European Data Protection Board

European Data Protection Board news

03 April 2020

The European Data Protection Board is speeding up its guidance work in response to the COVID-19 crisis. Its monthly plenary meetings are being replaced by weekly remote meetings with the Members of the Board.
 
Andrea Jelinek, Chair of the EDPB, said: "The Board will prioritise providing guidance on the following issues: use of location data and anonymisation of data; processing of health data for scientific and research purposes and the processing of data by technologies used to enable remote working. The EDPB will adopt a horizontal approach and plans to issue general guidance with regard to the appropriate legal bases and applicable legal principles."

The agenda of today's remote meeting is available here

23 March 2020

Following a decision by the EDPB Chair, the EDPB April Plenary Session has been cancelled due to safety concerns surrounding the outbreak of the Coronavirus (COVID-19). The EDPB hereby follows the example of other EU institutions, such as the European Parliament, which have restricted the number of large-scale meetings.

The April Plenary Session was scheduled to take place on 20 and 21 April. Earlier, the EDPB March Plenary was also cancelled for the same reasons. You can find an overview of upcoming EDPB Plenary Meetings here

20 March 2020

On March 19th, the European Data Protection Board adopted a formal statement on the processing of personal data in the context of the COVID-19 outbreak via written procedure. The full statement is available here

16 March 2020

Governments, public and private organisations throughout Europe are taking measures to contain and mitigate COVID-19. This can involve the processing of different types of personal data.  

Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

The GDPR is broad legislation and also provides rules that apply to the processing of personal data in a context such as the one relating to COVID-19. Indeed, the GDPR provides legal grounds that enable employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. This applies, for instance, when the processing of personal data is necessary for employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR) or to comply with another legal obligation.

For the processing of electronic communication data, such as mobile location data, additional rules apply. The national laws implementing the ePrivacy Directive provide for the principle that location data can only be used by the operator when they are made anonymous, or with the consent of the individuals. Public authorities should first aim to process location data in an anonymous way (i.e. processing data aggregated in such a way that it cannot be reversed to personal data). This could make it possible to generate reports on the concentration of mobile devices at a certain location (“cartography”).

When it is not possible to process only anonymous data, Art. 15 of the ePrivacy Directive enables the Member States to introduce legislative measures pursuing national security and public security*. This emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.

Update:

On March 19th, the European Data Protection Board adopted a formal statement on the processing of personal data in the context of the COVID-19 outbreak. The full statement is available below.

* In this context, it shall be noted that safeguarding public health may fall under the national and/or public security exception.

10 March 2020

Following a decision by the EDPB Chair, the EDPB March Plenary Session has been cancelled due to safety concerns surrounding the outbreak of the Coronavirus (COVID-19). The EDPB hereby follows the example of other EU institutions, such as the European Parliament, which have restricted the number of large-scale meetings.

The March Plenary Session was scheduled to take place on 19 and 20 March. You can find an overview of upcoming EDPB Plenary Meetings here

20 February 2020

Brussels, 20 February - On 18 and 19 February, the eighteenth plenary session of the European Data Protection Board (hereinafter EDPB) took place, bringing together the EEA supervisory authorities and the European Data Protection Supervisor. During the plenary, a wide range of topics was discussed.

The EDPB and individual EEA supervisory authorities contributed to the evaluation and review of the GDPR, as required by Article 97 of the GDPR. The EDPB considers that the application of the GDPR in its first 20 months has been successful. Although the need for sufficient resources remains a concern for all supervisory authorities, and challenges remain, arising for example from the fragmentation of national procedures, the Board is convinced that cooperation between supervisory authorities will result in a common data protection culture and consistent practice. The EDPB is examining possible solutions to overcome these problems and to improve the existing cooperation procedures. It also calls on the European Commission to check whether national procedures affect the effectiveness of the cooperation procedures, and considers that the legislator may also have a role to play in ensuring further harmonisation. In its assessment, the EDPB also addresses issues such as international transfer tools, the impact on small and medium-sized enterprises, supervisory authority resources and the development of new technologies. The EDPB concludes that it is premature to revise the GDPR at this point in time.

The EDPB adopted draft guidelines to provide a more detailed explanation of the application of Article 46(2)(a) and Article 46(3)(b) of the GDPR. These articles concern transfers of personal data from EEA public authorities or bodies to public bodies in third countries or to international organisations, where such transfers are not covered by an adequacy decision. The guidelines set out recommendations on the safeguards to implement in legally binding instruments (Article 46(2)(a)) or in administrative arrangements (Article 46(3)(b)) to ensure that the level of protection of natural persons laid down in the General Data Protection Regulation is met and not undermined. The guidelines will be submitted for public consultation.

Statement on the privacy implications of mergers
Following the announcement of Google LLC's intention to acquire Fitbit, the EDPB adopted a statement highlighting that the possible further combination and accumulation of sensitive personal data about people in Europe by a major technology company could entail a high level of risk to the fundamental rights to privacy and data protection. In line with the accountability principle, the EDPB reminds the parties to the proposed merger of their obligations under the GDPR to conduct, in a transparent way, a full assessment of the data protection requirements and the privacy implications of the merger. The Board also called on the parties to mitigate the possible risks of the merger to the rights to privacy and data protection before the merger is notified to the European Commission. The EDPB will consider how this merger could affect the protection of personal data in the European Economic Area and stands ready to provide the Commission with advice on the proposed merger upon request.

Note to editors
Please note that all documents adopted during the European Data Protection Board plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these checks have been completed.

18 February 2020

On February 18th and 19th, the eighteenth plenary session of the European Data Protection Board is taking place in Brussels. For further information, please consult the agenda.

Agenda of Eighteenth Plenary

30 January 2020

On January 28th and 29th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their seventeenth plenary session. During the plenary, a wide range of topics was discussed.
 
The EDPB adopted its opinions on the Accreditation Requirements for Codes of Conduct Monitoring Bodies submitted to the Board by the Belgian, Spanish and French supervisory authorities (SAs). These opinions aim to ensure consistency and the correct application of the criteria among EEA SAs.

The EDPB adopted draft Guidelines on Connected Vehicles. As vehicles become increasingly connected, the amount of data generated about drivers and passengers by these connected vehicles is growing rapidly. The EDPB guidelines focus on the processing of personal data in relation to the non-professional use of connected vehicles by data subjects. More specifically, the guidelines deal with the personal data processed by the vehicle and the data communicated by the vehicle as a connected device. The guidelines will be submitted for public consultation.

The Board adopted the final version of the Guidelines on the processing of Personal Data through Video Devices following public consultation. The guidelines aim to clarify how the GDPR applies to the processing of personal data when using video devices and to ensure the consistent application of the GDPR in this regard. The guidelines cover both traditional video devices and smart video devices. The guidelines address, among others, the lawfulness of processing, including the processing of special categories of data, the applicability of the household exemption and the disclosure of footage to third parties. Following public consultation, several amendments were made.

The EDPB adopted its opinions on the draft accreditation requirements for Certification Bodies submitted to the Board by the UK and Luxembourg SAs. These are the first opinions on accreditation requirements for Certification Bodies adopted by the Board. They aim to establish a consistent and harmonised approach regarding the requirements which SAs and national accreditation bodies will apply when accrediting certification bodies. 

The EDPB adopted its opinion on the draft decision regarding the Fujikura Automotive Europe Group’s Controller Binding Corporate Rules (BCRs), submitted to the Board by the Spanish Supervisory Authority.

Letter on unfair algorithms
The EDPB adopted a letter in response to MEP Sophie in’t Veld’s request concerning the use of unfair algorithms. The letter provides an analysis of the challenges posed by the use of algorithms, an overview of the relevant GDPR provisions and existing guidelines addressing these issues, and describes the work already undertaken by SAs.

Letter to the Council of Europe on the Cybercrime Convention
Following the Board’s contribution to the consultation process on the negotiation of a second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), several EDPB Members actively participated in the Council of Europe Cybercrime Committee’s (T-CY) Octopus Conference. The Board adopted a follow-up letter to the conference, stressing the need to integrate strong data protection safeguards into the future Additional Protocol to the Convention and to ensure its consistency with Convention 108, as well as with the EU Treaties and Charter of Fundamental Rights.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

28 January 2020

On January 28th and 29th, the seventeenth plenary session of the European Data Protection Board is taking place in Brussels. For further information, please consult the agenda.

Agenda of Seventeenth Plenary