By Jennifer Ruehr and Susan Lyon-Hintze

Non-EU organizations that process personal data as data controllers or processors frequently ask whether they are subject to the General Data Protection Regulation (“GDPR”). The answer depends in part on the “territorial scope” provisions in Article 3 of the GDPR. Organizations fall under the territorial scope of the GDPR when they meet one of two main criteria: the “establishment” criterion under Article 3(1) or the “targeting” criterion under Article 3(2). On November 16, 2018, the European Data Protection Board (“EDPB”) released “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)-Version for public consultation.” These guidelines provide interpretation and clarification of the Article 3 criteria that can help organizations understand and evaluate how the GDPR applies to their data processing. 

Next Tuesday, November 8, 2016, Hintze Law partner Mike Hintze will present his new paper, "Viewing the GDPR Through a De-Identification Lens: A Tool for Clarification and Compliance," at the Brussels Privacy Symposium. 

By Carolyn Krol

On February 2, 2016, following the announcement of the EU-U.S. Privacy Shield Agreement, the U.S. Department of Commerce distributed a fact sheet about the new data-transfer agreement with the European Union. The fact sheet provides further detail on the elements of the agreement described in the EU Commission's press release.

By Carolyn Krol

On February 2, 2016, representatives of the European Commission and the United States agreed on a new framework for transatlantic data flows, referred to as the “EU-U.S. Privacy Shield.” This long awaited announcement follows the October 6, 2015, decision by the EU Court of Justice invalidating the EU-U.S. Safe Harbor agreement.