GDPR

06 Mar 2024

Navigating GDPR Compliance: Analysis of Article 30 and the Record of Processing Activities (ROPA)

Introduction In the contemporary legal landscape, data privacy stands as a paramount concern, with the General Data Protection Regulation (GDPR) serving as the cornerstone legislation governing the processing of personal data within the European Union (EU) and beyond.  Article 30 of the GDPR imposes a pivotal obligation on data controllers and processors to maintain a meticulous Record of Processing Activities (ROPA).  This article endeavors to elucidate the intricacies surrounding Article 30, offering practical insights and dissecting the evolving practices of Data Privacy Authorities concerning ROPA compliance. Understanding Article 30 of GDPR GDPR Recital 82 states: “In order to demonstrate compliance […]

01 Aug 2023

EU-U.S. Data Privacy Framework: A New Adequacy Decision for Transatlantic Data Flows

On July 10, 2023, the European Commission (“Commission“) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”).   The decision concludes that the United States (“US”) ensures an adequate level of data protection – comparable to that of the European Union (“EU“). What does this mean for EU Individuals and Businesses? The much-anticipated decision brings a conclusive resolution to the legal uncertainties surrounding the export of EU users’ data by US companies, an issue that has troubled thousands of businesses in recent years.  The General Data Protection Regulation (“GDPR“) empowers the Commission to determine, through an implementing act, whether […]

07 Jul 2023

Data Protection and Dominant Market Positions: Court Ruling Explores GDPR Compliance

On July 4, 2023, the Court of Justice of the European Union (“CJEU“) pronounced a momentous judgment in Meta Platforms and Others.  For the first time, the CJEU ruled that national competition authorities may determine GDPR infringements when examining an abuse of a dominant position.  The CJEU’s decision clarifies the relationship between the General Data Protection Regulation (“GDPR“) and EU competition law, establishing that they can coexist and complement each other without conflict.  The case centered on Meta Platforms Ireland, which runs Facebook in the EU. The ruling has its roots in a decision issued by Germany’s antitrust regulator, the […]

05 Jul 2023

Enhancing Cross-Border Cooperation: A Proposed Regulation to Strengthen Data Protection Enforcement under the GDPR

On July 4, the EU Commission introduced a new Procedural Regulation aimed at enhancing cooperation among data protection authorities (“DPAs“) when enforcing the General Data Protection Regulation (“GDPR“) in cross-border cases.  The Procedural Regulation focuses on establishing clear guidelines for DPAs handling cases involving individuals in multiple Member States without impacting any substantial elements of the GDPR, including the rights of data subjects, obligations of data controllers and processors, or the lawful grounds for processing personal data. A notable aspect of the Procedural Regulation is a provision that mandates the lead DPA to share a “summary of key issues” with […]

22 Jun 2023

Who’s Responsible? Addressing Liability in the Age of AI

In the realm of modern technology, the association with Artificial Intelligence (AI) has become increasingly present.  AI has reached various segments of human activity, both private and business.  However, like any innovation or human creation, AI is imperfect and carries inherent risks.  It is susceptible to biases, errors, security breaches, and a growing level of autonomy, all of which entail potential liabilities associated with artificial intelligence. Consider the scenario of an autonomous vehicle causing an accident.  Who should bear responsibility in such a case?  Likewise, if an AI-powered medical diagnosis tool misdiagnoses a patient, who should be held accountable – […]

27 Sep 2022

Spanish Agency Confirms – GDPR Applies to All

In August, the Spanish Data Protection Agency (Agencia Española de Protección de Datos, hereinafter: “Agency“) fined an NN person the sum of EUR 1,500 for violating the norms stipulated by the GDPR (General Data Protection Regulation), through the illegal collection and processing of personal data using a video surveillance system. (In the Decision issued by the Agency, the names of the parties involved were not disclosed, so the following terms will be used in the rest of this text: Injured party – person 1, Tortfeasor – person 2) What happened? The proceedings in front of the Agency were initiated by Person […]

28 Jul 2022

The Personal Data Protection Act Revisited

Although the Personal Data Protection Act (“Act“) has been in effect for four years, it seems that its provisions have not yet been fully implemented in practice, nor have all companies in Serbia fully adapted to them. Non-compliance with the obligations prescribed by the Act especially starts hurting when inspections are carried out by the Commissioner, and a new round is being announced. So, let’s take a moment to revise what companies should pay attention to when it comes to complying with the Act. Back to basics The general obligations of companies are contained in the principles of the Act. […]

23 Aug 2021

Schrems, Facebook and Data Privacy

Why Schrems?  The EU’s trust in the processing of personal data seems to be shaken. With the famous case Maximillian Schrems v Facebook Ireland Limited pending before the Austrian Supreme Court (“Court“) for a while now, Maximillian Schrems requested the Court to refer four questions to the Court of Justice of the European Union (“CJEU“) concerning the lawful use of personal data of all Facebook users from the EU.   So, who is Maximilian Schrems? Maximillian Schrems is a law student from Austria and a personal data protection activist who has been extremely vocal about data protection before EU authorities. […]

02 Apr 2021

EU Digital Saga Continues – Digital Services Act: A Service to Consumers, but a Disservice to Businesses?

After a short break from our previous reflections on the EU’s new set of regulations concerning digital markets (more details available here), we are back with an even more vivid and thorough breakdown of the proposed regulation. To pick up where we left off, we will be taking a closer look at the Digital Services Act (“DSA“ or „Act“). As we have already familiarized ourselves with the EU’s goals and ambitions regarding new digital market regulation, we can now fully indulge ourselves by taking a closer look at the Act.  We hope that you managed to catch your breath because […]

23 Nov 2020

Are Major High-Tech Companies “Skirting the Law” in Serbia Regarding Personal Data Protection?

Although it has been more than a year since the new Personal Data Protection Act (“Act”) entered into force in Serbia, some of its provisions are not yet fully applicable. One clear-cut example is Article 44 of the Act, which requires foreign companies (therefore those who do not have a registered business seat in Serbia) to appoint a Personal Data Protection Representative for Serbia (“Representative”). Who is the Representative? This provision (as well as the majority of the Act’s provisions) was adopted from Article 27 of the General Data Protection Regulation (“GDPR”) and refers to any personal data controller and […]

07 Feb 2019

German Competition Authority: Facebook is a dominant company in the social networks market

The German Competition Authority (“Bundeskartellamt”) issued a decision which will have significant impact on both Facebook’s data policy and competition issues in relation to social networks.  The decision came after an almost three-year investigation into the practices of this social network. Internal divestiture of Facebook’s data The Bundeskartellamt has imposed far-reaching restrictions on Facebook, concerning its data processing practices.  So far, Facebook users have only been able to use the platform if they agreed to the terms and conditions which provide that user data can be collected outside the platform, including from websites and apps owned by Facebook, as well […]

23 Jan 2019

YouTube, Netflix and Others Accused of GDPR Violations

Friday is widely regarded as a day marked by joy and happiness. However, last Friday did not produce such emotions for data protection officers working in the online streaming services (“OSS”) industry, that is, in Amazon, Apple, DAZN, Flimmit, Netflix, SoundCloud, Spotify and YouTube. Namely, the Austrian campaign group None of Your Business (“NOYB”) filed 10 complaints with the Austrian Data Protection Authority and asked for an investigation of an alleged breach of Article 15 of the General Data Protection Regulation (“GDPR”). NOYB accused OSS of violating the “Right to access by the data subjects” (which provides that the data […]

14 Nov 2018

Gecić Law at the Law Firm Marketing Summit 2018 in London!

Bogdan Gecić, managing partner at Gecić Law, a top tier law firm from Belgrade, gave a lecture on the importance of social media and communication at the Law Firm Marketing Summit held in London. “Social media are an important tool to cement presence on the Internet and share the values of your firms with the public”, said Mr. Gecić. “We do not only embrace social media as a medium of promotion of our firm and corporate life within the office, but we also share the successes of our partners and clients because we believe in the idea, as we dubbed […]

05 Nov 2018

The First Major GDPR Case Is Underway!

Not so long ago, on May 25, 2018, the General Data Protection Regulation (GDPR) came into force. The GDPR has been a subject of great interest and discussion, even prior to its implementation, due to its application to entities all over the world – inside or outside the European Union (EU). Although the GDPR has, practically, changed the legal framework in relation to the rules on data protection, and introduced a whole set of new obligations while imposing massive fines for non-compliance, the real implications of the application of the GDPR are yet to be seen, especially on non-EU entities. […]

22 Jun 2018

GDPR in Serbia (and Other Non-EU Countries) – A Foreign Investors’ Perspective

The General Data Protection Regulation (GDPR) is currently a global hot topic – and for a good reason. It practically revamps the legal framework concerning Data Protection rules, introduces a whole set of new obligations while imposing massive fines for non-compliance. While the GDPR came into force recently, it is no surprise that many are worried about how it will affect their organizations, as the legislation, under certain conditions, is to be applied worldwide, both inside and outside of the EU. Given that compliance with the GDPR will be no mean feat, requiring a vast amount of time and resources, no matter how […]
