Cookies and other Trackers: How to Comply

Following the fines amounting to hundreds of millions imposed on Amazon, Google and Facebook by the CNIL and other authorities in relation to their use of cookies, this article reviews the CNIL’s practical recommendations in this area to help organisations understand the requirements in France and, to some degree, in the rest of the European Union.

The CNIL notes in its recommendations that they constitute only examples, which are neither prescriptive nor exhaustive, and that although they focus on web and mobile environments, they can also be applied to other environments (connected TV, etc.).

GDPR: International Data Transfers

Under the General Data Protection Regulation (GDPR), transfers of personal data outside the EEA (i.e. the EU plus Norway, Liechtenstein and Iceland) or to international organisations are allowed only if one of the following conditions is met:

the third country is recognised as providing an adequate level of protection via an adequacy decision adopted by the European Commission;

adequate safeguards are implemented (e.g. EU Standard Contractual Clauses, BCR, approved certification or code of conduct);

a derogation provided for in Article 49 is applicable (e.g. express consent, vital interest, etc.).

One-Stop-Shop under the GDPR: how does that work?

Under the General Data Protection Regulation (GDPR), organisations that carry out "cross-border data processing" must appoint a Lead Data Protection Authority. This appointed Supervisory Authority will act as their main point of contact.

Although initially introduced to lower the administrative burden on organisations, which previously had to deal with each Member State’s authority, the one-stop-shop provisions were the main point of disagreement during the negotiation of the GDPR and, as a result, have become complex.

Indeed, these provisions apply only to cross-border processing activities and not to the whole of the organisation’s processing activities. Besides, if the organisation’s main establishment for these processing activities is outside the EU, the organisation will not benefit from these provisions. It also entails the formal appointment of the Lead Authority where necessary.