The European Data Protection Board has issued issued final guidelines on the “necessary for the performance of a contract” legal basis for processing data under the General Data Protection Regulation (GDPR). To use this legal basis, you need to show: The processing is carried out in the context of a valid contract with the individual. The purpose for the processing in question is clearly specified and communicated to the relevant individual, in line with the…

On the heels of the Planet49 decision, the Spanish data protection authority AEPD has fined Vueling Airlines €30,000 (reduced to €18,000 for payment in full) for failure to provide a compliant cookie disclosure/consent under GDPR. Key takeaways (pertaining to cookies that require consent under GDPR): You need to provide the individual with the ability to reject cookies. You should have a button or another mechanism (like a cookie management platform) that allows individuals to accept or…

Here are the key data protection provisions of the proposed Brexit deal that was announced Thursday: What it says: The EU will start assessing adequacy of the UK for the purpose of cross-border transfers with the aim of finalizing by end of 2020. The UK will establish a regime recognizing transfers to the EU during the same time frame. What we think this means for 2020: From now until December 2020, cross-border transfers to and…

Sen. Ed Markey , D-Mass., has introduced a bill (S. 2577) imposing considerable obligations on data brokers regarding their handling of personal information. Key provisions: Don’t collect personal information under false pretenses. Have policies and procedures to ensure the accuracy of the information. Provide an individual a means to review any personal information that you collect/maintain. Upon a verified request, disclose to the requesting individual information about the information collected, time of collection, who it…