Comité Européen de la Protection des Données

EDPB News

2019

15 March 2019

On February 26, the EDPB Chair and Vice-Chair addressed the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) on GDPR implementation. You can read the full report here:  EDPB LIBE Report

14 March 2019

Brussels, 13 March - On March 12th and 13th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their eighth plenary session. During the plenary a wide range of topics were discussed. 
 
Interplay ePrivacy Directive and GDPR

The EDPB adopted its opinion on the interplay between the ePrivacy Directive and the General Data Protection Regulation. The opinion seeks to provide an answer to the question whether the fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, limits the competences, tasks and powers of data protection authorities under the GDPR. The EDPB opines that data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy directive, does not limit the competence of data protection authorities under the GDPR.

An infringement of the GDPR may at the same time constitute an infringement of national ePrivacy rules. SAs may take this into consideration when applying the GDPR (e.g. when assessing compliance with the lawfulness or fairness principles).  

Statement on the future ePrivacy Regulation
The EDPB adopted a statement calling upon EU legislators to intensify efforts towards the adoption of the ePrivacy Regulation, which is essential to complete the EU's framework for data protection and the confidentiality of electronic communications.

The future ePrivacy Regulation should under no circumstance lower the level of protection offered by the current ePrivacy Directive and should complement the GDPR by providing additional strong guarantees for all types of electronic communications.

DPIA Lists 

The EDPB adopted two opinions on the Data Protection Impact Assessment (DPIA) lists submitted to the Board by Spain and Iceland. These lists form an important tool for the consistent application of the GDPR across the EEA. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals. While in general the data controller needs to assess if a DPIA is required before engaging in the processing activity, national supervisory authorities shall establish and make a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. These two opinions follow the 28 opinions adopted during previous plenary meetings, and will further contribute to establishing common criteria for DPIA lists across the EEA.

Statement on the use of personal data in the course of political campaigns

In light of the upcoming European elections and other elections taking place across the EU and beyond in 2019, the EDPB has adopted a statement on the use of personal data during election campaigns. Data processing techniques for political purposes can pose serious risks, not just with regard to the rights to privacy and data protection, but also to the integrity of the democratic process. In its statement, the EDPB highlights a number of key points which need to be taken into consideration when political parties process personal data in the course of electoral activities.

Note to editors:

Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

12 March 2019

On March 12 & 13, the European Data Protection Board's eighth plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of Eighth Plenary

13 February 2019

Bruxelles, le 13 février - Le 12 février, les autorités de l’EEE chargées de la protection des données et le contrôleur européen de la protection des données, rassemblés au sein du CEPD, se sont réunis à l’occasion de la septième séance plénière dudit comité. Au cours de cette séance, un large éventail de sujets a été examiné.
 
Programme de travail 2019-2020 du CEPD
Le CEPD a adopté son programme de travail sur deux ans pour la période 2019-2020, conformément à l’article 29 de son règlement intérieur. Le programme de travail du CEPD est fondé sur les besoins que les membres estiment prioritaires pour les particuliers, les parties prenantes et les activités prévues par le législateur de l’Union.

Projet d'arrangement administratif dans le domaine de la surveillance des marchés financiers
Le CEPD a adopté, sur la base de l’article 46, paragraphe 3, point b), du règlement général sur la protection des données (RGPD), son premier avis sur un arrangement administratif (AA) relatif aux transferts de données à caractère personnel entre les autorités de surveillance financière de l’EEE, dont l’Autorité européenne des marchés financiers (AEMF), et leurs homologues hors de l’UE. Cet arrangement sera soumis aux autorités de surveillance compétentes pour autorisation au niveau national. Les autorités de surveillance compétentes contrôleront l’AA et surveilleront son application pratique afin de s'assurer que les personnes concernées disposent en pratique de droits effectifs et opposables, et qu’il existe des possibilités de recours et des moyens de surveillance appropriés.

Brexit
Le CEPD a adopté une note d’information à l’attention des entités commerciales et des pouvoirs publics, relative aux transferts de données au titre du RGPD dans l’éventualité d’un Brexit sans accord.

Flux de données de l’EEE vers le Royaume-Uni
En l’absence d'accord entre l’Union européenne et le Royaume-Uni («Brexit sans accord»), le Royaume-Uni deviendra un pays tiers à partir du 30 mars 2019 à 00 h 00 (HEC). En conséquence, le transfert de données à caractère personnel de l’EEE vers le Royaume-Uni devra être fondé sur l’un des instruments suivants: clauses types ou ad hoc de protection des données, règles d’entreprise contraignantes, codes de conduite et mécanismes de certification, et instruments de transfert spécifiques dont disposent les pouvoirs publics. En l’absence de clauses types de protection des données ou d'autres garanties appropriées, des dérogations pourront être utilisées sous certaines conditions.

Flux de données du Royaume-Uni vers l’EEE
En ce qui concerne les transferts de données du Royaume-Uni vers l’EEE, selon le gouvernement britannique, la pratique actuelle, qui permet la libre circulation des données à caractère personnel depuis le Royaume-Uni vers l’EEE, continuera d’exister dans l'éventualité d’un Brexit sans accord.
    
Lignes directrices sur les codes de conduite
Le CEPD a adopté des lignes directrices sur les codes de conduite. L'objectif de ces lignes directrices est de fournir des orientations pratiques et une aide à l’interprétation en ce qui concerne l’application des articles 40 et 41 du RGPD. Les lignes directrices visent à clarifier les procédures et les règles relatives à la soumission, à l’approbation et à la publication de codes de conduite, tant au niveau national qu'au niveau européen. Ces lignes directrices devraient également offrir un cadre clair permettant à toutes les autorités de surveillance compétentes, au CEPD et à la Commission d'évaluer les codes de conduite de manière cohérente et de rationaliser les procédures associées au processus d’évaluation. Les lignes directrices feront l’objet d’une consultation publique.

Note aux éditeurs

Veuillez noter que tous les documents adoptés dans le cadre de la séance plénière du comité européen de la protection des données font l'objet des contrôles juridiques, linguistiques et de formatage nécessaires, et seront publiés sur le site web du comité européen de la protection des données une fois ces contrôles effectués.

12 February 2019

On February 12, the European Data Protection Board's seventh plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of Seventh Plenary

 

24 January 2019

Brussels, 24 January - On January 22nd and 23rd, the European Data Protection Authorities, assembled in the European Data Protection Board, met for their sixth plenary session. During the plenary a wide range of topics were discussed.
 
Privacy Shield
The Board Members adopted the EDPB’s report on the Second Annual Review of the EU-US Privacy Shield. The EDPB welcomes the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield, especially actions undertaken to adapt the initial certification process, start ex officio oversight and enforcement actions, as well as the efforts  to publish a number of important documents, in part by declassification (such as decisions by the FISA Court), the appointment of a new Chair as well as of three new members of the Privacy and Civil Liberties Oversight Board (PCLOB) and the recently announced appointment of a permanent Ombudsperson.

In view of the findings of the second joint review, the following concerns about the implementation of the Privacy Shield still remain. This includes concerns already expressed by the EDPB’s predecessor WP29 on the lack of concrete assurances that indiscriminate collection and access of personal data for national security purposes are excluded. Also, based on the information provided so far, the EDPB cannot currently consider that the Ombudsperson is vested with sufficient powers to remedy non-compliance. In addition, the Board points out that checks regarding compliance with the substance of the Privacy Shield’s principles are not sufficiently strong.

Moreover, the EDPB has some additional concerns with regard to the necessary checks to comply with the onward transfer requirements, the scope of meaning of HR Data and the recertification process, as well as to a list of remaining issues raised after the first joint review which are still pending.

Brexit

The EDPB discussed possible consequences of Brexit in the area of data protection. Members agreed to cooperate and exchange information regarding their preparations and the tools available to transfer data to the UK, once the UK will no longer be part of the EU.

Clinical trials Q&A

Following a request from the European Commission (DG SANTE), the EDPB adopted its opinion on the clinical trials Q&A. The opinion addresses in particular the aspects related to the adequate legal bases in the context of clinical trials, and the secondary uses of clinical trial data for scientific purposes. The opinion will now be transmitted to the European Commission.

DPIA lists
The EDPB adopted opinions on the Data Protection Impact Assessment (DPIA) lists, submitted to the Board by Liechtenstein and Norway. These lists form an important tool for the consistent application of the GDPR across the EEA. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals. While in general the data controller needs to assess if a DPIA is required before engaging in the processing activity, national supervisory authorities shall establish and make a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. These two opinions follow the 22 opinions adopted during the September plenary, and the four opinions adopted during the December plenary, and will further contribute to establishing common criteria for DPIA lists across the EEA.

Guidelines on certification
The EDPB adopted the final version of the guidelines on certification following public consultation. Additionally, the Board also adopted a new annex. A draft version of the guidelines had been adopted during the EDPB’s first plenary in May. The primary aim of these guidelines is to identify overarching criteria which may be relevant to all types of certification mechanisms issued in accordance with art. 42 and art. 43 GDPR. As such, the guidelines explore the rationale for certification as an accountability tool, provide explanations for the key concepts of the certification provisions in art. 42 and art. 43, explain the scope of what can be certified and outline the purpose of certification. The guidelines will help Member States, supervisory authorities and national accreditation bodies (NAB) when reviewing and approving certification criteria in accordance with art. 42 and art. 43 GDPR. The annex will be subject to public consultation.

Response to Australian Supervisory Authority on data breach notification

In October 2018, the EDPB Chair received a written request from the Office of the Australian Information Commissioner regarding the publication of the data breach notifications by supervisory authorities. The EDPB welcomes the Australian Commissioner’s interest in cooperating with the European Data Protection Board on this issue and stresses the importance of international collaboration. In its response, the EDPB provides further information on whether and how supervisory authorities handle the publication of information regarding data breach notifications.

22 January 2019

On January 22 and 23, the European Data Protection Board's sixth plenary is taking place in Brussels. For further information, please consult the agenda.

Agenda of Sixth Plenary