Included in this issue: AG GDPR City Series November 2019; European Commission reviewing standard contractual clauses to make them more "fit for purpose"; New guidance on key GDPR concepts issued by the EDPB and more...

European Commission reviewing standard contractual clauses to make them more "fit for purpose"

A European Commission official has confirmed that a study has been commissioned by the EU executive to analyse how companies are using 'standard contractual clauses'.

Following the review, new EU-approved model contracts for the transfer of person data may be published.

Businesses are keen to see model clauses that are 'fit for purpose' under the GDPR, as well as commission-approved clauses that allow transfers between EU-based processors and processors outside the bloc.

New guidance on key GDPR concepts issued by the EDPB

The European Data Protection Board (EDPB) has published new guidance for EU institutions and bodies on the concepts of controllers and processors to help compliance with GDPR.

The guidelines provide explanation and practical advice on controllers and processors, as well as case studies on controller-processor, separate controllership and joint controllership.

The EDPB has also adopted the final version of guidelines 3/2018 on the territorial scope of GDPR. These guidelines aid EEA data protection authorities with their assessment of whether a processing operation by a controller or a processor falls within the territorial scope of the new data protection regime. 

California’s landmark privacy act brings U.S. closer to GDPR

The Californian legislative branch has recently finalised and passed the California Privacy Rights and Enforcement Act of 2020 (CPREA), a landmark data privacy law which introduces some GDPR concepts to the US.

The CPREA is designed to enhance and strengthen existing privacy and consumer protection laws in California and in particular requires that businesses should be held accountable for data security breaches and should be obligated to inform individuals when sensitive information has been compromised.

The new laws will take effect in January 2020.

Latest updates from the ICO

The ICO has published new guidance about how organisations should approach processing special category data due to it being the most sensitive data a controller can process.

Ahead of the General Election, the Information Commissioner has reminded political parties that they must comply with the law in relation to the use of data in political campaigning.

Facebook and the ICO have reached an agreement in respect of a disputed fine issued by the ICO following an investigation into the misuse of personal data in political campaigns. Facebook has agreed to pay the £500,000 fine but has not admitted liability.