The International Lawyers Network is an association of 91 high-quality, full-service law firms with over 5,000 lawyers worldwide. The Network provides clients with easily accessible legal services in 67 countries on six continents.
IS STORING DATA IN THE CLOUD OR THE USE OF WEB-BASED APPS NON-COMPLIANT AFTER SCHREMS II?
Most, if not all, organisations using state-of-the-art technologies in business or other processes transfer personal data to countries outside of the European Union and the European Economic Area (third countries). Many are already aware that it is mandatory to provide appropriate safeguards for such transfers, as the Court of Justice of the European Union (CJEU) emphasised in the so-called Schrems II decision on 16 July 2020, invalidating one of the most commonly used mechanisms for transferring personal data to the United States of America (U.S.)—the European Commission’s (Commission) decision 2016/1250 on the adequacy of the level of protection for the transmission of data to the U.S. or the so-called “Privacy Shield”.
While those who have already done the Schrems II homework may face the next-level challenge (deciding on supplemental measures to ensure compliance with the EU level of protection of personal data), those still unfamiliar with the concept of data transfers are exposed to a comparatively higher and increasing risk of non-compliance due to a complete lack of safeguards.
In the Baltics, the cybersecurity and data breaches narrative has received huge waves of attention in the past months. Contemporary entrepreneurs and business stakeholders are starting to realize that data and IT systems have grown into focal assets of companies and there is no place for “non-IT/non-data companies” in the modern economy.
Thus, data and information security are gradually shifting from a “nice to have” feature to the “necessary for survival” imperative. Of course, the majority of businesses in the Baltics still naively hope that “they are too small to suffer a meaningful data incident” or that “nothing will happen to them”.
At the EU level, one may easily identify several general and sector-specific laws which lay down the key principles of data security and impose requirements for businesses engaged in data-driven or data-related business activities. One such generic piece of EU-wide legislation is the GDPR, which introduces a universal personal data protection framework within the EU.
WHO AM I? THE EVER MORE COMPLICATED DEFINITION OF ROLES IN PROCESSING PERSONAL DATA
Joint controllership is not among the top novelties introduced by the GDPR, although its authors have further elaborated the concept with more detailed and thorough wording. Nevertheless, joint controllership has been among the topics which have brought about some controversy lately. The Court of Justice of the European Union (CJEU) has recently rendered several judgements where this concept was at the core of the legal merits, whereas the European Data Protection Board (EDPB) has issued guidelines on the matter.
In practice, the question of roles, and especially joint controllership, quite often arises in corporate group structures where personal data are shared between different group entities for various purposes. Although personal data exchanges within the group usually provide more certainty than data sharing with third parties, the companies should be aware that the GDPR rules apply equally to data transfers within the group.
We would like to draw your attention to the concepts of the different roles in processing personal data and especially that of joint controllership. Of course, the below applies universally, not only to group structures.
CAN I SEND MARKETING E-MAILS TO ANYONE? A SHORT REMINDER OF DIRECT MARKETING RULES
It should be noted that electronic direct marketing (e.g., marketing done via e-mail and SMS) should be distinguished from other marketing activities (e.g., marketing done via phone and mail and profiling for marketing purposes) because electronic direct marketing is regulated by a special regulation—the e-Privacy Directive (soon to be replaced by the e-Privacy Regulation)—which takes precedence over the GDPR.
OVERVIEW OF AND RECENT DEVELOPMENTS IN THE BALTIC DATA PROTECTION LANDSCAPE
ESTONIA: overview of the landscape; concept of administrative fines; usage of surveillance cameras; personal data of employees; personal data in economic information portals.
LATVIA: overview of the landscape; sanctions; personal data security breaches; trends in personal data processing.
LITHUANIA: overview of the landscape; personal data security breaches; sanctions; prior consultations; methodological assistance to the market.