bodies
The GDPR requires in its Article 46 that controllers/processors shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Article 46 for framing transfers to third countries by introducing amongst others, codes of conduct as a new transfer mechanism (articles 40-3 and 46-2-e). In this respect, as provi...
Guidelines 03/2021 on the application of Article 65(1)(a) GDPR
Guidelines on the application of Article 60 GDPR
Guidelines 07/2022 on certification as a tool for transfers
Guidelines on certification
Under Article 46 of the General Data Protection Regulation (GDPR), data exporters must provide appropriate safeguards for the transfer of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that data exporters may use under Article 46 as a framework for transfers to third countries, including by introducing certification as a new transfer mechanism (Article 42(2) and A...
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
One of the main innovations introduced with the GDPR was the concept of the 'one-stop-shop mechanism'. In cases of cross-border processing, the supervisory authority in the Member State of the main establishment of the controller or processor is the authority leading the enforcement of the GDPR with regard to the cross-border processing activities at stake. It does so in cooperation with all the authorities that may face the consequ...
Guidelines 02/2024 on Article 48 GDPR
Article 48 GDPR provides that: 'Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer...
Enforcement (8)
Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles
€4,500,000 fine - Croatian Data Protection Authority (AZOP)
Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequ
Uber Technologies Inc., Uber B.V.: Non-compliance with general data processing principles
€290,000,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 290 million on Uber for transferring personal data of European drivers to the USA without sufficient privacy safeguards. The DPA launched an investigation after 170 French drivers filed complaints with the 'Ligue des droits de l'Homme'. The DPA's investigation revealed that Uber had stored sensitive personal data, such as location information, payment details, identity documents and health data, on US servers without adequate safeguards for over two years.
ENDESA ENERGÍA, S.A.U.: Non-compliance with general data processing principles
€6,100,000 fine - Spanish Data Protection Authority (AEPD)
The Spanish DPA has fined ENDESA ENERGÍA, S.A.U. EUR 6.1 million due to a security breach resulting in unauthorized access to its systems. The controller had informed the DPA that certain Facebook ads had been placed offering the sale of login credentials for the Endesa platform, resulting in the compromise of data such as names, first names, ID numbers, telephone numbers, email addresses, postal addresses, bank account numbers, of millions of individuals. The DPA found that the controller had f
Tele2 Sverige Aktiebolag: Insufficient technical and organisational measures to ensure information security
€1,000,000 fine - Data Protection Authority of Sweden
The Swedish DPA has imposed a fine of EUR 1 million on Tele2 Sverige Aktiebolag. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses, as no adequacy decision had been issued by the EU Com
CDON AB: Insufficient technical and organisational measures to ensure information security
€25,000 fine - Data Protection Authority of Sweden
The Swedish DPA has imposed a fine of EUR 25,000 on CDON AB. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses in the absence of an EU Commission adequacy decision for the USA. In the c
Meta Platforms Ireland Limited: Insufficient legal basis for data processing
€1,200,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law and that the standard contractual clauses (SCCs) al
Portuguese National Statistical Institute: Non-compliance with general data processing principles
€4,300,000 fine - Portuguese Data Protection Authority (CNPD)
The Portuguese DPA has fined the Portuguese National Statistical Institute EUR 4.3 million. The DPA found numerous violations of the GDPR in connection with the 2021 census in Portugal. The DPA first found that the controller had failed to inform the data subjects that the provision of religious and health data was purely voluntary. The DPA considered this to be an interference with the data subjects' ability to freely express their will regarding data processing. In addition, the DPA found that
Bocconi University: Non-compliance with general data processing principles
€200,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible t
News (28)
UK adequacy decision: a risk for the future and a lesson to be learnt
As the UK adequacy renewal comes to an end, EDRi member Open Rights Group reflects on its outcome and the broader implications for the future of EU-UK relationships. The post UK adequacy decision: a risk for the future and a lesson to be learnt appeared first on European Digital Rights (EDRi).
EU and Brazil agree a mutual adequacy decision
The EU and Brazil adopted, on 27 January, mutual adequacy decisions which confirm that their levels of data protection are comparable. This recognition allows for personal data to flow freely between the EU and Brazil.
Strengthening data protection globally: The European Data Protection Board (EDPB) is meeting with the countries and organisation that have an adequacy decision.
Brussels, 3 December - During its December plenary meeting, the European Data Protection Board (EDPB) held an online meeting yesterday with commissioners and representatives of national data protection authorities (DPAs) from the countries and the organisation covered by an EU adequacy decision. This meeting was the second of its kind, following the first meeting in October 2024. An adequacy decision is an important instrument in EU data protection legislation, enabling the free flow of personal data from the EU.
Strengthening data protection worldwide: EDPB meets with the countries and organisation with an adequacy decision
Brussels, 3 December - As part of its December's plenary meeting, the European Data Protection Board (EDPB) held yesterday an online meeting with Commissioners and representatives of Data Protection Authorities (DPAs) from the countries and the organisation with an EU adequacy decision. This meeting marked the second of its kind, following the first gathering in October 2024. An adequacy decision is a key mechanism in EU data protection legislation which allows free flow of personal data from Eu
Draft decision on the adequacy of data protection in Brazil: The European Data Protection Board has adopted an opinion.
Brussels, November 5th - During its latest plenary meeting, the EDPB (European Data Protection Board) issued an opinion on the draft decision by the European Commission regarding the adequate level of protection for personal data in Brazil.* Once this decision is adopted, it will ensure that personal data can be freely transferred from Europe to Brazil, and that individuals can maintain control over their data. In this opinion, which was prepared at the request of the Commission, the EDPB assesses whether the Brazilian data protection framework and the rules regarding government access to personal data...
Draft adequacy decision for Brazil: EDPB adopts opinion
Brussels, 5 November - During its latest plenary, the EDPB adopted an opinion on the European Commission's draft decision on the adequate level of protection of personal data in Brazil.* Once adopted, the decision will ensure that personal data can flow freely from Europe to Brazil and that individuals can retain control over their data. In its opinion, requested by the Commission, the EDPB assesses whether the Brazilian data protection framework and the rules on government access to personal da
Draft UK adequacy decisions: EDPB adopts opinions
Brussels, 20 October - During its latest plenary, the EDPB adopted two opinions on the European Commission's draft decisions on the extension of the validity of the UK adequacy decisions under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) until December 2031.* The EDPB opinions, requested by the Commission as per Art. 70(1)(s) GDPR and Art. 51(1)(g) LED, address the proposed six-year extension of the two UK adequacy decisions which are set to expire in D
The United Kingdom's draft decisions regarding adequate protection: The EDPB issues opinions.
Brussels, October 20th - During its latest plenary meeting, the EDPB (European Data Protection Board) adopted two opinions on the draft decisions of the European Commission regarding the extension of the validity of the decisions on the adequacy of the United Kingdom, as stipulated in the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), until December 2031. The EDPB opinions, requested by the Commission under Article 70(1)(s) of the GDPR and Article 51(1)(g) of the LED, address the proposed six-year extension of the two decisions on the adequacy of the United Kingdom, which are currently due to expire.
A reassessment of the GDPR: lessons learned from the experience in the United Kingdom.
News from the European Union.
There is a growing movement for reforms in data protection. The European Commission is proposing specific changes to make compliance easier for small and medium-sized enterprises, and the United Kingdom is implementing significant reforms. The reforms in the United Kingdom are focused on...
Hunton summarises two articles from the new SCCs: the 'local laws and government access' section
Under Clause 14 of the Data Transfer SCCs, the data importer must carry out a transfer risk assessment to verify whether the laws and practices of the receiving third country could prevent the data importer from complying with the Data Transfer SCCs. If the risk assessment shows that the Data Transfer SCCs alone will not ensure an essentially equivalent level of protection for the personal data in the receiving third country, supplementary safeguards will need to be implemented, such as end-to-e
Hunton summarises two clauses from the new SCCs: the section on 'local laws and access by government authorities'.
Under Clause 14 of the Standard Contractual Clauses (SCCs) for data transfers, the party importing the data must carry out a risk assessment to verify whether the laws, regulations and practices of the receiving third country could impede the data importer's ability to comply with the data transfer SCCs. If the risk assessment shows that the data transfer SCCs alone are not sufficient to guarantee an essentially equivalent level of protection for the personal data in the receiving third country, supplementary safeguards must be implemented, such as end-to-end encryption.
The EU-US privacy agreement needs a thorough and critical assessment.
The Commission has enthusiastically endorsed a recent US decision to implement a new framework to protect the privacy of personal data exchanged between the US and Europe. Dick Roche disagrees. https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc/
EU-US Privacy Framework needs a long hard look
The Commission has endorsed enthusiastically a recent US order to implement a new framework to protect the privacy of personal data shared between the US and Europe. Dick Roche begs to differ. https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc/
Privacy activists warn against removing compensation for data protection breaches
> The Advocate General of the Court of Justice of the European Union (CJEU) issued a non-binding opinion, which privacy advocates fear could further limit users' possibilities to enforce their privacy rights under the GDPR. > According to [the opinion](https://curia.europa.eu/juris/document/document.jsf;jsessionid=79F0B703F7CD84C2DE01BF340FD03C29?text=&docid=266842&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=244110) delivered last week, Europeans would hardly get compensated if t
Privacy activists warn against abolishing compensation for breaches of personal data protection.
The Advocate General of the Court of Justice of the European Union (CJEU) has issued a non-binding opinion that worries privacy activists, because it could further limit users' ability to enforce their privacy rights under the GDPR (General Data Protection Regulation). According to the [opinion](https://curia.europa.eu/juris/document/document.jsf;jsessionid=79F0B703F7CD84C2DE01BF340FD03C29?text=&docid=266842&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=244110) delivered last week, Europeans would hardly receive any compensation if...
The EU-US Data Privacy Framework: A new era for data transfers?
> Legally, until an adequacy determination is granted, companies should continue to follow the European Data Protection Board's recommendations on measures that supplement transfer tools. But, once the EU is named as a 'qualifying state' (assuming it will be) and complaints can be submitted, this should become less daunting. The EDPB recommendations state that companies must 'assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appro
What happened to the risk-based approach to data transfers?
The GDPR incorporates the risk-based approach (RBA) for all obligations of the controller laid down in the GDPR. Where the transfer rules are described as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. According to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a cybersecurity expert, this is not contradicted by the judgment of the European Court of Justice in Schrems II, nor by the recommendations of the EDPB (European Data Protection Board) on supplementary measures following the Schrems II judgment.
What Happened to the Risk-Based Approach to Data Transfers?
The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Contrary to what the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security
Danish data protection authority (SA) declares use of Google Analytics unlawful without supplementary measures.
The Danish Data Protection Agency has examined the Google Analytics tool and its settings, as well as the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that, without supplementary measures, the tool cannot be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings offered by Google.
Danish SA Declares Use of Google Analytics Unlawful Without Supplementary Measures
The Danish Data Protection Agency has looked into the tool Google Analytics and its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.