GDPR : International Data Transfers

GDPR : International Data Transfers

Under the General Data Protection Regulation (GDPR), personal data transfer outside of the EEA (i.e. EU and Norway, Lichtenstein and Iceland) or to international organisations are allowed only if one of the following conditions is met:

the third country is recognised as providing an adequate level of protection via an adequacy decision adopted by the European Commission;

adequate safeguards are implemented (e.g. EU Standard Contractual Clauses, BCR, approved certification or code of conduct.);

a derogation provided for in article 49 is applicable (e.g. express consent, vital interest etc.).

Google Analytics – GDPR : The EDPS & Austrian DPA Consider Data Transfers to Google LLC (US) Illegal

Google Analytics – GDPR : The EDPS & Austrian DPA Consider Data Transfers to  Google LLC (US) Illegal

The European Data Protection Supervisor (“EDPS”) and the Austrian Data Protection Authority have both recently issued a decision ruling that the transfers of personal data to Google LLC (US) entailed by the use of Google Analytics tool on the European Parliament and by a company located in Austria (the “website operator”) websites, were not GDPR compliant.

Cookies – FR : The CNIL Imposes Fines of € 60 Million and € 150 Million on Facebook and Google for Non-Compliant Cookies Refusal Mechanism

Cookies – FR : The CNIL Imposes Fines of € 60 Million and € 150 Million on Facebook and Google for Non-Compliant Cookies Refusal Mechanism

On 30 and 31 December 2021, the CNIL sanctionned :

FACEBOOK IRELAND LIMITED with a  € 60 million fine ; and

GOOGLE with a fine totalling €150 million  (€ 90 million for GOOGLE LLC and € 60 million for GOOGLE IRELAND LIMITED)

because they did not allow users of the social network facebook.com and the websites google.fr and youtube.com residing in France to refuse cookies as easily as to accept them.

CJEU: Displaying an advertisement in the guise of an e-mail without users’ consent is an unfair commercial practice

CJEU: Displaying an advertisement in the guise of an e-mail without users’ consent is an unfair commercial practice

By a decision of November 25, 2021, the Court of Justice of the European Union (CJEU) ruled that the practice of displaying an advertisement under the appearance of an e-mail in the users’ e-mail box is subject to the prior information and consent of the users (as required under directive 2002/58/EC), without which it also constitutes an unfair commercial practice insofar as this practice corresponds to the notion of “repeated and unwanted solicitations” within the meaning of the Directive 2005/29/EC (“Unfair Commercial Practices Directive”) .