European Data Protection Board

EDPB News

2020

20 February 2020

European Data Protection Board - Eighteenth Plenary session: Evaluation of the GDPR; Guidelines on Art 46.2 (a) and 46.3 (b) GDPR for transfers personal data between EEA and non-EEA public authorities a bodies; Statement on privacy implications of mergers

Brussels, 20 February - On February 18th and 19th, the EEA Supervisory Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their eighteenth plenary session. During the plenary, a wide range of topics was discussed.
 
The EDPB and the individual EEA Supervisory Authorities (SAs) contributed to the evaluation and review of the GDPR as required by Art. 97 GDPR. The EDPB is of the opinion that the application of the GDPR in the first 20 months has been successful. Although the need for sufficient resources for all SAs is still a concern and some challenges remain, resulting, for example, from the patchwork of national procedures, the Board is convinced that the cooperation between SAs will result in a common data protection culture and consistent practice. The EDPB is examining possible solutions to overcome these challenges and to improve existing cooperation procedures. It also calls upon the European Commission to check if national procedures impact the effectiveness of the cooperation procedures and considers that, eventually, legislators may also have a role to play in ensuring further harmonisation. In its assessment, the EDPB also addresses issues such as international transfer tools, impact on SMEs, SA resources and development of new technologies. The EDPB concludes that it is premature to revise the GDPR at this point in time.

The EDPB adopted draft guidelines to provide further clarification regarding the application of Articles 46.2 (a) and 46.3 (b) of the GDPR. These articles address transfers of personal data from EEA public authorities or bodies to public bodies in third countries or to international organisations, where these transfers are not covered by an adequacy decision. The guidelines recommend which safeguards to implement in legally binding instruments (art. 46.2 (a)) or in administrative arrangements (Art. 46.3 (b)) to ensure that the level of protection of natural persons under the GDPR is met and not undermined. The guidelines will be submitted for public consultation.

Statement on privacy implications of mergers
Following the announcement of Google LLC’s intention to acquire Fitbit, the EDPB adopted a statement highlighting that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to privacy and data protection. The EDPB reminds the parties to the proposed merger of their obligations under the GDPR and to conduct a full assessment of the data protection requirements and privacy implications of the merger in a transparent way. The Board urges the parties to mitigate possible risks to the rights to privacy and data protection before notifying the merger to the European Commission. The EDPB will consider any implications for the protection of personal data in the EEA and stands ready to contribute its advice to the EC if so requested.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

18 February 2020

On February 18th and 19th, the eighteenth plenary session of the European Data Protection Board is taking place in Brussels. For further information, please consult the agenda.

Agenda of Eighteenth Plenary

30 January 2020

On January 28th and 29th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their seventeenth plenary session. During the plenary, a wide range of topics was discussed.
 
The EDPB adopted its opinions on the Accreditation Requirements for Codes of Conduct Monitoring Bodies submitted to the Board by the Belgian, Spanish and French supervisory authorities (SAs). These opinions aim to ensure consistency and the correct application of the criteria among EEA SAs.

The EDPB adopted draft Guidelines on Connected Vehicles. As vehicles become increasingly more connected, the amount of data generated about drivers and passengers by these connected vehicles is growing rapidly. The EDPB guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles by data subjects. More specifically, the guidelines deal with the personal data processed by the vehicle and the data communicated by the vehicle as a connected device. The guidelines will be submitted for public consultation.

The Board adopted the final version of the Guidelines on the processing of Personal Data through Video Devices following public consultation. The guidelines aim to clarify how the GDPR applies to the processing of personal data when using video devices and to ensure the consistent application of the GDPR in this regard. The guidelines cover both traditional video devices and smart video devices. The guidelines address, among others, the lawfulness of processing, including the processing of special categories of data, the applicability of the household exemption and the disclosure of footage to third parties. Following public consultation, several amendments were made.

The EDPB adopted its opinions on the draft accreditation requirements for Certification Bodies submitted to the Board by the UK and Luxembourg SAs. These are the first opinions on accreditation requirements for Certification Bodies adopted by the Board. They aim to establish a consistent and harmonised approach regarding the requirements which SAs and national accreditation bodies will apply when accrediting certification bodies. 

The EDPB adopted its opinion on the draft decision regarding the Fujikura Automotive Europe Group’s Controller Binding Corporate Rules (BCRs), submitted to the Board by the Spanish Supervisory Authority.

Letter on unfair algorithms
The EDPB adopted a letter in response to MEP Sophie in’t Veld’s request concerning the use of unfair algorithms. The letter provides an analysis of the challenges posed by the use of algorithms, an overview of the relevant GDPR provisions and existing guidelines addressing these issues, and describes the work already undertaken by SAs.

Letter to the Council of Europe on the Cybercrime Convention
Following the Board’s contribution to the consultation process on the negotiation of a second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), several EDPB Members actively participated in the Council of Europe Cybercrime Committee’s (T-CY) Octopus Conference. The Board adopted a follow-up letter to the conference, stressing the need to integrate strong data protection safeguards into the future Additional Protocol to the Convention and to ensure its consistency with Convention 108, as well as with the EU Treaties and Charter of Fundamental Rights.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

28 January 2020

On January 28th and 29th, the seventeenth plenary session of the European Data Protection Board is taking place in Brussels. For further information, please consult the agenda.

Agenda of Seventeenth Plenary