Under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law remains unchanged under the draft Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher, particularly in relation to consent.
Stringent and uncertain … Continue Reading
Pseudonymisation enters the stage
Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. In exchange for the lower level of privacy intrusion, the applicable requirements … Continue Reading
On 24 March, the French data protection authority (Commission Nationale de l’Informatique et Libertés – the “CNIL”) announced that it will soon make easier the practical implementation of intra-group transfers of data from French entities to entities located outside the European Union where groups of companies have adopted Binding Corporate Rules (BCRs). BCRs are becoming increasingly popular among multinationals … Continue Reading
