EU Archives - Discerning Data

CJEU Rules on Dismissal of DPOs and Conflict of Interest

In a recent judgment, the Court of Justice of the European Union (the CJEU) has confirmed that Data Protection Officers (DPOs) can maintain other tasks and duties within their role, provided they do not result in a conflict of interest. The CJEU also held that the GDPR allows for EU member states to legislate to give greater protection to DPOs against dismissal than those set out in the GDPR.

Background to Ruling

In October 2020, the Federal Labour Court of Germany, Bundesarbeitsgericht, requested a preliminary ruling from the CJEU relating to proceedings between X-FAB Dresden GmbH & Co. KG (X-FAB) and its former DPO (“FC”) to clarify under what circumstances an organisation may be allowed to lawfully dismiss its appointed DPO. FC had been DPO for X-FAB and several related companies within its group and had held the role of chair of the works council and vice-chair of the central works council for a few group companies, alongside the DPO position for those companies. FC had been dismissed by X-FAB in December 2017 at the request of the state officer for data protection and freedom of information of Thüringen, Germany. Subsequently, on the coming into force of the GDPR in May 2018, X-FAB had repeated this dismissal as a precautionary measure. FC sought a declaration by the German courts that he retain the DPO position. X-Fab argued FC’s dismissal was justified, stating “a risk of a conflict of interests” in performing both functions, i.e., as both DPO and chair/vice-chair of the works council, on the grounds of incompatibility between the roles. The courts at both first instance and appeal upheld FC’s claim.

Continue reading “CJEU Rules on Dismissal of DPOs and Conflict of Interest”

AI Regulation in the U.K. — New Government Approach

On July 18, 2022, the U.K. Government published a paper on its proposals for AI regulation “Establishing a pro-innovation approach to regulating AI” (the AI Paper). This was published alongside the Government’s AI Action Plan, the first update provided since the Government published its National AI Strategy in September 2021.

The AI Paper provides for an alternative approach to AI regulation in the U.K. when compared with the recently proposed draft legislation for AI regulation in the EU (the EU AI Act). The U.K. Government favours a more decentralised and less regimented approach: guidance, rather than legislation; sector-based, rather than cross-sector application; regulated at sector level, rather than centrally; and with a looser definition of what constitutes AI for the purposes of regulatory application. This is intended to make the U.K. an attractive environment for AI innovation, with more flexible and pragmatic regulation, although AI businesses operating in multiple sectors will potentially need to review and comply with more than one set of principles and address conflicts between them.

Continue reading “AI Regulation in the U.K. — New Government Approach”

European Union Adopts Adequacy Decision For Safe Data Flows With Japan

On January 23, 2019, the European Commission announced its decision to adopt adequacy status with Japan for transfers of personal data. Pursuant to the European Union’s (EU) General Data Protection Regulation (GDPR), this decision will allow personal data to flow freely between the 28 EU countries, three additional European Economic Area member countries (Norway, Liechtenstein, and Iceland), and Japan, without the need for additional data protection safeguards or derogations. Japan adopted an equivalent decision with the EU on January 22, 2019. These reciprocal findings of adequacy will create the largest area of safe data flows in the world.

Continue reading “European Union Adopts Adequacy Decision For Safe Data Flows With Japan”

EU-US Privacy Shield Second Review: Improvements Shown, but More to be Done

The EU Commission published its second annual review of the functioning of the EU-US Privacy Shield, which focused on the commercial issues, human resources and data automated individual decision-making and developments in the U.S. legal framework. This report follows the same general structure as the report on the first annual EU-US Privacy Shield review that we reported on last year.

Continue reading “EU-US Privacy Shield Second Review: Improvements Shown, but More to be Done”

Recap of Our General Data Protection Regulation Webinar Series

In preparation for the General Data Protection Regulation (GDPR), set to take effect in the EU on May 25, 2018, we have hosted a series of webinars to help attendees navigate the changing data protection landscape. The GDPR is the EU’s most important change in data privacy regulation in 20 years, replacing the 1995 Data Protection Directive, and will affect any company that processes data pertaining to individuals in the EU. Please find more information on the presentations below:

Overview of Preparing for the General Data Protection Regulation (GDPR): A high-level plan for preparing for GDPR implementation.
Conducting a Data Inventory and Mapping: The process of conducting a data inventory and mapping.
Establishing a Data Protection Officer: The requirements and considerations concerning the appointment of a Data Protection Officer.
Conducting Data Protection Impact Assessments: The requirements and considerations for conducting a data protection impact assessment.
Determining Your Lead Data Protection Authority: Determining a lead data protection authority and options for companies whose existing structures do not allow them to take advantage of this mechanism.
Right to Data Portability: Determining the scope of the new data subject right to data portability, when it applies and what it means in practice.
Legal Bases for Processing: The provisions of legal bases for the processing of personal data.
Transparency: The provisions of the GDPR transparency requirement and its effects on data subject rights.
Automated Processing and Profiling: Understanding the automated processing and profiling rights of data subjects under the new GDPR.
Data Breach Notification: Circumstances in which notification is required and how to implement effective incident response plans.
International Data Transfers: The key requirements for international data transfers, including actual and potential changes to existing transfer mechanisms.

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Category: EU

CJEU Rules on Dismissal of DPOs and Conflict of Interest

Background to Ruling

AI Regulation in the U.K. — New Government Approach

EU-US Privacy Shield Second Review: Improvements Shown, but More to be Done