Skip to main content

EDPS News

EDPS

CPDP - Data Protection Day 2025

1 day 7 hours ago
CPDP - Data Protection Day 2025 miriam Mon, 11/04/2024 - 12:10 Mon, 11/04/2024 - 12:00

On 28 January 2025 in Brussels, to mark Data Protection Day, European Data Protection Supervisor (EDPS) together with Council of Europe (CoE) and Computers, Privacy and Data Protection, organises a one-day hybrid event focused on exploring the current and future landscape of data protection. 

The full programme and registration are available at https://cpdp-dataprotectionday.eu/

1 Register now
European Data Protection Supervisor

20 Talks with Dr. Michaela Musilová - Astrobiologist and Analog Astronaut

6 days ago
20 Talks with Dr. Michaela Musilová - Astrobiologist and Analog Astronaut miriam Wed, 10/30/2024 - 19:31 Thu, 10/31/2024 - 12:00

With a strong background in planetary science and a passion for the search for life beyond Earth, our guest has been instrumental in advancing research on extreme environments, often considered analogs for other planets. Watch it with us. 

1 Watch the interview
European Data Protection Supervisor

EDPS issues the Supervisory opinion on the draft Europol Management Board Decision on retention of administrative data

2 weeks 6 days ago
EDPS issues the Supervisory opinion on the draft Europol Management Board Decision on retention of administrative data miriam Wed, 10/16/2024 - 11:56 Thu, 10/17/2024 - 12:00

EDPS issues the Supervisory opinion on the draft Europol management board decision laying down rules to determine time limits for the storage of administrative personal data.

1 Read our recommendations here
European Data Protection Supervisor

Oral history of data protection - Interview with Hon. Michael Kirby

2 weeks 6 days ago
Oral history of data protection - Interview with Hon. Michael Kirby miriam Wed, 10/16/2024 - 11:22 Wed, 10/16/2024 - 12:00

He is interviewed by Prof. Lee A. Bygrave, Director of the Norwegian Research Center for Computers and Law (NRCCL) at the University of Oslo, and Prof. Gloria González Fuster, Director of the Law, Science, Technology and Society (LSTS) Research Group at the Vrije Universiteit Brussel (VUB).

Mini video series is a collaborative project of the European Data Protection Supervisor and LSTS Research Group at the Vrije Universitet Brussel. This series features in-depth interviews with leading experts in the field of data protection who shed light on how the landscape of data protection has transformed over time and what lies ahead. 

1 Watch the video
European Data Protection Supervisor

G7 Roundtable 2024: Data Protection Authorities Collaborate to Shape the Future of AI and Privacy

3 weeks 5 days ago
G7 Roundtable 2024: Data Protection Authorities Collaborate to Shape the Future of AI and Privacy miriam Thu, 10/10/2024 - 16:23 Fri, 10/11/2024 - 12:00

With our participation in the G7 DPA Roundtable this year, we aim to help shape the global debate on the importance of data protection in the development of ethical and trustworthy AI. Collaborating with our partners from like-minded G7 countries enables us also to create common approaches to privacy and data protection in this fast-moving landscape.

Read Press Release

1 Read Press Release
European Data Protection Supervisor

Bonus episode #3 is out!

3 weeks 5 days ago
Bonus episode #3 is out! miriam Thu, 10/10/2024 - 11:33 Tue, 10/15/2024 - 12:00

October is the European CyberSecurity Month! Together with ENISA, we discuss various topics that any individual or organisation should not missed out! 

1 Have a listen!
European Data Protection Supervisor

20 Talks - Frances Haugen: Advocate for accountability and transparency in social media

3 weeks 5 days ago
20 Talks - Frances Haugen: Advocate for accountability and transparency in social media estelle Thu, 10/10/2024 - 09:55 Thu, 10/10/2024 - 12:00

In this episode, we welcome Frances Haugen, advocate for accountability and transparency in social media. She will bring a wealth of knowledge and experience to today’s discussion. 

Frances Haugen is an expert in algorithmic product management, with extensive experience working on ranking algorithms at major tech companies such as Google, Pinterest, Yelp, and Facebook. At Facebook, she led the Civic Misinformation team, where she became concerned about the platform's impact on vulnerable communities.

1 Watch the interview
European Data Protection Supervisor

20 Talks - Amba Kak: Co-executive director of AI Now Institute

1 month ago
20 Talks - Amba Kak: Co-executive director of AI Now Institute miriam Thu, 10/03/2024 - 12:53 Fri, 10/04/2024 - 12:00

In this episode, we welcome Amba Kak. She has spent the last fifteen years designing and advocating for technology policy in the public interest, ranging from network neutrality to privacy to algorithmic accountability, across government, industry, and civil society – and in many parts of the world.

1 Watch the interview
European Data Protection Supervisor

Fibbing Finley: a guide to pretexting

1 month 2 weeks ago
Fibbing Finley: a guide to pretexting julia Fri, 09/20/2024 - 19:45 Mon, 10/21/2024 - 12:00

Meet Finley, a cybercriminal and Amari, an employee of a big public organisation; as the dangers of pretexting creep up, what will happen between our two protagonists? Read comic to find out.

0
European Data Protection Supervisor

Beware of Ransomware!

1 month 2 weeks ago
Beware of Ransomware! julia Fri, 09/20/2024 - 19:39 Mon, 10/28/2024 - 12:00

Ransomware starts with cybercriminals taking control of your systems, how do you react to prevent this and what should you do if you are a victim of ransomware?  Check our factsheet.

0
European Data Protection Supervisor

AI & Cybersecurity: tool or weapon?

1 month 2 weeks ago
AI & Cybersecurity: tool or weapon? julia Fri, 09/20/2024 - 19:34 Tue, 10/08/2024 - 12:00

This European Cybersecurity Month, we focus on 4 positives and 4 challenging aspects of AI in cybersecurity. Check the factsheet. 

0
European Data Protection Supervisor

Catch up on news in Newsletter Digest - Episode 14

1 month 2 weeks ago
Catch up on news in Newsletter Digest - Episode 14 miriam Tue, 09/17/2024 - 14:46 Fri, 09/20/2024 - 12:00

In this episode, we discover news and updates on Artificial Intelligence, highlight key point of IPEN workshop on human oversight of automated decision making, how can authorities combat crime and protect people's personal information and much more on neurodata. Don't miss our tip and trick of September.

1 Have a listen
European Data Protection Supervisor

Newsletter 111

1 month 3 weeks ago
Newsletter 111 miriam Fri, 09/13/2024 - 18:01 Thu, 09/19/2024 - 12:00

September can mark the season of new beginnings! Here at the EDPS we are getting ready for AI! This month we’ve also provided our advice on an agreement for judicial cooperation and its impact on data protection. You can also swing by our latest work on international data protection transfers and lots more! 

1 Read more
European Data Protection Supervisor

EDPS unveils new model for safer transfers of personal data between EU Institutions and International Organisations

3 months ago
EDPS unveils new model for safer transfers of personal data between EU Institutions and International Organisations julia Wed, 07/31/2024 - 15:14 Wed, 07/31/2024 - 12:00

One of our institution's priorities is to ensure that individuals’ personal data is protected according to EU standards both inside and outside the EU/European Economic Area.

Read Press Release

Read Model Administrative Arrangement 

0
European Data Protection Supervisor
Checked:
2 hours 2 minutes ago
Subscribe to EDPS feed

EDPB News

EDPB

EDPB adopts its first report under the EU-U.S. Data Privacy Framework and a statement on the recommendations on access to data for law enforcement

6 hours 43 minutes ago

Brussels, 05 November - During its latest plenary, the European Data Protection Board (EDPB) adopted a report on the first review1 of EU-U.S. Data Privacy Framework (DPF), as well as a statement on the recommendations of the high-level group (HLG)2 on access to data for effective law enforcement.

The EDPB welcomes the efforts by the U.S. authorities and the European Commission to implement the DPF, and takes note of several developments that took place since the adoption of the adequacy decision in July 2023.

Regarding commercial aspects, i.e. the application and enforcement of requirements applying to companies self-certified under this framework, the EDPB notes that the U.S Department of Commerce took all relevant steps to implement the certification process. This includes developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities.

In addition, the redress mechanism for EU individuals has been implemented and there is comprehensive complaint-handling guidance published on both sides of the Atlantic. However, the low number of complaints received so far under the DPF highlights the importance of having U.S. authorities initiate monitoring activities concerning compliance of DPF-certified companies with the substantive DPF Principles.

The EDPB encourages the development of guidance by U.S. authorities, clarifying the requirements that DPF-certified companies would need to comply with when they transfer personal data that they have received from EU exporters. Guidance by U.S. authorities on human resources data would also be welcome. The EDPB expresses its availability to provide feedback on these guidance documents.

Concerning the access by U.S. public  authorities  to  personal  data transferred from the EU to certified organisations, the EDPB focused; on the  effective  implementation  of  the  safeguards introduced by the Executive Order 14086 in the U.S. legal framework, such as the necessity and proportionality principles  and  the  new  redress  mechanism. The Board considers that the elements of the redress mechanism are in place; at the same time, it renews the call to the European Commission to monitor the practical functioning of the different safeguards, e.g. the implementation of the principles of necessity and proportionality. The EDPB also recommends that the Commission monitors future developments related to the U.S. Foreign Intelligence Surveillance Act, in particular given the extended reach of Section 702 after its re-authorisation by the U.S. Congress earlier this year.

EDPB Deputy Chair Zdravko Vukić said: “We are pleased that progress has been made since the adoption of the adequacy decision thanks to the fruitful cooperation between U.S. authorities, the EU Commission and the EDPB. At the same time, there is still space for improvement and we should continue working together to maintain a high level of data protection and safeguard the rights and freedoms of EU individuals.”

Finally, the Board recommends that the next review of the EU-U.S. adequacy decision should take place within three years or less.

 The statement on the recommendations of the HLG on access to data for effective law enforcement underlines that fundamental rights must be safeguarded when law enforcement agencies access the personal data of individuals. While the EDPB supports the aim of effective law enforcement, it points out that some of the HLG’s recommendations could cause serious intrusiveness vis-à-vis fundamental rights, in particular the respect for privacy and family life.

 While the EDPB positively notes the recommendation may lead to the establishment of a level-playing field on data retention, it considers that a broad and general obligation to retain data in electronic form by all service providers would create a significant interference with the rights of individuals. Therefore, the EDPB questions whether this would meet the requirements of necessity and proportionality of the Charter of Fundamental Rights of the EU and the CJEU jurisprudence. 

In its statement, the EDPB also emphasizes that the recommendations concerning encryption should not prevent its use or weaken the effectivity of the protection it provides. For example, the introduction of a client-side process allowing remote access to data before it is encrypted and sent on a communication channel, or after it is decrypted at the recipient, would in practice weaken encryption. Preserving the protection and effectivity of encryption is important to avoid that the respect for private life and confidentiality is negatively impacted and to ensure that the freedom of expression and economic growth, which depend on trustworthy technologies, are safeguarded. 

 

Note to editors

1 In line with art. 3 of EU-U.S. adequacy decision, the EU Commission is required to review the adequacy decision one year after its adoption. The review meeting was held in Washington D.C. on 18-19 July 2024 and the EU Commission was accompanied by five representatives of the EDPB.

2 The HLG was launched by the European Commission in June 2023 and it is co-chaired by the EU Commission and the rotating Presidency of the Council. It was launched with the aim to explore challenges for law enforcement practitioners in connection to access to data and propose solutions and recommendations.

In June 2024, the  HLG  published  42  recommendations  for  the further development of EU policies and legislation, structured as “capacity  building  measures”,  “cooperation  with  industry  and standardisation” and “legislative measures”. The  recommendations  cover  in  particular  encryption, cooperation  with  the  industry  as  well  as  between  law  enforcement agencies, and the need for harmonised rules on data retention.
 

EDPB

EDPB stakeholder event AI models

6 hours 43 minutes ago

The EDPB is holding a stakeholder event on “AI models” with participants representing European sector associations, organisations, NGOs, individual companies, law firms and academics. 

 

During today’s event, the EDPB will collect input for of the preparation of a consistency opinion on AI models, requested by the Irish Data Protection Authority under Art. 64 (2) GDPR.

 

EDPB Chair Anu Talus said: “During the stakeholder event we will tackle a number of targeted questions, which will feed our reflection in the context of the preparation of our Opinion on AI models. Stakeholder input is especially valuable for these fast-moving technologies with an exceptional societal impact.”

 

The EDPB's opinion on “AI models” is due by the end of 2024.

 

EDPB

EDPB meets with adequate countries

3 weeks ago

On 8 October 2024, the European Data Protection Board met with Commissioners and representatives of Data Protection Authorities (DPAs) from the fifteen countries having been subject to an EU adequacy decision. The meeting took place in the margins of the EDPB October’s plenary and reflects the EDPB’s commitment to international engagement.

The European Commission has so far recognised the following adequate countries:  Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay and United States.

Adequacy decisions are the result of a high degree of  convergence of data protection laws and enable safer data flows. 

During the meeting, the EDPB and the DPAs from the adequate countries discussed multilateral engagement on advisory work and guidelines, and on enforcement cooperation.  

 

Note to editors
Adequacy decisions are the result of a key mechanism in the EU's data protection framework that allows the free-based flow of personal data from the EU to adequate countries, provided that the European Commission has decided that these countries ensure an adequate level of data protection. In this case, the transfer does not require any specific authorisation. Adequacy decisions promote international data transfers by not requiring companies in these countries to have Standard Contractual Clauses or Binding Corporate Rules.
 

EDPB

Stakeholder event on ‘AI models’: express your interest to participate

3 weeks ago

Update on 15/10/24: The call is now closed.
Thank you to all those who expressed an interest in taking part in the EDPB stakeholder event on ‘AI models’. We will carefully review all applications and communicate the results of the process to those who applied in the coming weeks.

Brussels, 15 October - The European Data Protection Board (EDPB) organises a remote stakeholder event, taking place on 5 November 2024 (time to be confirmed), aimed at collecting input from stakeholders in the context of a request for an Art. 64(2) GDPR opinion relating to artificial intelligence models (‘AI models’) submitted to the EDPB by the Irish Data Protection Authority (DPA).

How to take part?

The EDPB launches a call for expression of interest in order to select participants for the EDPB’s stakeholder event on AI models. You can find further information on this event and instructions on how to register here. If you have technical problems submitting the application, we invite you to refresh the page or open the form in a different browser.

The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.

EDPB

Join the stakeholder event on EDPB opinion on ‘AI models’

3 weeks 4 days ago

Brussels, 11 October -The EDPB will organise a stakeholder event on ‘AI models’ on 5 November 2024 (exact time to be confirmed). 

During its latest plenary, the European Data Protection Board (EDPB) exceptionally agreed to organise a remote public event aimed at collecting input from stakeholders on issues relating to the request for an Art. 64(2) GDPR opinion on artificial intelligence ("AI") submitted to the EDPB by the Irish Data Protection Authority (DPA). 

Individuals representing European sector associations, organisations or NGOs and individual companies, law firms or academics are invited to take part in this event (one participant per organisation). The EDPB encourages all organisations interested in this matter to delegate a representative with technical knowledge of this topic.

As a general rule, participants will be registered on a first-come first-serve basis. Nonetheless, the EDPB reserves the right to give precedence to specific stakeholders among those who expressed their interest, in light of their relevance for the subject matter of this event with the aim to ensure relevant expertise among participants, as well as the diversity of the views expressed at the event.  

Do you wish to participate? 

The EDPB will launch a call for expression of interest to participate in the EDPB’s stakeholder event on ‘AI models’ on 15 October at 10.00 am (Brussels time).

The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.

The call will be launched on the EDPB website. More details will follow on the day of the launch of the call.

EDPB

CEF 2025: EDPB selects topic for next year’s Coordinated Action

3 weeks 5 days ago

Brussels, 10 October - During its October 2024 plenary, the European Data Protection Board (EDPB) selected the topic for its fourth Coordinated Enforcement Action (CEF), which will concern the implementation of the right to erasure (‘right to be forgotten’) by controllers. Data Protection Authorities (DPAs) will join this action on a voluntary basis in the coming weeks and the action itself will be launched during the first semester of 2025.

The right to erasure (Art.17 GDPR) is one of the most frequently exercised data protection rights and one about which DPAs frequently receive complaints. The aim of this coordinated action will be, among other objectives, to evaluate the implementation of this right in practice. For example, this will be done by analysing and comparing the processes put in place by different controllers to identify the most important issues in complying with this right, but also to get an overview of best practices.

In a coordinated enforcement action, the EDPB prioritises a specific topic for DPAs to work on at national level. In the past three years, DPAs have already coordinated their national actions on different topics, namely: the use of cloud in the public sector, the designation and position of Data Protection Officers and the implementation of the right of access by data controllers.

The results of these national actions are then aggregated and analysed together to generate deeper insight into the topic and allowing for targeted follow-up on both national and EU level.

In 2023, the EDPB published the report on its first coordinated action on the use of cloud-based services by the public sector.
Earlier this year, the EDPB also published the report on the outcome of the second coordinated action on the designation and position of Data Protection Officers.

The report on the outcome of the 2024 coordinated action on the right of access will be adopted at the beginning of 2025.
Coordinated actions follow the EDPB’s decision to set up a Coordinated Enforcement Framework (CEF) in October 2020. The CEF is a key action of the EDPB under its 2024-2027 Strategy, together with the Support Pool of Experts (SPE). The two initiatives aim to streamline enforcement and cooperation among DPAs.
 

EDPB

EDPB adopts Opinion on processors, Guidelines on legitimate interest, Statement on draft regulation for GDPR enforcement, and work programme 2024-2025

3 weeks 6 days ago

Brussels, 09 October - During its latest plenary, the European Data Protection Board (EDPB) adopted an Opinion on certain obligations following from the reliance on processor(s) and sub-processor(s), Guidelines on legitimate interest, a Statement on laying down additional procedural rules for GDPR enforcement and the EDPB work programme 2024-2025.

First, the EDPB adopted an Opinion on certain obligations following from the reliance on processor(s) and sub-processor(s) following an Art. 64(2) GDPR request to the Board by the Danish Data Protection Authority (DPA). Art. 64(2) GDPR provides that any DPA can ask the Board to issue an opinion on matters of general application or producing effects in more than one Member State.

The Opinion is about situations where controllers rely on one or more processors and sub-processors. In particular, it addresses eight questions on the interpretation of certain duties of controllers relying on processors and sub-processors, as well as the wording of controller-processor contracts, arising in particular from Art. 28 GDPR. 

The Opinion explains that controllers should have the information on the identity (i.e. name, address, contact person) of all processors, sub-processors etc. readily available at all times so that they can best fulfil their obligations under Art. 28 GDPR. Besides, the controller’s obligation to verify whether the (sub-)processors present ‘sufficient guarantees’ should apply regardless of the risk to the rights and freedoms of data subjects, although the extent of such verification may vary, notably on the basis of the risks associated with the processing. 

The Opinion also states that while the initial processor should ensure that it proposes sub-processors with sufficient guarantees, the ultimate decision and responsibility on engaging a specific sub-processor remains with the controller. 
The EDPB considers that under the GDPR the controller does not have a duty to systematically ask for the sub-processing contracts to check if data protection obligations have been passed down the processing chain. The controller should assess whether requesting a copy of such contracts or reviewing them is necessary for it to be able to demonstrate compliance with the GDPR.

In addition, where transfers of personal data outside of the European Economic Area take place between two (sub-)processors, the processor as data exporter should prepare the relevant documentation, such as relating to the ground of transfer used, the transfer impact assessment and the possible supplementary measures. However, as the controller is still subject to the duties stemming from Art. 28(1) GDPR on ‘sufficient guarantees’, besides the ones under Art. 44 to ensure that the level of protection is not undermined by transfers of personal data, it should assess this documentation and be able to show it to the competent Data Protection Authority.

Next, the Board adopted Guidelines on the processing of personal data based on legitimate interest.

Data controllers need a legal basis to process personal data lawfully. Legitimate interest is one of the six possible legal bases.

These Guidelines analyse the criteria set down in Art. 6(1) (f) GDPR that controllers must meet to lawfully process personal data on the basis of legitimate interest. It also takes into consideration the recent ECJ ruling on this matter (C-621/22, 4 October 2024).

In order to rely on legitimate interest, the controller needs to fulfil three cumulative conditions:

  1. The pursuit of a legitimate interest by the controller or by a third party;
  2. The necessity to process personal data for the purposes of  pursuing the legitimate interest;
  3. The interests or fundamental freedoms and rights of individuals do not take precedence over the legitimate interest(s) of the controller or of a third party (balancing exercise).

First of all, only the interests that are lawful, clearly and precisely articulated, real and present may be considered legitimate. For example, such legitimate interests could exist in a situation where the individual is a client or in the service of the controller.

Second, if there are reasonable, just as effective, but less intrusive alternatives for achieving the interests pursued, the processing may not be considered to be necessary. The necessity of a processing should also be examined with the principle of data minimisation. 

Third, the controller must ensure that its legitimate interest is not overridden by the individual's interests, fundamental rights or freedoms. In this balancing exercise, the controller needs to take into account the interests of the individuals, the impact of the processing and their reasonable expectations, as well as the existence of additional safeguards which could limit the impact on the individual. 

In addition, these Guidelines explain how this assessment should be carried out in practice, including in a number of specific contexts such as fraud prevention, direct marketing and information security. The document also explains the relationship between this legal basis and a number of data subject rights under the GDPR.

The Guidelines will be subject to public consultation until 20 November 2024.

Next, the Board adopted a Statement following the amendments made by the European Parliament and the Council to the European Commission’s proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR.

The Statement generally welcomes the modifications introduced by the European Parliament and the Council, and recommends further addressing specific elements in order for the new regulation to achieve the objectives of streamlining cooperation between authorities and improving the enforcement of the GDPR. 

The Statement makes practical recommendations that may be used in the context of the upcoming trilogues. In particular, the EDPB reiterates the need for a legal basis and harmonised procedure for amicable settlements and it makes recommendations in view of ensuring that consensus on the summary of key issues is reached in the most efficient manner. The Board also welcomes the inclusion of additional deadlines while recalling that they need to be realistic and urges the co-legislators to remove the provisions related to the relevant and reasoned objections and the ‘statement of reasons’ in the dispute resolution procedure.  

While the Statement welcomes the objective of achieving increased transparency, the introduction of a joint case file, as proposed by the European Parliament, would require complex changes to the document management and communication systems used at European and national levels. The technical solutions for its implementation should be carefully assessed, and the modalities for granting access to it should be further clarified. 

The EDPB welcomes the Council’s amendment allowing the lead DPA to opt-out from the so-called enhanced cooperation in simple and straightforward cases, but it highlights the need to clarify further the scope of this opt-out. 

EDPB Chair Anu Talus said: “The draft regulation has the potential to greatly streamline GDPR enforcement by increasing the efficiency of case handling. More harmonisation is needed at EU level, in order to maximise the full effectiveness of the GDPR’s cooperation and consistency mechanisms.”

During its latest plenary, the Board adopted its work programme for 2024-2025. This is the first one of two work programmes which will implement the EDPB strategy for 2024-2027 adopted in April 2024. It is based on the priorities set in the EDPB strategy and it also takes into account the needs identified as most important for stakeholders.

Finally, the EDPB members agreed to grant the status of observer to the EDPB’s activities to the Kosovan Information and Privacy Agency (Kosovan DPA), in line with Art. 8 EDPB Rules of Procedure.
 

EDPB

Express your interest to take part in the EDPB stakeholder event on upcoming guidelines on ‘Consent or Pay’

1 month 3 weeks ago

Update on 17/09/24: The call is now closed. 
Thank you to all those who expressed an interest in taking part in the EDPB stakeholder event on upcoming guidelines on ‘Consent or Pay’. We will carefully review all applications and communicate the results of the process to those who applied in the coming weeks.

The European Data Protection Board (EDPB) organises a remote stakeholder event, taking place on 18 November 2024 from 10.00 to 16.00 CET (exact time to be confirmed), in order to collect stakeholders’ input in the context of upcoming guidelines on the application of data protection legislation in the context of ‘Consent or Pay’ models. 

The aim of the event is to gather relevant insights from organisations that have expertise in  ‘Consent or Pay’ models, which require data subjects to choose between consenting to processing of personal data for a specified purpose or paying a fee . This event will contribute to the EDPB’s ongoing work on guidelines on ‘Consent or Pay’ models. These guidelines are a continuation of the EDPB Opinion 08/2024, which addressed the ‘Consent or Pay’ model in the context of large online platforms. The guidelines will have a broader scope of application. 

How to take part?

The EDPB launches a call for expression of interest in order to select participants for the EDPB’s stakeholder event on ‘Consent or Pay’. You can find further  information on this event and instructions to register here. If you have technical problems submitting the application, we invite you to refresh the page or open the form in a different browser.

The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.
 

EDPB

EDPB to work together with European Commission to develop guidance on interplay GDPR and DMA

1 month 3 weeks ago

The Commission services in charge of the enforcement of the Digital Markets Act (DMA) and the European Data Protection Board (EDPB) have agreed to work together to clarify and give guidance on the interplay between DMA and GDPR.

This enhanced dialogue between Commission’s services and the EDPB will focus on the applicable obligations to digital gatekeepers under the DMA which present a strong interplay with the GDPR, as there is a need to ensure the coherent application to digital gatekeepers of the applicable regulatory frameworks. 

Developing a coherent interpretation of the DMA and GDPR while respecting each regulators’ competences in areas where the GDPR applies and is referenced in the DMA is crucial to effectively implement the two regulatory frameworks and achieve their respective and complementary objectives.

The DMA established a High Level Group to provide the Commission with advice and expertise to ensure that the DMA and other sectoral regulations applicable to gatekeepers are implemented in a coherent and complementary manner. The Commission and representatives from the EDPB and EDPS already engaged on data-related and interoperability obligations in the High Level Group. This project builds on this engagement and deepens the cooperation in relation to the two specific regulatory frameworks.
 

Read more information about:

EDPB

Take part in the EDPB stakeholder event on upcoming guidelines on ‘Consent or Pay’

2 months ago

The European Data Protection Board (EDPB) is organising a remote stakeholder event aimed at collecting stakeholders’ input in the context of upcoming guidelines on the application of data protection legislation in the context of ‘Consent or Pay’ models. The event will take place on 18 November 2024 from 10.00 to 16.00 CET (exact time to be confirmed).

The aim of the event is to collect relevant insights from organisations that have expertise in  ‘Consent or Pay’ models, which require data subjects to choose between consenting to processing of personal data for a specified purpose or paying a fee. This event will contribute to the EDPB’s ongoing work on guidelines on ‘Consent or Pay’ models. These guidelines are a continuation of the EDPB Opinion 08/2024, which addressed the ‘Consent or Pay’ model in the context of large online platforms. The guidelines will have a broader scope of application. 

Individuals representing European sector associations, organisations or NGOs and individual companies, law firms or academics are invited to take part in this event (one participant per organisation). A limited number of participants will be allowed to take part, to permit a meaningful discussion in a remote setting. The EDPB encourages all organisations interested in this matter to delegate a representative with technical knowledge of this topic.

Do you wish to participate to make your voice heard? Stay tuned:

The EDPB will launch a call for expression of interest to participate in the EDPB’s stakeholder event on ‘Consent or Pay’ on 12 September at 10.00 (Brussels time). 

The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders. 

The call will be launched on the EDPB website.

EDPB

EDPB adopts statement on DPAs role in AI Act framework, EU-U.S. Data Privacy Framework FAQ and new European Data Protection Seal

3 months 2 weeks ago

Brussels, 17 July - During its latest plenary, the European Data Protection Board (EDPB) adopted a statement on the Data Protection Authorities’ (DPAs) role in the Artificial Intelligence Act (AI Act) framework.

According to the EDPB, DPAs already have experience and expertise when dealing with the impact of AI on fundamental rights, in particular the right to protection of personal data, and should therefore be designated as Market Surveillance Authorities (MSAs) in a number of cases. This would ensure better coordination among different regulatory authorities, enhance legal certainty for all stakeholders and strengthen the supervision and enforcement of both the AI Act and EU data protection law.

According to the AI Act, Members States shall appoint MSAs at national level before 2 August 2025, for the purpose of supervising the application and implementation of the AI Act.

In its statement, the EDPB recommends that:

  • As already indicated in the AI Act, DPAs should be designated as MSAs for high-risk AI systems used for law enforcement, border management, administration of justice and democratic processes;
  • Member States should consider appointing DPAs as MSAs also for other high-risk AI systems, taking account of the views of the national DPA, particularly where those high-risk AI systems are in sectors likely to impact natural persons rights and freedoms with regard to the processing of personal data;
  • DPAs, where appointed as MSAs, should be designated as the single points of contact for the public and counterparts at Member State and EU levels;
  • Clear procedures should be established for cooperation between MSAs and the other regulatory authorities which are tasked with the supervision of AI systems, including DPAs. In addition, appropriate cooperation should be established between the EU AI Office and the DPAs/EDPB.

EDPB Deputy Chair Irene Loizidou Nicolaidou said: “DPAs should play a prominent role in enforcing the AI Act as most AI systems involve processing of personal data. I strongly believe that DPAs are suitable for this role because of their full independence and deep understanding of the risks of AI for fundamental rights, based on their existing experience.”

Next, the Board adopted two Frequently Asked Questions (FAQ) documents concerning the EU-U.S. Data Privacy Framework (DPF), aimed at providing more clarification on the functioning of the DPF.

The FAQ for individuals provides information on the functioning of the DPF: how to benefit from it, how to lodge a complaint and how this complaint will be handled.

Likewise, the FAQ for businesses explains which U.S. companies are eligible to join the DPF: what to do before transferring personal data to a company in the U.S. which is DPF-certified, and where to find further guidance.

Finally, the EDPB adopted an opinion approving the EuroPriSe Criteria Catalogue for  the  certification of processing activities by processors, resulting in a European Data Protection Seal.* European Data Protection Seals serve as important tools contributing to GDPR compliance.

In September 2022, the EDPB had adopted an opinion on the EuroPriSe certification criteria, enabling their recognition in Germany as certification criteria for processing operations by processors. Following an update of the scheme, this new opinion approves the criteria as being applicable in the whole EU/EEA, and as a European Data Protection Seal.

GDPR certification contributes to the demonstration of compliance efforts and to increased transparency and trust. It allows for better assessment of the degree of protection offered by products, services, processes or systems used by organisations that process personal data.

Note to editors:

*The EuroPrise European Data Protection Seal will be added to the register of certification mechanisms and data protection seals in accordance with Article 42(8) GDPR.

The opinion on the approval of the EuroPriSe certification scheme as European Data Protection Seal, adopted during the EDPB Plenary, is subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once it has been completed.

EDPB
Checked:
2 hours 2 minutes ago
Subscribe to EDPB feed