An unhappy new year for Currys PC World and Dixons Travel stores, as the ICO has issued owners DSG Retail Limited with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores. Although the incident was investigated and addressed under the pre-GDPR legislation, the fine represents the maximum available to the Commissioner, under the Data Protection Act 1998, who in her findings observed that “but for the…

When A.B. 1202 was signed into law last fall, it was expected that the data broker registration requirement would not go into effect until 2021. However, the California Attorney General’s Office has taken the position that organizations that qualify as data brokers must register on or before January 31, 2020. Our Client Alert on this topic delves into this requirement as well as the definition of a data broker, definitions of what constitutes “Sale” of…

In recent days, all eyes have been on the escalating tension between Iran and the US.  While we wait and watch politics unfold, the Department of Homeland Security (DHS), New York’s Department of Financial Services and the Cybersecurity and Infrastructure Security Agency (CISA) have all issued notices concerning the heightened risk of an Iranian cyberattack. Given these warnings, it is important for organizations to take the appropriate steps necessary to protect themselves against cyberattacks.   Our…

Russia’s Federal Law No. 242-FZ, On the Introduction of Amendments to Certain Legislative Acts of the Russian Federation with regard to the Clarification of the Procedure for the Processing of Personal Data in Data Telecommunications Networks, took effect on September 1, 2015 and requires that Russian citizens’ personal data gathered by operators, be stored by servers/data centers located in the Russian Federation (the “Localization Requirement”).  The fine for violation of the Localization Requirements was relatively…

In just a few short weeks (January 1, 2020), the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, including employees.  Is your organization ready? We have prepared a number of client alerts and blog posts to help you determine if your organization is subject to the CCPA and, if so, the steps necessary to comply.…

Article 3(2) of the GDPR and the second criterion: Targeting criterion   Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)).  Our first post in this series examined the “Establishment” criterion. In this post, we will move into the second criterion, “Targeting”. Two Types of Targeting Activities Relating to Data Subjects in the EU Under this criterion,…

The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the scope of the GDPR. The European Data Protection Board (EDPB) has finally published its long-awaited final version of the guidelines …