Included in this edition of data & privacy news: Join our Data Download Webinar on Tuesday 1 December; the EC has published new SCCs; ICO issues Ticketmaster UK Limited with £1.25 million GDPR fine and more...
Data Download Webinar on International Data Transfers Post Schrems II: New Rules, New Challenges & Brexit implications
Join our Data Management team on Tuesday 1 December at Midday as they discuss the new EU data transfer regime – draft EDPB recommendations and Standard Contractual Clauses (SCCs). Sign up here. For an overview of these recent developments, see our client briefing "International Data Transfers: The EU Responds to Schrems II" here.
European Commission publishes new Standard Contractual Clauses (SCCs)
The European Commission (EC) has published new SCCs designed to be used by a controller or a processor in order to provide appropriate safeguards for the transfer of personal data to a processor or a controller established in a third country.
The SCCs can also be used in the transfer of personal data by a controller or processor outside the EU where the processing falls within the extra-territorial effect of the GDPR, as well as for the transfer of personal data by a processor to a sub-processor.
The EC is seeking feedback on the new SCCs until 10 December 2020 (midnight Brussels time).
ICO releases statement on recommendations adopted by EDPB following Schrems II case
The ICO has released an updated statement addressing the two recommendations (supplementary measures in the context of international safeguards and the European Essential Guarantees for surveillance measures) published by the European Data Protection Board (EDPB) following the Schrems II case.
The ICO has stated that it is currently reviewing the recommendations and will consider whether it needs to publish its own guidance in the future.
In addition, the ICO is reviewing the European Commission's new SCCs, currently under consultation.
Organisations have been advised to take stock of their international transfers, updating their practices as more guidance becomes available.
ICO issues Ticketmaster UK Limited with £1.25 million GDPR fine
The ICO has issued Ticketmaster UK Limited with a fine of £1.25 million for failing to keep its customers' personal information secure, a breach of the GDPR.
The company failed to implement appropriate security measures, which allowed a cyber-attack on a chat-bot installed on the company's online payment page.
Names, payment card numbers and CVV numbers of up to 9.4 million of Ticketmaster's European customers were affected by the data breach.
ICO publishes detailed guidance on criminal offence data aimed at those with data protection responsibilities
The ICO has published detailed guidance on criminal offence data aimed at data protection officers or those in larger organisations with specific data protection responsibilities. The guidance includes information on what criminal offence data is, what the rules on criminal offence data are and what the conditions for processing are.
Under the GDPR, "personal data relating to criminal convictions and offences or related security measures" is given extra protection. The ICO refers to this as "criminal offence data", which covers a wide range of information such as criminal activity, allegations, investigations and proceedings.
ICO publishes summary of audits on several political parties
The ICO has published a summary of audits it carried out on several UK political parties, which includes specific actions required to improve transparency and practice when handling individuals' personal data.
All the political parties audited engaged positively with the process and are committed to making the improvements necessary to comply with data protection law.

