New Guidance on the Territorial Scope of the GDPR

We previously posted about the territorial scope of the EU’s General Data Protection Regulation (“GDPR”). Last month, the European Data Protection Board issued draft Guidelines to help companies outside of the EU determine whether the GDPR applies to them. Here are some key provisions: Establishment in the EU Under Article 3(1), controllers and processors established… Continue reading New Guidance on the Territorial Scope of the GDPR

GDPR Non-Compliance: Enforcement and Penalties

The GDPR sets out a new investigation and enforcement scheme for supervisory authorities that contains both enumerated and discretionary powers. Supervisory authorities will now possess broad investigative and enforcement powers, including the ability to issue penalties to data controllers and processors for non-compliance. Depending on the type of violation, these penalties can be severe. The… Continue reading GDPR Non-Compliance: Enforcement and Penalties

72-Hour Breach Notification Rule

One of the most talked-about provisions in the GDPR is a new 72-hour breach notification requirement. Article 33 of the GPDR mandates that “in the case of a personal data breach, data controllers shall without undue delay” notify the supervisory authority “not later than 72 hours after having become aware of” the breach. The Article… Continue reading 72-Hour Breach Notification Rule

GDPR and the Privacy Shield

As we previously discussed, the GDPR sets forth new regulations governing the cross-border transfer of personal data. For U.S. companies that might fall within the GDPR’s scope, one particular concern regarding cross border data transfers is how the GDPR affects the applicability and enforcement of the EU–U.S. Data Privacy Shield, which is the current mechanism… Continue reading GDPR and the Privacy Shield

Cross-Border Transfers under the GDPR

The GDPR generally prohibits data transfers to non-EU countries unless the data can expect an “adequate level of protection” abroad. The GDPR provides various mechanisms for permitting data transfers and establishes a clear hierarchy among those mechanisms. The first is whether there is an adequate level of protection in place. If there is no adequate… Continue reading Cross-Border Transfers under the GDPR

The GDPR and Special Category Data

The GDPR articulates certain principles governing the processing of personal data, which is broadly defined to include any information that can be used to directly or indirectly identify a particular person. Beyond these general provisions however, the GDPR, like its predecessor the Data Protection Directive, enumerates certain restrictions and requirements for the processing of certain… Continue reading The GDPR and Special Category Data