ECJ: Storing Cookies Requires User’s Active Consent
On 1 October 2019, the European Court of Justice (the “ECJ”) handed down its long-awaited preliminary ruling on the meaning of consent regarding cookies following a request from the German Federal Court of Justice during a case between the Federation of Consumer Organisations and the lottery services provider Planet49 GmbH (Case C673/201, Planet49 GmbH v. Bundersverband der Verbraucherzentralen und Verbraucherverbaende – Verbraucherzentrale Bunderverband e.V). In a nutshell, Planet49 GmbH operated an online lottery scheme which (i) asked via a pre-ticked box for user’s consent for placing web analytics cookies and (ii) required users to provide mandatorily their consent to receiving marketing emails by third parties as a precondition for their participation in the lottery.
Advantages of Serbia’s New Data Protection Law
BDK Advokati has contributed to the Serbia chapter in the 2020 edition of Getting the Deal Through – Data Protection & Privacy (August 2019). The chapter presents the regulatory frameworks both under the data protection law from 2008 and under the law which became applicable in August 2019. The exposition of the two laws allows the reader to understand the changes which the new law brings into the legal regime governing the processing of personal data in Serbia.
The new law is modelled under the EU General Data Protection Regulation. As the Serbia chapter shows, the law dispenses with most of the unnecessary restrictions on the processing of personal data. At the same time, the law strengthens the individuals’ rights and introduces new, but realistic, requirements from the data controllers and data processors
Clarity Needed on Data Protection Compliance Audit
For the second consecutive time, CEE Legal matters organised Balkan GC Summit in Belgrade. The event gathered general counsels, compliance officers and lawyers from the region to discuss vibrant topics in the legal industry.
BDK Advokati’s partner Bogdan Ivanisevic held a presentation in which he addressed the issue of misunderstandings that often occur between companies and law firms concerning data protection compliance audits. Law firms consider such audit as a complex legal task which requires a comprehensive approach, while some companies believe it can be performed fairly quickly, or prefer a partial approach.
BDK Advokati Holds a Seminar on Data Processing in the Workplace
Milica Basta, senior associate at BDK Advokati, has held a seminar on the processing of personal data in the employment context for the representatives of Serbian companies. The event took place on 26 September 2019 in Belgrade and was hosted by Forum Media.
New Data Protection Law Discussed at the Serbian Chamber of Commerce
Bogdan Ivanisevic, partner at BDK Advokati, spoke on 23 September 2019 about Serbia’s new Data Protection Act to representatives of the leading Serbian companies. The event took place in the packed conference hall of the Serbian Chamber of Commerce. The Chamber co-organised the event with the Ministry of Justice.
Greece Enters Officially the GDPR Era by Implementing Law 4624/2019
Greek Parliament finally adopted the long-awaited New Data Protection Law 4624/2019 “on the Greek Data Protection Authority, the implementation of Regulation 2016/679 and the transposition of Directive 2016/680” (Government Gazette A/137/29.08.2019). The territorial scope of the new Law extends to Greek Public authorities, as well as private entities, which either: i. have an establishment in Greece or ii. process personal data within the territory of Greece or iii. process personal data of Greek citizens. Such new Law, structured mainly on the German Data Protection Law (DSAnpUG-EU) aims to adapt Greece's current data protection law to the General Data Protection Regulation (GDPR) by making use of opening clauses in order to complement the GDPR, to transpose the Law Enforcement Directive into Greek law and to regulate the establishment and functioning of the competent supervisory authority.
A Misguided Call to Put Serbian Data Protection Law on Hold
In the past two days, the recently appointed head of Serbian data protection supervisory authority announced one radical move and sharply criticised some provisions in Serbia’s new data protection law. The commitment and audacity of Milan Marinovic should be encouraging to those who feared that the new data protection tsar would be the exact opposite of his very vocal predecessor, Rodoljub Sabic. However, when examined on the merits, Marinovic’s statements give a reason for concern.
The main point Marinovic made in his appearance on the state-run television and in a statement to a news portal is that, in his opinion, implementation of the Data Protection Act 2018 should be postponed. The law, adopted in November last year, provided for a nine-month grace period. Therefore, the implementation of the law should commence on 21 August 2019. Marinovic is now calling for an additional one-year deferral. To strengthen his case, Marinovic made a few policy and legal arguments which are of dubious validity.
First GDPR Fines in Romania
NNDKP's head of the Data Protection practice, Roxana Ionescu, published two articles in relation to the first two fines notified by the Romanian Data Protection Authority (DPA).
In applying its first fine, the Romanian DPA has reinforced its past practice on minimising the processing of personal numeric codes (equivalent to social security numbers) while making use of new concepts under the General Data Protection Regulation, like the accountability principle and data protection by design and by default. The second fine was imposed due to a data breach.
Milica Basta Speaks at AmCham’s Data Protection Briefing Session
AmCham Serbia hosted on 5 July 2019 a session on the main aspects of the new Serbian Data Protection Act. The topic attracted a significant number of attendees, mainly general counsels and IT specialists from the local companies – members of AmCham Serbia. Milica Basta, senior associate at BDK Advokati, was one of the speakers.
CNIL’s Primer on Video Surveillance at Work: Uniontrad Company Decision
On 18 June 2019, the French data protection supervisory authority (“CNIL”) issued a decision on video surveillance at work. The Uniontrad Company case demonstrates that a law specifically regulating the processing of images is not an indispensable prerequisite for reaching a decision. Instead, CNIL relied on the general GDPR rules on proportionality, fair notices, and security of processing.
That does not mean that every detail of the video surveillance legal regime obviously flows from the general data protection rules. For example, data protection authorities may differ as regards the format of a data processing notice. But the fundamental rules governing video surveillance at work are clear, even in the absence of a specific regulation.
One Year of GDPR in the EU Countries of SEE Legal
Marking the first anniversary of the introduction of General Data Protection Regulation 2016/679 (the “GDPR”) in the EU, SEE Legal EU members provide a short overview on the current standing of the GDPR application in their respective jurisdictions – Bulgaria, Croatia, Greece, Romania and Slovenia.
BDK Advokati at Tarabica IT conference
Partner Bogdan Ivanisevic and senior associate Milica Basta represented BDK Advokati at this year’s edition of Tarabica IT conference, held on 25 May in Belgrade. The event is traditionally dedicated to topics relevant to the IT industry and as such, it mainly gathers IT professionals from major Serbian companies and institutions.
