Compliance Check: China – changes to how employers handle personal data

The Chinese Cybersecurity Law (CSL) introduced in 2017 is the nation’s first comprehensive privacy and security regulation for cyberspace, setting out strict controls on companies operating in China over their online activities, data storage and handling of personal information. The National Standard (GB/T 35273–2017) provided detailed guidance on the collection, use and storage of personal … Read more

UK: DSAR ruling confirms that descriptions of the purposes of processing and recipients of personal data can be general, but actual identity of sources must be provided

The recent High Court judgment in Rudd v Bridle & J&S Bridle Ltd provides some useful guidance on subject access requests under the Data Protection Act 1998 (equally relevant to the new GDPR regime). Dr Rudd, a medical expert on exposure to asbestos, was the subject of a campaign by a lobbyist for the asbestos … Read more

France: Recent and Upcoming Labour Reforms

Several important employment law reforms have come into force recently or will come into force shortly, both at the EU and French level. Below are some of the changes to expect for 2019: Read more

EU: draft guidelines on GDPR extra-territoriality published

On 23 November 2018, the European Data Protection Board published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation. The GDPR seeks (via Article 3) to extend its reach beyond European borders, making non-EU organisations directly subject to its obligations when processing … Read more

UK: new resources on criminal record checks, mental health and dyslexia

Unlock has published new guidance for employers on criminal record checks, to which the ICO has contributed. The guidance states that checks at the application stage are unlikely to be necessary for most jobs and therefore likely to be a breach of the GDPR. In relation to checks at the job offer stage, the guidance … Read more

UK: first enforcement notice under GDPR shows extra-territorial reach

The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the General Data Protection Regulation (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU. The ICO found that the … Read more