On Friday, the European Commission published its draft decisions in respect of the UK’s adequacy for transfers of data from the EU to the UK under both the GDPR and the Law Enforcement Directive. This is the first major step on the path to the UK achieving “adequacy” with 2 further steps to be carried out before the adequacy decision is finalised – these are: to obtain a “non-binding opinion” from the European Data Protection followed by formal approval from the EU member states.
As part of the Brexit negotiations the UK and EU agreed an “interim period”, which was a period of 4 months ending on 30th April but with an option to extend until 30th June 2021. During this interim period EU organisations can continue to send personal data to organisations in the UK without a formal adequacy decision from the EU. If no adequacy decision has been reached before the end of the interim period then additional measures will need to be taken by EU organisations to permit them to continue sending personal to the UK.
We are already nearly half way through the initial 4 month interim period, so completion of this first step is very good news. The UK government has issued a press release welcoming the drafts but urging the EU to “fulfil its declared commitment to complete the technical approval process quickly”. There is no mandated timetable for the completion of the process, but we certainly hope that there is enough benefit to both sides to make this a high priority for all.
The Information Commissioner’s Office (“ICO”) has made a provisional decision to fine a software provider more than £6 million. If the provisional decision is confirmed, it would mark the first case where the ICO impose a monetary penalty notice on a processor under the UK General Data Protection…
Data breaches: Is personal data held in your systems secure?
In these working from home days, where weekdays seem to blend into weekends which melt into weekdays again, most of us don’t have the luxury of offices at home. Space is at a premium. Desks or dining room tables are shared. Papers are strewn across the floor. We…
The Court of Appeal has held that an individual can claim for compensation under section 13 of the Data Protection Act 1998 where a breach of the DPA results in a “loss or diminution of a right to control” their personal data. A claim of compensation would not require the…