Brussels, 9 July 2025 - The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued today a Joint Opinion on the European Commission’s Proposal for a Regulation amending certain regulations, including the GDPR. 

The Proposal, part of the fourth simplification Omnibus, aims to simplify EU rules and reduce administrative burden, extending certain mitigating measures available for small and medium sized enterprises (SMEs) to small mid-cap enterprises (SMCs), and includes further simplification measures.  

The Proposal aims to modify Art.30 (5) GDPR, providing a derogation to the obligation to keep a record of data processing operations. Currently, this derogation only applies to enterprises and organisation under 250 employees, except in certain cases. Under the Proposal, the derogation would apply to an enterprise or organisation employing fewer than 750 people, unless the processing operation carried out is likely to result in a high risk to individuals’ rights and freedoms, within the meaning of Art.35 GDPR. 

In addition, the Proposal introduces a definition of SME and SMC in Art.4 GDPR and extends the scope of Art.40 (1) and 42 (1) GDPR to the SMCs, which refer to codes of conduct and certification. These tools are currently designed to help enterprises and organisations demonstrate compliance with the GDPR focusing on the specific needs of SMEs. 

Wojciech Wiewiórowski, EDPS, said: “We support the general objective of the Proposal to reduce the administrative burden for SMEs and SMCs as long as this does not lower the protection of individuals’ fundamental rights, in particular the rights to privacy and to the protection of personal data. To this end, we welcome that the proposed modifications to simplify and clarify the obligation to keep a record of processing are targeted and limited in nature, and do not affect the core principles and other obligations under the GDPR.”  

Anu Talus, EDPB Chair, said: “The EDPB supports the Proposal’s general objective to reduce the administrative burden for SMEs and SMCs and to ensure that, in practice, they can enjoy a derogation from the duty to keep records of processing activities. The current derogation did not always achieve its goal. At the same time, the record of processing activities is a useful tool to support compliance with other duties, such as the one of transparency or to give effect to data subject rights. The simplification will offer greater flexibility to SMEs and SMCs to choose the most appropriate method to be compliant.”

As regard the organisations being subject to the derogation, considering that the Proposal impacts legislation in other policy areas, the EDPB and the EDPS expect further clarifications on why the new threshold of enterprises or organisations employing fewer than 750 persons would be more appropriate under the GDPR, rather than the threshold of 500 employees initially considered. In addition, the new exemption in Art. 30 (5) refers to ‘enterprises employing fewer than 750 employees’ without referring to the newly introduced definitions of SME and SMC, which also includes financial criteria. In order to ensure that the exemption will benefit SMEs and SMCs, the EDPB and the EDPS’s Joint Opinion recommends referring to the newly introduced definitions of SME and SMC. 

The EDPB and EDPS also ask the co-legislators to clarify in the Proposal that the term ‘organisation’, falling within the scope of the proposed derogation under Art.30 (5) GDPR, does not include public authorities and bodies.  
 

A fundamental rights approach to innovation and competitiveness

Helsinki, 3 July 2025 – At a high-level meeting in Helsinki on 1–2 July 2025, the European Data Protection Board (EDPB) adopted a landmark Statement on enhanced clarity, support and engagement.

The Statement outlines new initiatives to make GDPR compliance easier, in particular for micro, small and medium organisations, strengthen consistency and boost cross-regulatory cooperation. 

EDPB Chair Anu Talus said: “The EDPB aims to ensure that compliance with the GDPR can be more easily achieved. By placing fundamental rights into the core of their digital transformation, organisations can ensure that technological advancements and the respect for European values go hand in hand, ultimately building a stronger and more resilient digital economy.”

Across its efforts, the EDPB will strengthen its dialogue with stakeholders, holding proactive and early engagement to identify areas where further support and clarification is required, and providing the opportunity for stakeholders to flag possible inconsistencies and give feedback. The EDPB will publicly report on the main outcomes of the public consultations. 

The EDPB will launch a series of direct and practical resources to simplify GDPR application.

EDPB Chair Anu Talus said: “The EDPB is committed to helping organisations in achieving GDPR compliance with greater ease and efficiency. Through timely and concise guidance and ready-to-use tools, like a common data breach notification template, checklists, how-tos and FAQs, we will continue to make GDPR alignment achievable and accessible for all.”

Among the measures agreed upon to ensure consistent GDPR interpretation and enforcement across Europe, EDPB Members will make continuous efforts to align national and EDPB guidance. They will also develop common practices, methods, tools and common actions review guidelines to ensure their real-world effectiveness. The EDPB will also publish positions by DPAs on priority issues to help organisations understand and act on regulatory expectations.

The EDPB recognises the growing complexity of the digital regulatory landscape and has renewed its commitment to fostering structured cooperation with non-data protection regulators to address legal and practical challenges in cross-sectoral cases.
 

Brussels, 05 June - During its latest plenary, the European Data Protection Board (EDPB) adopted the final version of its guidelines on Art.48 GDPR about data transfers to third country authorities, after public consultation. In addition, the Board presented two new Support Pool of Experts (SPE) projects providing training material on artificial intelligence and data protection. Finally, the Board discussed the European Commission’s request for a joint EDPB-EDPS opinion on the draft proposal on the simplification of record-keeping obligation under the GDPR. 

Data transfers to third country authorities 

Following public consultation, the EDPB has adopted the final version of the guidelines on data transfers to third country authorities. In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities (i.e. authorities from non-European countries).

The EDPB explains that judgements or decisions from third country authorities cannot automatically be recognised or enforced in Europe. As a general rule, an international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.

The modifications introduced in the updated guidelines do not change their orientation, but they aim to provide further clarifications on different aspects that were brought up in the consultation. For example, the updated guidelines address the situation where the recipient of a request is a processor. In addition, they provide additional details regarding the situation where a mother company in a third country receives a request from that third country authority and then requests the personal data from its subsidiary in Europe. 

Upskilling and reskilling on AI and data protection

During its June’s plenary, the EDPB also presented two new Support Pool of Experts (SPE) projects*: Law & Compliance in AI Security and Data Protection and Fundamentals of Secure AI Systems with Personal Data. The two projects, which have been launched at the request of the Hellenic Data Protection Authority (HDPA), provide training material on AI and data protection.

The report “Law & Compliance in AI Security & Data Protection” is addressed to professionals with a legal focus like data protection officers (DPO) or privacy professionals.

The second report, “Fundamentals of Secure AI Systems with Personal Data”, is oriented toward professionals with a technical focus like cybersecurity professionals, developers or deployers of high-risk AI systems.

The main aim of these projects is to address the critical shortage of skills on AI and data protection, which is seen as a key obstacle to the use of privacy-friendly AI. The training material will help equip professionals with essential competences in AI and data protection to create a more favourable environment for the enforcement of data protection legislation.

The Board decided to publish both documents as PDF files. Taking into account the very fast evolution of AI, the EDPB also decided to launch a new innovative initiative as a one-year pilot project consisting of a modifiable community version of the reports. The EDPB will start working with the authors of both reports to import them in its Git repository** to allow, in a near future, any external contributor, with an account on this platform and under the condition of the Creative Commons Attribution-ShareAlike license, to propose changes or add comments to the documents.

Simplification of record-keeping obligation under the GDPR ***

Finally, the Board discussed the European Commission's request for a joint opinion by the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify the record-keeping obligations of small and medium-sized enterprises (SMEs), small mid-caps (SMCs) and organisations with fewer than 750 employees, amounting to a targeted amendment of Art. 30(5) GDPR. The EDPB and EDPS will issue their joint opinion on this matter within eight weeks. 

Note to editors:

* The Support Pool of Experts (SPE) is an initiative included in the EDPB strategy 2024-2027 to help Data Protection Authorities (DPAs) increase their capacity to enforce by developing common tools and giving them access to a wide pool of experts.  

As part of the SPE programme, the EDPB may commission experts to provide reports and tools on specific topics. The views expressed in the deliverables are those of their authors and they do not necessarily reflect the official position of the EDPB.

** The reports will be available in the following months on the repository page.

***On 8 May 2025, the EDPB and the EDPS adopted a letter, addressed to the European Commission, to share preliminary views on the Commission’s proposal on the simplification of record-keeping obligation under the GDPR.

Brussels, 08 May - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a letter, addressed to the European Commission, on the upcoming proposal on the simplification of record-keeping obligation under the GDPR, amounting to a targeted amendment of Art. 30(5) GDPR.

The joint letter replies to the letter sent by the European Commission to the EDPB and the EDPS on 6 May 2025 where the Commission explained how it intends to introduce specific modifications to the GDPR. The EDPB and EDPS understand that a formal consultation will take place after the publication of the proposed legislative change.  

The EDPB and EDPS shared that, at this stage, they could express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. Nevertheless, the EDPB and EDPS asked the Commission to better evaluate the impact on the organisations subject to this change, to assess whether the draft proposal ensure a proportionate and fair balance between the protection of personal data and the interests of organisations with less than 500 employees.

Brussels, 06 May - During its latest plenary, the European Data Protection Board (EDPB) adopted an opinion on the European Commission’s draft adequacy decision under the GDPR concerning the European Patent Organisation (EPO). In addition, the Board adopted an opinion on the European Commission’s proposal to extend the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive (LED). Finally, the EDPB agreed to grant the status of observer to the Personal Data Protection Agency of Bosnia and Herzegovina.

Adequate protection of personal data by the EPO

At the European Commission’s request, the Board adopted an opinion on the Commission’s draft adequacy decision regarding the European Patent Organisation (EPO). Once formally adopted by the Commission, this will be the first adequacy decision concerning an international organisation and not a country or a region.
An adequacy decision is a key-mechanism in EU data protection legislation which allows the European Commission to determine whether a third country or an international organisation offers an adequate level of data protection. The effect of such a decision is that personal data can flow freely from Europe to that third country or international organisation.

EDPB Chair, Anu Talus, said: “The EDPB welcomes the Commission’s initiative to work on the first adequacy decision concerning an international organisation. This decision shows how the legal framework of such organisations can be recognised as ensuring an adequate level of protection on the basis of Art.45 GDPR.

The EDPB underlines the importance of ongoing dialogue between the Commission and international organisations, with a view to developing this category of adequacy decisions in addition to those relating to third countries.”

In its opinion, the Board positively notes that the EPO data protection framework is largely aligned with the European Union data protection framework, including on data protection rights and principles.

This shows that the GDPR and, in particular, its transfer provisions, can facilitate safe data flows from Europe to international organisations, while taking into account their status.

Six-month extension of the UK adequacy decisions

The EDPB opinion, requested by the European Commission, addresses the proposed extension of the two UK adequacy decisions under the GDPR and the LED, which are set to expire on 27 June 2025.

The opinion only concerns the proposed 6-month extension of these adequacy decisions and does not address the level of protection for personal data afforded in the UK, which will be examined by the EDPB following the Commission’s assessment, and if the renewal of the UK adequacy decisions is proposed.

Since the UK‘s data protection reform is still pending in the UK parliament, the EDPB recognises the need for a technical and time-limited extension of the adequacy decisions until 27 December 2025.This will give the European Commission sufficient time to evaluate the updated UK legal framework once it has been adopted.  

The EDPB stresses that this extension is exceptional and is due to the ongoing legislative developments in the UK. It should not, in principle, be further prolonged.

The Board recalls the validity of its opinions 14/2021 and 15/2021 on the two UK adequacy decisions, adopted in April 2021, and invites the European Commission to take them into account in its future assessments. 
The Board also recalls the Commission’s obligation to monitor all relevant developments in the UK during the extension period.

New observer to the EDPB’s activities

Finally, EDPB members agreed to grant observer status to the EDPB’s activities to the Bosnia and Herzegovina Data Protection Authority, in line with Art. 8 EDPB Rules of Procedure.
 

Every year, on 9 May, people across Europe celebrate the anniversary of the Schuman Declaration, which was a milestone to bring peace and solidarity in Europe. This year is particularly special as it marks the 75th anniversary of this historic moment.

Let’s celebrate together

To celebrate this occasion, the EDPB takes part in the EU Open Day, with an interactive stand hosted by volunteers from the EDPB Secretariat and national Data Protection Authorities (DPAs). Come and visit us to learn more about data protection and the EDPB’s activities.

You will find the EDPB and EDPS stands at the European Commission’s headquarters - the Berlaymont building - Village 1 “A Democratic Union”, on Saturday 10 May from 10:00 to 18:00. 

Do you want to learn more about privacy and data protection — and test your knowledge?
Come visit us for fun activities and quizzes designed just for you!

Further information about Europe Day 2025
 

Brussels, 23 April - The European Data Protection Board (EDPB) has published its 2024 Annual Report. The report provides an overview of the EDPB work carried out in 2024 and reflects on important milestones, such as the adoption of the 2024-2027 strategy, the increase in Art. 64(2) consistency opinions and the continued efforts to provide guidance and legal advice.

EDPB Chair Anu Talus said: “As I look back on the work carried out over the past year, I am proud to present our achievements. In 2024, we reaffirmed our commitment to safeguarding individuals’ fundamental rights to privacy and data protection in a fast-changing digital landscape.

We adopted a new strategy and continued to play a central role in providing guidance and ensuring a consistent application of the General Data Protection Regulation (GDPR) across Europe. To support understanding and implementation of data protection rights and duties, we expanded our outreach activities by devoting special attention to businesses and non-expert individuals. In addition, we acquired new roles in the framework of the new digital legislations.”

A new EDPB strategy

The EDPB strategy 2024-2027 outlines key priorities and actions to strengthen and modernise data protection across Europe, ensure consistent enforcement of the GDPR, and address emerging challenges, including cross-regulatory cooperation. The strategy also helps strengthen the EDPB’s global presence by engaging with global partners and representing the EU data protection model in key international fora.

EDPB’s central role in providing guidance and legal advice

The number of consistency opinions adopted under Art. 64(2) GDPR significantly increased. In 2024, the Board adopted eight Art. 64 (2) GDPR opinions, including on ‘Consent or Pay’ models used by large online platforms, the use of facial recognition at airports, and the use of personal data to train AI models. These opinions address a matter of general application and ensure consistency prior to enforcement.

The EDPB actively participated in legislative discussions by issuing statements highlighting data protection considerations and impacts. For example, the Board adopted statements on the draft procedural regulation for GDPR enforcement, and on the DPAs role in the AI Act framework.

The EDPB has also expanded its general guidance to help organisations achieve and maintain GDPR compliance. To this end, the Board adopted four new guidelines in 2024, such as the guidelines on legitimate interest and on data transfers to third country authorities.

Proactive engagement with stakeholders

In 2024, the EDPB continued to engage with stakeholders to foster open dialogue and mutual understanding between regulators, industry representatives, civil society organisations, and academic institutions.  To collect relevant insights from organisations that have expertise on data protection-related topics, the Board launched public consultations on its adopted guidelines and organised two stakeholder events, related to the upcoming guidelines on “Consent or Pay” models and to the preparation of the Opinion on AI models.

Contributing to cross-regulatory cooperation

New digital legislations, including the Digital Markets Act (DMA), the Digital Services Act (DSA), the AI Act, the Data Governance Act (DGA) and the Data Act, build on GDPR. To ensure consistency of application between the GDPR and these acts, the EDPB actively contributed to cross-regulatory cooperation by engaging with European and international partners, including the EU AI Office and the high-level group on the DMA.

Making the GDPR understandable and practical for all

Finally, the EDPB continued its efforts to provide information on the GDPR to a broader and non-expert audience by presenting it in a clear and non-technical language. To this end, the EDPB made the Data Protection Guide for Small Business available in 18 languages. In addition, the Board has launched a series of summaries of EDPB guidelines to help non-expert individuals and organisations identify in an easier way the most important points to consider. 
 

Brussels, 14 April - During its April 2025 plenary, the European Data Protection Board (EDPB) has adopted guidelines on processing of personal data through blockchain technologies.  A blockchain is a distributed digital ledger system that can confirm transactions  and  establish  who  owned  a  digital  asset  (such  as cryptocurrency)  at  a  given  time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability.

As the use of blockchain technologies is expanding, the Board considers it important to help organisations using these technologies to comply with the GDPR. 
In its guidelines, the EDPB explains how blockchains work, assessing the different possible architectures and their implications for the processing of personal data.

The guidelines highlight the importance of implementing technical and organisational measures at the earliest stages of the design of the processing. The EDPB also clarifies that the roles and responsibilities of the different actors in a blockchain-related processing of personal data should be assessed during the design of the processing.
In addition, organisations should carry out a Data Protection Impact Assessment (DPIA) before processing personal data through blockchain technologies, where the processing is likely to result in a high risk to the rights and freedoms of individuals.

According to the Board, organisations should also ensure the highest protection of individuals’ personal data during the processing so that they are not made accessible to an indefinite number of persons by default.

The guidelines provide examples of different techniques for data minimisation, as well as for handling and storing personal data. As a general rule, storing personal data in a blockchain should be avoided if this conflicts with data protection principles.

Finally, the Board highlights the importance of the rights of individuals especially regarding transparency, rectification and erasure of personal data. 

The guidelines will be subject to public consultation until 9 June 2025, providing stakeholders with the opportunity to comment.

During its latest plenary, the EDPB also decided to closely cooperate with the AI Office in relation to the drafting of the guidelines on the interplay between the AI Act and EU data protection legislation.
 

Brussels, 14 March - During its March 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on the implementation of the Passenger Name Record Directive (PNR) in light of the Court of Justice of the EU (CJEU) judgment C-817/19*. 

In its second statement on the implementation of the PNR Directive, which follows the one of 15 December 2022, the Board gives further guidance to the Passenger Information  Units (PIUs)** on the necessary adaptions and limitations to the processing of PNR data, following the PNR judgment. PNR data is personal information provided by passengers, and collected and held by air carriers that includes the names of the passengers, travel dates, itineraries, seats, baggage, contact details and means of payment.

The statement includes practical recommendations for the national laws transposing the PNR Directive in order to give effect to the findings of the CJEU in the PNR judgment. The recommendations cover some of the key aspects of the PNR judgement such as how European countries should select the flights from which PNR data is collected, or how long PNR data should be retained. According to the Board, the retention period of all PNR data should not exceed an initial period of six months. After this period, European countries may only store PNR data as long as needed and proportionate to the objectives of the PNR Directive.

EDPB Chair Anu Talus said: “The EDPB recognises the importance of the PNR Directive in improving the security of passengers across Europe and in helping prevent, detect and prosecute terrorist offences and serious crime. The transfer of PNR data in Europe should take place in a harmonised way and in full respect of data protection principles.”

The Board is aware that some European countries have already started the adaptation process, but there is still a substantial lack of implementation efforts throughout the Member States. Therefore, in its statement, the EDPB outlines the urgent need to implement the necessary changes and to amend national laws by taking into account the PNR judgment as soon as possible.

Note to editors
* On 21 June 2022, on a referral from the Belgian Constitutional Court, the CJEU rendered its judgment C-817/19 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, under the PNR Directive 2016/681. While the Court found that the validity of the PNR Directive was not affected, it ruled that, in order to ensure compliance with the EU Charter of Fundamental Rights (the Charter), the PNR Directive needs to be interpreted as including important limitations to the processing of personal data. Some of these limitations are the application of the PNR system only to terrorist offences and serious crime, having an objective link with the carriage of passengers by air, and the non-indiscriminate application of the general retention period of five years to all passengers’ personal data.
** The PIUs are specific entities in European countries which are responsible for the collection, storage, and processing of PNR data.
 

Brussels, 05 March - The European Data Protection Board (EDPB) has launched its Coordinated Enforcement Framework (CEF) action for 2025. Following a year-long coordinated action on the right of access in 2024, the CEF's focus this year will shift to the implementation of another data protection right, namely the right to erasure or the “right to be forgotten” (Art.17 GDPR).

The Board selected this topic during its October 2024 plenary as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals.
 

Next steps

During 2025, 30 Data Protection Authorities (DPAs) across Europe, as well as the European Data Protection Supervisor (EDPS), will take part in this initiative.

Participating DPAs will soon contact a number of controllers from different sectors across Europe, either by opening new formal investigations or doing fact-finding exercises. In the latter case, they might also decide to undertake additional follow-up actions if needed. 

DPAs will check how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right. 

DPAs will also stay in close contact to share and discuss their findings throughout this year. The results of these national actions will be aggregated and analysed together to generate deeper insight into the topic, allowing for targeted follow-ups on both national and EU levels.
 

Background

The CEF is a key action of the EDPB under its 2024-2027 strategy, aimed at streamlining enforcement and cooperation among DPAs.
In the past three years, three previous CEF actions on different topics were carried out: 

1. the use of cloud-based services by the public sector,
2. the designation and position of Data Protection Officers, and
3. the implementation of the right of access by controllers.

For further information:

• AT DPA: Coordinated Enforcement Framework 2025 (CEF 2025) - EDSA
• BG DPA: Започва координирано действие по изследване на приложението на правото на изтриване (право „да бъдеш забравен“)
• CS DPA: Evropský sbor pro ochranu osobních údajů zahájil další společnou koordinovanou dozorovou akci
• DA DPA: EDPB igangsætter koordineret indsats om retten til sletning
• DE DPA (Baden-Wuerttemberg): Europaweite Aktion zum Recht auf Löschung
• DE DPA (Berlin):  PRESSEMITTEILUNG der Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder vom 5. März 2025
• DE DPA (Brandenburg): Brandenburgische Datenschutzaufsicht beteiligt sich an europaweiter Prüfung zum Recht auf Löschung mit Schwerpunkt Wohnungsunternehmen
• EDPS: EDPS participates in fourth Coordinated Enforcement Action: focus on the right to erasure of personal data
• EL DPA: Έναρξη συντονισμένης δράσης του ΕΣΠΔ 2025 σχετικά με το δικαίωμα διαγραφής
• ES DPA: La AEPD participa en una acción europea para analizar la aplicación del derecho de supresión
• FI DPA: Tietosuojavaltuutetun toimisto selvittää henkilötietojen poisto-oikeuden toteutumista osana EU:n laajuista toimenpidettä
• HR DPA: Započela nova koordinirana akcija EDPB-a: pravo na brisanje
• IE DPA: Launch of coordinated enforcement action on the right to erasure
• IT DPA: GDPR, il Garante italiano partecipa al CEF 2025 sul diritto alla cancellazione
• LI DPA: Europäische Initiative zum Recht auf Löschung
• LU DPA: Lancement d’un sondage sur le droit à l’effacement (French), Umfrage zum Recht auf Löschung (German), Launch of a survey on the right to erasure (English)
• MT DPA: Launch of Coordinated Enforcement Action on the Right to Erasure
• SI DPA: Informacijski pooblaščenec bo v letu 2025 nadzoroval upoštevanje pravice do izbrisa

The European Data Protection Board (EDPB) has published a new register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art. 60 European General Data Protection Regulation (GDPR)) on its website.

Under the GDPR, Supervisory Authorities have a duty to cooperate on cases with a cross-border component to ensure a consistent application of the regulation - the so-called one-stop-shop (OSS) mechanism. Under the OSS, the Lead Supervisory Authority (LSA) is in charge of preparing the draft decisions and works together with the concerned SAs to reach consensus. Up until early June, LSAs have adopted 110 final OSS decisions. The register includes access to the decisions as well as  summaries of the decisions in English prepared by the EDPB Secretariat. The register will be valuable to data protection practitioners who will gain access to information showcasing how SAs work together to enforce the GDPR in practice. The information in the register has been validated by the LSAs in question and in accordance with the conditions provided by its national legislation.

The register is accessible here

During its 32nd Plenary Session, the European Data Protection Board (EDPB) adopted the following documents:

• EDPB statement on the interoperability of contact tracing applications
• EDPB statement on the processing of personal data in the context of reopening the Schengen borders
• EDPB letter to MEP Körner on the relevance of encryption bans in third countries for assessing the level of data protection
• EDPB letter to MEP Körner on laptop camera covers
• EDPB letter to the Committee of European Auditor Oversight Bodies

During its 31st Plenary Session, the European Data Protection Board (EDPB) adopted the following documents:

• EDPB response to MEP Körner regarding TikTok
• EDPB response to MEPs regarding Clearview AI
• EDPB response to ENISA regarding EDPB representative to the ENISA Advisory Group
• EDPB response to open letter from NYOB

During its 32nd plenary session, the European Data Protection Board (EDPB) adopted a statement on the interoperability of contact tracing apps, as well as a statement on the opening of borders and data protection rights. The Board also adopted two letters to MEP Körner - on encryption and on Article 25 European General Data Protection Regulation (GDPR) - and a letter to CEAOB on PCAOB arrangements.

The EDPB adopted a statement on the interoperability of contact tracing applications, building on the EDPB Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. The statement offers a more in-depth analysis of key aspects, including transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy in the context of creating an interoperable network of applications, that need to be considered on top of those highlighted in the EDPB Guidelines 04/2020.

The EDPB emphasises that the sharing of data about individuals that have been diagnosed or tested positively with such interoperable applications should only be triggered by a voluntary action of the user. Giving data subjects information and control will increase their trust in the solutions and their potential uptake. The goal of interoperability should not be used as an argument to extend the collection of personal data beyond what is necessary.

Moreover, contact tracing apps need to be part of a comprehensive public health strategy to fight the pandemic, such as testing and subsequent manual contact tracing for the purpose of improving effectiveness of the performed measures.

Ensuring interoperability is not only technically challenging and sometimes impossible without disproportionate trade-offs, but also leads to a potential increased data protection risk. Therefore, controllers need to ensure measures are effective and proportionate and must assess whether a less intrusive alternative can achieve the same purpose.

The EDPB adopted a statement on the processing of personal data in the context of reopening the Schengen borders following the COVID-19 outbreak. The measures allowing a safe reopening of the borders currently envisaged or implemented by Member States include testing for COVID-19, requiring certificates issued by health professionals and the use of a voluntary contact tracing app. Most measures involve processing of personal data.

The EDPB recalls that data protection legislation remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. The EDPB stresses that the processing of personal data must be necessary and proportionate, and the level of protection should be consistent throughout the EEA. In the statement, the EDPB urges the Member States to take a common European approach when deciding which processing of personal data is necessary in this context.

The statement also addresses the GDPR principles that Member States need to pay special attention to when processing personal data in the context of reopening the border. These include lawfulness, fairness and transparency, purpose limitation, data minimisation, storage limitation, security of data and data protection by design and by default. Moreover, the decision to allow the entrance into a country should not only be based on the automated individual decision making technologies. In any case, such decisions should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Automated individual decision measures should not apply to children.

Finally, the EDPB highlights the importance of a prior consultation with competent national supervisory authorities when Member States intend to process personal data in this context.

The EDPB adopted a response to a letter from MEP Moritz Körner on the relevance of encryption bans in third countries for assessing the level of data protection when personal data are transferred to countries where these bans exist. According to the EDPB, any ban on encryption or provisions weakening encryption would seriously undermine compliance with GDPR security obligations applicable to controllers and processors, be that in a third country or in the EEA. Security measures are one of the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country.

A second letter to MEP Körner addresses the topic of laptop camera covers. MEP Körner highlighted that this technology could help comply with the GDPR and suggested new laptops should be equipped with it. In its reply, the Board clarifies that while laptop manufacturers should be encouraged to take into account the right to data protection when developing and designing such products, they are not responsible for the processing carried out with those products and the GDPR does not establish legal obligations for manufacturers, unless they also act as controllers or processors. Controllers must evaluate the risks of each processing and choose the appropriate safeguards to comply with GDPR, including the privacy by design and by default enshrined in Article 25 GDPR.

Finally, the EDPB adopted a letter to the Committee of European Auditor Oversight Bodies (CEAOB). The EDPB received a proposal from the CEAOB, which gathers the national auditor oversight bodies at EU level, to cooperate and receive feedback on negotiations of draft administrative arrangements for the transfer of data to the US Public Company Accounting Oversight Board (PCAOB). The EDPB welcomes this proposal and indicates that it is available to hold an exchange with the CEAOB to clarify any potential questions on data protection requirements related to such arrangements in light of the EDPB Guidelines 2/2020 on Art. 46 (2) (a) and 46 (3) (b) GDPR for transfers of personal data between EEA and non-EEA public authorities. The exchange could also involve the PCAOB if the CEAOB and its members deem it beneficial for their work on these arrangements.

The agenda of the 32nd plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

During its 31st plenary session, the European Data Protection Board (EDPB) decided to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU, and adopted a letter with regard to the use of Clearview AI by law enforcement authorities. In addition, the EDPB adopted a response to the ENISA advisory group and a letter in response to an Open Letter from NOYB.

The EDPB announced its decision to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU.

In response to MEP Körner’s request regarding TikTok, the EDPB indicates that it has already issued guidelines and recommendations that should be taken into account by all data controllers whose processing is subject to the European General Data Protection Regulation (GDPR), in particular when it comes to the transfer of personal data to third countries, substantive and procedural conditions for access to personal data by public authorities or the application of the GDPR territorial scope, in particular when it comes to the processing of minors’ data. The EDPB recalls that the GDPR applies to the processing of personal data by a controller, even if it is not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the Union.

In its response to MEPs regarding Clearview AI, the EDPB shared its concerns regarding certain developments in facial recognition technologies. The EDPB recalls that under the Law Enforcement Directive (EU) 2016/680, law enforcement authorities may process biometric data for the purpose of uniquely identifying a natural person only in accordance with the strict conditions of Articles 8 and 10 of the Directive.

The EDPB has doubts as to whether any Union or Member State law provides a legal basis for using a service such as the one offered by Clearview AI. Therefore, as it stands and without prejudice to any future or pending investigation, the lawfulness of such use by EU law enforcement authorities cannot be ascertained.

Without prejudice to further analysis on the basis of additional elements provided, the EDPB is therefore of the opinion that the use of a service such as Clearview AI by law enforcement authorities in the European Union would, as it stands, likely not be consistent with the EU data protection regime.

Finally, the EDPB refers to its guidelines on the processing of personal data through video devices and announces upcoming work on the use of facial recognition technology by law enforcement authorities.

In response to a letter from the European Union Agency for Cybersecurity (ENISA) requesting that the EDPB nominate a representative to the ENISA Advisory group, the Board appointed Gwendal Le Grand, Deputy Secretary-General CNIL, as representative. The Advisory Group assists the Executive Director of ENISA with drawing up an annual work programme and ensuring communication with the relevant stakeholders.

The EDPB adopted a response to an Open Letter by NOYB regarding cooperation between the Supervisory Authorities and the consistency procedures. In its letter, the Board indicates it has been working constantly on the improvement of the cooperation between the Supervisory Authorities and the consistency procedures. The Board is aware that there are issues requiring improvement, such as the differences in national administrative procedural laws and practices, together with the time and resources needed to resolve cross-border cases. The Board reiterates it is committed to finding solutions, where these lie within its competence.

The agenda of the 31st plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

During its 26th, 28th and 30th plenary session, the European Data Protection Board (EDPB) adopted the following documents:

26th plenary session:

• EDPB response to MEPs Metsola and Halicki

28th plenary session:

• EDPB opinion on the draft Standard Contractual Clauses (SCCs) for controller-processor contracts submitted to the Board by the Slovenian Supervisory Authority

30th plenary session:

• EDPB response to NGOs on Hungarian government decrees
• Statement on Art 23 GDPR

During its 30th plenary session, the European Data Protection Board (EDPB) adopted a statement on data subject rights in connection to the state of emergency in Member States. The Board also adopted a letter in response to a letter from Civil Liberties Union for Europe, Access Now and the Hungarian Civil Liberties Union (HCLU) regarding the Hungarian Government’s Decree 179/2020 of 4 May.

The EDPB recalls that, even in these exceptional times, the protection of personal data must be upheld in all emergency measures, thus contributing to the respect of the overarching values of democracy, rule of law and fundamental rights on which the Union is founded.

In both the statement and the letter the EDPB reiterates that the European General Data Protection Regulation (GDPR) remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. Data protection law already enables data-processing operations necessary to contribute to the fight against the COVID-19 pandemic.

The statement recalls the main principles related to the restrictions on data subject rights in connection to the state of emergency in Member States:

•    Restrictions which are general, extensive or intrusive to the extent that they void a fundamental right of its basic content cannot be justified.
•    Under specific conditions, Article 23 GDPR allows national legislators to restrict via a legislative measure the scope of the obligations of controllers and processors and the rights of data subjects when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the Union or of a Member State, such as in particular public health.
•    Data subject rights are at the core of the fundamental right to data protection and Article 23 GDPR should be interpreted and read bearing in mind that their application should be the general rule. As restrictions are exceptions to the general rule, they should only be applied in limited circumstances.
•    Restrictions must be provided for ‘by law’, and the law establishing restrictions should be sufficiently clear as to allow citizens to understand the conditions in which controllers are empowered to resort to them. Additionally, restrictions must be foreseeable for persons subject to them. Restrictions imposed for a duration not precisely limited in time, which apply retroactively or are subject to undefined conditions, do not meet the foreseeability criterion.
•    The mere existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects; rather, any restriction must clearly contribute to the safeguard of an important objective of general public interest of the EU or of a Member State.  
•    The emergency state, adopted in a pandemic context, is a legal condition, which may legitimise restrictions of data subject rights, provided these restrictions only apply insofar as it is strictly necessary and proportionate in order to safeguard the public health objective. Thus, restrictions must be strictly limited in scope and in time, since data subject rights can be restricted but not denied. Additionally, the guarantees provided for under Article 23(2) GDPR must fully apply.
•    Restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights and the obligations incumbent to data controllers and processors, without any clear limitation in time, would equate to a de facto blanket suspension of those rights and would not be compatible with the essence of the fundamental rights and freedoms.

Furthermore, the EDPB announced it will issue guidelines on the implementation of Article 23 of the GDPR in the coming months.

The agenda of the 30th pleanry is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Brussels, 20 May - During its 28th European Data Protection Board (EDPB) plenary session, the EDPB adopted an Art. 64 European General Data Protection Regulation (GDPR) opinion on the draft Standard Contractual Clauses submitted by the Slovenian Supervisory Authority (SA) and decided on the publication of a register containing ‘one-stop-shop’ decisions.

The EDPB adopted its opinion on the draft Standard Contractual Clauses (SCCs) for controller-processor contracts submitted to the Board by the Slovenian Supervisory Authority. The opinion aims to ensure the consistent application of Article 28 GDPR, which imposes an obligation on controllers and processors to enter into a contract or other legal act stipulating the parties’ respective obligations. According to Article 28(6) GDPR, these contracts or other legal acts may be based, in whole or in part, on standard contractual clauses adopted by a Supervisory Authority. In the opinion, the Board makes several recommendations that need to be taken into account in order for these draft SCCs to be considered as Standard Contractual Clauses. If all recommendations are implemented, the Slovenian SA will be able to adopt this draft agreement as Standard Contractual Clauses pursuant to Article 28(8) GDPR.

The EDPB will publish a register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art. 60 GDPR) on its website.

Under the GDPR, Supervisory Authorities have a duty to cooperate on cases with a cross-border component to ensure a consistent application of the regulation - the so-called one-stop-shop (OSS) mechanism. Under the OSS, the Lead Supervisory Authority (LSA) is in charge of preparing the draft decisions and works together with the concerned SAs to reach consensus. Up to end of April 2020, LSAs have adopted 103 final OSS decisions. The EDPB intends to publish summaries in English prepared by the EDPB Secretariat. The information will be made public after the validation of the LSA in question and in accordance with the conditions provided by its national legislation.

The agenda of the 28th plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

During its 26th plenary session, the European Data Protection Board (EDPB) adopted a letter in response to requests from MEPs Metsola and Halicki regarding the Polish presidential elections taking place via postal vote. Additionally, an exchange of information took place on the recent Hungarian government decrees in relation to the coronavirus during the state of emergency
 
In its response to the MEPs Metsola and Halicki, the EDPB indicates that it is aware that data of Polish citizens was sent from the national PESEL (personal identification) database to the Polish Post by one of the Polish ministries and acknowledges that this issue requires special attention.

The Board underlines that, according to the European General Data Protection Regulation (GDPR), personal data, such as names and addresses, and national identification numbers (such as the Polish PESEL ID), must be processed lawfully, fairly and in a transparent manner, for specified purposes only. Public authorities may disclose information on individuals included in electoral lists, but only when this is specifically authorised by Member State law. The EDPB underlined that the disclosure of personal data – from one entity to another – always requires a legal basis in accordance with EU data protection laws. As previously indicated in the EDPB statement on the use of personal data in political campaigns (2/2019), political parties and candidates - but also public authorities, particularly those responsible for public registers - must stand ready to demonstrate how they have complied with data protection principles. The EDPB also underlined that, where elections are conducted by the collection of postal votes, it is the responsibility of the state to ensure that specific safeguards are in place to maintain the secrecy and integrity of the personal data concerning political opinions.

EDPB Chair, Andrea Jelinek, added: “Elections form the cornerstone of every democratic society. That is why the EDPB has always dedicated special attention to the processing of personal data for election purposes. We encourage data controllers, especially public authorities, to lead by example and process personal data in a manner which is transparent and leaves no doubt regarding the legal basis for the processing operations, including disclosure of data.”

However, the EDPB stresses that enforcement of the GDPR lies with the national supervisory authorities. The EDPB is not a data protection supervisory authority in its own right and, as such, does not have the same competences, tasks and powers as the national supervisory authorities. In the first instance, the assessment of alleged GDPR infringements falls within the competence of the responsible and independent national supervisory authority. Nevertheless, the EDPB will continue to pay special attention to the developments of personal data processing in connection to democratic elections and remains ready to support all members of the Board, including the Polish Supervisory Authority, in such matters.

During the plenary, the Hungarian Supervisory Authority provided the Board with information on the legislative measures the Hungarian government has adopted in relation to the coronavirus during the state of emergency. The Board considers that further explanation is necessary and has thus requested that the Hungarian Supervisory Authority provides further information on the scope and the duration, as well as the Hungarian Supervisory Authority’s opinion on the necessity and proportionality of these measures. The Board will discuss this further during its plenary session next Tuesday.

The agenda of the 26th plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

During its 24th Plenary Session, the European Data Protection Board (EDPB) adopted the following documents:

• EDPB response to the US Mission to the EU on the transfer of personal data for the purpose of scientific research and the development of vaccines and treatments to combat COVID-19
• EDPB response MEPs Ďuriš Nicholsonová and Jurzyca on common guidance in the fight against the COVID-19
• EDPB Response to MEP Sophie in't Veld on the use of apps in fight against COVID-19

During its 24th plenary session, the European Data Protection Board (EDPB) adopted three letters, reinforcing several elements from its earlier guidance on data protection in the context of fighting the COVID-19 outbreak.

In reply to a letter from the United States Mission to the European Union, the EDPB looks into transfers of health data for research purposes, enabling international cooperation for the development of a vaccine. The US Mission enquired into the possibility of relying on a derogation of Art. 49 European General Data Protection Regulation (GDPR) to enable international flows.

The EDPB tackled this topic in detail in its recently adopted guidelines (03/2020) on the processing of health data for scientific research. In its letter, the EDPB reiterates that the GDPR allows for collaboration between EEA and non-EEA scientists in the search for vaccines and treatments against COVID-19, while simultaneously protecting fundamental data protection rights in the EEA.

When data are transferred outside of the EEA, solutions that guarantee the continuous protection of data subjects’ fundamental rights, such as adequacy decisions or appropriate safeguards (included in Article 46 GDPR) should be favoured, according to the EDPB.  

However, the EDPB considers that the fight against COVID-19 has been recognised by the EU and Member States as an important public interest, as it has caused an exceptional sanitary crisis of an unprecedented nature and scale. This may require urgent action in the field of scientific research, necessitating transfers of personal data to third countries or international organisations.
 
In the absence of an adequacy decision or appropriate safeguards, public authorities and private entities may also rely upon derogations included in Article 49 GDPR

Andrea Jelinek, the Chair of the EDPB, said: “The global scientific community is racing against the clock to develop a COVID-19 vaccine or treatment. The EDPB confirms that the GDPR offers tools giving the best guarantees for international transfers of health data and is flexible enough to offer faster temporary solutions in the face of the urgent medical situation.”

The EDPB also adopted a response to a request from MEPs Lucia Ďuriš Nicholsonová and Eugen Jurzyca.

The EDPB replies that data protection laws already take into account data processing operations necessary to contribute to fighting an epidemic, therefore - according to the EDPB - there is no reason to lift GDPR provisions, but to observe them. In addition, the EDPB refers to the guidelines on the issues of geolocation and other tracing tools, as well as the processing of health data for research purposes in the context of the COVID-19 outbreak.

Andrea Jelinek, Chair of the EDPB, added: “The GDPR is designed to be flexible. As a result, it can enable an efficient response to support the fight against the pandemic, while at the same time protecting fundamental human rights and freedoms. When the processing of personal data is necessary in the context of COVID-19, data protection is indispensable to build trust, to create the conditions for social acceptability of any possible solution and, therefore, to guarantee the effectiveness of these measures”.

The EDPB received two letters from Sophie In 't Veld MEP, raising a series of questions regarding the latest technologies that are being developed in order to fight the spread of COVID-19.

In its reply, the EDPB refers to its recently adopted guidelines (04/2020) on the use of location data and contact tracing apps, which highlight – among other elements - that such schemes should have a voluntary nature, use the least amount of data possible, and should not trace individual movements, but rather use proximity information of users.

The agenda of the 23rd plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

During its 23rd Plenary Session, the European Data Protection Board (EDPB) adopted the following documents:

• Guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak
• Guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak

During its 23rd plenary session, the European Data Protection Board (EDPB) adopted guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak and guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.

The  guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak aim to shed light on the most urgent legal questions concerning the use of health data, such as the legal basis of processing, further processing of health data for the purpose of scientific research, the implementation of adequate safeguards and the exercise of data subject rights.

The guidelines state that the European General Data Protection Regulation (GDPR) contains several provisions for the processing of health data for the purpose of scientific research, which also apply in the context of the COVID-19 pandemic, in particular relating to consent and to the respective national legislations. The GDPR foresees the possibility to process certain special categories of personal data, such as health data, where it is necessary for scientific research purposes.

In addition, the guidelines address legal questions concerning international data transfers involving health data for research purposes related to the fight against COVID-19, in particular in the absence of an adequacy decision or other appropriate safeguards.  

Andrea Jelinek, Chair of the EDPB, said: “Currently, great research efforts are being made in the fight against COVID-19. Researchers hope to produce results as quickly as possible. The GDPR does not stand in the way of scientific research, but enables the lawful processing of health data to support the purpose of finding a vaccine or treatment for COVID-19”.

The guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak aim to clarify the conditions and principles for the proportionate use of location data and contact tracing tools, for two specific purposes:

1. using location data to support the response to the pandemic by modelling the spread of the virus in order to assess the overall effectiveness of confinement measures;
2. using contact tracing, which aims to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, in order to break the contamination chains as early as possible.

The guidelines emphasise that both the GDPR and the ePrivacy Directive contain specific provisions allowing for the use of anonymous or personal data to support public authorities and other actors at both national and EU level in their efforts to monitor and contain the spread of COVID-19. The general principles of effectiveness, necessity, and proportionality must guide any measures adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.

The EDPB stands by and underlines the position expressed in its letter to the European Commission (14 April) that the use of contact tracing apps should be voluntary and should not rely on tracing individual movements, but rather on proximity information regarding users.

Dr. Jelinek added: “Apps can never replace nurses and doctors. While data and technology can be important tools, we need to keep in mind that they have intrinsic limitations. Apps can only complement the effectiveness of public health measures and the dedication of healthcare workers that is necessary to fight COVID-19. At any rate, people should not have to choose between an efficient response to the crisis and the protection of fundamental rights.”

In addition, the EDPB adopted a guide for contact tracing apps as an annex to the guidelines. The purpose of this guide, which is non-exhaustive, is to provide general guidance to designers and implementers of contact tracing apps, underlining that any assessment must be carried out on a case-by-case basis.

Both sets of guidelines will exceptionally not be submitted for public consultation due to the urgency of the current situation and the necessity to have the guidelines readily available.

The agenda of the 23rd plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

On April 17th, the European Data Protection Board (EDPB) held its 22nd Plenary Session. For further information, please consult the agenda:

Agenda of Twenty-second Plenary

Following a request for consultation from the European Commission, the European Data Protection Board (EDPB) adopted a letter concerning the European Commission's draft Guidance on apps supporting the fight against the COVID-19 pandemic. This Guidance on data protection and privacy implications complements the European Commission’s Recommendation on apps for contact tracing, published on 8 April and setting out the process towards a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 crisis.
 
Andrea Jelinek, Chair of the EDPB, said: “The EDPB welcomes the Commission’s initiative to develop a pan-European and coordinated approach as this will help to ensure the same level of data protection for every European citizen, regardless of where he or she lives.”
 
In its letter, the EDPB specifically addresses the use of apps for the contact tracing and warning functionality, because this is where increased attention must be paid in order to minimise interferences with private life while still allowing data processing with the goal of preserving public health.
 
The EDPB considers that the development of the apps should be made in an accountable way, documenting with a data protection impact assessment all the implemented privacy by design and privacy by default mechanisms. In addition, the source code should be made publicly available for the widest possible scrutiny by the scientific community.
 
The EDPB strongly supports the Commission’s proposal for a voluntary adoption of such apps, a choice that should be made by individuals as a token of collective responsibility.
 
Finally, the EDPB underlined the need for the Board and its Members, in charge of advising and ensuring the correct application of the European General Data Protection Regulation (GDPR) and the E-Privacy Directive, to be fully involved in the whole process of elaboration and implementation of these measures. The EDPB recalls that it intends to publish Guidelines in the upcoming days on geolocation and tracing tools in the context of the COVID-19 out-break.

The EDPB’s letter is available here: https://edpb.europa.eu/letters_en
 
The agenda of the 21th plenary session is available here: https://edpb.europa.eu/our-work-tools/agenda/2020_en#agenda_490

During its 20th plenary session on April 7th, the European Data Protection Board (EDPB) assigned concrete mandates to its expert subgroups to develop guidance on several aspects of data processing in the fight against COVID-19. This follows the decision made on April 3rd during the EDPB's 19th plenary session.

1. geolocation and other tracing tools in the context of the COVID-19 outbreak – a mandate was given to the technology expert subgroup for leading this work;
2. processing of health data for research purposes in the context of the COVID-19 outbreak – a mandate was given to the compliance, e-government and health expert subgroup for leading this work.

Considering the high priority of these 2 topics, the EDPB decided to postpone the guidance work on teleworking tools and practices in the context of the COVID-19 outbreak, for the time being.

Andrea Jelinek, Chair of the EDPB, said: “The EDPB will move swiftly to issue guidance on these topics within the shortest possible notice to help make sure that technology is used in a responsible way to support and hopefully win the battle against the corona pandemic. I strongly believe data protection and public health go hand in hand."

The agenda of the 20th plenary session is available here

During its April Plenary Session, the European Data Protection Board (EDPB) adopted the following documents:

• Mandate on the processing of health data for research purposes in the context of the COVID-19 outbreak — 07/04/2020
• Mandate on geolocation and other tracing tools in the context of the COVID-19 outbreak — 07/04/2020

The European Data Protection Board (EDPB) is speeding up its guidance work in response to the COVID-19 crisis. Its monthly plenary meetings are being replaced by weekly remote meetings with the Members of the Board.

Andrea Jelinek, Chair of the EDPB, said: "The Board will prioritise providing guidance on the following issues: use of location data and anonymisation of data; processing of health data for scientific and research purposes and the processing of data by technologies used to enable remote working. The EDPB will adopt a horizontal approach and plans to issue general guidance with regard to the appropriate legal bases and applicable legal principles."

The agenda of today's remote meeting is available here

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 on Vis Consulting Sp. z o.o. in liquidation with the seat in Katowice, a company from telemarketing industry, for making it impossible to conduct inspection. Additionally, the company’s owner is subject to criminal liability for this.

The President of the Personal Data Protection Office (UODO) decided to conduct inspection activities at the penalised company, in connection with the findings made in the course of another inspection performed at the company conducting telemarketing activities. It was established that the company has a cooperation contract with regard to outsourcing of telemarketing services with Vis Consulting Sp. z o.o. Therefore, the supervisory authority found it necessary to conduct inspection activities at the entity which actually operated the telephone calls and processed the data.

Unfortunately, the UODO’s inspectors, after prior notification on the planned inspection, did not find anyone at the address indicated in the National Court Register (KRS). On the spot, there was only a company which leased office space to Vis Consulting Sp. z o.o. (so called virtual office).

The inspectors managed, however, to contact Vis Consulting by telephone, and its proxy informed that the inspection would not take place.

Therefore, the President of the UODO concluded that the company in no way wished to cooperate with the personal data protection authority. On two consecutive days of the planned inspection activities, the company made it impossible to carry out the inspection twice. Furthermore, on the date on which the inspectors attempted to conduct inspection at Vis Consulting Sp. z o.o., its authorities decided to liquidate that entity.

In the opinion of the President of the Office, this company does not comply with the obligations relating to the processing of personal data and, at least intentionally, avoids to be subject of inspection by the supervisory authority. Thus the company infringed the provisions of Article 31 of the European General Data Protection Regulation (GDPR) with regard to Article 58(1)(e) and (f) of the GDPR referring to cooperation with the supervisory authority and enabling it access to all personal data and any information.

Hence, the President of the UODO concluded that the conditions for imposing a fine on the company were satisfied. In determining the amount of the fine, the supervisory authority did not identify any attenuating circumstances affecting the amount of the fine.

In connection with suspicion of commission of an offence under Article 108 (1) of the Act on the Protection of Personal Data by the President of the Company, the supervisory authority notified the District Public Prosecutor’s Office in Katowice thereof. According to that provision, the prevention or hindering of conducting inspection of compliance with the personal data protection provisions shall be subject to a fine, restriction of personal liberty or imprisonment for up to two years. The Public Prosecutor’s Office has already lodged an indictment against the President of the Company to the court.

To read the press release is Polish, click here

To read the full decision in Polish, click here

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this news release should be directed to the supervisory authority concerned.

Following a decision by the European Data Protection Board (EDPB) Chair, the EDPB April Plenary Session has been cancelled due to safety concerns surrounding the outbreak of the Coronavirus (COVID-19). The EDPB hereby follows the example of other EU institutions, such as the European Parliament, which have restricted the number of large-scale meetings.

The April Plenary Session was scheduled to take place on 20 and 21 April. Earlier, the EDPB March Plenary was also cancelled for the same reasons. You can find an overview of upcoming EDPB Plenary Meetings here

On March 19th, the European Data Protection Board (EDPB) adopted a formal statement on the processing of personal data in the context of the COVID-19 outbreak via written procedure. The full statement is available here

Governments, public and private organisations throughout Europe are taking measures to contain and mitigate COVID-19. This can involve the processing of different types of personal data.  

Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as European General Data Protection Regulation (GDPR)) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

The GDPR is a broad legislation and also provides for the rules to apply to the processing of personal data in a context such as the one relating to COVID-19. Indeed, the GDPR provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. This applies for instance when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR) or to comply with another legal obligation.

For the processing of electronic communication data, such as mobile location data, additional rules apply. The national laws implementing the ePrivacy Directive provide for the principle that the location data can only be used by the operator when they are made anonymous, or with the consent of the individuals. The public authorities should first aim for the processing of location data in an anonymous way (i.e. processing data aggregated in a way that it cannot be reversed to personal data). This could enable to generate reports on the concentration of mobile devices at a certain location (“cartography”).  

When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security *. This emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.

Update:

On March 19th, the European Data Protection Board adopted a formal statement on the processing of personal data in the context of the COVID-19 outbreak. The full statement is available below.

* In this context, it shall be noted that safeguarding public health may fall under the national and/or public security exception.

The Swedish Data Protection Authority imposes a fine of 75 million Swedish kronor (approximately 7 million euro) on Google for failure to comply with the European General Data Protection Regulation (GDPR). Google as a search engine operator has not fulfilled its obligations in respect of the right to request delisting.

In 2017 the Swedish Data Protection Authority (DPA) finalised an audit concerning how Google handles individuals’ right to have search result listings for searches that includes their name removed from Google’s search engine in case of for example lack of accuracy, relevance or if considered superfluous. In its decision the DPA concluded that a number of search result listings should be removed and subsequently ordered Google to do so.

In 2018, due to indications that Google had not fully complied with the previously issued order, the DPA initiated a follow-up audit. This audit is now finalised and the DPA is issuing a fine against Google.

– The GDPR increases the level of responsibility for organisations that collect and process personal data, and strengthens the rights of individuals. An important part of those rights is the possibility for individuals to have their search result delisted. We have found that Google is not fully complying with its obligations in relation to this data protection right, says Lena Lindgren Schelin, Director General at the Swedish DPA.

The Swedish Data Protection Authority is critical to the fact that Google did not properly remove two of the search result listings that the DPA had ordered them to remove back in 2017. In one of the cases Google has done a too narrow interpretation of what web addresses needed to be removed from the search result listing. In the second case Google has failed to remove the search result listing without undue delay.

When Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site-owner knowledge of which webpage link was removed and who was behind the delisting request. This allows the site-owner to re-publish the webpage in question on another web address that will then be displayed in a Google search. This in practice puts the right to delisting out of effect.

– In its delisting request form Google states that the site-owner will be notified of the request in a way that might result in individuals refraining from exercising their right to request delisting, thereby undermining the effectiveness of this right, says Olle Pettersson, legal advisor at the Swedish DPA who has participated in this audit of Google.

Google does not have a legal basis for informing site-owners when search result listings are removed and furthermore gives individuals misleading information by the statement in the request form. That is why the DPA orders Google to cease and desist from this practice.

Facts about the right to have search result listings removed
In May 2014 the Court of Justice of the EU ruled that an individual may request a search engine provider such as Google to remove a search result listing that contains the name of an individual in case the listing is incorrect, irrelevant or superfluous. This right was strengthened with the GDPR entering into force 25th May 2018. The right is however not absolute, you cannot demand that all search results are to be removed. Individuals who wish to exercise their right to request delisting should contact the search engine provider directly.

What happens next?
Google may appeal the decision of the Swedish DPA within three weeks. If Google decides not to appeal, the decision will enter into force by the end of that time period. Once the decision has entered into force it will be handed over to the Legal, Financial and Administrative Services Agency (Kammarkollegiet) that handles the administration of fines under the GDPR.

Note to editors:

The personal data processing in question is part of the processing operations carried out by Google as a search engine operator. For this part of Google’s activity it is Google LLC (parent company of the Google group) established in the United States that decides the purpose and means of the processing. Since there is no main establishment within the EU for this part of Google’s operations, each Supervisory Authority in the EU is competent for investigating possible infringements of the GDPR within their territory.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se  

The Danish Data Protection Agency has reported the municipality of Gladsaxe and the Municipality of Hørsholm to the police, as it finds that the municipalities have not met the requirements of an adequate level of security under the General Data Protection Regulation (GDPR).

For the municipalities of Gladsaxe and Hørsholm Municipality fines of DKK 100.000 and DKK 50.000 have been proposed respectively.

The Data Protection Agency became aware of the cases when both municipalities notified the agency of personal data breaches relating to the theft of computers containing personal data.

Neither computers were protected by encryption, and the loss of personal data by the municipalities therefore posed an undue risk to its citizens.

In one of the cases, the lack of security resulted in a serious personal data breach, as a computer containing personal data of 20.620 citizens, including information of a sensitive nature and personal data, was stolen from Gladsaxe City Hall.

The second security breach took place when the computer of an employee from the municipality of Hørsholm was stolen from his car. On the computer, there was information on about 1.600 employees in the municipality of Hørsholm, including information of a sensitive nature and personal data.

The specific security breaches express some of the possible consequences of the insufficient level of security which poses a high risk to all citizens of whom the municipality processes data.

Municipalities have a great deal of responsibility
“A municipality processes very large amounts of personal data concerning the municipality’s citizens, including information of a sensitive nature. As a citizen, it is not possible to opt out of the municipality’s processing of information about oneself, and the municipality therefore has a high responsibility to avoid the information being disclosed, "said Frederik Viksøe Siegumfeldt, Head of Unit of the Supervisory Unit in the Danish Data Protection Agency. He explains:

“It is simple to access the files stored on the computer when a computer’s hard drive is not encrypted, for example by moving the hard drive to another computer. Therefore, when personal data are stored locally on the computer, it is very imprudent that the municipalities' computers were not encrypted.”

Proposal of fines
The Danish Data Protection Agency has decided to report the Municipality of Gladsaxe and the Municipality of Hørsholm to the police and proposes that the two municipalities be fined DKK 100.000 and DKK 50.000 respectively.

To read the press release in Danish, click here

For further information, please contact the Danish DPA: dt@datatilsynet.dk

On 5 March 2020, the Icelandic Supervisory Authority (SA) took the decision to impose an administrative fine of ISK 3.000.000 (EUR 20.643) on the National Center of Addiction Medicine in a case relating to a personal data breach.

The National Center of Addiction Medicine is an NGO that operates a detoxification clinic and four inpatient and outpatient rehabilitation centers, as well as a center for family services and a social center in Iceland. Its services are delivered by a staff of medical doctors, psychologists, registered nurses, nurse practitioners and licensed counselors.

The breach occurred when a former employee of the National Center of Addiction Medicine received boxes containing what were supposed to be personal belongings that he had left there. However, it turned out that the boxes contained patient data as well, including health records of 252 former patients and records containing the names of approximately 3.000 people who had attended rehabilitation for alcohol and substance abuse.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)f and Art. 32 of the European General Data Protection Regulation (GDPR).

When determining the fine, the SA referred to the nature of the personal data involved in the breach, which were data concerning health, and the large scope of the processing. The SA also cited the nature of the National Center of Addiction Medicine as a non-profit health care provider and the fact that the Center had made considerable efforts to improve handling of personal data, beginning before the breach came to light.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA: postur@dpa.is

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 in connection with the breach consisting in the processing of biometric data of children when using the school canteen.

The school processed special categories of data (biometric data) of 680 children without a legal basis, whereas in fact it could use other forms of students identification.

For that breach, an administrative fine was imposed on Primary School No. 2 in Gdansk. In addition, the President of the Personal Data Protection Office (UODO) has ordered the erasure of the personal data processed in the form of digital information on the specific fingerprints of the children and the cessation of any further collection of personal data.

Following an ex officio administrative proceedings, the President of the UODO has established that the school is using a biometric reader at the entrance to the school canteen that identifies the children in order to verify the payment of the meal fee.

The proceedings have shown that the school obtains the data and processes them on the basis of the written consent of the parents or legal guardians. The solution has been in place since 1 April 2015. In the school year 2019/2020, 680 pupils use a biometric reader and four pupils - an alternative identification system.

In this case, it is important to stress that the processing of biometric data is not essential for achieving the goal of identifying a child’s entitlement to receive lunch. The school may carry out the identification by other means that do not interfere so much in the child’s privacy. Moreover, the school makes it possible to use the services of the school canteen not only by means of fingerprints verification, but also electronic cards, or by giving the name and contract number. Thus, in the school, there are alternative forms of identification of the child’s entitlement to receive lunch.

In the fined Primary School No. 2, in accordance with the lunch rules, available on the website of the school’s canteen, students who do not have biometric identification have to wait at the end of the queue until all the students with biometric identification enter the canteen. Once all the students with biometric identification have entered the canteen, the students without biometric identification are allowed to enter, one by one. In the opinion of the President of the UODO, such rules introduce unequal treatment of students and their unjustified differentiation, as they clearly favour students with biometric identification. Moreover, in the authority’s view, the use of biometric data, considering the purpose for which they are processed, is significantly disproportionate.

The President of the UODO, in the grounds of his decision, emphasised that children require special protection of personal data. Moreover, in the present case, the processed data constitute the data of special categories. The biometric system identifies characteristics which are not subject to change, as in the case of dactyloscopic data. Due to the unique and permanent character of biometric data, which means that they cannot change over time, the biometric data should be used with due care. Biometric data are unique in the light of fundamental rights and freedoms and therefore require special protection. Their possible leakage may result in a high risk to the rights and freedoms of natural persons.

To read the press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl

The Dutch DPA imposed a fine of EUR 525,000 on tennis association KNLTB for selling the personal data of its Members. In 2018, KNLTB unlawfully provided personal data of a few thousand of its members to two sponsors.

Boete voor tennisbond vanwege verkoop van persoonsgegevens

De Autoriteit Persoonsgegevens (AP) legt tennisbond KNLTB een boete op van 525.000 euro voor het verkopen van persoonsgegevens. De KNLTB heeft in 2018 onrechtmatig tegen betaling persoonsgegevens van een paar honderdduizend van zijn leden verstrekt aan twee sponsoren.

De Koninklijke Nederlandse Lawn Tennisbond (KNLTB) verstrekte de sponsoren persoonsgegevens zoals naam, geslacht en adres, zodat zij een selectie van KNLTB-leden konden benaderen met tennisgerelateerde en andere aanbiedingen. De ene sponsor ontving persoonsgegevens van 50.000, de andere van meer dan 300.000 leden. Die sponsors benaderden een deel van die KNLTB-leden per post of telefoon.

Verkoop van persoonsgegevens

Voor elke verwerking van persoonsgegevens moet de organisatie die ze verwerkt zich kunnen beroepen op één van de zes grondslagen uit de AVG. Bijvoorbeeld dat degene om wie het gaat toestemming heeft gegeven voor die verwerking. Verkoop van persoonsgegevens zonder toestemming van de persoon achter de gegevens is doorgaans verboden. De KNLTB vond dat hij een gerechtvaardigd belang had bij verkoop van de gegevens. De AP is het daarmee niet eens en heeft geoordeeld dat KNLTB geen grondslag had om die persoonsgegevens door te geven aan de sponsoren.

Klacht KNLTB over AP
Tijdens het onderzoek naar de KNLTB diende de tennisbond een klacht in tegen de AP, die de AP gegrond verklaarde. Die klacht ging over het optreden van AP-voorzitter Aleid Wolfsen in Nieuwsuur, op 17 december 2018. Daarin gaf Wolfsen aan dat de AP ‘een sportbond’ onderzocht. De AP heeft in reactie op deze klacht erkend dat zij in die uitzending de indruk heeft gewekt dat de handelwijze van KNLTB niet correct was, terwijl het onderzoek daarnaar nog liep. De KNLTB zag in die uitlatingen de schijn van vooringenomenheid en dat betreurt de AP. Op aanbeveling van de Nationale Ombudsman laat de AP hierbij weten dat de uitlatingen van Wolfsen ten onrechte vooruitliepen op de uitkomsten van het onderzoek.

Bezwaar KNLTB
De KNLTB heeft bezwaar gemaakt tegen het boetebesluit. De AP zal dit gaan beoordelen.

To read the full decision, click here

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

Following a decision by the European Data Protection Board (EDPB) Chair, the EDPB March Plenary Session has been cancelled due to safety concerns surrounding the outbreak of the Coronavirus (COVID-19). The EDPB hereby follows the example of other EU institutions, such as the European Parliament, which have restricted the number of large-scale meetings.

The March Plenary Session was scheduled to take place on 19 and 20 March. You can find an overview of upcoming EDPB Plenary Meetings here