The Conference of the independent Data Protection Authorities of Germany (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder; DSK) published its generally applicable principles on imposing GDPR fines on companies. By publishing its concept, the DSK follows the Dutsch…

GDPR provides various legal basis for data processing activities, including consent, legitimate interest, mandatory processing. One option is the legal basis that can be applicable to contractual relationships. According to the Preamble to the Regulation:  Processing should be lawful where it is…

The data controller is a central player in data protection regulation. The data controller is the one who determines the purposes and means of data processing and makes substantive decisions about the data processing activities. However, the data controller can not only act independently of a given…

Article 29 Working Party (WP29) has published several guidelines under the GDPR and such guidelines contain recommendations regarding best practices that are regarded by the authorities as compliant with the requirements of the GDPR. In this post, I have collected such recommendations. 

Data protection rules such as the EU's new General Data Protection Regulation (GDPR) apply to personal data. But what does personal data mean? According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable…

In connection with the operation of a group of companies, there is a very frequent need to transfer personal data within the company group, even when some of the group companies operate outside the EU. In cases where certain members of a group of companies operate in third countries for which there…

Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (GDPR) were published at the end of October by the Article 29 Working Party (WP 29). In my previous post, I have outlined the principles set out in the Guidelines. In this post, I give a…

The high amount of the administrative fine, which can reach a maximum amount of EUR 20 million or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, makes it extremely important for data controllers and data processors to be prepared for…

The concept of personal data breaches was not introduced by the GDPR, but the GDPR contains a number of provisions relating to personal data breaches that data controllers (and processors) must also be aware of. What is a personal data breach? The concept of personal data breaches is closely…

Many data controllers consider consent as the primary or preferred legal basis for data processing. Although in many cases it would be justified to use another legal basis instead of the consent, data controllers often obtain consents from the data subjects. Not only data controllers have this…