Technical and Organisational Measures

Data protection regulation refers numerous times to ‘technical and organisational measures’. These are the measures an organisation takes to protect personal data, and in all cases they should take into account the state of the art, the cost of implementation, and the scope, nature and purposes of the processing. In other words, an organisation should […]

Contractual Clauses

A contract with a data processor is essential in order to remain compliant with the regulation, and there are specific requirements for any such contract, including clauses which must be present for it to be compliant. These are summarised as: the processor should only process personal data on documented instruction from the data […]

Contract Addendum

A contract with a data processor is essential in order to remain compliant with the regulation; however, you may have entered into a contract prior to the commencement of the new rules. In these circumstances it is recommended that a contract addendum is agreed between all parties, to retrospectively add the required contractual obligations to […]

Transferring Data to a Data Processor

Transferring personal data to a data processor requires an element of due diligence to have taken place. In particular, all processing by a data processor must be governed by a contract which stipulates a number of specified clauses. These clauses ensure a legal obligation exists to protect the data subject’s data and their rights and […]

US Privacy Shield

Performing an international data transfer requires either the receiving country to be deemed adequate or appropriate safeguards to be in place. In general, the EU does not list the US as one of the countries that meet this requirement, and therefore a data transfer to the US requires further safeguards. The Privacy Shield (since invalidated by the Court of Justice of the EU in Schrems II, Case C-311/18, on 16 July 2020, and superseded by the EU-US Data Privacy Framework adequacy decision of July 2023) is a certification for US companies which the […]

Derogations

Performing an international data transfer requires either the receiving country to be deemed adequate or appropriate safeguards to be in place. When neither of these exists, an organisation needs to look at possible derogations or halt the data transfer. A derogation is an exception specified within the regulation for transferring data internationally without […]

Legally Binding Instruments

Performing an international data transfer requires either the receiving country to be deemed adequate or appropriate safeguards to be in place. One such safeguard is a legally binding instrument between public authorities or bodies; this safeguard applies only to data transfers between public authorities or bodies, not to transfers involving private organisations. […]

Certifications

Certification mechanisms will enable organisations to demonstrate compliance to other organisations through the use of data protection seals or marks. They might also demonstrate the existence of appropriate safeguards for practices required under data protection regulation, such as international data transfers. Certification mechanisms must remain voluntary and, by their nature, will be a measure based […]

Codes of Conduct

Codes of conduct are often used by industry bodies to standardise a procedure and build controls into it. A code of conduct for data protection purposes must include safeguards which protect the rights of the data subject, and it must be approved by the supervisory authority. Codes of Conduct for International Data Transfer […]

Standard Data Protection Clauses

Performing an international data transfer requires either the receiving country to be deemed adequate or appropriate safeguards to be in place. One such safeguard is standard data protection clauses for an international data transfer. Standard data protection clauses are a set of clauses which can be added to contracts between the transferring parties, and which provide […]