Insights & news

Belgian DPA Approves First European Code of Conduct

  • 01/06/2021
  • Articles

On 20 May 2021, the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données – the DPA) approved the first transnational code of conduct to be adopted within the European Union since the entry into force of General Data Protection Regulation (EU) 2016/679 (the GDPR). The “EU Data Protection Code of Conduct for Cloud Service Providers” (the EU Cloud CoC) aims to establish good data protection practices for cloud service providers and wishes to contribute to a better protection of personal data processed in the cloud in Europe. One day earlier, on 19 May 2021, the European Data Protection Board issued a favourable opinion, allowing the DPA to approve the first transnational code of conduct.

In its approval decision, the DPA underlines the importance of codes of conduct as voluntary accountability tools to tailor data protection rules to the specificities of a sector. By adhering to the code, companies will ensure that data handling is in line with the GDPR. Adherence to the EU Cloud CoC is also achievable for small and medium enterprises that are active in this sector.

Please click below to read our note on the Code of Conduct.


Key contacts

Related practice areas

Related insights

Sign up for updates
    • 08/12/2021
    • Articles

    EDPB Voices Concerns on EU’s Digital Services Package and Data Strategy

    On 18 November 2021, the European Data Protection Board (EDPB) adopted a statement on the Digital Services Package and Data Strategy. The Digital Services Package and Data Strategy is a package of legislative proposals, including the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Regulation on a European approach for Artificial Intelligence and the forthcoming Data Act, which will soon be announced. The proposals aim to: (i) facilitate the further use and sharing of personal data between a greater number of public and private parties; (ii) bolster the use of specific technologies, such as big data and artificial intelligence; and (iii) regulate online platforms and gatekeepers. Please click on the link below to read our note on the matter.

    Read more
    • 30/11/2021
    • Newsletters

    VBB on Belgian Business Law, Volume 2021, No. 10

    The October 2021 issue of our Belgian Business Law newsletter reporting on the latest developments in a range of areas, including competition, data protection, intellectual property and labour law.

    Read more
    • 25/11/2021
    • Articles

    EDPB Explains Concept of International Transfers under GDPR and Discusses Interplay with Territorial

    On 19 November 2021, the European Data Protection Board (the EDPB) published Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the General Data Protection Regulation (the GDPR) (the Guidelines) for public consultation. The Guidelines are intended to clarify which international transfers of data fall within the scope of Chapter V of the GDPR and therefore require safeguards or other measures to ensure protection of the personal data that are being transferred. In addition, the EDPB calls on the European Commission to adopt a new set of Standard Contractual Clauses for cases where the importer established in a third country is already subject to the GDPR on the basis of the application of GDPR to non-EU based organisations under Article 3(2) of the GDPR. First, the Guidelines set out when a processing constitutes a “transfer of personal data to a third country or to an international organisation” (a Transfer) which triggers the application of the provisions of Chapter V of the GDPR. The Guidelines provide three cumulative criteria that, when satisfied, means a processing qualifies as a Transfer: thus, data must be sent or made available: (i) by a controller or a processor (i.e., an exporter), which, regarding the given processing, is subject to the GDPR pursuant to Article 3 (i.e., the territorial application of GDPR); (ii) to a different controller, joint controller or processor (i.e., an importer); (iii) which is in a third country, regardless of whether or not this importer is subject to the GDPR in respect of the given processing. The Guidelines further describe each criterion, providing some practical examples. Moreover, the Guidelines stress that Chapter V of the GDPR also applies to transfers or disclosures of personal data carried out by controllers or processors which are not established in the European Union (EU) but are subject to the GDPR pursuant to Article 3(2) because they: (a) offer goods or services to data subjects in the EU; or (b) monitor the behaviour of data subjects in the EU, to another controller or processor. By contrast, if the three cumulative criteria identified by the Guidelines are not met, there is no Transfer and Chapter V of the GDPR does not apply. For instance, the Guidelines explain that a situation whereby a controller in a third country collects data directly from data subjects in the EU does not constitute a Transfer. However, in such a case, the EDPB makes it clear that the controller or processor which is subject to the GDPR under Article 3 is still accountable for all processing that it controls, regardless of where such processing takes places, and that the risks of data processing in third countries must still be managed in order to comply with the GDPR. Second, the Guidelines outline that where all the above criteria are met, the processing will be considered to be a Transfer and the exporter must comply with the conditions laid down in Chapter V of the GDPR. This means that the controller or processor must use the instruments that aim to protect personal data after they have been transferred to a third country or to an international organisation. These instruments include: • the existence of an adequate level of protection in the third country or international organisation, pursuant to Article 45 of the GDPR or, in the absence of such adequate level of protection; • the implementation by the exporter of appropriate safeguards, pursuant to Article 46 of the GDPR (i.e., standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, ad hoc contractual clauses, international or administrative agreements); or • derogations under Article 49 of the GDPR. In that regard, the Guidelines explain that the content of these safeguards must be customised based on each situation. When controllers and processors develop relevant transfer tools, such as Standard Contractual Clauses, they must take account of Article 3(2) so as not to duplicate the GDPR obligations, but rather to address what is missing and hence, fill the gaps. For example, such tools must address the measures to be taken in cases of a conflict of laws between third country legislation and the GDPR. In line with this approach, the EDPB encourages the development of a transfer tool for those cases where the importer is subject to the GDPR for a given processing pursuant to Article 3(2). The Guidelines can be consulted here and are subject to public consultation until the end of January 2022.

    Read more

Subscribe to our updates

Please select the practice areas you are interested in: *