Happy Birthday, GDPR!

25.05.2021 Happy Birthday, GDPR!

On 25 May 2021, the EU General Data Protection Regulation (GDPR) turned 3! A colleague from the U.S. recently compared the GDPR to a 3-year-old baby’s developmental milestones. Compared to some milestones, the GDPR indeed is ahead of its age. For example, it speaks way more than 250-500 words. Compared to some, it still has a lot to learn. Whereas a 3-year-old child should be able to answer simple questions and speak clearly, the GDPR tends to raise difficult questions and, at times, sounds anything but clear.

As birthdays should be celebrated, the data protection team of TGS Baltic from Estonia, Latvia, and Lithuania bring to you some of the subject matters which have recently become especially topical for our clients—data transfers outside the EU post-Schrems (not only to the U.S. but also to countries like Ukraine and Russia), dealing with data breaches, and determining the roles in processing (especially the somewhat scary and confusing joint controllership). Additionally, we will remind you of the rules for sending commercial communication and provide you with an overview of the data protection landscape in each of the Baltic States.

Let the celebrations begin! Should you have any questions or comments, our team is happy to answer them. Please find our contacts below.

1 v2

Most, if not all organisations using state-of-the-art technologies in business or other processes transfer personal data to countries outside of the European Union and the European Economic Area (third countries). Many are already aware that it is mandatory to provide appropriate safeguards for such transfers as the Court of Justice of the European Union (CJEU) emphasised in the so-called Schrems II [1] decision on 16 July 2020, invalidating one of the most commonly used mechanisms for transferring personal data to the United States of America (U.S.)—the European Commission's (Commission) decision 2016/1250 on the adequacy of the level of protection for the transmission of data to the U.S. or the so-called “Privacy Shield”.

While those who already have done the Schrems II homework may face the next level challenge (deciding on supplemental measures to ensure compliance with the EU level of protection of personal data), those yet unfamiliar with the concept of data transfers, are exposed to a comparatively higher and increasing risk of non-compliance due to complete lack of safeguards.

Read more about the following topics here:

  • What kind of processing may involve personal data transfer to third countries?
  • What are “standard contractual clauses” and are they enough?
  • How to assess the law of a third country?
  • What are the “supplementary measures”?
2 v2

In the Baltics, the cybersecurity and data breaches narrative has received huge waves of attention in the past months. Contemporary entrepreneurs and business stakeholders start to realize that data and IT systems have grown into focal assets of companies and there is no place for “non-IT/non-data companies” in the modern economy. Thus, data and information security are gradually shifting from a “nice to have” feature to the “necessary for survival” imperative. Of course, the majority of businesses in the Baltics still naively hope that “they are too small to suffer a meaningful data incident“ or that “nothing will happen to them”.

At the EU level, one may easily identify several general and sector-specific laws which lay down the key principles of data security and impose requirements for businesses engaged in data-driven or data-related business activities. One of such generic pieces of EU-wide legislation is the GDPR, which introduces a universal personal data protection framework within the EU.

Read more about the following topics here:

  • Cyber incident vs. personal data security breach
  • What are the obligations in the case of a data breach?
  • What are the lessons learned?
  • Why record and notify?
  • Personal data breaches in the Baltics in 2020

3 v5

Joint controllership is not among the top novelties introduced by the GDPR, although its authors have further elaborated the concept with more detailed and thorough wording. Nevertheless, joint controllership has been among the topics which have brought about some controversy lately. The Court of Justice of the European Union (CJEU) has recently rendered several judgements where this concept was at the core of the legal merits, whereas the European Data Protection Board (EDPB) has issued guidelines on the matter (Guidelines 07/2020 on the concepts of controller and processor in the GDPR).

In practice, the question of roles, and especially joint controllership, quite often arises in corporate group structures where personal data are shared between different group entities for various purposes. Although personal data exchanges within the group usually provide more certainty than data sharing with third parties, the companies should be aware that the GDPR rules apply equally to data transfers within the group.

Against this background, we would like to draw your attention to the concepts of the different roles in processing personal data and especially that of joint controllership. Of course, the below applies universally, not only to group structures.

Read more about the following topics here:

  • Key elements of joint controllership
  • Independent controllers and processors
  • Key take-aways 

4 v2

First, it should be noted that electronic direct marketing (e.g., marketing done via e-mail and SMS) should be distinguished from other marketing activities (e.g., marketing done via phone and mail and profiling for marketing purposes) because electronic direct marketing is regulated by a special regulation—the e-Privacy Directive (soon to be replaced by the e-Privacy Regulation)—which takes precedence over the GDPR. Read more

5 v2

Read about all three Baltic States here:


6 v2

TGS Baltic’s data protection team has extensive experience in advising clients from various sectors (e.g., healthcare, financial, IT, retail, e-commerce, employment, real estate, industrial, etc.) on legal matters about personal data protection and privacy, with comprehensive know-how in effectively addressing, documenting, and managing the EU General Data Protection Regulation (GDPR), e-privacy, and national data protection frameworks.

One of the main strengths of the team is its great synergy with other teams and departments in TGS and with each other across the Baltics. The team works closely with Banking & Finance, FinTech, Mergers & Acquisitions, and Healthcare & Life Sciences colleagues, advising clients from those sectors on various data protection questions.

Our team conducts personal data protection compliance audits designed to identify non-compliance and points of improvement and provides customised action plans with practical guidance on how to eliminate any inconsistencies identified. The team also offers far-reaching legal assistance in the implementation of action plans to achieve legal compliance. That includes drafting the requisite documentation (e.g., privacy and cookie notices, consents, records of processing activities, internal procedures, data processing and data transfer agreements, data protection impact assessments, etc.) and day-to-day consulting on various issues (e.g., determining the legality of and legal bases for processing personal data and the roles in processing personal data, defining data retention periods, regulating cross-border transfers of personal data, appointing data protection officers, managing data breaches and data subjects’ access requests, etc.).

Additionally, the team conducts data protection training, the content and scope of which depend on the target group and needs of the client, supports the work of data protection officers and in-house lawyers, and represents clients before supervisory authorities and courts.

Get in touch with us with any questions!