The EU Commission’s proposal for a data governance regulation was published in November 2020 and completed its process, becoming a European law (EU Regulation 2022/868) with its publication in the Official Journal of the European Union on June 3, 2022. The figure below outlines the

The European Data Protection Board (EDPB) released Guidelines 04/2022 on the calculation of administrative fines under the GDPR, submitting them for public consultation until June 27, 2022. The General Regulation made significant changes in the area of administrative fines that Directive 95/46/EC, on the other

On May 25, 2022, the European Commission published a set of questions and answers on the two sets of standard contractual clauses: (1) one for the use between controllers and processors (Art. 28 GDPR) and (2) one for the transfer of personal data to countries

As part of the European data strategy, the EU Commission has released the first proposal for a European data space in a specific area, focusing on health data, in particular on electronic health data. These are the main objectives of this proposal: Enable more transparency,

Around May-June of each year the supervisory authorities release their annual report for their activities carried out in the previous year: this has already been done by the CNIL (press version), among others, and likewise by the EDPB, while the Italian Garante’s report is expected soon.

More and more, legislators, both supranational and national, are recognizing a right of access for individuals to information held by third parties that affects them in some way or that is functional to the exercise of their rights under the law. The GDPR is no

The several complaints lodged with national supervisory authorities, by international non-profits such as NoyB, La Quadrature du Net, Privacy International and others, are a practical example of the provisions of Article 80(1) of the GDPR, which allows data subjects to exercise their remedies recognized by

The data economy is based on “data sharing”, that is, the sharing of data with third parties. The EU strategy on the data economy, aimed at stimulating its development and eliminating the barriers that stand in its way, has promoted a series of legislative acts,

Let’s resume our analysis of the reform of the Italian “Do-not-call” Register (Registro Pubblico delle Opposizioni), completed with the publication in the Official Gazette of the implementing regulation (Presidential Decree no. 26/2022), replacing the previous Presidential Decree no. 178/2010. In the meantime, the Ministry of

The EDPB has released the Guidelines 02/2022 on the application of Article 60 of the GDPR, i.e., the procedural modalities of the cooperation mechanism, known as the “one-stop-shop.” The document, at first glance, would appear to be aimed primarily at supervisory authorities, but offers useful

The official gazette of March 29, 2022 (no. 74) – the editorial body that publishes with official value the regulations of the Italian Republic – has published the long-awaited regulation of the Italian “Do Not Call” Register (Registro Pubblico delle Opposizioni). The Italian Do-not-call Register

On the sidelines of the European and global level meetings held in Brussels, the joint press conference of the President of the United States and the President of the EU Commission on March 25, 2022, broke the news that an agreement “in principle” had been

The business of the American company – consisting in the web scraping of images of internet users, in the matching with metadata identifying the subjects and in the comparison with photos provided by the customers of the application in order to obtain their identification – has been

EU Data Strategy The proposal for an Artificial Intelligence Regulation is part of the broader EU data strategy that has already produced a large number of regulations aimed at creating a single European data market:    the Data Governance Act and the Data Act, which aim

The EDPB Guidelines 01/2022 on the “privacy” right of access contain indications that can be also applied generally with regard to the exercise of other GDPR rights. In this roundup, for example, we will discuss two aspects that are common to the exercise of any right under the regulation: the matter of

The European Commission has published the long-awaited proposal for a regulation on data law (“Data Act“). This is, after the Data Governance Act, the second most important regulatory measure crossing all sectors of the EU Data Strategy (see Bulletin of 22/7, 9/9, 11/11 and 23/12/2021).   EU Data Strategy

If it is true that data – and “personal” data in particular – are the lifeblood of the digital economy, it is equally true that their availability is essential for the performance of any type of activity, whether of a commercial or non-profit nature. Entering

A complex investigation into the GDPR compliance of the Transparent and Consent Framework platform of the IAB Europe federation, which brings together stakeholders in the field of behavioral advertising, has come to an end with a €250,000 sanctioning decision adopted by the Belgian authority. Measure of the

The European Data Protection Board has released Guidelines 01/2022 on the right of access subjecting them, as is customary, to public consultation; any comments should be sent by March 11, 2022. The guidelines contain an explanatory flow chart, which we will use to better describe

The disputes between the French supervisory authority and the Californian company are still going on for alleged violations of European regulations on the protection of personal data and privacy in electronic communications. On December 31, 2021, the CNIL fined for a total of 150 million

The Italian authority intervened once again regarding telemarketing activities that did not comply with the applicable regulations, imposing one of the largest fines of 26.5 million euros. The measure – which also regarded violations of a different nature – was issued at the end of

The case in which the Norwegian supervisory authority (Datatilsynet) sanctioned the American company Grindr LLC, supplying the mobile application Grindr, the world’s largest social networking app for the LGBTQ community, offers elements to be considered both from the point of view of the strategy for

If the employer has the right to check the worker’s performance, the latter does not lose confidentiality margins for the sole fact of working in the company.   European Court of Human Rights According to the European Court of Human Rights (ECtHR), the protection of

In the context of the implementation of advertising campaigns, in reference to the topic of the identification of subjective privacy roles, we’ll discuss the specific role assumed by the advertiser. The latter, hired by the client, implements the campaign using personal data in his exclusive

One of the main regulations in the EU data strategy is the proposed Data Governance Act. In the bulletin of November 11th, we described its general aspects; in this one, we will focus on its relative impacts on the discipline dictated by the GDPR, in

Data relating to criminal convictions and offenses receive heightened protection under the GDPR because of the sensitivity of the information they cover and the high impact they can have on the rights and freedoms of data subjects. According to the CJEU, this type of information

On March 9, 2021, the European Data Protection Board (EDPB), following the public consultation phase, adopted the final version (v.2.0) of Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications. Considering the wide context of reference, the topic

The European Union’s data strategy takes shape through an articulated complex of regulatory acts, some already enacted and others in the course of completing the legislative process among the European institutions.   EU Regulations for data sharing   Once the data protection regime has been

On April 13, 2021, the European Data Protection Board (EPDB) adopted the final version (v. 2.0) of the 8/2020 Guidelines on targeting of social media users following the conclusion of the public consultation phase.  Subsequently, on July 7, 2021, the same EDPB released a new

Let’s take a closer look at “lead generation”, that is, the preliminary step of advertising campaigns consisting of promotional solicitation aimed at collecting the names of customers who express their general interest in the particular product or service to be promoted.   Solicitations of leads

In the European strategy for data, an important step is the proposal for a regulation known as the Data Governance Act or DGA. It complements other initiatives that aim to achieve developmental conditions for the data economy while respecting the platform of safeguards and measures

In the event that an organization under the jurisdiction of a country outside the EU/EEA processes personal data that falls within the scope of the GDPR and does not have its own establishment in the EU, it must designate, in writing, a Representative established in

The expression “social engineering”, in the domain of information security, usually groups together all those cases of artifices and deceptions aimed at manipulating the human predisposition to trust. In fact, unlike to what might appear at first sight, the human being is inclined to have

Anticipated by the work of the High-Level Expert Group on AI (Ethics Guidelines for Trustworthy AI of April 2019 and Policy and Investment Recommendations for Trustworthy AI of June 2019) and the EU Commission’s own White Paper on AI (19/2/2020), the proposed Artificial Intelligence Act

On June 18, 2021, the European Committee released the updated version (v.2.0) of Recommendations 1/2020 on additional measures to be adopted in the event that those provided by Article 46 of the GDPR to legitimize data transfers to third countries, are not sufficient following the

The discipline of the use of the green pass, as indicated by the Legislative Decree 52/2021 and 127/2021 and as reiterated by the regulation 2021/953, inevitably involves the processing of personal data so, within these areas, you must make sure to comply with both disciplines.

The Covid pandemic has forced us to a difficult exercise of new balances between fundamental rights and freedoms, some synergistic – such as public and private health as well as protection of personal data – others where there was more evidence of a backward step

Often, even in the course of this Covid-19 pandemic, we have witnessed uncertainties on the part of the legislators of individual EU member states in identifying ways to intervene in issues and rights already governed by European law. Especially in the field of personal data

The appointment of the EU Representative is required if the company in question is subject to the law of a country which is not a member of the European Union and only under certain circumstances and conditions.   Summary     How to determine if

We resume our analysis of the European data strategy and the main purpose of promoting the development of a “data driven” economy of the union.  In the Alert of July 22nd, 2021, we highlighted the strategic value of “data” and examined the ranking of the

After two years since its approval on June 12, 2019 (see Editorial of 6/27/2019), on May 27, 2021, the “Code of Conduct prepared by the National Association between Business Information and Credit Management Companies (Ancic)” (“Code on commercial information”) came into force in Italy through

The Legal Information Service will be paused for the month of August and will recommence with the bulletin of September 2nd. We complete the analysis of the EU Commissione 2021/915 decision which adopts the standard clauses between data controllers and data processors, considering their structure

The European Commission, with the publication of the “European data strategy” document of 2020, launched the five-year strategic plan for the creation of the European Common Data Space and the Data-based digital economy. The plan starts from the observation that the two major “players” of

The Privacy Garante – following the public consultation completed in 2020 – has released the new guidelines on cookies that update those of 2014 following the changes made by the GDPR. Although they come out in the middle of the negotiation of the trilogue between

Let’s go back to examining the new standard clauses adopted by the EU Commission aimed at legitimizing the transfer of personal data to third countries (see Alert of 10/6/2021). The transfer of personal data to a third country (i.e. neither belonging to the EU nor

The sentence of 29 March 2021 of the Italian Council of State (in Italian) – which concluded the first group of the charges made by the Antitrust (“AGCM”) to Facebook for the unfair commercial practices carried out in relation to the use of the personal

There is an aphorism in the world of information security that says “do not ask yourself if you will ever have a data breach, but rather when it will be your turn”. In the domain of personal data protection, data security is a principle of

The first round of the Italian antitrust (“AGCM”) litigation case against Facebook, started on 6 April 2018 to challenge alleged unfair commercial practices implemented by the social provider in the use of personal data of its users / consumers, has come to a conclusion. The

The second round in the confrontation between the AGCM and Facebook also came to an end with the imposition of a new overall fine of € 7 million against Facebook Ireland Ltd. and Facebook Inc. jointly and severally. The story shows how the current business

The EU Commission’s proposal for the new ePrivacy regulation did not explicitly refer to the circumstances that practice has identified with the terms “cookie banner”, “cookie barrier” and “cookie wall”.  The version of Parliament approved by the LIBE commission provides for the prohibition of “cookie

Individual advertising or “direct” promotion, in a broad sense, is that promotional operations that address the advertising message directly to the potential customer (therefore also called “direct marketing”); this aspect distinguishes it from general advertising which, on the other hand, is aimed at a general

Within a few days, answers were given, albeit not definitive, to the stringent expectations that followed the decision of the CJEU on the Schrems II case.  The decision of the Court, as is known, invalidated the Privacy Shield agreement and considered the standard or “SCC”

The EU Cyber Security Agency (ENISA) has published the 2019-2020 threat scenario. This is the eighth edition but also the first since the entry into force of the Cybersecurity Act which strengthened the role and competences of the agency by giving it a permanent mandate.

Following a major security incident that caused the breach of sensitive personal data of over 400,000 individuals (passengers), the British Information Commissioner (“ICO”) the 08/07/2019 communicated to the airline the intention to sanction it for the significant sum of 183.39 million pounds (€ 204M) for

After an initial postponement in February 2020, on 26th of August the Brazilian Senate approved the entry into force of the Brazilian law on the protection of personal data “Lei Geral de Proteção de Dados Pessoais” (LGPD) with effect from 15 August 2020, ie two

Learning from previous cases The provisions of the national supervisory authorities, together with the guidelines and opinions of the EDPB, if read in watermark allow us to obtain important information on how to operate in organizations in order to respond adequately to the principle of

On 16 July 2020, the Court of Justice of the European Union issued the expected decision on the preliminary ruling in the case known as Schrems II (C-311/18) which deemed the Privacy Shield instrument invalid, with immediate effect and clarified some aspects regarding the scope

Last week’s Alert pointed out hacker opportunism taking advantage of emergencies, as recorded in these Coronavirus times. There are many profiles of increased vulnerability in this situation: work outside the corporate context, where the level of protection – physical and logical – is certainly higher