Photo of Carsten A. Kociok

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution, franchising, outsourcing and technology transactions. This includes all aspects of e-money and payments law, financial services law, data protection and data security regulations, money laundering obligations as well as marketing, unfair competition, consumer protection and general contract law.

Prior to joining the firm, Carsten worked at Olswang for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

No.

Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity that is within a country that has been recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a

Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity within a country recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a “safeguard”) that imposes many of the

No.

Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity within a country recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a “safeguard”) that imposes many of

On 04 June 2021, the EU Commission adopted two new sets of standard contractual clauses (SCC): one set for the transfer of personal data from the EU to third countries (Cross-Border SCC) and another set addressing certain clauses in controller-processor data processing agreements (DPA-SCC). The adoption was made some seven months after initial drafts

After more than four years of negotiations, the Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which will replace the ePrivacy Directive (2002/58/EC), appears to be at a turning point. On Feb. 10, 2021, the Council of the European Union announced it has adopted a consolidated version (the “Council’s Position”) which will be the basis

It depends.

Many lawyers (and clients) incorrectly assume that attorneys must be processors because they are service providers of their clients. In some situations, a service provider has a role in determining the purposes and means of processing; when that occurs the service provider is, like its client, considered a “controller” or a “joint controller.”

On 12 November 2020 the Commission of the European Union (EU) published two draft implementing decisions – one containing a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the Cross-Border SCCs), and one containing a draft of new standard contractual clauses for certain clauses in

* Please note, post publication the EDPB extended the deadline for public comments on the Supplementary Transfer Measures Recommendations to Dec 21, 2020.

On Nov. 11, the European Data Protection Board (EDPB) published Supplementary Transfer Measures Recommendations and Surveillance Recommendations.

Click here to read the full GT Alert, “EDPB Guidance on Supplementary Transfer

On August 27, 2020 the Dutch Data Protection Authority (Dutch DPA) announced that it approved the first ‘code of conduct’ in the Netherlands, the Data Pro Code. The Data Pro Code was drafted by NL Digital, the Dutch industry association for organizations in the ICT sector in the Netherlands.

What is a ‘Code of

The Court of Justice of the European Union (CJEU)’s historic decision in Schrems II, in which the EU-U.S. Privacy Shield was invalidated, requires businesses to rethink the mechanism they can rely on to transfer personal data from the EU to the United States and other countries. After several EU data protection authorities (DPAs) published their reactions, the European Data Protection Board (EDPB), an association comprising, inter alia, national DPAs of all EU Member States, presented its guidance in form of an FAQ.

At the time of its publication, the guidance comprises 12 FAQs. It will be updated with further analysis. While the EDPB notes that supplementary measures may be necessary when using standard contractual clauses (SCCs), it fails to specify what that means but promises to provide more guidance in the future. Summarized below are the key takeaways from the EDPB’s guidance.
Continue Reading EDPB Issues Data Transfer FAQs in the Post Privacy Shield Area