Following the limited relaxation of lockdown restrictions by the UK Government and the likely return to the workplace of at least some employees, the UK Information Commissioner’s Office (ICO) has published some helpful guidance for employers on the data protection issues raised by workplace testing for coronavirus.

The guidance notes that, although data protection law does not stop employers taking measures that are required to protect their staff and the public during the coronavirus pandemic, personal data must be handled carefully.
Continue Reading UK Information Commissioner Issues New Guidance for Employers on Workplace Testing for Coronavirus

The European Data Protection Board (EDPB) has updated its Guidelines on GDPR consent to clarify that making access to a website conditional on accepting cookies – so-called “cookie walls” – does not constitute valid consent and that scrolling or swiping through a webpage cannot constitute consent either, under any circumstances.

Updated Guidelines

“Guidelines on consent under Regulation 2016/679” were first published in November 2017 by the EDPB’s predecessor, the Article 29 Working Party, and formally adopted in April 2018. The EDPB has now produced a slightly updated version of those Guidelines which, apart from two important clarifications, essentially remain the same. The clarifications appear in the sections of the Guidelines on “Conditionality” and “Unambiguous indication of wishes” and concern, respectively, the validity of consent provided by individuals when interacting with “cookie walls” and the question of scrolling or swiping through a webpage or similar user activity to indicate consent.
Continue Reading European Data Protection Board Updates Guidelines on GDPR Consent

The COVID-19 pandemic has forced organizations to reconsider their working arrangements and how employees interact with both internal and external clients and stakeholders. In the pursuit of maintaining a “business as usual” approach, many UK employers have questioned whether they can continue to effectively monitor their non-furloughed employees’ performance when all but those in essential roles are working remotely.

Continue Reading Employee Monitoring During the COVID-19 Lockdown GDPR Considerations Revisited

The rapid spread of the coronavirus is causing alarm around the world.  This almost unprecedented global event is leading to various unforeseen consequences, including the collection, use and sharing of personal data of affected individuals – and, in some cases, persons connected to them – in ways not envisaged only a few weeks ago.  The processing of personal data of this nature can potentially have serious, albeit sometimes unintended, consequences.
Continue Reading Thoughts on the Use of Personal Data in the Fight Against Coronavirus

On 8 January 2018, the Information Commissioner launched a public consultation on a Direct Marketing Code of Practice, which she is required by Section 122 of the Data Protection Act 2018 to produce in order to provide practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Accordingly, like the existing ICO Direct Marketing Guidance, which it will supersede, the proposed code sets out the law and provides examples and good practice recommendations. To a significant extent, the draft code replicates the current guidance, which was updated in 2018 to reference the General Data Protection Regulation (GDPR). When finalized, the Commissioner must take the code into account when considering whether those engaged in personal data processing for “direct marketing purposes” have complied with the GDPR and PECR. The key aspects of the draft code are summarized below, including new guidance on in-app advertising and direct marketing on social media platforms.
Continue Reading UK’s ICO Publishes Draft Direct Marketing Code of Practice

The Opinion of Advocate-General (AG) Henrik Saugmandsgaard Øe in the “Schrems II” case (C-311-18) was delivered on 19 December and will likely leave organisations that currently rely on EC Commission-approved standard contractual clauses to ensure adequate protection for personal data that they transfer internationally heaving a collective sigh of relief, at least for the moment.
Continue Reading Schrems II and Standard Contractual Clauses – the Advocate-General’s Opinion

The UK Information Commissioner recently published a consultation paper inviting views on the ICO’s proposal that it should be granted investigation and asset recovery powers under the Proceeds of Crime Act 2002 (“POCA”).

The powers the Information Commissioner is seeking at this time are:

  • To apply to the court for Restraint Orders (under Part 2 of POCA);
  • To apply to the court for Confiscation Orders (under Part 2 of POCA);
  • Cash seizure, detention and forfeiture from premises (under Part 5, Chapter 3 of POCA);
  • Asset seizure and forfeiture from premises (under Part 5, Chapter 3A of POCA);
  • To undertake investigations (including search and seizure warrants) to support the proceedings sought above (under Part 8 of POCA); and
  • Access to information relevant to the investigation of money laundering offences.

The ICO is also seeking relevant authorisation powers that will enable it to exercise the powers referred to above.
Continue Reading UK Information Commissioner’s Office Seeks Further Criminal Powers

The Information Commissioner’s Office has published GDPR: One Year On, describing its experiences and giving insights into the impact of the GDPR since 25 May 2018. The document reaffirms the ICO’s risk-based approach to enforcement, focussing on GDPR breaches involving highly sensitive information, large groups of individuals and vulnerable individuals. A key message, however, is that there is “still a long way to go to truly embed the GDPR and to fully understand the impact of the new legislation.”
Continue Reading GDPR: One Year On

This article by partner Rohan Massey and associate Edward Machin was published by Law360 on February 25, 2019.

2018 was the year that data protection went mainstream. Having once been a topic that most folks treated with a combination of ignorance and inconvenience — “I have to read another privacy policy?” — by the year’s end the concept of privacy had firmly entered the public consciousness. Widely viewed congressional hearings on the misuse of personal data, a series of high-profile security breaches at Fortune 500 companies and an episode of “60 Minutes” dedicated to how a European law is influencing U.S. legislators all helped privacy and data security rise to the top of the public, corporate and legislative agendas.
Continue Reading Five UK Privacy and Data Protection Predictions for 2019