November

The European General Data Protection Regulation (GDPR) will go into effect in May 2018 and while global organizations are required to demonstrate compliance of their security and privacy practices, it goes beyond just the internal organization: the GDPR also extends to the third-party vendors of GDPR-applicable companies.


While you are working diligently to help ensure your own organization is compliant with GDPR, your organization is explicitly responsible for the readiness and conduct of the third parties that store or process your EU citizen 's personal information.

We see that there are three priorities for third-party management: understanding the different roles defined in GDPR, key contract elements to consider for GDPR processors, and assessing the applicable processors for compliance.

The German Ministry of Interior Affairs has published an English translation of the new Federal Data Protection Act (BDSG), which will provide for the European Union General Data Protection Regulation (GDPR).
 
The new BDSG replaces a 40-year-old national predecessor and is the first step toward adapting national German member State law to the provisions of the GDPR. Effective in May 2018, the changes include specific processing situations, data protection officers, video surveillance, documentation, and aggravated compliance controls, among other key highlights.
 
It will be important for companies to determine how the changes may affect their specific business model and data processing.

The Member States in Luxembourg have numerous options when it comes to implementing the General Data Protection Regulation (GDPR) and recently submitted a new bill to parliament that seeks to abolish the Act of Aug. 2, 2002 on the Protection of Persons with regard to the Processing of Personal Data.

The bill designates the current data protection authority - the CNPD - as the competent authority for enforcement of the GDPR and increases the number of effective members from three to four. It also focuses on investigation and enforcement, and an internal separation between investigation and decision-making powers.

Clarification is offered regarding the GDPR 's fines and includes administrative fees to public authorities, and penalties to compel compliance with CNPD decisions. Specific provisions for journalistic-, research- and healthcare-related data processing also will apply.