Support Centre

Europe

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview of the rules and guidelines for DPO contact registration across Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

In this Insight Article, Dr. Tim Walree, of Freshfields Bruckhaus Deringer LLP, provides a compact roadmap for conducting a Legitimate Interests Assessment (LIA) based on the General Data Protection Regulation (GDPR), Court of Justice case law, and EDPB guidelines.

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview on the rules and guidelines for DPO contact registration across Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, and Greece.

The Personal Data Protection Law No. 6698 (the Law) was amended in March 2024, with the new regime taking effect in June 2024. Melis Mert, Managing Associate at BTS & Partners, provides an overview of the updates.

The Personal Data Protection Law No. 6698 (the Law) is the main piece of legislation concerning the protection of personal data in Turkey, which covers the processing of personal data belonging to identified or identifiable individuals and governs the obligations imposed on individuals or legal entities processing such personal data. Deniz Tuncel, Partner at Hergüner Bilgen Üçer, looks at recent amendments to the Law and their impact on data transfers.

Digitalization has significantly changed the world of work in recent years. More and more processes are becoming data-driven, and the use of artificial intelligence (AI) is creating new opportunities but also significant uncertainties and challenges for employers and employees.

The draft of the Employee Data Protection Act (Beschäftigtendatengesetz - BeschDG) from the Federal Ministry of Labor and Social Affairs is currently being coordinated between the departments and must then still be passed in the German Parliament (Bundestag) before it can come into force. In this Insight article, Dr. Jessica Jacobi, Partner at KLIEMT.Arbeitsrecht Part­ner­schaft von Rechts­an­wäl­ten mbB, discusses the most important new provisions of the draft, specific examples of implementation in everyday life, and what the draft could mean in practice.

Employee data protection has been the topic of several legislative attempts already, and it will likely remain a target in the future. However, with the new election (ending February 2025) outcome unclear, it is not certain if and when the Employee Data Protection Act, or something similar, will become law.

In this Insight article, Dr. Mira Suleimenova, from Jentis GmbH, discusses the role of synthetic data in online marketing to protect users' privacy and comply with the relevant EU legislation.

The Network and Information Security Directive (EU) 2022/2555) (NIS 2 Directive) is a significant new law enacted to bolster cybersecurity across the European Union. It is an update of the original NIS Directive (Directive (EU) 2016/1148), which was adopted to address the increasing threats to network and information security. The aim of the NIS 2 Directive is to further harmonize, benchmark, and enhance cybersecurity measures that apply to network and information systems across the EU. The NIS 2 Directive seeks to create a more robust cybersecurity regulatory framework.

These new cybersecurity rules have been introduced as a directive, meaning that each Member State must enact laws reflecting these new rules and empowering regulators in their countries to supervise and enforce these laws. Individual countries can add to the NIS 2 Directive rules, provided any additional rules or requirements introduced are consistent with the Directive. The specific requirements and enforcement mechanisms can and do vary between Member States.

In this Insight article, Deirdre Kilroy, from Bird & Bird LLP, discusses the key elements of the NIS 2 Directive and how in-scope entities can ensure compliance.

We are all aware artificial intelligence (AI) systems and AI-powered products are categorized as products, and that is what was respected in the EU Artificial Intelligence Act (the AI Act). AI is being deployed in multiple sectors of society and becoming an essential component for products, without which these would not be able to operate, but also AI applications have not fallen short of accidents and misuses.

In this Insight article, Spiros Tassis and Paolo Quattrone, from POTAMITISVEKRIS Law Partnership, will try to explain how the current and the scheduled EU product liability framework will interact with AI systems and the AI Act and explore how the AI Act Regulation deals with the topic of product liability. This is done to determine what is currently leading the EU's choices. Additionally, to understand the relationship of the AI Act with product liability, we shall explore the changes in the legislative landscape of the Union and the threat AI poses to consumers, as well as the focus points the EU Commission should consider.

Laws governing technology have historically focused on the regulation of information privacy and digital communications. However, governments and regulators around the globe have increasingly turned their attention to artificial intelligence (AI) systems. As the use of AI becomes more widespread and AI changes how business is conducted across industries, there are signs that existing declarations of principles and ethical frameworks for AI, and the first AI regulations (including those established in the EU), may soon be followed by other AI-specific legal frameworks in other jurisdictions1.

On June 16, 2022, the Canadian Government tabled Bill C-27, the Digital Charter Implementation Act, 2022. Bill C-27 proposes to enact, among other things, the Artificial Intelligence and Data Act (AIDA). In this Insight, Christopher Ferguson, Summer Lewis, and Dongwoo Kim, from Fasken Martineau DuMoulin LLP, provide a comparison between AIDA and the EU's Artificial Intelligence Act (the EU AI Act), looking specifically at both laws' approach to key definitions, the use of data, requirements for AI systems, and penalties, among other things2.

ISO 42005 is an emerging standard poised to play a pivotal role in the global artificial intelligence (AI) governance ecosystem. As AI continues to rapidly evolve, businesses face increasing pressure to align with regulations, standards, and best practices, ensuring ethical, transparent, and risk-conscious AI deployments. In this Insight article, Sean Musch, CEO of AI & Partners, and Charles Kerrigan, Partner at CMS Cameron McKenna Nabarro Olswang LLP, aim to help businesses understand ISO 42005, its significance, and how they can integrate it into their operations to stay ahead of regulatory demands and competitive pressures.

The Data (Use and Access) Bill was introduced to the House of Lords of the UK Parliament on October 3, 2024. The Bill aims to amend the UK's data protection regime by including provisions on recognized legitimate interests for lawful processing, automated decision-making, international data transfers, and cookies.

OneTrust DataGuidance Research provides an overview of the Bill, with expert insights by Philip James, Partner at Eversheds Sutherland's Global Privacy & Cybersecurity Group and AI Task Force, and Victoria Hordern, Partner at Taylor Wessing.