Photo of Oliver Heinisch

Oliver Heinisch

Subscribe to Oliver Heinisch's Posts

Oliver Heinisch is a partner in the Antitrust and Competition Practice Group in the firm's London office.

Contact:Read more about Oliver Heinisch

The EU Regulation on horizontal cybersecurity requirements for products with digital elements, the so-called Cyber Resilience Act, has been officially adopted on 10 October 2024 and will be published in the EU’s official journal in the coming weeks. This law will impose important obligations on manufacturers of connected products and those placing them onto the EU market. Implementation will begin in 2026 for certain portions of the law, and continue until 2027/2028 for some provisions. There are several elements for a company to keep in mind, which we have outlined below.Continue Reading EU Cybersecurity Regulation Adopted, Impacts Connected Products

The Court of Justice of the European Union (CJEU) clarified in two judgments in the last month of 2023 (Deutsche Wohnen, ECLI:EU:C:2023:950 [DW] and Nacionalinis visuomenės sveikatos centras, ECLI:EU:C:2023:949 [NVSC]) the conditions under which data protection authorities across the EU may impose fines on companies for violations of the GDPR. Specifically, when those violations were committed either by unidentifiable employees at a company (DW) or by third parties (NVSC).Continue Reading CJEU Decision Will Have Impact on Potential Fine Setting Under GDPR

The European Commission announced today a long-awaited decision that the UK data protection standards are adequate under the meaning of GDPR’s Article 45, providing a mechanism to enable transfer of data from the EU to the UK without the need for additional authorisation or putting in place additional safeguards. This decision will be in force for four years but can be withdrawn if the UK were to lower its standards and no longer provide EU citizens adequate protection for their personal data. The decision excludes personal data that is transferred for purposes of United Kingdom immigration control.
Continue Reading Free Data Flow to the UK May Continue – EU Adopts Adequacy Decision

Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for Companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated to (1) more directly address GDPR and (2) because of comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).
Continue Reading Understanding When to Use Two New Sets of Standard Contractual Clauses Issued by the EU

On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.
Continue Reading CJEU Invalidates Privacy Shield, But Upholds SCCs with Conditions