European Data Protection Board

News

20 July 2018

Brussels, 19 July – An important innovation of the General Data Protection Regulation (GDPR) is the new way in which the supervisory authorities of the Member States closely cooperate to ensure a consistent application as well as a consistent protection of individuals throughout the EU.

During its second plenary meeting on 4 and 5 July the EDPB discussed the consistency and the cooperation systems, sharing first experiences on the functioning of the One-Stop Shop mechanism, the performance of the Internal Market Information System (IMI), the challenges the authorities are facing and the type of questions received since 25 May. Most data protection authorities reported a substantial increase in complaints received. The first cross-border cases were initiated in IMI on 25 May. Currently, around 100 cross-border cases in IMI are under investigation.

The EDPB Chair Andrea Jelinek said: “Despite the sharp increase in the number of cases in the last month, the Members of the EDPB report that the workload is manageable for the moment, in large part thanks to a thorough preparation in the past two years by the Article 29 Data Protection Working Party. However, we should only expect the first results of the new procedures to deal with cross-border cases in a few months from now. To handle complaints lead supervisory authorities will have to carry out investigations, observe procedural rules, and coordinate and share information with other supervisory authorities. The GDPR sets specific deadlines for each phase of the procedure. All of this takes time. During this time, complainants are entitled to be kept informed on the state of play of a case. The GDPR does not offer a quick fix in case of a complaint but we are confident the procedures detailing the way in which the authorities work together are robust and efficient.”

 

05 July 2018

Brussels, 5 July 2018 - The European data protection authorities, assembled in the European Data Protection Board (EDPB), met on the 4th and 5th of July for the EDPB’s second plenary meeting. During this meeting, the European Data Protection Authorities addressed a wide range of topics. 

 

Cooperation and consistency procedures – state of play

The EDPB discussed the consistency and the cooperation mechanisms, sharing experiences on the functioning of the One-Stop Shop mechanism, the performance of the Internal Market Information System (IMI), which serves as the IT platform for exchanges on cross-border issues, the challenges the authorities are facing and the type of questions received since 25 May. Most data protection authorities reported a substantial increase in complaints received. The first cases were initiated in IMI on the 25th of May. Currently, around 30 cross-border complaints in IMI are under investigation. The EDPB Chair Andrea Jelinek said: “Despite the sharp increase in the number of cases in the last month, the Members of the EDPB report that the workload is manageable at the moment, in large part thanks to a thorough preparation of the WP29 in the past two years. The GDPR does not offer a quick fix in case of a complaint but we are confident the procedures detailing the way in which the authorities work together under the consistency mechanism are robust and efficient.”

 

ICANN

The EDPB adopted a letter on behalf of the EDPB Chair addressed to the Internet Corporation for Assigned Names and Numbers (ICANN), providing guidance to enable ICANN to develop a GDPR-compliant model for access to personal data processed in the context of WHOIS.

The letter addresses the issues of purpose specification, collection of “full WHOIS data”, registration of legal persons, logging of access to non-public WHOIS data, data retention and codes of conduct and accreditation.

The EDPB’s predecessor, WP29, has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003.

The EDPB expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data.

 

PSD2 Directive

The EDPB adopted a letter on behalf of the EDPB Chair addressed to Sophie in’t Veld MEP regarding the revised Payments Services Directive (PSD2 Directive). In its reply to Sophie in’t Veld the EDPB sheds further light on ‘silent party data’ by Third Party Providers, the procedures with regard to giving and withdrawing consent, the Regulatory Technical Standards, the cooperation between banks and the European Commission, EDPS and WP29 and what remains to be done to close any remaining data protection gaps.

 

Privacy Shield

The US Ombudsperson responsible for handling national security complaints under the Privacy Shield, Ambassador Judith Garber, was invited to the plenary meeting of the EDPB for an exchange with the Board Members. The EDPB was particularly interested in the concerns addressed to the US by the EDPB’s predecessor WP29, especially the appointment of a permanent Ombudsperson, formal appointments to the Privacy and Civil Liberties Oversight Board (PCLOB), and the lack of additional information on the Ombudsperson mechanism and further declassification of the procedural rules, in particular on how the Ombudsperson interacts with the intelligence services.

 

The EDPB pointed out that the meeting with the Ombudsperson was interesting and collegial but did not provide a conclusive answer to these concerns and that these issues will remain on top of the agenda during the Second Annual Review (scheduled for October 2018). In addition, it calls for supplementary evidence to be given by the US authorities in order to address these concerns. Finally, the EDPB notes that the same concerns will be addressed by the European Court of Justice in cases that are already pending, and to which the EDPB offers to contribute its view, if invited by the CJEU.

04 July 2018

On 4 and 5 July the second plenary of the European Data Protection Board is taking place in Brussels. Please consult the agenda for more information.

27 June 2018

It was just a month ago that the General Data Protection Regulation (GDPR), the long-awaited revamp of the EU’s data protection rules, entered into application. Under the GDPR, the supervisory authorities of the Member States closely cooperate to ensure a consistent application of the GDPR throughout the European Union, as well as consistent protection of individuals. They assist each other and coordinate decision-making in these cross-border data protection cases. Via the so-called consistency mechanism the European Data Protection Board issues opinions and takes binding decisions to arbitrate different positions on cross-border cases between national data protection authorities.

 

IMI (Internal Market Information System) was chosen as the IT platform to support cooperation and consistency procedures under the GDPR. IMI helps public authorities across the EU to cooperate and exchange information. The GDPR is the 13th legal area supported by the system.

IMI has been developed by the European Commission’s DG GROW and was adapted to cater for the needs of the GDPR, in close cooperation with the Secretariat of the European Data Protection Board and the national supervisory authorities.

 

On 25 May, the first case was initiated in IMI, and shortly afterwards the supervisory authorities started to cooperate via the system. Currently, more than 30 cross-border cases are under investigation.

14 IMI modules, 19 forms and more than 10.000 data fields were put in place to address the needs of data protection authorities and the GDPR procedures. 

30 May 2018

During its first plenary meeting, the EDPB adopted the final version of the Guidelines on derogations applicable to international transfers (art 49). The Article 29 Working Party conducted a public consultation on a draft of these guidelines. The EDPB took into consideration the replies received and integrated the appropriate changes into the adopted version. 

Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

30 May 2018

During its first plenary meeting, the EDPB adopted a draft version of the Guidelines on certification. A public consultation is available for 6 weeks. If you are interested in contributing, please go to the “Public Consultations” section of our website or click the link below:

Public consultation: Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

28 May 2018

During its first plenary meeting of 25 May, the EDPB adopted a statement on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications.

This statement includes a call for a swift adoption of the new ePrivacy Regulation and some suggestions on some specific issues relating to proposed amendments by the co-legislators.

EDPB Statement on ePrivacy

27 May 2018

The European Data Protection Board endorsed the statement of the WP29 on ICANN/WHOIS during its first plenary meeting on 25 May.

 

WP29 statement regarding WHOIS

 

“WP29 recognizes the important functions fulfilled by the WHOIS service. 
 
WP29 has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003 (see WP29 opinion of 2003 available here). ICANN’s GDPR compliance process appears to have been formally initiated in the course of 2017, which may be part of the reason why stakeholders are concerned over the entry into application of the GDPR on 25 May 2018.
 
The GDPR does not allow national supervisory authorities nor the European Data Protection Board (the WP29 will become the EDPB on 25 May 2018) to create an “enforcement moratorium” for individual data controllers. Data protection is a fundamental right of individuals, who may submit complaints to their national data protection authority whenever they consider that their rights under the GDPR have been violated. 
 
Data protection authorities may, however, take into consideration the measures which have already been taken or which are underway when determining the appropriate regulatory response upon receiving such complaints.


As expressed also in earlier correspondence with ICANN (including this letter of December 2017 and this letter of April 2018),  WP29 expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data.

 

The WP29 recognizes the recent efforts undertaken by ICANN to ensure the compliance of the WHOIS system. The WP29 will continue to monitor ICANN’s progress closely and its members may engage further with ICANN to ensure that the legal requirements under EU data protection law are properly addressed.”

25 May 2018

Transparency and awareness are two core principles of the Board. Therefore, following the first plenary meeting of the Board, the newly elected EDPB Chair will hold a press conference on 25 May at 12.30 in the Brussels Press Club (Rue Froissart 95, Brussels). The press conference will be broadcast in EbS: http://ec.europa.eu/avservices/ebs/live.cfm?page=2 

25 May 2018

The European Data Protection Board needs to rely on an effective Secretariat to be able to effectively accomplish all the tasks it is required to carry out under the GDPR. The EDPB Secretariat is composed of legal experts, communication and IT officers and administrative staff.

This brand-new team has worked hard to make the launch of the EDPB possible.  They will, without a doubt, have busy months ahead to organise the meetings of the Board and answer questions on the Board’s tasks and responsibilities.   

 

25 May 2018

Brussels, 25 May – Today the first plenary meeting of the European Data Protection Board took place. This new independent EU decision-making body with legal personality was created by the General Data Protection Regulation, which applies as of today. The European Data Protection Board, successor to the Article 29 Working Party, brings together the European Data Protection Supervisor and the supervisory authorities of the Member States to ensure a consistent application of the General Data Protection Regulation throughout the European Union as well as the consistent protection of every individual. The Board also oversees the implementation of the Data Protection Directive for police and justice.

Andrea Jelinek, Chair of the European Data Protection Board: “This long-awaited legislation gives individuals more control over their personal data and provides a single set of rules for all those who process personal data of natural persons in the EU. In a world where data is traded like a currency, the rights of individuals have often been neglected or even disregarded. We should not lose sight of the fact that personal data is inherent to human beings. I am convinced that the General Data Protection Regulation gives individuals and supervisory authorities the means to protect and enforce this fundamental right effectively.”

“The new data protection requirements have often been reduced to the risk of high fines, but the General Data Protection Regulation is much more than that. It is about putting the rights of individuals first and developing the EU data protection rules so that they become more efficient and fit for the future. At the same time, companies operating in Europe will also benefit from the General Data Protection Regulation, because it creates legal certainty and makes it easier to operate throughout the internal market. In addition, compliance with the General Data Protection Regulation will contribute to a company’s good reputation. In our data-driven economy, a good reputation can be destroyed within a few days if people have doubts about whether a company handles their data with care.”

In conclusion, Jelinek emphasised how important cooperation is for the success of the General Data Protection Regulation: “It is of the utmost importance that we, as the European Data Protection Board, join forces to ensure a high and consistent level of data protection for every individual, no matter where in the EU they are based. We will also promote awareness of data protection rights among the public. The European Data Protection Board is a newly created EU decision-making body with a new governance and cooperation model and the power to take binding decisions. This enables us to fulfil our mandate efficiently by providing guidance on the interpretation of the General Data Protection Regulation.”

The General Data Protection Regulation is a new European law that strengthens individuals’ control over how people and organisations use and share personal data. It also applies to organisations outside Europe that target individuals in the EU or monitor their behaviour. The General Data Protection Regulation replaces the EU Data Protection Directive of 1995, a time when the internet was still in its infancy. It replaces a patchwork of national laws with a single EU regulation aimed at increasing the accountability of organisations, giving individuals more control over their own data and improving legal certainty for businesses, so as to foster innovation and the future development of the digital single market.

25 May 2018

A Memorandum of Understanding was signed between the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) during the first plenary meeting of the EDPB. This MoU outlines the way in which the EDPB and EDPS will cooperate.

Memorandum of Understanding

25 May 2018

During its first plenary meeting the European Data Protection Board endorsed the GDPR-related WP29 Guidelines (Corrigendum: In document nr 8 reference to the WP 259 has been replaced by the correct WP 244).

25 May 2018

On 25 May 2018, the greatly anticipated General Data Protection Regulation (GDPR) entered into application and its predecessor Directive 95/46/EC was repealed. On that date, the Article 29 Working Party, the body bringing together the independent data protection authorities, ceased to exist and was replaced by a new body: the European Data Protection Board or EDPB.

The Board is composed of the heads of national supervisory authorities and the European Data Protection Supervisor (EDPS). The Board also includes a representative of the European Commission who, however, does not have a right to vote.

The Board’s primary role is to safeguard the consistent application of the GDPR, but it has additional competences. It advises the European Commission on, for example, the level of data protection offered by third countries. In addition, the Board promotes cooperation between the national supervisory authorities and plays a role in conciliation procedures for disputes between national supervisory authorities. In exercising its powers, the Board issues guidelines, recommendations and statements of best practice on myriad topics.

During its first plenary meeting on 25 May the Board elected its Chair and two Vice-Chairs. The EDPB Chair will lead the Board for the coming five years and will exert an important influence on data protection in Europe and beyond. The Chair’s role will be crucial for the success and effectiveness of the GDPR.

24 May 2018

A new regulation and a new EU Body need to be celebrated! To do so, a cocktail reception took place on the 24th of May. Within the beautiful venue of the Bibliotheque Solvay in Brussels, Commissioner Vera Jourova, Jan Philipp Albrecht MEP, European Data Protection Supervisor Giovanni Buttarelli and WP29 Chair Andrea Jelinek held speeches looking back at the coming into application of the GDPR and the challenges ahead. Many of those who played an active role in the negotiations of the GDPR were present and proud to see the achievement of such a long process.