The Schrems II Judgement

On 16th July 2020 the Court of Justice of the European Union (CJEU) delivered the landmark judgment in Case C‑311/18 Data Protection Commissioner v Facebook Ireland Ltd., and Maximillian Schrems, also known as “Schrems II”. This case will have a seismic impact on the transfer of personal data outside the European Economic Area (EEA) under GDPR.

It would be quite easy to dismiss the importance of this case. For starters, it involves a social media Data Controller. Secondly it was decided under the  ‘old’ 1995 Data Protection Directive rather than the General Data Protection Regulation (GDPR) 2016. Thirdly it is a ruling of the CJEU, that may be thought to have no relevance post 31 December when the Brexit Transition Period ends and the UK GDPR comes into force.

Firstly some basic observations:

  1. The case is not just about Facebook. It concerns international transfers of personal data between organisations in the EEA and third countries, particularly the USA. Many public authorities do this too. For example, universities may share personal data of staff and students who teach or study abroad. Some NHS Trusts, using clinical devices sourced from the US, may transfer diagnostic and monitoring data back to the States.
  2. Although the litigation started when the 1995 Data Protection Directive was in force, the CJEU makes it clear that the questions it had to consider must be answered in the light of the GDPR rather than the Directive.
  3. The end of the Brexit Transition Period, on 31st December 2020, does nothing to invalidate the decision of the CJEU in this case. The UK GDPR contains the same provisions about international transfers as GDPR.

The International Transfer Regime

To understand the judgment, it is worth recalling how the GDPR regulates the transfers of personal data from organisations within the EEA to those outside it. GDPR Article 44 lays down the general principles. Essentially, international transfers can only take place if they comply with the provisions of Articles 45-48 of GDPR. For the purpose of this blog the important provisions are Articles 45, 46 and 49.

Under GDPR Article 45, the European Commission can make a decision that a third country affords an adequate level of protection for personal data. To date 13 countries are the subject of an adequacy decision. The USA is on the list provided the company or organisation to whom personal data is transferred has signed up to the Privacy Shield Framework. The Commission adopted the EU-US Privacy Shield Decision following the CJEU’s decision in “Schrems 1” (Case-362/14) which ruled that its predecessor, the “Safe Harbour Decision” (2000/520/EEC) was invalid.

In the absence of an adequacy decision, a Data Controller (and Data Processor) can only  make an international transfer if they have in place “appropriate safeguards”. These include the use of standard contractual clauses which have been adopted by the European Commission. The Commission issued the Standard Contract Clauses (SCC) Decision in 2010 which was amended in 2016.

Where a Data Controller is transferring personal data to a third country that is not covered by an adequacy decision and appropriate safeguards are not in place, then it may still be able to make the transfer, if the transfer is covered by one of the “derogations” listed in Article 49. These include (but are not limited to) where the data subject has explicitly consented to the transfer; the transfer is necessary for important reasons of public interest; or where the transfer is necessary for the performance of a contract between the data subject and the controller.  For example, a local authority organising a visit to its twin city in China, may rely on the consent of the councillors and officers before transferring their personal details to the Chinese organisers.

Where none of the derogations apply then a transfer may only take place where it is not repetitive, concerns only a limited number of data subjects and is necessary for purposes of compelling legitimate interests of the Data Controller, which are not overridden by the interests or rights of the data subject. In addition to these hurdles the Data Controller must assess all the circumstances of the transfer and put suitable data protection safeguards in place. The European Data Protection Board (EDPB) has issued guidelines about the Article 49 derogations.

The Judgement

Max Schrems, an Austrian national, is a well-known campaigner against Facebook and its data processing activities. In 2013 he complained to the Irish Data Protection Commissioner requesting her to prohibit Facebook Ireland (a subsidiary of Facebook Inc, in the USA) from transferring his personal data to the USA. That complaint resulted in the Irish High Court referring the case to the CJEU, which ruled in “Schrems 1” that the EU-US Safe Harbour arrangement was invalid.

In 2015 Mr Schrems reformulated his complaint to the Irish Commissioner claiming that under US law, Facebook Inc was required to make the personal data (that had been transferred to it from Facebook Ireland) available to certain US law enforcement bodies and that this personal data was used in the context of various monitoring programmes in a way that violated his privacy. He also argued that US law did not provide EU citizens with legal remedies and so the transfers were not lawful under GDPR. Facebook Ireland argued that the transfer complied with the SCC Decision (i.e. they had standard EU clauses in place) and that was sufficient to make the transfers lawful. At the time, the EU-US Privacy Shield had not been adopted.

The Irish Commissioner agreed with Mr Schrems but she asked the High Court to refer various questions to the CJEU for a “preliminary ruling” on the validity of the SCC Decision. Although the case was primarily about the SCC Decision, the Court considered it had the right to consider the validity of the Privacy Shield Framework too.

The judgment is an extremely important one for both private and public sector organisations despite the fact that reading it is a bit like wading through treacle! Here are the key points:

  1. The CJEU declared that the EU-US Privacy Shield Decision (Decision 2016/1250) was invalid in its entirety and so the Privacy Shield Framework for transferring data to the US could not be used. The Court held that any communication of personal data with a third party (such as the relevant security organisations in the US) was an interference with fundamental privacy rights which was neither lawful nor proportionate. The relevant US legislation did not provide any limits on the powers of US authorities to process the personal data for surveillance purposes. It also decided that the availability of a Privacy Shield Ombudsperson was not sufficient to guarantee that data subjects in the EU had a right to an effective legal remedy as required by GDPR.
  2. The Court confirmed that the use of standard contractual clauses for international transfers was still lawful. Organisations can continue to incorporate these into the contractual arrangements with third country recipients. However,  the point about standard contract clauses is that they are inherently contractual in nature and therefore only bind the parties to the contract. They cannot bind the public authorities, including law enforcement agencies, in third countries. The clauses may require, depending on the situation in the country concerned, the adoption of further supplementary measures to ensure compliance with the level of protection required by the GDPR.
  3. The Court was clear that the responsibility in paragraph 2 above lies with Data Controllers in the EU and the recipient of the personal data to satisfy themselves, on a case by case basis, that the legislation of the third country enables the recipient to comply with the standard data protection clauses before transferring personal data to that third country. If they are not able to guarantee the necessary protection, they or the competent supervisory authority (in the UK the Information Commissioner’s Office) must suspend or end the transfer of personal data.
  4. If a country, like the USA, has legislation in place that obliges recipients to share personal data with public authorities, then Data Controllers must assess, on a case by case basis, whether that mandatory requirement doesn’t go beyond what is necessary in a democratic society to safeguard national security, defence and public security.

What next?

Organisations, including those in the public sector, that transfer personal data to the US can no longer rely on the Privacy Shield Framework. They must now consider using the Article 49 derogations  or the standard contractual clauses. If using the latter, whether for transfers to the US or other countries, the onus is on the Data Controllers to make a complex assessment about the recipient country’s data protection legislation, and to put in place “additional measures” to those included in the clauses.  At time of writing it is not clear how to make this assessment and what additional measures will be needed. The European Data Protection Board (EDPB) has announced it will be looking into this.

The ICO has posted a general statement to the effect that organisations that are currently using the Privacy Shield should continue to do so until further notice. It seems likely that they will  grant a grace period during which organisations  can implement alternative transfer mechanisms.

In our next webinar, The Schrems 2 Judgement: Implications for the Public Sector, we will cut through the legal jargon to explain the decision and its implications specifically for the public sector.


First Online FOI Practitioner Certificate Fully Booked! New Dates Added


Act Now is pleased to announce that the recently launched online FOI Practitioner Certificate course is fully booked. Delegates from a wide range of organisations, including the NHS and local government, have booked on the first course which starts in August.

The course has been designed to mirror our classroom based course that was running successfully throughout the country before the Coronavirus lockdown.
Delegates will benefit from the same fantastic features in a live online learning environment.

Susan Wolf, who has designed this new course says:

“This is a very exciting opportunity. Despite the current difficult times and uncertainties, this online course gives FOI practitioners access to high quality training, that is cost effective and safe.”

The next course starts on 11th September 2020. Please book early to avoid disappointment. We can also deliver this course on an in-house basis customised to the needs of your staff. Please get in touch for a quote.

Recovering Personal Data After Inadvertent Disclosure: The Injunction Route


Even with the best data protection training and awareness programme, mistakes can and do happen when organisations process personal data of a sensitive nature. Personal data can be lost or simply sent to the wrong person. Two recent High Court cases involve local authorities seeking injunctions in an attempt to limit the impact caused by inadvertent disclosures.

In Redbridge LBC v Jennings [2020] 5 WLUK 122 (to the best of our knowledge, only reported on Westlaw) the London Borough of Redbridge was granted an injunction to prevent X from publishing highly sensitive information about another family, that the Council had inadvertently sent to X. London Borough of Lambeth v Anthony Amaebi Harry [2020] EWHC 1458 (QB) was partly about a Breach of Confidence action by Lambeth Council against the Respondent who had also received third-party personal data. Let’s consider both cases and what we can learn from them.

The Disclosures

In the Redbridge case, a council employee wrote to X regarding her family. However the employee inadvertently included documents, containing highly sensitive information about another family (Family A), in the envelope. When X received the documents, she realised that she should not have seen them and so she returned them to the council.  However, it later transpired that X had taken copies of the documents and that she planned to visit Family A to inform them about the council’s error. X also indicated that she would not destroy the copies that she had retained but she would give them to her solicitor. It is clear that X understood the confidential nature of the documents, and that she did not intend to share them with anybody else. However, it appears that she intended to retain the documents (in the hands of her solicitor) for the purpose of pursuing her own data protection claim against the council. X alleged that information about her family had been sent to a third-party who had “knocked on her door to return the documents”. At the time of writing it is uncertain whether X has brought such an action.

In the Lambeth case, Mr Harry made a subject access request (in November 2018) to the Council seeking information held about his child. It appears that another person (HJ) had made allegations to the Council about the care that Mr Harry and his wife were providing for their child. Lambeth Council provided the information to Mr Harry by electronic means. However it turned out that Mr Harry was able to manipulate the data (by removing the redactions that the Council had made) and was able to identify HJ, who had made the initial allegations. He commenced legal proceedings against HJ for defamation.

Lambeth Council sued Mr Harry for Breach of Confidence. It claimed that the information was provided to Mr Harry in circumstances where he knew it was confidential and that he had breached that confidentiality by “unredacting” the data, retaining it and using it as evidence to start court proceedings against HJ. The Council’s rationale for bringing the Breach of Confidence action was that informants have an expectation of confidentiality. The Council obtained an interim injunction in February 2019 to restrain Mr Harry from using the information he had acquired.

A Notifiable Data Breach

Both cases involve a personal data breach as defined by  GDPR Article 4 (12):

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Article 33 of GDPR requires a Data Controller to notify the Information Commissioner’s Office (ICO) about a personal data breach “without delay and where feasible, not later than 72 hours after becoming aware of it”. Notification is not required if the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Disclosing highly sensitive information about one family to another is likely to be a notifiable breach. A failure to adequately redact the name of a person who makes confidential allegations is also likely to have the same result.

The problem with inadvertent and accidental disclosures is the Data Controller may not necessarily be aware of them for some time. In the Redbridge Council case, X told the Council she had received the documents by mistake. According to the Article 29 Data Protection Working Party Guidelines on Personal Data Breach Notification under Regulation 2016/67, when a third party informs a Data Controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure, the Data Controller has become “aware” of the personal data breach. Where a Data Controller has been presented with clear evidence of a confidentiality breach then there can be no doubt that it has become “aware”. In the Redbridge case the Council took a decision to self-refer to the Information Commissioner’s Office; although interestingly the facts suggest that this happened prior to the GDPR coming into force.

In the Lambeth Case it is not entirely clear when or how the Council became aware that Mr Harry had been able to manipulate the data. However the facts, as recorded in the judgement, suggest that it became aware sometime in late 2018 when the ICO investigated complaints made by Mr Harry about the Council’s handling of his subject access request. In other words, it does not look like the Council was aware of the breach until the ICO investigated, although this is not certain from the limited factual information in the judgment.

When a Data Controller becomes aware that personal data has been unlawfully disclosed to a third party, it needs to contain the incident and assess the risk that could result from it. One way of doing this is to request the recipient to either return the information or to securely destroy it. However the Article 29 Guidelines make it clear that the Data Controller must “trust” the recipient to do this. In both cases it was quite clear that the recipients had no intention of safely destroying the personal data or returning it to the respective councils. In both cases the recipients intended to use the data as evidence in their own legal claims. In both cases the Councils sought an injunction to prevent the recipients from misusing private information and/or a Breach of Confidence.

Injunctions and Offences

Before granting an injunction, the High Court is required to consider whether an injunction would affect a person’s right to freedom of expression; for example his/her right to publish the information online or via the press. It can only grant an injunction if it is satisfied that publication should not be allowed.

In the Redbridge case the Court considered that the information was highly sensitive and that there would be a breach of confidentiality if the documents were either revealed to the press or published on-line. It therefore granted the injunction. In the Lambeth case the Court granted an interim injunction but the case concerning the Breach of Confidence has been listed for trial in July 2020 where Mr Harry will argue that he has a public interest defence.

In April 2020 the ICO decided to prosecute Mr Harry (in the Lambeth case) for the two offences of knowingly or recklessly re-identifying de-identified personal data, without the consent of the Data Controller, contrary to s.171(1) of the Data Protection Act 2018 (“the DPA”) and the offence of knowingly or recklessly processing re-identified personal data, without the consent of the Data Controller, contrary to s.171(5). There are no further details about this prosecution at this moment in time.

Lessons Learnt

The incidents in the cases referred to above were not major cyber-attacks or large-scale disclosures. In one case personal data was inadvertently put into an envelope. In another personal data was not properly redacted. But the consequences were potentially severe and could have had significant and adverse consequences for the data subjects concerned.

Both cases show that, although breach notification goes a long way towards addressing issues of awareness and accountability, Data Controllers may need to take further legal action, in the form of an injunction, to prevent collateral damage from an accidental disclosure. The ICO can use its enforcement powers under the DPA 2018 to prosecute people who unlawfully reidentify personal data and seek to process it, but this may come too late if the damage is already done.

GDPR is going global! Ibrahim Hasan is delivering a webinar which will give you a whistle-stop tour of data protection laws around the world. Want a GDPR qualification? Our next online GDPR Practitioner Certificate course is fully booked. There are a few places remaining on the course starting at the end of August.


Data Protection Laws Around the World


Data Protection is going global! 1st of July 2020 is a key date in the development of data protection law around the world. The California Consumer Privacy Act (CCPA) became fully enforceable on this date following a six month grace period. The Act regulates the processing of California consumers’ personal data, regardless of where a company is located. All international businesses have to consider the application of CCPA to their data processing activities.

1st July 2020 is also the date when a new data protection law came into effect in Dubai, although it will not be enforced until 1st October 2020. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 regulates the collection, handling, disclosure and use of personal data and includes enhanced governance and transparency obligations. It applies to all businesses based in the DIFC as well as those processing personal data on their behalf.  

GDPR style data protection laws have also been enacted in Africa, South America, Asia and the Far East. Many other countries have new privacy laws in the pipeline. What impact will this have on your business? What are the career development opportunities for Data Protection Officers and lawyers? 

Ibrahim Hasan is delivering a webinar which will give you a whistle-stop tour of data protection laws around the world. He will focus on the recently enacted California Consumer Privacy Act (CCPA) and the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 as well as other GDPR style laws in force now and coming up in the future.

The New Dubai (DIFC) Data Protection Law

1st of July 2020 is a key date in the development of global data protection law. The California Consumer Privacy Act (CCPA) became fully enforceable on this date following a six month grace period. The Act regulates the processing of California consumers’ personal data, regardless of where a company is located. It provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

1st July 2020 is also the date when a new data protection law came into effect in Dubai, although it will not be enforced until 1st October 2020. The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DPL2020) will regulate the collection, handling, disclosure and use of personal data and includes enhanced governance and transparency obligations. DPL2020 is closely aligned with the EU General Data Protection Regulation (GDPR) and replaces DIFC Law No. 1 of 2007.


DPL2020 is not a data protection law for the whole of the United Arab Emirates or even just the emirate of Dubai. The UAE has several laws covering data protection themes including cyber security but there isn’t yet one main national data protection law across the country.

DPL2020 mainly applies to businesses operating in the Dubai International Financial Centre (DIFC). This is the leading financial hub in the Middle East, Africa and South Asia region. The 110-acre DIFC district is located in the heart of Dubai where 2400 businesses are registered employing over 25000 professionals in, amongst others, the legal, financial, management and regulatory sectors. If a business is registered in the DIFC, or processes personal data within the DIFC as part of stable arrangements, it is covered by the new law, as is any business which processes data on behalf of either of the above.

Key Provisions

Those who know about GDPR will find many familiar concepts and principles in DPL2020 including data protection principles, Data Subjects’ rights and obligations on Data Controllers and Data Processors. We set out below the notable provisions. We have included links to our blog posts explaining the similar provisions found in GDPR:

  • Records Management: Businesses will have to demonstrate compliance with DPL2020. This requires amongst other things, better record management.
  • Data Protection Impact Assessments: These will have to be undertaken in relation to any new “High Risk Processing Activities”. This will involve assessing the impact of the proposed data processing operation on the risks to the rights of Data Subjects.
  • Privacy Notices: These will have to be updated to include more information including the legal basis for processing and the rights of Data Subjects.
  • Breach Notification: Businesses will have to notify the regulator if they suffer a personal data breach which compromises a Data Subject’s confidentiality, security or privacy. In the case of High Risk, the Data Subject must also be informed.
  • Data Processors: The new law imposes direct compliance obligations on Data Processors and also imposes mandatory contractual requirements.
  • Data Protection Officers: Some businesses will have to appoint a DPO depending on whether they conduct High Risk Processing Activities.


Like GDPR, DPL2020 is enforced by a regulator, the Commissioner of Data Protection, who has power, amongst other sanctions, to issue administrative fines for breaches. The maximum fine is 100,000 US dollars. The DIFC Courts may also require a business to pay compensation directly to Data Subjects.

In addition, aggrieved Data Subjects can sue for compensation which is not subject to a cap. The Commissioner can also bring compensation claims on behalf of Data Subjects who have suffered material harm and who are disadvantaged in their ability to bring their own claim.

What Next?

Businesses in the DIFC have four months before DPL2020 is fully enforced. Considering that those covered by GDPR had four years, this is not a long period. Now is the time to put systems and processes in place to ensure compliance. Failure to do so will not just lead to enforcement action but also reputational damage.

The following should be part of an action plan for compliance:

  1. Raising awareness about DPL2020 at all levels. Our  GDPR e learning course  can be tailored for frontline staff.
  2. Carrying out a data audit and reviewing how records management and information risk  is addressed.
  3. Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly  breach notification.
  4. Revising  privacy policies  in the light of the more prescriptive transparency requirements.
  5. Writing policies and procedures to deal with new and revised Data Subject rights such as  Data Portability  and  Subject Access.
  6. Appointing and training a  Data Protection Officer.

Act Now Training can help your business prepare for DPL2020. We have an international reputation in delivering data protection law training and consultancy.
In 2018 Ibrahim Hasan travelled to Dubai to deliver a GDPR workshop for international businesses and their advisers based in the Middle East. A wide range of delegates attended including representatives of the telecommunications, legal and technology sectors.
We have also trained officials from the Government of Brunei on data protection audits.

Our GDPR Practitioner Certificate is ideal for new DPOs and is available as an online DIFC option. We can also deliver customised in house training both remotely and face to face. Please get in touch to discuss your training needs.

Act Now is pleased to announce that we have developed a training programme for those who need to learn about the new DIFC DP law. This includes a specific DIFC DPO Certificate, DIFC One Day Course and DIFC Foundation Certificate covering all the basic aspects of Information Governance.

Ibrahim Hasan will also be running the DPL2020 webinar in August where he will cover the most important aspects of the new legislation. The webinar is free for DIFC based businesses as well as UK businesses trading in the UAE and their legal advisers.

As data protection goes global, if you need a general awareness of the law and its implementation around the world we have a webinar in July.


The Return to Work and Data Protection


Written by Emma Garland.

Along with pubs, restaurants and places of worship, many businesses have now re-opened after the lockdown and are requiring their staff to return to work. There has been a lot of guidance about how the physical aspect of premises can facilitate a safe return, but it is also important that employers do not forget the need for good data protection practice. Much of the process of leaving the office may have been done hastily, but many of the practices that are now established will be in place for a significant time to come.

In short, the principles are the same as they always have been. Data protection does not prevent employers from using personal data in a new way to ensure both the workplace and employees are safe. However, it is important that  the risks associated with new personal data processing activities are recognised and addressed.

Whether an employer wants to create records of staff who are self-isolating, needs information to understand which staff are vulnerable or share data about staff with the NHS, Data Protection Impact Assessments (DPIAs) are an important tool for planning purposes. They will help to clarify the specified aim, the information flow and the risks associated with the processing. The DPIA will require answers to questions such as what do we want to achieve and what personal data do we need to do it? What systems are we going to use and who is responsible for the data? What are the risks to Data Subjects and how are we going to address them?

Communication is vital. The Information Commissioner’s Office (ICO) states in its blog “Be clear, open and honest with staff about their data”. There might be changes in policy and procedure which have an impact on processing employee personal data. Employers should consider if there is a need to update their privacy notices or even create additional ones.

Now is also a good time to think about physical premises and the impact on data security. If employers have implemented a one-way system, does this make it easier for someone to gain access to personal data?

Whatever measures are implemented during and after the pandemic, employees must still be able to exercise their data protection rights. If personal data is not clearly organised across systems, with logical steps in an information flow, then it might not be possible to comply with subject access requests.

Other important steps include amending the organisation’s Record of Processing Activity (RoPA) and the Information Asset Register. Retention periods must also be carefully considered. This is a time of uncertainty, which makes ‘just-in-case’ retention periods tempting, but they should be avoided. There is nothing wrong with telling people that information has been destroyed as it had reached the end of the retention period for the specified purpose it was collected for.

The Information Commissioner’s Office has produced some further guidance for organisations as they recover from the Coronavirus period.

Emma Garland is a Data Governance Officer at North Yorkshire County Council and a blogger on information rights. This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate course is fully booked. A few places are left on the course starting on 6th August.


Data Protection Officers and Conflicts of Interest


In May 2018, with the implementation of GDPR, some senior managers (and many junior ones) found themselves thrown into the then unknown statutory role of Data Protection Officer (“DPO”). Two years on, some now have a better understanding of their role whilst others are still battling to manage the many different requirements of the job.

Articles 38 and 39 of the GDPR outline the role of the DPO. They should, amongst other things, be:

  • involved in data breach discussions and investigations whilst being provided with adequate resource to fulfil their obligations;
  • not dismissed for the performance of their duties as DPO;
  • able to offer secrecy and confidentiality to data subjects in relation to data protection matters within the organisation; and
  • actively involved and consulted on the data processing risks associated with proposed data processing activities within the organisation, which are usually highlighted within the Data Protection Impact Assessment (DPIA).

The law is still in its infancy, and remains largely untested in the courts, but a recent case may lead to a few DPOs feeling a little nervous about their role.

€50,000 Fine

The Belgian Data Protection Authority recently issued a €50,000 fine to an organisation after it ruled that the organisation’s DPO had a conflict of interest under Article 38(6) of GDPR. The DPO had been employed by the organisation as the Head of Compliance, Risk Management and Audit in addition to acting as DPO.

A reportable data breach led to an investigation by the Belgian regulator, which sought to dig a little deeper into the organisation’s general approach to privacy compliance.
The investigation focussed on three main potential infringements of GDPR namely:

  1. The duty to cooperate with the data protection authority
  2. The accountability obligations of the organisation in relation to data breach notifications and data protection risk assessments
  3. The requirements related to the position of the DPO

The investigation found that the organisation’s DPO appointment failed to meet the requirements of the legislation as the individual was responsible for the processing of personal data in the areas of compliance, risk and audit and therefore could not independently advise on such matters.

Many data protection experts have interpreted this ruling as preventing any employee who is a “head of department” from carrying out the DPO role without a conflict of interest, although the situation is not as clear cut.

Conflict of Interests

Whilst the employer will pay their salary, the DPO must be able to act independently and without fear or favour. The Article 29 Working Party’s Guidelines on DPOs make reference to a number of roles which would be considered to pose a conflict of interests with the position of DPO, namely: Chief Executive, Chief Operating Officer, Chief Financial Officer, Chief Medical Officer, Head of Marketing, Head of HR and Head of IT.
All of these roles involve a significant amount of personal data processing and decision making, which makes it impossible to take an independent standpoint on the data matters that arise as a result.

This ruling presents an opportunity for organisations to review their DPO position.
Both the organisation and the individual must be clear about the role. The job description should be reviewed from time to time in the light of changing roles and responsibilities. This may flag up potential conflicts of interest.

It is common for DPOs, especially in the public sector, to wear many “hats” due to budget constraints. Whilst GDPR does allow this, if there is any doubt about a conflict of interests, the decision-making process should be documented and the position reviewed.
If any mitigating measures are to be put in place to reduce the risk of conflict these should be outlined and reviewed periodically as new risks and processing activities are presented to the organisation.

Data protection and privacy is an ever-changing area of compliance and in the coming years, more case law will be generated as the principles of the legislation are put to the test. With the end of the Brexit transition period approaching and changing uses of technology due to the global coronavirus pandemic, organisations will need to remain alert to potential issues arising from their original GDPR implementation plan.

Samantha Smith is a Data Protection Manager and qualified Solicitor with experience of data protection compliance projects across both public and private sectors. This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate course is fully booked. A few places are left on the course starting in August.

Act Now Launches Online FOI Practitioner Certificate


Act Now is pleased to announce the launch of its new online FOI Practitioner Certificate.

This new course has been designed to mirror our classroom based course that was running successfully throughout the country before the Coronavirus lockdown.
Delegates will benefit from the same fantastic features in a live online learning environment.

Class sizes are 50% smaller to ensure that delegates receive all the attention and support they need to get the best out of the course. They will also have plenty of opportunities to ask questions, test their skills and engage with FOI practitioners from the comfort of their home office.

The four days of training are split up into three online sessions per day. Using our online training platform, delegates will be able to see and hear the course tutors as well as the slides, exercises and case studies. We have also built in 1 to 1 tutor time at the end of each day to provide individual support.

A very comprehensive set of materials, including all legislation, will be posted to delegates in advance of the online sessions. In addition they will have access to our online Resource Lab, which now includes updated videos on key aspects of the syllabus.

This new course builds upon our wealth of experience of designing and delivering online training as well as the delegate feedback from our online GDPR Practitioner Certificate.

Susan Wolf, who has designed this new course says:

“This is a very exciting opportunity. Despite the current difficult times and uncertainties, this online course gives FOI practitioners access to high quality training, that is cost effective and safe.”

The first course starts on 20th August with a special introductory price of £1,995 plus VAT. Places are filling up so book early to avoid disappointment. We can also deliver this course on an in-house basis customised to the needs of your staff. Please get in touch for a quote.

