DPO in the spotlight II – coordinated enforcement action commences

Remember this post? October last year, we posted that the data protection authorities of Europe would be focussing on the position and designation of data protection officers (DPO) in 2023. Today, the European Data Protection Board published a news post stating that its coordinated enforcement action concerning DPO’s has officially commenced. In brief, national data protection authorities will (among other things) send questionaires to DPO’s to “aid fact-finding exercises or questionnaires to identify if a formal investigation is warranted.” A formal investigation could lead to enforcement actions…

Keep reading

Long story short: DPO’s in supervision spotlight

Controllers and processors that are required by law to appoint a data protection officer, but who have failed to do so, as well as all companies that have either voluntarily or unvoluntarily appointed a data protection officer should take notice. The European Data Protection Board (EDPB) has announced the focus of its second coordinated enforcement action: the designation and position of the data protection officer across the European Economic Area. This newly mentioned coordinated enforcement action follows from an EDPB update about the European Commission’s proposal for…

Keep reading

Long story short: deletion can also be a personal data breach

A hacker accessing personal data or an employee leaving a confidential list with patient data in its shopping cart are very obvious examples of personal data breaches under the GDPR. However, less obtrusive examples of personal data breaches may fly under the radar due to companies not recognizing them as personal data breaches. Last week, a Dutch hospital encountered a less recognizable personal data breach, namely accidental deletion of data. Lessons can be learned from this personal data breach. By Cécile van der HeijdenThe Albert Schweitzer hospital…

Keep reading

To (privacy) shield or not to shield.

The EU and US have entered into a preliminary political deal about a new transatlantic data transfer agreement between them, necessary due to the invalidation of the Safe Harbor agreement and Privacy Shield. The legal text for the so-called ‘Trans-Atlantic Data Privacy Framework’ is yet to be published, but Max Schrems (instigator of the Schrems II judgement of the European Court of Justice) appears to be warming up for another round against the replacement of Privacy Shield. He also made some very valid points to temper overeager…

Keep reading

New standard contractual clauses – new roads or old ways?

On June 4th 2021, the European Commission published the final working documents of the new standard contractual clauses (SCC). Since then, the new SCC have been published in the official journal of the European Union. Since the Schrems II decision of the European Court of Justice set stringent criteria for the use of the existing SCC, privacy professionals and businesses alike have eagerly awaited publication of new standard contractual clauses. Now that the new SCC have been published, the question arises: were these standard contractual clauses worth…

Keep reading

About. This blog is written by Cécile van der Heijden, an attorney-at-law specialized in EU data protection law and healthcare law in the life sciences sector and Floris van der Laan, a paralegal with interest in technology and its connection to EU privacy and data protection law. Both are based in Amsterdam, the Netherlands.

This blog is written with the intent to provide interesting updates about legal developments in the life sciences sector and to share thoughts about legal aspects of data protection law and life sciences specific legislation.

DISCLAIMER. This blog is written strictly on a personal title and does not reflect the opinion of our employer. Posts on this blog, including reactions and comments from authors, cannot replace legal advice and do not lead in any manner to an attorney/client relationship. If you would like to seek legal advice from us, please reach out to us via: