With the official enactment of the NIS-2 Implementation Act, Germany has taken a major step toward modernizing its cybersecurity framework. Starting from 6 December 2025, stricter requirements will apply to both federal administration and thousands of private companies. This law revises the BSI Act (BSIG) and introduces comprehensive obligations for IT security and risk
Since the Court of Justice of the EU (“CJEU”) decided in its Schrems II ruling that the Privacy Shield is no longer valid and that EU Standard Contractual Clauses (SCC) can no longer be used without extra scrutiny and require the implementation of additional security measures by both the EU data exporter and the US data importer, companies are wondering on how they can transfer data to non EU countries. According to the CJEU, the SCCs are still valid, but a level of protection for personal data equivalent to that in the EU must be ensured, which would not be the case if public authorities, such as intelligence services, can access EU personal data without adequate judicial oversight or due process.
Continue Reading German DPA Issues Guidance on Schrems II and the Transfer of Personal Data to Non-EU Countries
On February 10, 2020, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) initiated its first public consultation procedure on the anonymization of personal data, with a particular focus on providers of electronic communication services. As the European Commission Communication in A European Strategy for Data recognized, anonymized data may be used for many purposes and bring enormous benefits to citizens, for example, by improving mobility and road safety.
Continue Reading Anonymization of Personal Data with Focus on Traffic Data: First Public Consultation Procedure by the Federal German Data Protection Office
At present, companies acting as data controllers lack uniform interpretation of the rules that guide their compliance efforts to respond to data subject rights requests under the EU General Data Protection Regulation. Nevertheless, controllers are expected to adopt internal processes to address such requests in accordance with the applicable legislation. While some EU data protection authorities have published guidance (e.g. the CNIL in France and the UK Information Commissioner’s Office, whose updated draft right of access guidance is in public consultation until Feb. 12), it is not certain that regulators in other EU countries will take a similar position. Even within one jurisdiction, i.e., in Germany, regulators’ interpretation of what constitutes a proper response to, for example, a data subject access request may differ from one supervisory authority to another.
Continue Reading Absent Guidelines, Many Questions on Facilitating DSARs
Within the last couple of months, we have noted that Companies increasingly struggle with data subject access requests.
The Wording of Art. 15 para. 3 GDPR is Ambiguous
As much as Companies understand that they need to confirm whether they process personal data of the individual that issued the request, they oftentimes seem to struggle with the requirement and the meaning of issuing a copy of the underlying processing as stipulated by Art. 15 para. 3 GDPR.
Continue Reading Data Subject Access Rights – and the Requirement to Issue a Copy of the Undergoing Processing
“Are we prepared for the GDPR?” Not nearly as many companies as should be are asking themselves this question. As such, we have prepared this short post for those that are barely or not at all prepared for General Data Protection Regulation (GDPR) compliance – as 25 May 2018, the day GDPR will enter into force, is just around the corner. This article is not meant to be complete, however, and the action steps outlined below are not necessarily sufficient for GDPR compliance, but they may provide some direction and ideas for a last-minute quick fix to “look good” on 25 May 2018.
Continue Reading Last-Minute Quick Fixes for GDPR Compliance – Recommended Action Steps