Entries in Data protection
Update on the total revision of the Data Protection Act

The National Council's State Policy Committee (SPK-NR) has concluded its deliberations on the bill for the total revision of the Data Protection Act (17.059). However, the bill was only narrowly adopted, by the casting vote of the president, after nine votes to nine with seven abstentions. This shows that there is still no agreement among the various interest groups and that the revision of the law will therefore take longer than originally planned. In addition, the Committee decided that the new law should only come into force after a transitional period of two years. This would mean that we will probably not have a new data protection law until around 2022/2023.

The ECJ has ruled on the legality of Facebook's "Like" button

Fashion ID operates the website of the Düsseldorf fashion house Peek & Cloppenburg and had integrated Facebook's "Like" button on the website. The Consumer Advice Centre NRW considered this to be a breach of data protection, as the integration automatically resulted in the transfer of data to Facebook. In the opinion of the consumer advice centre, the necessary consent for the transfer of data to Facebook was therefore lacking. The case is still being decided under the old data protection law, but since the term "controller" is very similar in both laws, the ruling will also be relevant under the GDPR.

The ECJ has ruled that Facebook's "Like" button was not implemented in a data protection-compliant manner and that the website operator bears joint responsibility for such plugins.

GDPR fine for a Dutch hospital due to insufficient TOMs

A Dutch hospital was fined because several unauthorised hospital employees accessed the electronic patient file of a prominent person (brief information in English as well as original report in Dutch).

Such incidents are unfortunately not isolated cases. In Switzerland, for example, the attempted sale of Michael Schumacher's patient file caused a stir, and in Germany, the Tugce case revealed that despite internal guidelines, an above-average number of hospital staff read Ms Tugce's patient file.

What does the General Data Protection Regulation mean for companies outside the EU?

Until now, EU data protection laws have only applied to companies with a presence in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, with the consequence that the new law affects not only companies within the EU, but also companies outside its borders. In certain situations, the GDPR is also applicable to companies (controllers) outside the EU.

The potential cross-border applicability has left many companies outside the EU confused and uncertain.

When does the General Data Protection Regulation apply to companies outside the EU?

Until now, EU data protection law only applied to companies that had an establishment in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, which means that the new law potentially affects not only companies in the EU. The scope of the law also covers companies outside the EU under certain conditions. In particular, Swiss companies that are often active in the EU could be affected by the GDPR.

This cross-border applicability has led to uncertainty for many companies outside the EU.
