On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”).
EDPB
EDPB clarifies territorial scope of the GDPR
On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside and outside the EU.
Dispute resolution mechanisms for SAs and individuals are key part of proposed EU regulation
This is Part 5 — the final part — of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part 3 we considered the competency of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB). In Part 4 we discussed the consistency mechanism applicable to supervisory authorities. In this Part we look at the application of sanctions by the lead SA across the EU, disagreements between SAs, complaints and litigation for affected data subjects, the application of foreign laws by the lead SA, and matters of language and culture.
Application of sanctions by lead SA across the EU
A Council debate note of 26 May 2014 flagged that at least one EU Member State had raised constitutional problems regarding the legal effect of applying measures decided by the lead SA in other EU Member States.
The Italian Presidency of the Council has addressed these concerns by clarifying that the lead SA would be competent in applying its supervisory powers, deciding on the case and directing the decision, on its own territory, to the main establishment of the controller or processor. It would then be for the data controller or data processor to implement the decision as regards all its establishments in the EU.
EU regulation proposal seeks to encourage consistency in data protection enforcement
This is Part 4 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it …
EU focuses on authority of SAs to enforce “One Stop Shop,” proposes a replacement for WP29
This is Part 3 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it…