Bord Ewropew għall-Protezzjoni tad-Data

EDPB News

2019

22 May 2019

1 year ago, the GDPR entered into application, but what has changed for you? Where can you go to address your data protection concerns? And what is the EDPB's role in all this?

The video below provides an answer to these questions in a nutshell:

15 May 2019

Brussels, 15 May - On May 14th and 15th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their tenth plenary session. During the plenary a wide range of topics were discussed.

Election of a new Deputy Chair

The Members of the Board elected Aleid Wolfsen, Chairman of the Dutch Supervisory Authority, as new Deputy Chair, replacing Willem Debeuckelaere, whom EDPB Chair Andrea Jelinek thanked for his work. Along with fellow Deputy Chair Ventsislav Karadjov, Mr. Wolfsen will support the EDPB Chair in her work for the Board over the coming years. Dr. Jelinek added: “Public interest in data protection is at an all-time high. I look forward to working with Aleid and Ventsislav to engage with the wider community of data protection stakeholders.”

Mr. Wolfsen added: “In the years to come, it is our responsibility as Board to deliver authoritative guidance and sound advice. I will make it my responsibility as Deputy Chair that we take on board all opinions, and ultimately speak with one voice.”

Response to MEP Sophie In’t Veld regarding connected vehicles

The EDPB adopted a letter in response to MEP Sophie In’t Veld’s letter of 17 April 2019 regarding the sharing of car drivers’ personal data with the car producer and third parties, without explicit consent, specific and informed consent of the driver, and without adequate legal basis. In its response the EDPB highlights that the Members of the Board and their international colleagues adopted an ICDPPC resolution on Data Protection in Automated and Connected Vehicles in 2017 and that the WP29 adopted its Opinion 3/2017 on the processing personal data in the context of Cooperative Intelligent Transport Systems (C-ITS). The issue will also be dealt with according to the EDPB 2019-2020 work program.

Third Annual Privacy Shield Review

The EDPB designated representatives for the third annual review of the Privacy Shield.  Austria, Bulgaria, France, Germany, Hungary and the EDPS will represent the Board during the review.

Note to editors:

Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

14 May 2019

On May 14 & 15, the European Data Protection Board's tenth plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of tenth plenary

10 April 2019

Brussels, 10 April - On April 9th and 10th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their ninth plenary session.

During the plenary, the EDPB adopted guidelines on the scope and application of Article 6(1)(b)* GDPR in the context of information society services. In its guidelines, the Board makes general observations regarding data protection principles and the interaction of Article 6(1)(b) with other lawful bases. In addition, the guidelines contain guidance on the applicability of Article 6(1)(b) in case of bundling of separate services and termination of contract.

Note to editors:

Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.


* Article 6 (1) (B)

“1. Processing shall be lawful only if and to the extent that at least one of the following applies:

...

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; ”

09 April 2019

On April 9 & 10, the European Data Protection Board's ninth plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of ninth plenary

09 April 2019

Your personal information is collected, shared, used and stored by individuals, organisations and public authorities every day. Recruitment activities, video surveillance and health data collection are just a few examples of this. The European Data Protection Board (EDPB) ensures the consistent application of the GDPR throughout the European Economic Area (EEA), and promotes cooperation between the EEA data protection authorities. The European Data Protection Supervisor (EDPS) monitors and ensures the protection of personal data and privacy when EU institutions and bodies process personal data.

The EDPB and EDPS stand will be at the European Commission as part of the EU institutions' Europe Day celebrations.

Located on the ground floor of the Berlaymont building, EDPB and EDPS staff will be on hand to answer questions about your privacy rights and how to protect your personal information. Free goodies and information will be on offer, as well as fun and interactive activities for both children and adults to enjoy. You will also have a chance to win one of 20 USB sticks, simply by taking part in our fun, simple quiz!

Whether shopping online, using a smartphone or applying for jobs, data protection affects us all, so be sure to visit our stand to find out more!

For more information visit http://europeday.europa.eu and http://ec.europa.eu/belgium/events/europe-day_en

For more information on the EDPS visit: https://edps.europa.eu/data-protection/our-work/publications/events/eu-open-day-2019-brussels_en 

15 March 2019

On February 26, the EDPB Chair and Vice-Chair addressed the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) on GDPR implementation. You can read the full report here:  EDPB LIBE Report

14 March 2019

Il-Bord Ewropew għall-Protezzjoni tad-Data - It-Tmien Sessjoni Plenarja: L-interazzjoni bejn id-Direttiva dwar il-Privatezza Elettronika u l-GDPR, dikjarazzjoni rigward ir-Regolament dwar il-Privatezza Elettronika, il-Listi ES u IS tad-DPIA, Dikjarazzjoni dwar l-Elezzjonijiet

Brussell, it-13 ta’ Marzu - Fit-12 u fit-13 ta’ Marzu, l-Awtoritajiet tal-Protezzjoni tad-Data taż-ŻEE u l-Kontrollur Ewropew għall-Protezzjoni tad-Data, flimkien fil-Bord Ewropew dwar il-Protezzjoni tad-Data, iltaqgħu għat-tmien sessjoni plenarja tagħhom. Matul is-sessjoni plenarja saret diskussjoni dwar firxa wiesgħa ta’ suġġetti.
 
Interazzjoni bejn id-Direttiva dwar il-Privatezza Elettronika u l-GDPR
Il-Bord Ewropew għall-Protezzjoni tad-Data adotta l-opinjoni tiegħu dwar l-interazzjoni bejn id-Direttiva dwar il-Privatezza Elettronika u r-Regolament Ġenerali dwar il-Protezzjoni tad-Data. L-opinjoni għandha l-għan li tipprovdi tweġiba għall-mistoqsija dwar jekk il-fatt li l-ipproċessar tad-data personali jiskatta l-kamp ta’ applikazzjoni materjali kemm tal-GDPR kif ukoll tad-Direttiva dwar il-Privatezza Elettronika, jillimitax il-kompetenzi, il-kompiti u s-setgħat tal-awtoritajiet tal-protezzjoni tad-data fl-ambitu tal-GDPR. Il-Bord Ewropew għall-Protezzjoni tad-Data huwa tal-fehma li l-awtoritajiet tal-protezzjoni tad-data għandhom il-kompetenza li jinfurzaw il-GDPR. Is-sempliċi fatt li subsett tal-ipproċessar jaqa’ fil-kamp ta’ applikazzjoni tad-Direttiva dwar il-Privatezza Elettronika, ma jillimitax il-kompetenza tal-awtoritajiet tal-protezzjoni tad-data fl-ambitu tal-GDPR.

Ksur tal-GDPR jista’ fl-istess waqt jikkostitwixxi ksur tar-regoli nazzjonali dwar il-Privatezza Elettronika. Dan jista’ jitqies mill-awtoritajiet superviżorji meta japplikaw il-GDPR (pereż. meta jivvalutaw il-konformità mal-prinċipji tal-legalità jew tal-ġustizzja).  

Dikjarazzjoni dwar il-futur tar-Regolament dwar il-Privatezza Elettronika
Il-Bord Ewropew għall-Protezzjoni tad-Data adotta dikjarazzjoni li tistieden lil-leġiżlaturi tal-UE biex jintensifikaw l-isforzi fid-direzzjoni tal-adozzjoni tar-Regolament dwar il-Privatezza tad-Data, li hija essenzjali għall-ikkompletar tal-qafas tal-UE għall-protezzjoni tad-data u għall-kunfidenzjalità tal-komunikazzjonijiet elettroniċi.

Ir-Regolament dwar il-Privatezza Elettronika m’għandu fl-ebda ċirkostanza jnaqqas il-livell ta’ protezzjoni li toffri d-Direttiva attwali dwar il-Privatezza Elettronika u għandu jikkomplementa l-GDPR billi jipprovdi garanziji addizzjonali b’saħħithom għal kull tip ta’ komunikazzjoni elettronika.
 
 
Il-listi tad-DPIA
Il-Bord Ewropew għall-Protezzjoni tad-Data adotta żewġ opinjonijiet dwar il-listi tal-Valutazzjoni tal-Impatt fuq il-Protezzjoni tad-Data (DPIA - Data Protection Impact Assessment), ippreżentati lill-Bord minn Spanja u mill-Iżlanda. Dawn il-listi jikkostitwixxu għodda importanti għall-applikazzjoni konsistenti tal-GDPR fiż-ŻEE kollha. Id-DPIA hija proċess li jgħin fl-identifikazzjoni u l-mitigazzjoni tar-riskji marbuta mal-protezzjoni tad-data li jistgħu jolqtu d-drittijiet u l-libertajiet tal-individwi. Filwaqt li b’mod ġenerali l-kontrollur tad-data jeħtieġ jivvaluta jekk DPIA tkunx meħtieġa qabel jinvolvi ruħu fl-attività tal-ipproċessar, l-awtoritajiet superviżorji nazzjonali għandhom jistabbilixxu u jagħmlu lista tat-tip ta’ operazzjonijiet ta’ pproċessar li huma soġġetti għar-rekwiżit ta’ valutazzjoni tal-impatt fuq il-protezzjoni tad-data. Dawn iż-żewġ opinjonijiet jimxu fuq il-passi tat-28 opinjoni adottati matul laqgħat preċedenti tal-plenarja, u se jkomplu jikkontribwixxu biex jiġu stabbiliti kriterji komuni għal-listi tad-DPIA fiż-ŻEE kollha.

Dikjarazzjoni dwar l-użu ta’ data personali matul il-kampanji politiċi
Fid-dawl tal-elezzjonijiet Ewropej li ġejjin u ta’ elezzjonijiet oħra li se jsiru fl-2019 fl-UE kollha u lil hinn minnha, il-Bord Ewropew għall-Protezzjoni tad-Data adotta dikjarazzjoni dwar l-użu tad-data personali matul il-kampanji elettorali. It-tekniki tal-ipproċessar tad-data għal skopijiet politiċi jistgħu joħolqu riskji serji, mhux biss fir-rigward tad-drittijiet għall-privatezza u għall-protezzjoni tad-data, iżda wkoll għall-integrità tal-proċess demokratiku. Il-Bord Ewropew għall-Protezzjoni tad-Data, fid-dikjarazzjoni tiegħu jenfasizza għadd ta’ punti ewlenin li jeħtieġ li jitqiesu meta l-partiti politiċi jipproċessaw id-data personali matul l-attivitajiet elettorali.
 
Nota lill-edituri:
 
Kunu afu li d-dokumenti kollha adottati waqt is-Sessjoni Plenarja tal-Bord Ewropew għall-Protezzjoni tad-Data huma soġġetti għall-verifiki legali, lingwistiċi u ta’ fformattjar neċessarji u se jkunu disponibbli fuq is-sit web tal-Bord Ewropew għall-Protezzjoni tad-Data ladarba dawn il-verifiki jitlestew.

12 March 2019

On March 12 & 13, the European Data Protection Board's eighth plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of Eighth Plenary

13 February 2019

Brussels, 13 February - On February 12th, the EEA Data Protection Authorities and the European Data Protection Supervisor, assembled in the European Data Protection Board, met for their seventh plenary session. During the plenary a wide range of topics were discussed.
 
EDPB 2019/2020 Work program
The Board adopted its two-year work program for 2019-2020, according to Article 29 of the EDPB Rules of Procedure. The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities.

Draft administrative arrangement in the field of financial markets supervision

The EDPB adopted its first opinion on an administrative arrangement (AA), based on article 46.3.b of the GDPR, for transfers of personal data between EEA financial supervisory authorities, including the European Securities and Markets Authority (ESMA) and their non-EU counterparts. This arrangement will be submitted to the competent supervisory authorities (SAs) for authorisation at national level. The competent supervisory authorities will monitor the AA and its practical application to ensure that there are in practice effective and enforceable data subject rights and appropriate means of redress and supervision.

Brexit

The EDPB adopted an information note addressed to commercial entities and public authorities on data transfers under the GDPR in the event of a no-deal Brexit.

Data flows from the EEA to UK

In the absence of an agreement between the EU and the UK (no-deal Brexit), the UK will become a third country from 00.00 am CET on 30 March 2019. As a consequence, the transfer of personal data from the EEA to the UK will have to be based on one of the following instruments: Standard or ad hoc Data Protection Clauses, Binding Corporate Rules, Codes of Conduct and Certification Mechanisms and the specific transfer instruments available to public authorities. In the absence of Standard Data Protection Clauses or other alternative appropriate safeguards, derogations can be used under certain conditions.

Data flows from UK to the EEA

As regards data transfers from the UK to the EEA, according to the UK Government, the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.

                                                               

Guidelines on codes of conduct
The EDPB adopted guidelines on codes of conduct. The aim of these guidelines is to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 GDPR. The guidelines intend to help clarify the procedures and the rules involved in the submission, approval and publication of codes of conduct at both the national and the European level. These guidelines should further act as a clear framework for all competent supervisory authorities, the Board and the Commission to evaluate codes of conduct in a consistent manner and to streamline the procedures involved in the assessment process. The guidelines will be subject to public consultation.

Note to editors:

Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

12 February 2019

On February 12, the European Data Protection Board's seventh plenary takes place in Brussels. For further information, please consult the agenda.

Agenda of Seventh Plenary

 

24 January 2019

Brussels, 24 January - On January 22nd and 23rd, the European Data Protection Authorities, assembled in the European Data Protection Board, met for their sixth plenary session. During the plenary a wide range of topics were discussed.
 
Privacy Shield
The Board Members adopted the EDPB’s report on the Second Annual Review of the EU-US Privacy Shield. The EDPB welcomes the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield, especially actions undertaken to adapt the initial certification process, start ex officio oversight and enforcement actions, as well as the efforts  to publish a number of important documents, in part by declassification (such as decisions by the FISA Court), the appointment of a new Chair as well as of three new members of the Privacy and Civil Liberties Oversight Board (PCLOB) and the recently announced appointment of a permanent Ombudsperson.

In view of the findings of the second joint review, the following concerns about the implementation of the Privacy Shield still remain. This includes concerns already expressed by the EDPB’s predecessor WP29 on the lack of concrete assurances that indiscriminate collection and access of personal data for national security purposes are excluded. Also, based on the information provided so far, the EDPB cannot currently consider that the Ombudsperson is vested with sufficient powers to remedy non-compliance. In addition, the Board points out that checks regarding compliance with the substance of the Privacy Shield’s principles are not sufficiently strong.

Moreover, the EDPB has some additional concerns with regard to the necessary checks to comply with the onward transfer requirements, the scope of meaning of HR Data and the recertification process, as well as to a list of remaining issues raised after the first joint review which are still pending.

Brexit

The EDPB discussed possible consequences of Brexit in the area of data protection. Members agreed to cooperate and exchange information regarding their preparations and the tools available to transfer data to the UK, once the UK will no longer be part of the EU.

Clinical trials Q&A

Following a request from the European Commission (DG SANTE), the EDPB adopted its opinion on the clinical trials Q&A. The opinion addresses in particular the aspects related to the adequate legal bases in the context of clinical trials, and the secondary uses of clinical trial data for scientific purposes. The opinion will now be transmitted to the European Commission.

DPIA lists
The EDPB adopted opinions on the Data Protection Impact Assessment (DPIA) lists, submitted to the Board by Liechtenstein and Norway. These lists form an important tool for the consistent application of the GDPR across the EEA. DPIA is a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals. While in general the data controller needs to assess if a DPIA is required before engaging in the processing activity, national supervisory authorities shall establish and make a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. These two opinions follow the 22 opinions adopted during the September plenary, and the four opinions adopted during the December plenary, and will further contribute to establishing common criteria for DPIA lists across the EEA.

Guidelines on certification
The EDPB adopted the final version of the guidelines on certification following public consultation. Additionally, the Board also adopted a new annex. A draft version of the guidelines had been adopted during the EDPB’s first plenary in May. The primary aim of these guidelines is to identify overarching criteria which may be relevant to all types of certification mechanisms issued in accordance with art. 42 and art. 43 GDPR. As such, the guidelines explore the rationale for certification as an accountability tool, provide explanations for the key concepts of the certification provisions in art. 42 and art. 43, explain the scope of what can be certified and outline the purpose of certification. The guidelines will help Member States, supervisory authorities and national accreditation bodies (NAB) when reviewing and approving certification criteria in accordance with art. 42 and art. 43 GDPR. The annex will be subject to public consultation.

Response to Australian Supervisory Authority on data breach notification

In October 2018, the EDPB Chair received a written request from the Office of the Australian Information Commissioner regarding the publication of the data breach notifications by supervisory authorities. The EDPB welcomes the Australian Commissioner’s interest in cooperating with the European Data Protection Board on this issue and stresses the importance of international collaboration. In its response, the EDPB provides further information on whether and how supervisory authorities handle the publication of information regarding data breach notifications.

22 January 2019

On January 22 and 23, the European Data Protection Board's sixth plenary is taking place in Brussels. For further information, please consult the agenda.

Agenda of Sixth Plenary