European Data Protection Board

EDPB News

11 July 2019

Brussels, 11 July - On July 9th and 10th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their twelfth plenary session. During the plenary a wide range of topics were discussed.
 
Guidelines on Video Surveillance
The Board adopted Guidelines on Video Surveillance, which clarify how the GDPR applies to the processing of personal data when using video devices and aim to ensure the consistent application of the GDPR in this regard. The guidelines cover both traditional video devices and smart video devices. For the latter, the guidelines focus on the rules regarding processing of special categories of data. In addition, the guidelines cover, among others, the lawfulness of processing, the applicability of the household exemption and the disclosure of footage to third parties. The guidelines will be subject to public consultation.

EDPB-EDPS joint reply to the LIBE Committee on the implications of the US CLOUD Act
The EDPB adopted a joint EDPB-EDPS reply to the European Parliament Committee on Civil Liberties, Justice and Home Affairs’ (LIBE) request for a legal assessment regarding the impact of the US CLOUD Act on the EU legal data protection framework and the mandate for negotiating an EU-US agreement on cross-border access to electronic evidence for judicial cooperation in criminal matters. The CLOUD Act allows US law enforcement authorities to require the disclosure of data by service providers in the US, regardless of where the data is stored.

The EDPB and EDPS emphasize that a comprehensive EU-US agreement regarding cross-border access to electronic evidence, containing strong procedural and substantial safeguards for fundamental rights, appears the most appropriate instrument to ensure the necessary level of protection for EU data subjects and legal certainty for businesses.

Art.64 GDPR Opinion on Standard Contractual Clauses for processors under Art.28.8 GDPR by DK SA
The EDPB adopted its opinion on the draft Standard Contractual Clauses (SCCs) for framing the processing by a processor submitted to the Board by the Danish Supervisory Authority (SA). The opinion, which is the first one on this topic, aims to ensure the consistent application of Art 28 GDPR, relating to processors. In it, the Board made several recommendations that need to be taken into account in order for the draft SCCs of the Danish SA to be considered as Standard Contractual Clauses. If all recommendations are implemented, the Danish SA will be able to use this draft agreement as Standard Contractual Clauses pursuant to article 28.8 GDPR.

Art. 64 GDPR Opinion on Accreditation Criteria for monitoring bodies of Codes of Conduct by AT SA
Following submission by the Austrian SA of its draft decision on the Accreditation Criteria for Codes of Conduct monitoring bodies, the Board adopted its opinion. The Board agreed that all codes covering non-public authorities and bodies are required to have accredited monitoring bodies in accordance with the GDPR.

Art. 64 GDPR Opinion on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment
The Board adopted an opinion on the competence of a supervisory authority when the circumstances relating to the main or single establishment change. This can occur when the main establishment is relocated within the EEA, a main establishment is moved to the EEA from a third country, or when there no longer is a main or single establishment in the EEA. In such circumstances, the Board is of the opinion that the competence of the lead supervisory authority (LSA) can switch to another SA. In this case, the cooperation procedure set forth under Art. 60 will continue to apply and the new LSA will be obligated to cooperate with the former LSA and with the other concerned SAs in an endeavour to reach consensus. The switch can take place as long as no final decision has been reached by the competent supervisory authority.

EDPB-EDPS Joint Opinion on the eHDSI
The Board adopted a joint EDPB-EDPS opinion on the personal data protection aspects of the processing of patients’ data in the eHealth Digital Service Infrastructure (eHDSI). It is the first joint opinion by the EDPB and the EDPS adopted in response to a request from the European Commission under Article 42(2) of Regulation 2018/1725 on data protection for EU institutions and bodies. In their opinion, the EDPB and EDPS consider that, in this specific situation, and for the concrete processing of patients’ data within the eHDSI, there is no reason to dissent from the European Commission’s assessment of its role as a processor within the eHDSI. Furthermore, the joint opinion stresses the need to ensure that all the processor duties of the Commission, in this processing operation, as specified in the applicable data protection legislation, are clearly set out in the relevant Implementing Act.  

DPIA List Cyprus
The EDPB adopted an opinion on the Data Protection Impact Assessment (DPIA) list submitted to the Board by Cyprus. DPIA lists form an important tool for the consistent application of the GDPR across the EEA. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals.

Art. 64 GDPR Opinion on Art 35.5 lists FR, ES & CZ (DPIA exemption)
The EDPB adopted its opinion on the Art. 35.5 lists submitted to the Board by the French, Spanish and Czech SAs.

Recommendation on EDPS list pursuant to Art. 39.4 Regulation 2018/1725 (DPIA list)
The Board has adopted a recommendation on the Art. 39.4 list submitted to the Board by the EDPS. The EDPS has to consult the EDPB prior to adoption of these lists insofar as these “refer to processing operations by a controller acting jointly with one or more controllers other than Union institutions and bodies” (Article 39(6) of Regulation (EU) 2018/1725). Similar to GDPR DPIA lists, the EDPS list informs controllers about processing activities which require a DPIA.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

09 July 2019

On July 9th & 10th, the twelfth plenary session of the European Data Protection Board takes place in Brussels. For further information, please consult the agenda.

Agenda of twelfth plenary

05 June 2019

Brussels, 5 June - On 4 June, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their eleventh plenary session. During the plenary, a wide range of topics was discussed.

Guidelines on Codes of Conduct
The European Data Protection Board adopted the final version of the guidelines on codes of conduct. Following public consultation, clarifications were integrated into the text. The aim of these guidelines is to provide practical advice and interpretative assistance in relation to the application of Articles 40 and 41 GDPR. The guidelines aim to clarify the procedures and rules for the submission, approval and publication of codes of conduct at both the national and the European level. These guidelines should also provide a clear framework enabling all competent supervisory authorities, the European Data Protection Board and the Commission to evaluate codes of conduct in a consistent manner and to streamline the procedures involved in the assessment process.

Annex to the Guidelines on Accreditation
The European Data Protection Board adopted the final version of the annex to the guidelines on accreditation, following public consultation. The text was revised for greater clarity. The aim of the guidelines is to provide guidance on how to interpret and implement the provisions of Article 43 GDPR. In particular, these guidelines aim to help Member States, supervisory authorities and national accreditation bodies establish a consistent and harmonised baseline for the accreditation of certification bodies that issue certification in accordance with the GDPR. The annex provides guidance on the additional requirements for the accreditation of certification bodies that the supervisory authorities are to establish. Before being adopted by the supervisory authorities, these additional requirements must be submitted to the European Data Protection Board for approval pursuant to Article 64(1)(c).*

Annex to the Guidelines on Certification
The European Data Protection Board adopted the final version of Annex 2 to the guidelines on certification. Following public consultation, certain aspects were added in several sections, for example whether the criteria mention the obligation on the controller/processor to designate a DPO and the obligation to keep a record of processing activities. The primary aim of these guidelines is to define overarching criteria that can apply to all types of certification mechanisms established in accordance with Articles 42 and 43 GDPR. The annex identifies the topics that the data protection supervisory authorities and the European Data Protection Board will consider and apply for the approval of certification criteria for a certification mechanism. The list is not exhaustive, but presents the minimum topics to be considered.*

Note to editors:

* As a next step, before specific cases concerning certification and accreditation can be dealt with at the level of the European Data Protection Board, the Board is developing a procedure to facilitate the timely issuing of consistent opinions on draft decisions of supervisory authorities and to approve European data protection seals.

Please note that all documents adopted during the plenary session of the European Data Protection Board are subject to the necessary legal, linguistic and formatting checks and will be published on the website of the European Data Protection Board once these have been completed.

04 June 2019

On June 4th, the eleventh plenary session of the European Data Protection Board takes place in Brussels. For further information, please consult the agenda.

Agenda of eleventh plenary

22 May 2019

1 year ago, the GDPR entered into application, but what has changed for you? Where can you go to address your data protection concerns? And what is the EDPB's role in all this?

The video below provides an answer to these questions in a nutshell:

22 May 2019

Brussels, 22 May - Just a few days short of the GDPR’s first anniversary, the European Data Protection Board surveyed the Supervisory Authorities (SAs) of the EEA and takes stock of the Board’s achievements.

From the very first day of application, the first cross-border cases were logged in the EDPB’s IMI case register, leading to a current total of 446 cross-border cases. 205 of these have led to One-Stop-Shop (OSS) procedures. So far, there have been 19 final OSS outcomes.

    

Number of procedures initiated by SAs from 21 EEA countries
Germany: Number of procedures initiated by SAs from 7 Regional SAs

    

At a national level, most Supervisory Authorities (SAs) report an increase in queries and complaints received compared to 2017. Over 144.000 queries and complaints* and over 89.000 data breaches have been logged by the EEA Supervisory Authorities. 63% of these have been closed and 37% are ongoing.

Based on information provided by SAs from 27 EEA countries
Germany: Based on information provided by The Federal and 17 Regional SAs

Based on information provided by SAs from 27 EEA countries (Case status information provided for 164633 cases)
Germany: Based on information provided by The Federal and 11 Regional SAs

    

The increase in queries and complaints confirms the perceived rise in awareness about data protection rights among individuals, as shown in the Eurobarometer of March 2019. 67% of EU citizens polled indicated that they have heard of the GDPR, 36% of them indicated that they are well aware of what the GDPR entails. In addition, 57% of EU citizens polled indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. This result shows an increase of 20 percentage points compared to 2015 Eurobarometer results**.

The EEA SAs have reported that, while the cooperation procedures are robust and work efficiently, they are time and resource intensive: SAs need to carry out investigations, observe procedural rules, and coordinate and share information with other supervisory authorities.

Looking back on the first 12 months of the EDPB’s work, Andrea Jelinek, Chair of the EDPB, comments:

It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace. Earlier this year, the EDPB adopted its work program for 2019 and 2020. We will also see several cross-border cases carried out by SAs leading to a final outcome in the coming months. Last but not least, we want to continue to listen to and to work together with the people who can give us the best insights into the day-to-day practice of data processing. An ambitious programme, but I am certain that we, as European data protection authorities will find more and more synergies, which will increase our effectiveness.

   

*At the time of the survey, the notion of complaint had not yet been analysed by the EDPB. Up to then, the interpretation of the notion was done by the national supervisory authorities, which may have an impact on the statistics.

**Source European Commission.

15 May 2019

Brussels, 15 May - On 14 and 15 May, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for the Board's tenth plenary session. During the plenary, a wide range of topics was discussed.

Election of a new Vice-Chair
The Members of the Board elected Mr Aleid Wolfsen, Chairman of the Dutch Supervisory Authority, as the new Vice-Chair, replacing Mr Willem Debeuckelaere, whom the Chair, Ms Andrea Jelinek, thanked for the work he has accomplished. In the coming years, together with the other Vice-Chair, Mr Ventsislav Karadjov, Mr Wolfsen will assist the Chair of the European Data Protection Board in her tasks within the Board. In this regard, Ms Jelinek stated: “The public has never been so interested in data protection. I look forward to working with Messrs Aleid and Ventsislav to engage in dialogue with the entire community of data protection stakeholders.”

And Mr Wolfsen added: “In the coming years, it will be up to us, as a Board, to provide authoritative guidance and sound advice. As Vice-Chair, I will make sure that we speak with one voice, after having duly taken everyone's opinion into consideration.”

Response to MEP Sophie in’t Veld on connected vehicles
The European Data Protection Board adopted a letter in response to Ms in’t Veld's letter of 17 April 2019 concerning the sharing of drivers' personal data with the car manufacturer and third parties, without the driver's explicit, specific and informed consent and without an appropriate legal basis. In its response, the Board stresses that its members and their international counterparts adopted an ICDPPC resolution on data protection in automated and connected vehicles in 2017, and that the Article 29 Working Party adopted Opinion 3/2017 on the processing of personal data in the context of Cooperative Intelligent Transport Systems (C-ITS). This issue will also be addressed in accordance with the work programme of the European Data Protection Board for 2019-2020.

Third annual review of the Privacy Shield
The European Data Protection Board designated its representatives for the third annual review of the Privacy Shield. Austria, Bulgaria, France, Germany, Hungary and the European Data Protection Supervisor will represent the Board in this review.

14 May 2019

On May 14 & 15, the European Data Protection Board's tenth plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of tenth plenary

10 April 2019

Brussels, 10 April - On April 9th and 10th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their ninth plenary session.

During the plenary, the EDPB adopted guidelines on the scope and application of Article 6(1)(b)* GDPR in the context of information society services. In its guidelines, the Board makes general observations regarding data protection principles and the interaction of Article 6(1)(b) with other lawful bases. In addition, the guidelines contain guidance on the applicability of Article 6(1)(b) in case of bundling of separate services and termination of contract.

Note to editors:

Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.


* Article 6(1)(b)

“1. Processing shall be lawful only if and to the extent that at least one of the following applies:

...

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; ”

09 April 2019

On April 9 & 10, the European Data Protection Board's ninth plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of ninth plenary

09 April 2019

Your personal information is collected, shared, used and stored by individuals, organisations and public authorities every day. Recruitment activities, video surveillance and health data collection are just a few examples of this. The European Data Protection Board (EDPB) ensures the consistent application of the GDPR throughout the European Economic Area (EEA), and promotes cooperation between the EEA data protection authorities. The European Data Protection Supervisor (EDPS) monitors and ensures the protection of personal data and privacy when EU institutions and bodies process personal data.

The EDPB and EDPS stand will be at the European Commission as part of the EU institutions' Europe Day celebrations.

Located on the ground floor of the Berlaymont building, EDPB and EDPS staff will be on hand to answer questions about your privacy rights and how to protect your personal information. Free goodies and information will be on offer, as well as fun and interactive activities for both children and adults to enjoy. You will also have a chance to win one of 20 USB sticks, simply by taking part in our fun, simple quiz!

Whether shopping online, using a smartphone or applying for jobs, data protection affects us all, so be sure to visit our stand to find out more!

For more information visit http://europeday.europa.eu and http://ec.europa.eu/belgium/events/europe-day_en

For more information on the EDPS visit: https://edps.europa.eu/data-protection/our-work/publications/events/eu-open-day-2019-brussels_en 

15 March 2019

On February 26, the EDPB Chair and Vice-Chair addressed the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) on GDPR implementation. You can read the full report here:  EDPB LIBE Report

14 March 2019

European Data Protection Board - Eighth Plenary session: Interplay ePrivacy Directive and GDPR, statement on ePrivacy Regulation, DPIA Lists ES & IS, Statement on Elections

Brussels, 13 March - On March 12th and 13th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their eighth plenary session. During the plenary a wide range of topics were discussed. 
 
Interplay ePrivacy Directive and GDPR

The EDPB adopted its opinion on the interplay between the ePrivacy Directive and the General Data Protection Regulation. The opinion seeks to answer the question of whether the fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive limits the competences, tasks and powers of data protection authorities under the GDPR. The EDPB opines that data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy Directive does not limit the competence of data protection authorities under the GDPR.

An infringement of the GDPR may at the same time constitute an infringement of national ePrivacy rules. SAs may take this into consideration when applying the GDPR (e.g. when assessing compliance with the lawfulness or fairness principles).  

Statement on the future ePrivacy Regulation
The EDPB adopted a statement calling upon EU legislators to intensify efforts towards the adoption of the ePrivacy Regulation, which is essential to complete the EU's framework for data protection and the confidentiality of electronic communications.

The future ePrivacy Regulation should under no circumstance lower the level of protection offered by the current ePrivacy Directive and should complement the GDPR by providing additional strong guarantees for all types of electronic communications.

DPIA Lists 

The EDPB adopted two opinions on the Data Protection Impact Assessment (DPIA) lists submitted to the Board by Spain and Iceland. These lists form an important tool for the consistent application of the GDPR across the EEA. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals. While in general the data controller needs to assess if a DPIA is required before engaging in the processing activity, national supervisory authorities shall establish and make a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. These two opinions follow the 28 opinions adopted during previous plenary meetings, and will further contribute to establishing common criteria for DPIA lists across the EEA.

Statement on the use of personal data in the course of political campaigns

In light of the upcoming European elections and other elections taking place across the EU and beyond in 2019, the EDPB has adopted a statement on the use of personal data during election campaigns. Data processing techniques for political purposes can pose serious risks, not just with regard to the rights to privacy and data protection, but also to the integrity of the democratic process. In its statement, the EDPB highlights a number of key points which need to be taken into consideration when political parties process personal data in the course of electoral activities.

Note to editors:

Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

12 March 2019

On March 12 & 13, the European Data Protection Board's eighth plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of Eighth Plenary

13 February 2019

Brussels, 13 February - On 12 February, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the EDPB, met for the Board's seventh plenary session. During the plenary, a wide range of topics was discussed.

EDPB 2019-2020 Work Programme
The EDPB adopted its two-year work programme for 2019-2020, in accordance with Article 29 of its Rules of Procedure. The EDPB work programme is based on the needs that the members consider a priority for individuals and stakeholders, as well as on the activities planned by the EU legislator.

Draft administrative arrangement in the field of financial markets supervision
On the basis of Article 46(3)(b) of the General Data Protection Regulation (GDPR), the EDPB adopted its first opinion on an administrative arrangement (AA) for transfers of personal data between EEA financial supervisory authorities, including the European Securities and Markets Authority (ESMA), and their non-EU counterparts. This arrangement will be submitted to the competent supervisory authorities for authorisation at national level. The competent supervisory authorities will monitor the AA and its practical application to ensure that data subjects have effective and enforceable rights in practice, and that appropriate means of redress and supervision exist.

Brexit
The EDPB adopted an information note addressed to commercial entities and public authorities on data transfers under the GDPR in the event of a no-deal Brexit.

Data flows from the EEA to the UK
In the absence of an agreement between the European Union and the United Kingdom (“no-deal Brexit”), the UK will become a third country from 00:00 CET on 30 March 2019. As a consequence, the transfer of personal data from the EEA to the UK will have to be based on one of the following instruments: standard or ad hoc data protection clauses, binding corporate rules, codes of conduct and certification mechanisms, and the specific transfer instruments available to public authorities. In the absence of standard data protection clauses or other appropriate safeguards, derogations may be used under certain conditions.

Data flows from the UK to the EEA
As regards data transfers from the UK to the EEA, according to the UK Government, the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.

Guidelines on Codes of Conduct
The EDPB adopted guidelines on codes of conduct. The aim of these guidelines is to provide practical advice and interpretative assistance in relation to the application of Articles 40 and 41 GDPR. The guidelines aim to clarify the procedures and rules for the submission, approval and publication of codes of conduct at both the national and the European level. These guidelines should also provide a clear framework enabling all competent supervisory authorities, the EDPB and the Commission to evaluate codes of conduct in a consistent manner and to streamline the procedures involved in the assessment process. The guidelines will be subject to public consultation.

Note to editors:

Please note that all documents adopted during the plenary session of the European Data Protection Board are subject to the necessary legal, linguistic and formatting checks and will be published on the website of the European Data Protection Board once these have been completed.

12 February 2019

On February 12, the European Data Protection Board's seventh plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of Seventh Plenary

 

24 January 2019

Brussels, 24 January - On January 22nd and 23rd, the European Data Protection Authorities, assembled in the European Data Protection Board, met for their sixth plenary session. During the plenary a wide range of topics were discussed.
 
Privacy Shield
The Board Members adopted the EDPB’s report on the Second Annual Review of the EU-US Privacy Shield. The EDPB welcomes the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield, especially actions undertaken to adapt the initial certification process, start ex officio oversight and enforcement actions, as well as the efforts  to publish a number of important documents, in part by declassification (such as decisions by the FISA Court), the appointment of a new Chair as well as of three new members of the Privacy and Civil Liberties Oversight Board (PCLOB) and the recently announced appointment of a permanent Ombudsperson.

In view of the findings of the second joint review, the following concerns about the implementation of the Privacy Shield still remain. This includes concerns already expressed by the EDPB’s predecessor WP29 on the lack of concrete assurances that indiscriminate collection and access of personal data for national security purposes are excluded. Also, based on the information provided so far, the EDPB cannot currently consider that the Ombudsperson is vested with sufficient powers to remedy non-compliance. In addition, the Board points out that checks regarding compliance with the substance of the Privacy Shield’s principles are not sufficiently strong.

Moreover, the EDPB has some additional concerns with regard to the necessary checks to comply with the onward transfer requirements, the scope of meaning of HR Data and the recertification process, as well as to a list of remaining issues raised after the first joint review which are still pending.

Brexit

The EDPB discussed possible consequences of Brexit in the area of data protection. Members agreed to cooperate and exchange information regarding their preparations and the tools available to transfer data to the UK, once the UK will no longer be part of the EU.

Clinical trials Q&A

Following a request from the European Commission (DG SANTE), the EDPB adopted its opinion on the clinical trials Q&A. The opinion addresses in particular the aspects related to the adequate legal bases in the context of clinical trials, and the secondary uses of clinical trial data for scientific purposes. The opinion will now be transmitted to the European Commission.

DPIA lists
The EDPB adopted opinions on the Data Protection Impact Assessment (DPIA) lists, submitted to the Board by Liechtenstein and Norway. These lists form an important tool for the consistent application of the GDPR across the EEA. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals. While in general the data controller needs to assess if a DPIA is required before engaging in the processing activity, national supervisory authorities shall establish and make a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. These two opinions follow the 22 opinions adopted during the September plenary, and the four opinions adopted during the December plenary, and will further contribute to establishing common criteria for DPIA lists across the EEA.

Guidelines on certification
The EDPB adopted the final version of the guidelines on certification following public consultation. Additionally, the Board also adopted a new annex. A draft version of the guidelines had been adopted during the EDPB’s first plenary in May. The primary aim of these guidelines is to identify overarching criteria which may be relevant to all types of certification mechanisms issued in accordance with art. 42 and art. 43 GDPR. As such, the guidelines explore the rationale for certification as an accountability tool, provide explanations for the key concepts of the certification provisions in art. 42 and art. 43, explain the scope of what can be certified and outline the purpose of certification. The guidelines will help Member States, supervisory authorities and national accreditation bodies (NAB) when reviewing and approving certification criteria in accordance with art. 42 and art. 43 GDPR. The annex will be subject to public consultation.

Response to Australian Supervisory Authority on data breach notification

In October 2018, the EDPB Chair received a written request from the Office of the Australian Information Commissioner regarding the publication of the data breach notifications by supervisory authorities. The EDPB welcomes the Australian Commissioner’s interest in cooperating with the European Data Protection Board on this issue and stresses the importance of international collaboration. In its response, the EDPB provides further information on whether and how supervisory authorities handle the publication of information regarding data breach notifications.

22 January 2019

On January 22 and 23, the European Data Protection Board's sixth plenary is taking place in Brussels. For further information, please consult the agenda.

Agenda of Sixth Plenary