[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article_59690":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":11,"nbDownloads":12,"excerpt":13,"lang":14,"url":15,"intro":13,"featured":4,"state":16,"author":17,"authorId":18,"datePublication":23,"dateCreation":24,"dateUpdate":25,"mainCategory":26,"categories":42,"metaDatas":70,"imageUrl":71,"imageThumbUrls":72,"id":80},false,"The **French Chapter of the International Association of Privacy Professionals (IAPP)** once again brought together privacy and data protection professionals for a **remarkable event**, rich in discussion, insights, and collaboration. This time, under the \"Grand(iose) KnowledgnNet event\" of October 7th.\r\n\r\n**Dastra** was honored to participate as a one of the **sponsors** of this major privacy gathering, which offered a platform to exchange practical experiences and explore emerging regulatory challenges.\r\n\r\n---\r\n\r\n### A day of insightful & constructive dialogue\r\n\r\nFrom the **future of international data transfers** to the complexities of **pseudonymisation**, **Privacy-Enhancing Technologies (PETs)**, and **privacy in HR,** the panels covered a wide spectrum of issues central to data protection and compliance.\r\n\r\nSpeakers shared pragmatic and forward-thinking perspectives on how organizations can reconcile **legal compliance, technological innovation, and the protection of fundamental rights**.Each session provided actionable takeaways for professionals navigating an increasingly intricate regulatory landscape.\r\n\r\n---\r\n\r\n## What we learned\r\n\r\n### 1. Cross-Border Data Transfers : between global vision and operational reality\r\n\r\nFrom a **U.S. perspective**, panelists emphasized that while certain developments such as the Latombe case bring a sense of certainty, it is still possible for things to take a turn especially with a potential appeal. Organizations must therefore prepare for multiple scenarios and maintain contingency plans — **Transfer Impact Assessments (TIAs)** remain a critical tool. Recent enforcement actions, such as the **Irish DPA’s decision in the TikTok case**, demonstrate that supervisory authorities scrutinize both **the assessment process and the evidence of compliance**.\r\n\r\nIn the **U.K.**, changes primarily concern **onward transfers**, with the previous “essentially equivalent” test evolving into a **lower-threshold “data protection test” in which** safeguards in third countries must **not be materially lower** than those in the UK.\r\n\r\nAt a broader level, discussions touched on the **EU’s evolving data sovereignty strategy**, with certain Member States, such as the Netherlands, adopting more cautious or restrictive approaches toward U.S. transfers.\r\n\r\n**Key takeaways:**\r\n\r\n- Maintain clear communication with clients and stakeholders; transparency remains the best safeguard in periods of legal uncertainty.\r\n\r\n- Strengthen **encryption** and **data residency** measures to ensure better control within the EU.\r\n\r\n- Monitor evolving jurisprudence and regulatory positions closely.\r\n\r\n---\r\n\r\n### 2. Privacy-Enhancing Technologies (PETs)\r\n\r\nOptimism was palpable regarding **Privacy-Enhancing Technologies as they are gradually gaining traction on the market**. These tools hold significant potential to reconcile innovation with data protection, yet their **concepts and use cases still require clarification**, especially for **SMEs** seeking practical compliance solutions.The underlying **technology still needs to be demystified**, and **use cases better understood**, particularly from a sector-specific perspective. \r\n\r\nAlthough the term “PETs” lacks a single legal definition, frameworks such as those developed by the **OECD** provide a useful starting point. Examples already embedded in EU legislation include **anonymisation**, **encryption**, and mechanisms under the GDPR or the Data Governance Act.\r\n\r\nEmerging trends in PETs such as **synthetic data** and **federated learning** were discussed. \r\n\r\n### 3.CJUE's clarifications on pseudonymized transfers: personal data or not?\r\n\r\nThe **CJEU ruling in EDPS v. SRB**,  which shed light on whether **pseudonymised data** should be considered **personal data**, has raised many questions, both in terms of **legal interpretation** and **practical implications**. The Court’s approach emphasized the importance of documentation: controllers must be able to demonstrate why certain datasets are not re-identifiable from the recipient’s standpoint.\r\n\r\nIts **operational impact** could be significant, touching on **data transfers**, the **application of the Data Act**, **GDPR Article 28** requirements, and even the potential **relevance of criminal sanctions**. \r\n\r\nFor now, **prudence** remains the guiding principle as the community awaits regulators’ analysis and its effects on **pseudonymization guidelines**. \r\n\r\n**Practical advice:**\r\n\r\n- Incorporate **contractual clauses** explicitly prohibiting re-identification of data subjects by third parties or vendors.\r\n\r\n- As a pragmatic safeguard, some organizations choose to treat **all pseudonymised data as personal data**.\r\n\r\n- Note that in certain jurisdictions, such as the **U.K.**, **re-identification of anonymised or pseudonymised data** constitutes a **criminal offence**, interpreted strictly.\r\n\r\n- The **Singaporean DPA’s guidance** on anonymisation and pseudonymisation was also cited as a helpful benchmark for operational compliance.\r\n\r\n---\r\n\r\n### 4. Privacy in HR: the complexities of employee access requests\r\n\r\n**Privacy in HR** also sparked deep reflection, particularly regarding **access requests** from (former) employees. \r\n\r\nThe discussion revealed eye-opening figures about the **costs and time** involved in handling such requests. Speakers explored the growing trend of employees, and former employees, using access requests strategically, prompting discussion on the fine line between **legitimate rights and abuse of process or as a form of pressure or retaliation.** \r\n\r\nWhile DSARs often lead to **litigation and resource-intensive procedures**, panellists agreed that organizations should not hesitate to **engage in dialogue** with the data subject to **clarify the scope** of the request, for instance, by defining timeframes or relevant keywords.\r\n\r\nWhatever the approach, companies should ensure their **policy is consistent and non-discriminatory**, avoiding unequal treatment of similar requests.\r\n\r\n---\r\n\r\n### A word from Dastra\r\n\r\nThis edition of **IAPP KnowledgeNet France** was a resounding success, thanks to the dedication and expertise of the **chapter co-chairs and volunteers**, who continue to strengthen the privacy community across France.\r\n\r\nAt **Dastra**, we believe the real value of professional gatherings lies not only in the quality of the presentations but also in the **informal moments between them**: a conversation over coffee, a lunch discussion, or a cocktail debate that sparks new ideas and collaborations.\r\n\r\nWe are proud to have co-sponsored this event with Salesforce, and remain committed to fostering **dialogue, trust, and innovation** within the **French & European privacy ecosystem**.","\u003Cp>The \u003Cstrong>French Chapter of the International Association of Privacy Professionals (IAPP)\u003C/strong> once again brought together privacy and data protection professionals for a \u003Cstrong>remarkable event\u003C/strong>, rich in discussion, insights, and collaboration. This time, under the \"Grand(iose) KnowledgnNet event\" of October 7th.\u003C/p>\r\n\u003Cp>\u003Cstrong>Dastra\u003C/strong> was honored to participate as a one of the \u003Cstrong>sponsors\u003C/strong> of this major privacy gathering, which offered a platform to exchange practical experiences and explore emerging regulatory challenges.\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"a-day-of-insightful-constructive-dialogue\">A day of insightful & constructive dialogue\u003C/h3>\r\n\u003Cp>\u003Cbr />\r\nFrom the \u003Cstrong>future of international data transfers\u003C/strong> to the complexities of \u003Cstrong>pseudonymisation\u003C/strong>, \u003Cstrong>Privacy-Enhancing Technologies (PETs)\u003C/strong>, and \u003Cstrong>privacy in HR,\u003C/strong> the panels covered a wide spectrum of issues central to data protection and compliance.\u003C/p>\r\n\u003Cp>Speakers shared pragmatic and forward-thinking perspectives on how organizations can reconcile \u003Cstrong>legal compliance, technological innovation, and the protection of fundamental rights\u003C/strong>.\u003Cbr />\r\nEach session provided actionable takeaways for professionals navigating an increasingly intricate regulatory landscape.\u003C/p>\r\n\u003Chr />\r\n\u003Ch2 id=\"what-we-learned\">What we learned\u003C/h2>\r\n\u003Ch3 id=\"cross-border-data-transfers-between-global-vision-and-operational-reality\">1. Cross-Border Data Transfers : between global vision and operational reality\u003C/h3>\r\n\u003Cp>\u003Cbr />\r\nFrom a \u003Cstrong>U.S. perspective\u003C/strong>, panelists emphasized that while certain developments such as the Latombe case bring a sense of certainty, it is still possible for things to take a turn especially with a potential appeal. \u003Cbr />\r\n\u003Cbr />\r\nOrganizations must therefore prepare for multiple scenarios and maintain contingency plans — \u003Cstrong>Transfer Impact Assessments (TIAs)\u003C/strong> remain a critical tool. Recent enforcement actions, such as the \u003Cstrong>Irish DPA’s decision in the TikTok case\u003C/strong>, demonstrate that supervisory authorities scrutinize both \u003Cstrong>the assessment process and the evidence of compliance\u003C/strong>.\u003C/p>\r\n\u003Cp>In the \u003Cstrong>U.K.\u003C/strong>, changes primarily concern \u003Cstrong>onward transfers\u003C/strong>, with the previous “essentially equivalent” test evolving into a \u003Cstrong>lower-threshold “data protection test” in which\u003C/strong> safeguards in third countries must \u003Cstrong>not be materially lower\u003C/strong> than those in the UK.\u003C/p>\r\n\u003Cp>At a broader level, discussions touched on the \u003Cstrong>EU’s evolving data sovereignty strategy\u003C/strong>, with certain Member States, such as the Netherlands, adopting more cautious or restrictive approaches toward U.S. transfers.\u003C/p>\r\n\u003Cp>\u003Cstrong>Key takeaways:\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Maintain clear communication with clients and stakeholders; transparency remains the best safeguard in periods of legal uncertainty.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Strengthen \u003Cstrong>encryption\u003C/strong> and \u003Cstrong>data residency\u003C/strong> measures to ensure better control within the EU.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Monitor evolving jurisprudence and regulatory positions closely.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Chr />\r\n\u003Ch3 id=\"privacy-enhancing-technologies-pets\">2. Privacy-Enhancing Technologies (PETs)\u003C/h3>\r\n\u003Cp>Optimism was palpable regarding \u003Cstrong>Privacy-Enhancing Technologies as they are gradually gaining traction on the market\u003C/strong>. These tools hold significant potential to reconcile innovation with data protection, yet their \u003Cstrong>concepts and use cases still require clarification\u003C/strong>, especially for \u003Cstrong>SMEs\u003C/strong> seeking practical compliance solutions.\u003Cbr />\r\n\u003Cbr />\r\nThe underlying \u003Cstrong>technology still needs to be demystified\u003C/strong>, and \u003Cstrong>use cases better understood\u003C/strong>, particularly from a sector-specific perspective.\u003C/p>\r\n\u003Cp>Although the term “PETs” lacks a single legal definition, frameworks such as those developed by the \u003Cstrong>OECD\u003C/strong> provide a useful starting point. Examples already embedded in EU legislation include \u003Cstrong>anonymisation\u003C/strong>, \u003Cstrong>encryption\u003C/strong>, and mechanisms under the GDPR or the Data Governance Act.\u003C/p>\r\n\u003Cp>Emerging trends in PETs such as \u003Cstrong>synthetic data\u003C/strong> and \u003Cstrong>federated learning\u003C/strong> were discussed.\u003C/p>\r\n\u003Ch3 id=\"cjues-clarifications-on-pseudonymized-transfers-personal-data-or-not\">3.CJUE's clarifications on pseudonymized transfers: personal data or not?\u003C/h3>\r\n\u003Cp>\u003Cbr />\r\nThe \u003Cstrong>CJEU ruling in EDPS v. SRB\u003C/strong>,  which shed light on whether \u003Cstrong>pseudonymised data\u003C/strong> should be considered \u003Cstrong>personal data\u003C/strong>, has raised many questions, both in terms of \u003Cstrong>legal interpretation\u003C/strong> and \u003Cstrong>practical implications\u003C/strong>. \u003Cbr />\r\n\u003Cbr />\r\nThe Court’s approach emphasized the importance of documentation: controllers must be able to demonstrate why certain datasets are not re-identifiable from the recipient’s standpoint.\u003C/p>\r\n\u003Cp>Its \u003Cstrong>operational impact\u003C/strong> could be significant, touching on \u003Cstrong>data transfers\u003C/strong>, the \u003Cstrong>application of the Data Act\u003C/strong>, \u003Cstrong>GDPR Article 28\u003C/strong> requirements, and even the potential \u003Cstrong>relevance of criminal sanctions\u003C/strong>.\u003C/p>\r\n\u003Cp>For now, \u003Cstrong>prudence\u003C/strong> remains the guiding principle as the community awaits regulators’ analysis and its effects on \u003Cstrong>pseudonymization guidelines\u003C/strong>.\u003C/p>\r\n\u003Cp>\u003Cstrong>Practical advice:\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Incorporate \u003Cstrong>contractual clauses\u003C/strong> explicitly prohibiting re-identification of data subjects by third parties or vendors.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>As a pragmatic safeguard, some organizations choose to treat \u003Cstrong>all pseudonymised data as personal data\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Note that in certain jurisdictions, such as the \u003Cstrong>U.K.\u003C/strong>, \u003Cstrong>re-identification of anonymised or pseudonymised data\u003C/strong> constitutes a \u003Cstrong>criminal offence\u003C/strong>, interpreted strictly.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>The \u003Cstrong>Singaporean DPA’s guidance\u003C/strong> on anonymisation and pseudonymisation was also cited as a helpful benchmark for operational compliance.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Chr />\r\n\u003Ch3 id=\"privacy-in-hr-the-complexities-of-employee-access-requests\">4. Privacy in HR: the complexities of employee access requests\u003C/h3>\r\n\u003Cp>\u003Cbr />\r\n\u003Cstrong>Privacy in HR\u003C/strong> also sparked deep reflection, particularly regarding \u003Cstrong>access requests\u003C/strong> from (former) employees.\u003C/p>\r\n\u003Cp>The discussion revealed eye-opening figures about the \u003Cstrong>costs and time\u003C/strong> involved in handling such requests. \u003Cbr />\r\n\u003Cbr />\r\nSpeakers explored the growing trend of employees, and former employees, using access requests strategically, prompting discussion on the fine line between \u003Cstrong>legitimate rights and abuse of process or as a form of pressure or retaliation.\u003C/strong>\u003C/p>\r\n\u003Cp>While DSARs often lead to \u003Cstrong>litigation and resource-intensive procedures\u003C/strong>, panellists agreed that organizations should not hesitate to \u003Cstrong>engage in dialogue\u003C/strong> with the data subject to \u003Cstrong>clarify the scope\u003C/strong> of the request, for instance, by defining timeframes or relevant keywords.\u003C/p>\r\n\u003Cp>Whatever the approach, companies should ensure their \u003Cstrong>policy is consistent and non-discriminatory\u003C/strong>, avoiding unequal treatment of similar requests.\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"a-word-from-dastra\">A word from Dastra\u003C/h3>\r\n\u003Cp>This edition of \u003Cstrong>IAPP KnowledgeNet France\u003C/strong> was a resounding success, thanks to the dedication and expertise of the \u003Cstrong>chapter co-chairs and volunteers\u003C/strong>, who continue to strengthen the privacy community across France.\u003C/p>\r\n\u003Cp>At \u003Cstrong>Dastra\u003C/strong>, we believe the real value of professional gatherings lies not only in the quality of the presentations but also in the \u003Cstrong>informal moments between them\u003C/strong>: a conversation over coffee, a lunch discussion, or a cocktail debate that sparks new ideas and collaborations.\u003C/p>\r\n\u003Cp>We are proud to have co-sponsored this event with Salesforce, and remain committed to fostering \u003Cstrong>dialogue, trust, and innovation\u003C/strong> within the \u003Cstrong>French & European privacy ecosystem\u003C/strong>.\u003C/p>\r\n","Highlights from the IAPP France Event | Dastra","Explore the main insights from the IAPP France KnowledgeNet — a day of privacy discussions, innovation, and collaboration with Dastra.",901,5,"Dastra Recap: Insights from the IAPP France KnowledgeNet",0,"Dastra reviews the main takeaways from the IAPP France KnowledgeNet: cross-border data transfers, PETs, pseudonymisation, and DSARs.","en","dastra-recap-insights-from-the-iapp-france-knowledgenet","Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":21,"blogUrl":21,"color":21,"userId":18,"creationDate":22},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png",null,"2025-03-03T11:08:22","2025-10-30T14:01:00","2025-10-29T16:01:14.403423","2025-10-30T15:27:35.1375361",{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":21,"count":21,"imageUrl":21,"parent":21,"order":12,"translations":32},2,"Blog","A list of curated articles provided by the community","article","#28449a",[33,36,39],{"lang":34,"name":28,"description":35},"fr","Une liste d'articles rédigés par la communauté",{"lang":37,"name":28,"description":38},"es","Una lista de artículos escritos por la comunidad",{"lang":40,"name":28,"description":41},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[43,48],{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":21,"count":21,"imageUrl":21,"parent":21,"order":12,"translations":44},[45,46,47],{"lang":34,"name":28,"description":35},{"lang":37,"name":28,"description":38},{"lang":40,"name":28,"description":41},{"id":49,"name":50,"description":51,"url":52,"color":53,"parentId":27,"count":21,"imageUrl":21,"parent":54,"order":59,"translations":60},20,"Inside Dastra","Go behind the scenes at Dastra: company news, culture, events, team highlights, and the people driving our GDPR solution.","dastra-life","#e3cf68",{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":21,"count":21,"imageUrl":21,"parent":21,"order":12,"translations":55},[56,57,58],{"lang":34,"name":28,"description":35},{"lang":37,"name":28,"description":38},{"lang":40,"name":28,"description":41},3,[61,64,67],{"lang":34,"name":62,"description":63},"Vie de Dastra","Plongez dans les coulisses de Dastra : actualités internes, culture d’entreprise, événements, équipes et engagements. Découvrez qui se cache derrière notre solution RGPD.",{"lang":40,"name":65,"description":66},"Innerhalb von Dastra","Eintauchen in das Unternehmen",{"lang":37,"name":68,"description":69},"Dentro de Dastra","Sumérjase en la empresa",[],"https://static.dastra.eu/content/1b34a536-5902-4a44-b343-8e820dee8af5/iapp-original.jpg",[73,74,75,76,77,78,79],"https://static.dastra.eu/content/1b34a536-5902-4a44-b343-8e820dee8af5/iapp-1000.webp","https://static.dastra.eu/content/1b34a536-5902-4a44-b343-8e820dee8af5/iapp.webp","https://static.dastra.eu/content/1b34a536-5902-4a44-b343-8e820dee8af5/iapp-1500.webp","https://static.dastra.eu/content/1b34a536-5902-4a44-b343-8e820dee8af5/iapp-800.webp","https://static.dastra.eu/content/1b34a536-5902-4a44-b343-8e820dee8af5/iapp-600.webp","https://static.dastra.eu/content/1b34a536-5902-4a44-b343-8e820dee8af5/iapp-300.webp","https://static.dastra.eu/content/1b34a536-5902-4a44-b343-8e820dee8af5/iapp-100.webp",59690]