Adequacy decisions adopted

Adequacy decisions adopted for EU-UK data transfers

Adequacy decisions adopted by the European Union for the UK regarding data transfers.


The European Commission has recently adopted adequacy decisions for the United Kingdom. Since Brexit there has been some question as to the UK’s adequacy, or rather the level of protection afforded to data transfers between the EU and the UK. With the adoption of these adequacy decisions- one under the General Data Protection Regulation or GDPR, and the other for the Law Enforcement Directive, data transfers can now freely flow between the European Union and the United Kingdom. This data will be considered as having the equivalent level of protection that is guaranteed under EU law when being transferred to the UK.


The adequacy decisions adopted came after a thorough assessment process, during which data transfers occurred based on a Trade and Cooperation agreement. 


Since the draft adequacy decisions for the UK were published in February, the UK’s practices and laws regarding personal data protection have been carefully assessed. In April, the EDPB gave its opinion on UK adequacy, which was then followed by a comitology procedure which included a vote from EU Member States. In the absence of an adequacy decision, and while in the process of establishing one, data transfers flowed between the EU and the UK, based on a Trade and Cooperation agreement. This agreement expired on June 30, 2021, and provided that, in the absence of an adequacy decision, all data transfers carried out in the context of its implementation would comply with the GDPR and Law Enforcement Directive. 


UK data protection laws still very much resemble the laws under which the country operated as an EU Member State.


The UK, as a former EU Member State, had a data protection system which was still based on the very same rules under which UK data protection functioned while the UK was still an EU Member State. The principles, rights and obligations of the GDPR and Law Enforcement Directive have been fully incorporated into UK law. This has made, not only the Trade and Cooperation agreement, but also the adequacy decisions easier and more feasible.  The UK provides strong safeguards regarding access to personal data by public authorities. In principle, The collection of data by intelligence authorities is subject to prior authorization by an independent judicial body. 


The adequacy decisions include a sunset clause which causes them to expire after four years.


These adequacy decisions include a ‘sunset clause’. This is the first of its kind and strictly limits the duration of the validity of these adequacy decisions. What this means is that these decisions will automatically expire in four years, after which adequacy findings may be renewed. However, this is subject to the UK continuing to ensure an adequate level of data protection. The European Commission will continue to monitor the legal situation in the UK and at any point, reserves the right to intervene if the UK deviates from the current level of data protection provided. After the four year duration of these recently adopted adequacy decisions, if the European Commission decides to renew the adequacy decisions, the adoption process would start over.


GDPR adequacy related to immigration control has been excluded from this decision, to be reassessed pending judgments from the England and Wales Court of Appeal.


Due to a recent judgment of the England and Wales Court of Appeal, data transfers for the purposes of UK immigration control have been excluded from the scope of the GDPR adequacy decision. The judgment affects the validity and interpretation of certain data protection rights related to immigration and control and therefore the Commision, once this matter has been dealt with under UK law, will reassess the necessity of this exclusion. 


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Ireland’s DPC issues guidance

Ireland’s DPC issues guidance on vaccination statuses in the context of employment

Ireland’s DPC issues guidance on the collection of data regarding vaccination statuses  in the context of employment. 


As the world slowly opens up again, and employees are being encouraged, in certain industries to move back into the workplace setting, employers are seeking guidance on what approach is best taken with regard to employee vaccination and employee data. Can, or should employees be required or encouraged to get vaccinated? Can employers lawfully collect and process employee vaccination statuses? What can be done with any information on employee vaccination status? As vaccination programmes develop throughout the EU and several persons are at least partially, or fully vaccinated, public health authorities and data protection authorities are giving guidance to employers on whether they require specific information, how much information they can lawfully collect and what exactly they are allowed to do with this information. DPC, the Irish supervisory authority, has recently issued a statement, guiding employers on how best to deal with employee vaccination data. 


The processing of health data should be in line with governmental public health policies. 


The processing of health data should be guided by the government’s public health policies. The work safety protocol suggests that there are very few circumstances in which vaccination should be offered as a health and safety measure in the workplace. This is set out in the Health and Welfare at Work Regulations of 2013 and 2020. There are exceptions to this, for example in healthcare, for frontline workers, vaccination can be considered necessary for safety. In these situations,employers are lawfully allowed to process vaccine data for employees. Regardless of the vaccine rollout however, in a general workplace setting, measures like physical distancing, wearing masks, and working from home unless absolutely necessary should remain in place. These should all be considered and enforced before considering whether the knowledge of employees’ vaccination status is a necessary measure. The principle of data minimisation suggests that these measures should be implemented, avoiding the need to process employee data unless absolutely necessary. 


Under the GDPR, health data is considered special category data, and afforded protection. 


Long term efficacy of vaccination is currently not clear. With the possibility of new variants being spread, or the possible necessity for regular, or semi regular vaccine top-ups to maintain immunity, the processing of data concerning vaccine status cannot currently be considered necessary across the board at this time. In addition, a person’s vaccination status is part of their personal health record, and considered special category personal data as per the GDPR. This category of information is afforded certain protection under EU data protection law. The requirement for processing of personal data by an employer may create a situation where there is an imbalance between the data subject and data controller, with the controller being an employer, with control over the data subject’s employment status. Employees should not be asked to consent to having their vaccine data processed, as in this instance, this data is not likely to be freely given. 


Even in situations where certain information may be required from employees in the context of the pandemic, personal health data remains protected. 


There are certain situations in which an employer, or a medical officer may need to request certain categories of health data from employees. In the COVID-19 context, for example, if an employee were to travel in this current climate, an employer may need to know when an employee may be available to work following their trip. In some cases, a period of isolation or quarantine will be required following travel. The information to be requested or recorded from employees in this instance is not limited or specific to their vaccination status, however. Employees should instead be asked to indicate the date on which they would be available to return to the workplace. As public health advice and information regarding the nature of the virus is updated, protocols may change. However, in sectors where the collection of vaccine information may be necessary, employers should remain up to date on public health guidance. 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 during the COVID-19 pandemic? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

New German law

New German law regulating eprivacy and data protection

New German law recently adopted, regulates eprivacy and data protection in telecommunications and telemedia.


Last month, German parliament adopted a new law regulating eprivacy and data protection in telecommunications and telemedia. Previously, the laws regulating German data protection contained partially contradictory provisions, which led to legal uncertainty on various matters. In the past, data protection and privacy inquiries were typically split between two laws, the Telemedia Act and Telecommunications Act, until May 20th when the Data Protection Act was passed. This act aims to unify the country’s rules and bring them in line with the EU’s GDPR. This new law, commonly known as TTDSG, could however be superseded by European law soon, as discussions on the new ePrivacy Regulation intensify. 


The new German law implements the ePrivacy directive with regard to the use of cookies.


The ePrivacy directive, which became EU law in 2009, states that websites are obligated to collect visitors’ informed consent to the use of cookies. The new German legislation implements the cookie consent rules of the 2009 ePrivacy Directive with a view to GDPR and the 2019 EU Court judgment in Planet49, Case C-673/17. Failure to obtain explicit consent to the use of cookies from internet users is incompatible with EU law, as rulings from both the EU court of justice and the German High Court demonstrate. The recently amended telecommunications act had been challenged by the opposition, who claimed that it did not contain sufficient data protection provisions. 


Fibre optics use and development stand to benefit from this new German law.


Germany currently lags behind most EU countries in the arena of fibre optics use and development with only 4.7% of broadband being fibre optic connections. Many European countries like Sweden, Lithuania and Spain have their fibre optic connections falling somewhere between 69% and 75% of broadband. Fiber optics provide a dedicated synchronous Internet bandwidth, which is not shared with any other Internet client. Fiber is generally faster and more reliable, allowing faster downloads. The Telecommunications Act sets clear standards for the entitlements to Internet access based on “80% of the Internet speed used by consumers in upload and download,” according to MP Falko Mohrs. The amendment not only solidifies the legal right to internet access, but also contains a list of other services. These include interference-free accommodation of video conferencing, which is imperative to citizens’ abilities to participate in the digital world. By introducing this benchmark, Mohrs believes that the fibre-isation of the  country is being driven forward. The benchmark is set and  reviewed annually in collaboration with the country’s network agency. 


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.