“TOMs,” for those unversed in GDPR acronyms, refers to the “technical and organizational measures” for keeping personal data secure required under the GDPR (Art. 32) as well as under the standard contractual clauses (Annex II). Compared with the EU Data Protection Directive it replaced, the GDPR takes a more granular approach to security requirements. While … Read More » about Drafting Robust TOMs
Blog
Top Five Pain Points in Data Processing Agreements
Drafting a GDPR-compliant data processing agreement (DPA) should be dead simple. After all, GDPR Art. 28 provides a specific roadmap of what to include. Yet DPAs – which are required under the GDPR whenever a processor is processing personal data on behalf of a controller – can sometimes be the tail that wags the dog … Read More » about Top Five Pain Points in Data Processing Agreements
India Flirts with Data Localization
Data localization is a pernicious trend in national data protection laws. Unlike the laws of the EU, for example, where only “appropriate safeguards” (or an adequacy decision) are required under the GDPR for personal data to be transferred across national borders, data localization laws require that certain data be retained within national boundaries. Notably, … Read More » about India Flirts with Data Localization
Developments and Deadlines under the Standard Contractual Clauses
In the last couple of years, there’s been a flurry of activity around standard contractual clauses (clauses permitting the transfer of personal data to countries that haven’t been determined to provide an “adequate” level of protection). Just to recap: A lot to keep track of! If you’re behind the curve, don’t worry – you have … Read More » about Developments and Deadlines under the Standard Contractual Clauses
Those Pesky Transfer Impact Assessment Questionnaires
If you have a strange sense of humor (like I do), you may be amused (like I am) at how a few simple lines from the Court of Justice of the European Union’s Schrems II decision have created an entire cottage industry – employing lawyers, consultants, security experts, etc. – aimed at satisfying the court’s … Read More » about Those Pesky Transfer Impact Assessment Questionnaires
A “New” Privacy Shield?
If you’ve been in the privacy business for long enough, you may recall when the Safe Harbor Framework permitted the free flow of personal data between the EU and the United States. Those halcyon days lasted from 2009 until 2015. In 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor … Read More » about A “New” Privacy Shield?