In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State, when it ruled
On February 15, 2022, the European Data Protection Board (“EDPB”) issued a press release announcing the launch of its first coordinated enforcement action under the Coordinated Enforcement Framework (“CEF”) established in 2020 (see section 3 below). The initiative will focus on the use of cloud-based services by the public sector and will involve 22…
The European Data Protection Board (“EDPB”), a body with members from all EEA supervisory authorities (and the European Data Protection Supervisor), has recently established a taskforce to coordinate the response to complaints concerning compliance of cookie banners filed with several European Economic Area (“EEA”) Supervisory Authorities (“SAs”) by the non-profit organisation NOYB. NOYB believes that many cookie banners, including those of ‘major’ companies, engage in “deceptive designs” and “dark patterns”.
Article 3(2) of the GDPR and the second criterion: Targeting criterion
Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). Our first post in this series examined the “Establishment” criterion. In this post, we will move into the second criterion, “Targeting”.
Two Types of Targeting Activities Relating to Data Subjects in the EU
Under this criterion, the GDPR applies to two distinct and alternative types of activities, provided that these processing activities relate to data subjects that are in the Union.
Article 3(2)(a): Offering Goods or Services to Data Subjects in the EU, Irrespective of Whether a Payment of the Data Subject is Required
There are two important issues in this respect:
- Article 3(2)(a) specifies that the targeting criterion concerning the offering of goods or services applies irrespective of whether payment is made in exchange for the goods or services provided.
- It has to be determined on a case-by-case basis whether the offer of goods or services is directed at persons in the Union.
The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the scope of the GDPR.
The European Data Protection Board (EDPB) has finally published its long-awaited final version of the guidelines 3/2018 on the territorial scope of the GDPR (article 3). Such a standard interpretation is essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity. It is, therefore, essential that controllers and processors, especially those offering goods and services at an international level, undertake a careful, concrete assessment of their processing activities in order to determine whether the related processing of personal data falls under the scope of the GDPR.
Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). We are presenting each of these criteria through two posts. Part 1 is detailed below, Part 2 will be detailed in a separate post shortly hereafter.
Updated Black List of Processing Operations Requiring DPIA
On July 8, 2019, the updated list of operations requiring a data protection impact assessment (DPIA) was published in the official gazette of the Republic of Poland. The “black list” was updated by the Polish data protection authority, after the European Data Protection Board (EDPB) raised its objections to the original draft published by the Polish regulator on August 17, 2018. According to the EDPB’s opinion 17/2018, the original “black list” could have led to inconsistent application of the requirement for a DPIA and, therefore, should be subject to modifications.
As a result of the EDPB opinion, the Polish supervisory authority has recently made changes to the Polish “black list” of processing operations requiring a DPIA: