The European Commission has adopted two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to third countries. They reflect new requirements under the General Data Protection Regulation (GDPR) and take into account the Schrems II judgement of the Court of Justice, ensuring a high level of data protection for citizens. These new tools will offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.

Values and Transparency Vice President Vera Jourová said: “In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernised Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”

Justice Commissioner Didier Reynders said: “In our modern digital world, it is important that data can be shared with the necessary protection - inside and outside the EU. With these reinforced clauses, we are giving more safety and legal certainty to companies for data transfers. After the Schrems II ruling, it was our duty and priority to come up with user-friendly tools, which companies can fully rely on. This package will significantly help companies to comply with the GDPR.”

More information is available here.

As the ongoing conflict concerning data protection reaches new highs, Europe is still struggling to finding appropriate solutions to protect itself and its citizen from the theft, use and abuse of private data.

Dutch Data Protection Authority (AP) has imposed a fine of €475,000 on Booking.com for a data breach where criminals accessed the personal data of more than 4,000 customers, including obtaining the credit card details of nearly 300 users of the popular travel site.

The criminals extracted login details to the accounts from employees of 40 hotels in the United Arab Emirates.

Phishing

"Booking.com customers ran the risk of being robbed here," said Monique Verdier, Vice President of the Dutch data protection agency. "Even if the criminals did not steal credit card information but only someone's name, contact details and information about his or her hotel booking. The scammers used that data for phishing."

"By pretending to belong to the hotel by phone or email, they tried to take money from people. That can be very credible if such a scammer knows exactly when you booked which room. And asks if you want to pay for those nights. The damage can then be considerable, "said Verdier.

Booking.com was notified of the data breach on 13 January, but didn't report it within the mandatory three day period after discovering a breach. Instead, they waited a further 22 days.

"This is a serious violation," said Verdier. "Unfortunately, a data breach can happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the repetition of such a data breach, you must report this in time. Speed is very important."