Digital Services Act: A First Step in Regulating the Online Environment

The Digital Services Act (DSA), which entered into force on 16 November 2022, marks a milestone in the fight to create a safe online environment. As a Regulation, the Act is directly applicable and will therefore ensure there is a harmonised approach throughout the EU. The Act not only tackles illegal activities but also imposes new […]

When is a data breach notifiable to the Supervisory Authority?

Article 33 of the General Data Protection Regulation (GDPR) imposes obligations on data controllers to report personal data breaches to the relevant Supervisory Authority (SA) within 72 hours of the data controller becoming aware of the breach. These obligations arise unless the personal data breach is unlikely to result in a risk to the rights and freedoms […]

Publishing house fined for data security violation under the GDPR

In late 2021, the Spanish Data Protection Authority (‘AEPD’) initiated an investigation into the data processing activities of Bayard Revistas S.A., a publishing house in Madrid, after receiving a complaint from an individual. According to this complaint, the person in charge of Bayard’s web portal notified all data subjects via e-mail that a third party […]

What Are The Risks Of Not Sharing Data For Safeguarding Children?

Child exploitation is too often hidden in plain sight, which makes it hard to detect and tackle. In response, Trilateral Research has co-designed the CESIUM Application with Lincolnshire Police to identify children who are vulnerable to exploitation. CESIUM promotes intelligence collaboration for safeguarding children by using our ethical artificial intelligence (Ethical AI) to gain new […]

How to plan, deliver and maintain a robust Record of Processing Activities project

Planning for Record of Processing Activities

In addition to being a requirement under Article 30 of the GDPR, the Record of Processing Activity (RoPA) can also be a key data protection compliance driver for your organisation. In previous articles, we have provided guidance on the specific requirements of Article 30, its relevance to organisations, the implications of non-compliance and the steps […]

Draft UK Data Protection and Digital Information Bill

On July 18, 2022, the U.K. government introduced the Draft Data Protection and Digital Information Bill (hereafter referred to as the “Bill”) to the House of Commons. Publication of the Bill was the natural next step following on from the consultation in September 2021 on the reform of UK data protection law, the final response […]

Expansion of the Data Protection Commission

On the 27th of July, the Department of Justice announced that the Government had approved the expansion of the Data Protection Commission by two additional Commissioners. The Data Protection Commission (DPC), since its inception, has had only one Commissioner. The appointments will be made in accordance with Section 15 of the Data Protection Act, 2018 […]

Landmark CJEU judgment confirms broad interpretation of Special Category Data 

Earlier this month, a case referred by the Regional Administrative Court of Lithuania to the CJEU, OT v Vyriausioji tarnybinės etikos komisija, resulted in a landmark judgment that included a broad interpretation of what constitutes special category personal data, which should give pause for thought for all organisations processing personal data. This article explains the potential […]