Carsten A. Kociok

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution, franchising, outsourcing and technology transactions. This includes all aspects of e-money and payments law, financial services law, data protection and data security regulations, money laundering obligations as well as marketing, unfair competition, consumer protection and general contract law.

Prior to joining the firm, Carsten worked at Olswang for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

Follow:

European Commission Adopts EU-U.S. Adequacy Decision

By Carsten A. Kociok & Gretchen A. Ramos on July 10, 2023

Posted in EEA, EU E-Privacy Directive, European Court of Juctice, European Union, Featured, GDPR, Privacy, privacy framework, SCC

On July 10, 2023, the European Commission adopted its long-awaited adequacy decision on the EU-U.S. Data Privacy Framework (the “Framework”) thereby concluding that the United States ensures an adequate level of protection for personal data that are transferred from the European Union to companies in the U.S. that participate in the Framework.

The…

Under the GDPR, does a company that uses personal information to train an AI need to allow individuals to request that their information be removed from the training data?

By David A. Zetoony & Carsten A. Kociok on June 28, 2023

Posted in Artificial Intelligence (AI), Data Privacy Law, EEA, European Data Protection Board, European Union, GDPR, Personal information, Privacy

Europe’s General Data Protection Regulation (GDPR) allows individuals to request that their information be deleted in the following situations:[1]

Companies must delete data upon request if the data was processed based solely on consent. The GDPR recognizes that companies may process data based on six alternate lawful grounds.[2] One of these is where

…

Under the GDPR, what lawful purposes can a company rely upon when using personal information to train an AI?

By David A. Zetoony & Carsten A. Kociok on June 27, 2023

Posted in Artificial Intelligence (AI), Data collection, Data Privacy Law, EEA, European Data Protection Board, European Union, GDPR

Data typically is needed to train and fine-tune modern artificial intelligence models. AI can use data – including personal information – in order to recognize patterns and predict results.

The EU’s General Data Protection Regulation (GDPR) permits controllers to process personal information if one (or more) of the following six lawful processing purposes applies:[1]…

What GDPR requirements does a company that uses personal information to train an artificial intelligence (AI) need to meet?

By David A. Zetoony & Carsten A. Kociok on June 22, 2023

Posted in Artificial Intelligence (AI), Data collection, EEA, EU E-Privacy Directive, European Data Protection Board, European Union, GDPR, Personal information, Privacy

Data typically is needed to train and fine-tune modern artificial intelligence models. AI can use data – including personal information – to recognize patterns and predict results.

Companies that utilize personal information to train an AI may either be acting as a controller or a processor depending on the degree of discretion that they exercise…

Under the GDPR, are companies that utilize personal information to train artificial intelligence (AI) controllers or processors?

By David A. Zetoony & Carsten A. Kociok on June 21, 2023

Posted in Artificial Intelligence (AI), Data Privacy Law, European Data Protection Board, European Union, GDPR, Personal information, Privacy

The EU’s General Data Protection Regulation (GDPR) applies to two types of entities – “controllers” and “processors.”

A “controller” refers to an entity that “determines the purposes and means” of how personal information will be processed.[1] Determining the “means” of processing refers to deciding “how” information will be processed.[2] That does not necessitate…

The Complete Handbook for Cross Border Transfers of Personal Information Utilizing the New European Standard Contractual Clauses

By David A. Zetoony, Carsten A. Kociok & Andrea C. Maciejewski on December 8, 2022

Posted in Data, Data collection, Data Privacy Law, EEA, EU E-Privacy Directive, European Data Protection Board, European Union, Featured, GDPR, Germany, Personal information, SCC

All contracts that used the traditional Standard Contractual Clauses must be updated and repapered by 27 December 2022. To help companies comply with the deadline, Greenberg Traurig’s Data Privacy & Cybersecurity Group has compiled a 90-page guide explaining how to apply the new Standard Contractual Clauses in over 40 different transfer scenarios – ranging from…

Deadline: ‘Old’ Standard Contractual Clauses (SCCs) Expire Dec. 27, 2022

By Dr. Viola Bensinger, Carsten A. Kociok & Gretchen A. Ramos on December 2, 2022

Posted in Data Privacy & Cybersecurity, EEA, European Union, Featured, GT Alert, SCC, Transfer Impact Assessment (TIA)

After an extended sunset period, time to replace the “old” SCCs runs out on Dec. 27, 2022. After that date, the old SCCs will no longer legalize data transfers to countries outside the European Economic Area (EEA). To avoid compliance risks associated with illegal transfers of personal data, any old SCCs should be updated to…

Transfers from a European Data Subject: Data Subject → Controller (US) → Processor (non-EEA)

By David A. Zetoony, Carsten A. Kociok & Andrea C. Maciejewski on March 29, 2022

Posted in Data collection, EEA, European Union, GDPR, Online tracking, SCC

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual	Description and Implications
	The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[1] and, as a result,

…

Transfers from a European Data Subject: Data Subject→Controller (US)→Processor (US)

By David A. Zetoony, Carsten A. Kociok & Andrea C. Maciejewski on March 24, 2022

Posted in Data collection, EEA, European Data Protection Board, European Union, GDPR, Online tracking, SCC

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual	Description and Implications
	The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”1 and, as a result,

…

Transfers from a European Data Subject: Data Subject→Controller (US)→Controller (non-EEA)

By David A. Zetoony, Carsten A. Kociok & Andrea C. Maciejewski on March 23, 2022

Posted in Data collection, EEA, European Data Protection Board, European Union, GDPR, Online tracking, SCC

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual	Description and Implications
	The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”1 and, as a result,

…

Data Privacy Dish

Carsten A. Kociok

Deadline: ‘Old’ Standard Contractual Clauses (SCCs) Expire Dec. 27, 2022

About Greenberg Traurig