Data Protection Bulletins

A. I. between expectations and doubts – second part

Anticipated by the work of the High-Level Expert Group on AI (Ethics Guidelines for Trustworthy AI of April 2019 and Policy and Investment Recommendations for Trustworthy AI of June 2019) and the EU Commission’s own White Paper on AI (19/2/2020), the proposed Artificial Intelligence Act

Read more »

Additional measures in personal data transfers

On June 18, 2021, the European Committee released the updated version (v.2.0) of Recommendations 1/2020 on additional measures to be adopted in the event that those provided by Article 46 of the GDPR to legitimize data transfers to third countries, are not sufficient following the

Read more »

Green Pass, green Privacy

The Covid pandemic has forced us to a difficult exercise of new balances between fundamental rights and freedoms, some synergistic – such as public and private health as well as protection of personal data – others where there was more evidence of a backward step

Read more »

Relationship between domestic and European law

Often, even in the course of this Covid-19 pandemic, we have witnessed uncertainties on the part of the legislators of individual EU member states in identifying ways to intervene in issues and rights already governed by European law. Especially in the field of personal data

Read more »

EU Representative

The appointment of the EU Representative is required if the company in question is subject to the law of a country which is not a member of the European Union and only under certain circumstances and conditions. Summary: How to determine if

Read more »

EU Data Strategy – 2

We resume our analysis of the European data strategy and the main purpose of promoting the development of a “data driven” economy of the Union. In the Alert of July 22nd, 2021, we highlighted the strategic value of “data” and examined the ranking of the

Read more »

Code of Conduct on commercial information

After two years since its approval on June 12, 2019 (see Editorial of 6/27/2019), on May 27, 2021, the “Code of Conduct prepared by the National Association between Business Information and Credit Management Companies (Ancic)” (“Code on commercial information”) came into force in Italy through

Read more »

Standard clauses between controllers and processors – 2

The Legal Information Service will be paused for the month of August and will recommence with the bulletin of September 2nd. We complete the analysis of the EU Commission 2021/915 decision which adopts the standard clauses between data controllers and data processors, considering their structure

Read more »

EU data strategy – 1

The European Commission, with the publication of the “European data strategy” document of 2020, launched the five-year strategic plan for the creation of the European Common Data Space and the Data-based digital economy. The plan starts from the observation that the two major “players” of

Read more »

Cookies: new guidelines of the Italian Garante

The Privacy Garante – following the public consultation completed in 2020 – has released the new guidelines on cookies that update those of 2014 following the changes made by the GDPR. Although they come out in the middle of the negotiation of the trilogue between

Read more »

The EU Commission has adopted the new SCCs – 2

Let’s go back to examining the new standard clauses adopted by the EU Commission aimed at legitimizing the transfer of personal data to third countries (see Alert of 10/6/2021). The transfer of personal data to a third country (i.e. neither belonging to the EU nor

Read more »

Data breach: notification forms

There is an aphorism in the world of information security that says “do not ask yourself if you will ever have a data breach, but rather when it will be your turn”. In the domain of personal data protection, data security is a principle of

Read more »

Italian Antitrust against Facebook

The second round in the confrontation between the AGCM and Facebook also came to an end with the imposition of a new overall fine of € 7 million against Facebook Ireland Ltd. and Facebook Inc. jointly and severally. The story shows how the current business

Read more »

Cookie “banner”, “barrier” and “wall”

The EU Commission’s proposal for the new ePrivacy regulation did not explicitly refer to the circumstances that practice has identified with the terms “cookie banner”, “cookie barrier” and “cookie wall”. The version of Parliament approved by the LIBE commission provides for the prohibition of “cookie

Read more »

Advertising and Data Protection

Individual advertising or “direct” promotion, in a broad sense, consists of those promotional operations that address the advertising message directly to the potential customer (therefore also called “direct marketing”); this aspect distinguishes it from general advertising which, on the other hand, is aimed at a general

Read more »

International data flows: the new SCCs

Within a few days, answers were given, albeit not definitive, to the stringent expectations that followed the decision of the CJEU on the Schrems II case. The decision of the Court, as is known, invalidated the Privacy Shield agreement and considered the standard or “SCC”

Read more »

ENISA Threat scenario

The EU Cyber Security Agency (ENISA) has published the 2019-2020 threat scenario. This is the eighth edition but also the first since the entry into force of the Cybersecurity Act which strengthened the role and competences of the agency by giving it a permanent mandate.

Read more »

ICO reduces the fine on British Airways

Following a major security incident that caused the breach of sensitive personal data of over 400,000 individuals (passengers), the British Information Commissioner (“ICO”) on 08/07/2019 communicated to the airline the intention to sanction it for the significant sum of 183.39 million pounds (€ 204M) for

Read more »

Brazilian privacy law

After an initial postponement in February 2020, on 26th of August the Brazilian Senate approved the entry into force of the Brazilian law on the protection of personal data “Lei Geral de Proteção de Dados Pessoais” (LGPD) with effect from 15 August 2020, i.e. two

Read more »

Data Subject Requests

Learning from previous cases. The provisions of the national supervisory authorities, together with the guidelines and opinions of the EDPB, if read between the lines, allow us to obtain important information on how to operate in organizations in order to respond adequately to the principle of

Read more »

Schrems II

On 16 July 2020, the Court of Justice of the European Union issued the expected decision on the preliminary ruling in the case known as Schrems II (C-311/18) which deemed the Privacy Shield instrument invalid, with immediate effect and clarified some aspects regarding the scope

Read more »

The 6 rules for personal data breach

Last week’s Alert pointed out hacker opportunism taking advantage of emergencies, as recorded in these Coronavirus times. There are many profiles of increased vulnerability in this situation: work outside the corporate context, where the level of protection – physical and logical – is certainly higher

Read more »