Data Protection

Garrigues

  • g-digital, Garrigues’ digital business division, rounds off 2025 with new digital trust products and increases its eIDAS offering

    With solutions designed to be integrated into all types of real-world client processes (evidence, signature, storage and certified notifications), it is gearing up for a 2026 marked by the entry into force of the European Digital Identity (EUDI) Wallet and the new compliance challenges faced by businesses 
  • Is pseudonymized data personal data? Key points following the European Court of Justice's judgment in the EDPS v SRB case

    The judgment delivered by the European Court of Justice (CJEU) on September 4, 2025 in the EDPS v SRB case (case C-413/23 P) is an important landmark in the field of data protection, because it deals with the concept of “personal data”, which is at the heart of the practice.
  • Proposal by the European Commission to amend the GDPR: a critical review and practical suggestions

    The European Commission has recently presented a proposal to amend the GDPR with a view to reducing the bureaucratic burden on small and medium-sized companies. The main measure that has been introduced is to expand the exceptions to the obligation to keep a Record of Processing Activities (RoPA). Although the intention behind the amendment is positive, the approach taken has been criticized because it fails to bear in mind the essence of compliance with the Regulation. We analyze what this implies (not necessarily an improvement for small and medium-sized companies) and propose various alternatives to facilitate compliance with the GDPR.
  • Everything you need to know about the plan to implement new whistleblowing legislation in Portugal

    By June 18, 2022, companies (whether public or private) and public entities, especially those employing 50 or more workers, are obliged to implement a whistleblowing channel so that workers, shareholders, members of corporate bodies, service providers, suppliers and other reporting parties, including within the context of a professional relationship that has since ended, might report breaches of the legislation referring to various areas. 
  • New guidelines on direct marketing issued by the Portuguese Data Protection Authority: what has to change in the way companies do marketing?

    On 25 January 2022, the CNPD issued its first guidelines on the processing of personal data in the context of direct marketing electronic communications.
  • China’s Personal Information Protection Law: things you need to know

    Recently, China formally passed the Personal Information Protection Law (PIPL), which is the country's first comprehensive national-level personal data protection law. PIPL will become effective as of November 1, 2021, leaving a short time for companies operating in China (and even certain foreign companies) to become fully compliant with the new personal data protection regime.
  • China’s Supreme People’s Court sets rules for facial recognition technology

    On July 28, 2021, China’s Supreme People’s Court (the top judicial authority) published the 'Provisions on Relevant Issues on the Application of Laws in Hearing Civil Cases Related to the Application of Facial Recognition Technology in Processing Personal Information'. The provisions came into force as of August 1, 2021. They provided guidance for the courts to apply the rules scattered across the Civil Code, Cybersecurity Law, Consumer Rights Protection Law, E-Commerce Law, etc. on personal data processing by using facial recognition technology, and have also set specific rules based on the recent practices of the Chinese courts. In this article we provide our comments on several highlights in the provisions.
  • China sets new rules on security vulnerability of network products

    China’s Ministry of Industry and Information Technology (MIIT), Cybersecurity Administration of China (CAC) and Ministry of Public Security (MPS) jointly published the Provisions on Administration of Security Vulnerability of Network Products (Provisions), which will be in force as of September 1, 2021. The Provisions have established rules for the detection, collection, publication and other activities in relation to the security vulnerability of network products. 
  • China to enhance cybersecurity review measures

    A few days ago, the Cyber Administration of China (CAC) shook the online business sector with the cybersecurity review of Didi (the world’s biggest online ride-hailing company) and three other online business companies to prevent data security risks, citing the Cybersecurity Review Measures.
  • China’s Shenzhen City Enacted Regional Data Regulation

    Shenzhen, the leading financial and production center for China and home of many Chinese internet and tech giants such as Huawei, Tencent and DJI, enacted its regional data protection law, Data Regulation of the Shenzhen Special Economic Zone (Shenzhen Data Regulation) on June 29, 2021. Shenzhen Data Regulation will become effective as of January 1, 2022.