General Data Protection Regulation (GDPR)

“The EU’s much-vaunted data-protection legislation doesn’t cover how data can be used ‘to draw conclusions about me or to undermine democracy,’” said European Union Commissioner Margrethe Vestager in a speech in Copenhagen on Sept. 13.

“When a few companies control a lot of data about us, that can also help them influence the choices we

GDPR does not prohibit a company from disclosing to one company shareholder information identifying other shareholders in the same company, says the Higher Regional Court of Munich.

The legal basis under GDPR is that the disclosure is necessary for the performance of the contractual relationship established by the articles of association.

“For the exercise of

Asking to read an electronic ID card as a condition for the provision of a service (issuing a rewards/loyalty card) is disproportionate and in violation of GDPR, says the Belgian data protection authority. The company was fined €10,000.

Key takeaways also relevant to authentication/collection under GDPR and CCPA:
  • Information you collect to identify an individual

Do I have to disclose documents with confidential internal correspondence, and comments from my staff as part of a GDPR data subject access request? The Court of The Hague says “Yes, you do.”

  • The right of access is not automatically blocked in advance because the relevant documents may contain confidential (internal) correspondence, including personal thoughts

Who is responsible for putting a GDPR Article 28 Data Processing Agreement in place?

Dutch Data Protection Authority, Autoriteit Persoonsgegevens, says: BOTH the data controller and the data processor.

  • As a controller, you are in violation if you cooperate with a processor but have not made any written agreements on this. In that case, you cannot

If you condition participation in a sweepstakes on receiving advertising on a particular topic from the provider of the sweepstakes or from other third parties — this is still valid consent under GDPR, says the Higher Regional Court of Frankfurt, Germany.

Key takeaways:
  • Requiring consent to marketing as a condition to participation in a sweepstakes

Ireland’s privacy regulator is weighing potential probes into how some online companies handle children’s data.

The Irish privacy office is “scoping” children’s privacy enforcement actions

“There will absolutely have to be changes and will be changes in terms of how” online companies handle children’s data… It’s a “big area of importance” for the commission –

A German investigation into Facebook Inc. shows that multinational companies could face probes from multiple data-protection regulators in Europe over the same missteps.

If you are a non-EU entity subject to GDPR, or are part of a group of companies, the GDPR one-stop-shop mechanism may not help you.

Thinking through the role