Europeiska dataskyddsstyrelsen

Nyheter från Europeiska dataskyddsstyrelsen

03 February 2021

EDPB adopts Recommendations on Art. 36 LED – Adequacy referential, Opinion on the H3C/PCAOB Administrative Arrangement, Statement on new draft provisions on a protocol to Cybercrime Convention, Response to EC questionnaire on processing personal data for scientific research & discussion on Whatsapp privacy polic.

During its 45th plenary session, the EDPB adopted a wide range of documents. In addition, the Board discussed Whatsapp’s updated privacy policy. 

The EDPB adopted Recommendations on the adequacy referential under the Law Enforcement Directive (LED). The EDPB ensures the consistent application of EU data protection law in the EU, including of the Law Enforcement Directive (LED), which deals with the processing of personal data for law enforcement purposes. The aim of the Recommendations is to provide a list of elements to be examined when assessing the adequacy of a third country under the LED. The document recalls the concept and procedural aspects of adequacy according to the LED and the case law of the CJEU, and lays down the EU standards for data protection for police and judicial cooperation in criminal matters.

The EDPB adopted an opinion on the draft Administrative Arrangement (AA) for transfers of personal data between the Haut Conseil du Commissariat aux Comptes (H3C) and the Public Company Accounting Oversight Board (PCAOB). This AA will be submitted to the French SA for authorisation at national level. The French SA will monitor the application of the AA in practice and, if necessary, suspend any transfer performed by the H3C, if the AA ceases to provide data subjects with an essentially equivalent level of protection.

The EDPB adopted a Statement on the draft provisions on a protocol to the Cybercrime Convention. This statement complements the EDPB contribution to the draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention) and follows the publication of the new draft provisions. 
In this statement, the EDPB recalls that the provisions currently being discussed are likely to affect the conditions for access to personal data in the EU for law enforcement purposes and calls for a careful scrutiny of the ongoing negotiation by the relevant EU and national institutions. In addition, the EDPB stresses the need to guarantee full consistency with the EU acquis in the field of personal data protection. 

The EDPB adopted its response to the European Commission questionnaire on processing personal data for scientific research, focusing on health related research. The answers provided by the EDPB form a preliminary position on this topic and aim to provide clarity as to the application of the GDPR in the domain of scientific health research. The EDPB is currently developing guidelines on processing personal data for scientific research purposes that will elaborate on these issues. 

Finally, the Members of the Board had an exchange of views on WhatsApp's recent Privacy Policy update. The EDPB will continue to facilitate this exchange of information between authorities, in order to ensure a consistent application of data protection law across the EU in accordance with its mandate.

The agenda of the forty-fifth plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2021_1

28 January 2021


On the occasion of the 15th annual Data Protection Day, the Members of the EDPB bring you a joint message. Today is an opportunity to reflect on the efforts we make day after day to empower individuals, encourage business to be compliant and to enable trust.  From all of us at the EDPB, we wish you a very happy Data Protection Day.

18 January 2021

The EDPB adopted guidelines on examples regarding data breach notification. These guidelines complement the WP 29 guidance on data breach notification by introducing more practice orientated guidance and recommendations. They aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. The guidelines contain an inventory of data breach notification cases deemed most common by the national supervisory authorities (SAs), such as ransomware attacks; data exfiltration attacks; and lost or stolen devices and paper documents. Per case category, the guidelines present the most typical good or bad practices, advice on how risks should be identified and assessed, highlight the factors that should be given particular consideration, as well as inform in which cases the controller should notify the SA and/or notify the data subjects. The guidelines will be submitted for public consultation for a period of six weeks.


The guidelines and more information about the public consultation are available here

EDPB_Press Release_statement_2021_02


15 January 2021

The EDPB and EDPS have adopted joint opinions on two sets of contractual clauses (SCCs). One opinion on the SCCs for contracts between controllers and processors and one on the SCCs for the transfer of personal data to third countries.

The Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.

Andrea Jelinek, Chair of the EDPB, said: “The EDPB and EDPS welcome the controller-processor SCCs as a single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR. Among others, the EDPB and the EDPS request that sufficient clarity has to be provided to the parties as to the situations where they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.”

Several amendments were requested in order to bring more clarity to the text and to ensure its practical usefulness in day-to-day operations of the controllers and processors. These include the interplay between the two documents, the so-called "docking clause" which allows additional entities to accede to the SCCs, and other aspects relating to obligations for processors. Additionally, the EDPB and EDPS suggest that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity - any ambiguity would make it more difficult for controllers or processors to fulfil their obligations under the accountability principle.

Wojciech Wiewiórowski, EDPS, said: “We are convinced these SCCs can facilitate the compliance of controllers and processors with their obligations, both under the GDPR and under the legal framework of EU institutions and bodies (EUIs). Moreover, we hope these SCCs will ensure further harmonisation and legal certainty for individuals and their personal data. It is in this context that we aim to make these documents as future-proof as possible.”

The draft SCCs for the transfer of personal data to third countries pursuant to Art. 46 (2) (c) GDPR will replace the existing SCCs for international transfers that were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, as well as taking into account the CJEU ‘Schrems II’ Judgment, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination impact compliance with the clauses, in particular in case of binding requests from public authorities for disclosure of personal data.

Wojciech Wiewiórowski, EDPS, said: “Given our practical experience, we have made these comments to improve these SCCs with a view to fully ensure that personal data of EU citizens is afforded an essentially equivalent level of protection when transfers to third countries take place. We believe these suggestions and amendments are crucial in order to achieve these aims in practice.”

In general, the EDPB and the EDPS are of the opinion that the draft SCCs present a reinforced level of protection for data subjects. In particular, the EDPB and the EDPS welcome the specific provisions intended to address some of the main issues identified in the Schrems II judgment. Nevertheless, the EDPB and EDPS are of the view that several provisions could be improved or clarified, such as the scope of the SCCs; certain third party beneficiary rights; certain obligations regarding onward transfers; aspects of the assessment of third country laws regarding access to public data by public authorities; and the notification to the SA.

EDPB Chair Andrea Jelinek added: "The conditions under which SCCs can be used must be clear for organisations and data subjects should be provided with effective rights and remedies. In addition, the SCCs should include a clear distribution of roles and of the liability regime between the parties. As regards the need, in certain cases, for ad-hoc supplementary measures in order to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU, the new SCCs will have to be used along with the EDPB Recommendations on supplementary measures.”

The EDPB and the EDPS invite the Commission to refer to the final version of the EDPB Recommendations on supplementary measures, should the final version of the recommendations be adopted before the Commission’s SCC decision. This document was submitted for public consultation until 21 December 2020 and is still subject to possible further modifications on the basis of the results of the public consultation.

The agenda of the EDPB's 44th plenary session is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.


EDPB_Press Release_statement_2021_01