Happy Data Protection Day! Listen to our Q&A with the EDPS' Data Protection Officer.
The EDPS makes a series of recommendations on four key issues in the proposed Regulation that could have an important impact on individuals' personal data and privacy. To find out the EDPS' detailed advice to the EU's co-legislators, read the Press Release and Opinion.
Each year on 28 January, we celebrate Data Protection Day. This date commemorates the anniversary of the Council of Europe's Convention 108, the first binding international law securing individuals' rights to protection of their personal data. Read our factsheets to learn more about your rights.
The EDPS publishes the results of its survey on the role, responsibilities and tasks of data protection officers in the EU institutions, bodies, offices and agencies (EUIs).
Since 2004, the EDPS protects the personal data of EU citizens and guides EU institutions, bodies, offices and agencies so that they are exemplary in upholding data protection principles. The celebration of these two decades is an opportunity to reflect on past, present, and future challenges for a modern regulator in order to pave the way forward for the next 20 years.
Discover the dedicated website for the 20th Anniversary and learn about the four pillars mapping out our ambitions for the years to come.
Newsletter Digest Podcast - episode #9 is out. Have a listen now!
Read the latest news, activities and actions of the European Data Protection Supervisor.
Join us on 25 January 2024 in Brussels at the Computers, Privacy, Data Protection conference organised by the EDPS, the Privacy Salon, CPDP colleagues, and the Council of Europe to mark Data Protection Day. More information on the topics to be discussed and registration details here: cpdp-dataprotectionday.eu.
Episode 2 of our podcast TechDispatch Talks is now available! Delve into the world of AI: how do these systems operate, make decisions, and use data? Learn about Explainable AI: its benefits and its challenges.
The new TechDispatch delves into the intricacies of Explainable Artificial Intelligence, unravelling the complexities to make AI understandable and transparent. Read more.
Today the EDPS publishes the summary report of the EDPS Seminar on the CSAM Proposal: “The Point of No Return?”
EDPS publishes the “Study on the essence of fundamental rights to privacy and to protection of personal data”.
Listen to our latest episode of the Newsletter Digest Podcast!
In this issue: CSAM, the point of no return? EDPS actions on Artificial Intelligence, the digital euro, how to be smarter than a hacker, and more diverse topics to read now.
The EDPB has published a thematic one-stop-shop case digest on Security of Processing (Art. 32 GDPR) and Data Breach Notification (Art. 33 & 34 GDPR).
Since the entry into force of the GDPR, data protection authorities (DPAs) have closely cooperated to adopt a growing number of one-stop-shop decisions on data security and data breaches.
The case digest offers valuable insights on how DPAs have interpreted and applied GDPR provisions in diverse scenarios, such as hacking, ransomware, or accidental data disclosure.
Case handlers working within DPAs now have a rich pool of analyses of security incidents, along with the corresponding security measures found to be appropriate or not in the specific context.
The summary and analysis of these decisions are useful for organisations (both controllers and processors) when assessing whether their security measures are appropriate, both before and following a data breach.
This is the second instalment of the EDPB's case digests, which look at a selection of one-stop-shop decisions taken from the EDPB's public register. The one-stop-shop case digests are produced within the framework of the EDPB Support Pool of Experts, a strategic initiative that helps DPAs increase their capacity to supervise and enforce.
Brussels, 17 January - During its latest plenary, the EDPB adopted a report on the findings of its second coordinated enforcement action, which focused on the designation and position of Data Protection Officers (DPOs). The report is the result of an EU-wide coordinated investigation and lists the obstacles currently faced by DPOs, along with a series of recommendations to further strengthen their role.
Anu Talus, EDPB Chair said: “The Coordinated Enforcement Framework (CEF) enables data protection authorities (DPAs) to cooperate more closely on selected topics in order to achieve better efficiency and more consistency. DPOs play an important part in contributing to compliance with data protection law and promoting effective protection of data subject rights. Through the CEF, DPAs investigated whether DPOs have the means to fulfil their tasks, as required by the GDPR. The report provides an analysis of the challenges faced by DPOs, along with points of attention and recommendations to address these challenges.”
In the course of 2023, 25 DPAs across the European Economic Area (EEA) (including the EDPS) launched coordinated investigations into this topic. Various organisations, as well as DPOs, were contacted across the EEA, covering a wide range of sectors (both public and private entities), and more than 17,000 replies were received and analysed. Extensive data was collected, offering valuable insights into the profile, position and work of DPOs 5 years after the entry into application of the GDPR.
Despite some concerns and challenges faced by some DPOs (such as the lack of designation of a DPO, even if mandatory; insufficient resources or expert knowledge for the DPO; DPOs not being fully entrusted with the tasks required under data protection law; lack of independence or of reporting to the highest management), the results are encouraging. The majority of the DPOs surveyed declare that they have the necessary skills and knowledge to do their work and receive regular training; they have clearly defined tasks in line with the GDPR and do not receive instructions on how to exercise their duties. In addition, they indicate that they are consulted in most cases and provided with sufficient information to fulfil their tasks, and that their opinions are followed quite well. Moreover, most consider that they have the means to do their job. However, there are still too many DPOs who are not in such a position.
In order to address the challenges identified, the report lists some recommendations for organisations, DPOs and DPAs to strengthen DPOs’ independence and to guarantee that they have the necessary resources to carry out their tasks. Among others, the report encourages DPAs to carry out more awareness-raising activities, information and enforcement actions. The report also encourages organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments.
The report is accompanied by two appendices: the statistics gathered during this action and the national reports of each participating DPA.
The CEF is a key action of the EDPB under its 2021-2023 Strategy, aimed at streamlining enforcement and cooperation among DPAs. The CEF 2024 action will be on the implementation of the right of access by data controllers.
Further information on the national designation and position of DPOs:
- AT SA: Announcements of the Data Protection Authority - ORF contribution (formerly: GIS broadcasting fees)
- CZ SA: The EDPB investigated the position of data protection officers
- DA SA: The EDPB adopts a report on the role of the data protection officer
- DE SA, BayLDA - The Bavarian State Office for Data Protection Supervision: Europe-wide review of the position and tasks of data protection officers yields mixed results
- EDPS: EDPS publishes results of the Coordinated Enforcement Action on data protection officers
- EL SA: The coordinated action of the supervisory authorities on the role of Data Protection Officers has been completed; the Authority's audits of public bodies are ongoing
- ES SA: Results of the European action that analysed the designation and position of data protection officers
- FI SA: The European Data Protection Board published a report on the survey of the position of data protection officers; many data protection officers still face challenges in their role
- FR SA: The role and resources of the data protection officer: results of CNIL investigations (available in FR and EN)
- IT SA: The European Data Protection Board identifies areas for improvement to promote the role and recognition of DPOs
- PT SA: The European Board approves a report on the role of DPOs
- PL SA: Designation and position of data protection officers - EDPB report on the CEF investigation
- SI SA: Data protection officers: findings of the coordinated joint supervisory action
- SE SA: The EDPB publishes a report on the role and position of data protection officers
During its latest plenary, the EDPB adopted a letter in response to the European Commission regarding the cookie pledge voluntary initiative. The EDPB welcomes the Commission's initiative, which aims to help protect the fundamental rights and freedoms of users, to empower them to make effective choices, and to increase transparency towards users.
The cookie pledge initiative was developed by the European Commission in response to concerns regarding the so-called “cookie fatigue” phenomenon and consists of a voluntary business pledge to simplify the management of cookies and personalised advertising choices by consumers. On 10 October 2023, the European Commission asked the EDPB to consider whether any of the draft pledge principles would be contrary to the GDPR and the ePrivacy Directive.
The draft pledging principles would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. In addition, under the draft principles, consent should not be asked for again for a year once it has been refused; this is an important step towards reducing cookie fatigue.
Furthermore, the EDPB flags that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive. The data protection authorities remain competent to exercise their powers when necessary.
EDPB: Application of the GDPR successful, but sufficient resources are necessary to tackle the challenges of the future
Brussels, 15 December - During its latest plenary, the EDPB adopted its contribution to the European Commission’s report on the application of the GDPR. The EDPB considers that the application of the GDPR in the first 5 and a half years has been successful. While a number of important challenges lie ahead, the EDPB considers it premature to revise the GDPR at this point in time and calls on the co-legislators to swiftly adopt the new Regulation laying down additional procedural rules relating to the cross-border enforcement of the GDPR. In addition, the EDPB stresses that the DPAs and the EDPB need sufficient resources to continue carrying out their tasks.
EDPB Chair Anu Talus said: “The GDPR has strengthened, modernised and harmonised data protection principles across the EU. The EDPB guidance played a key role in making individuals and businesses aware of their rights and responsibilities under the GDPR. We will keep on supporting the implementation of the GDPR in particular by SMEs, and more generally raising awareness of the GDPR. In addition, cooperation among DPAs and enforcement of the GDPR has gained momentum. More than ever, the EDPB is committed to ensure effective and consistent enforcement of the GDPR.”
The EDPB has consolidated its position as the EU body in charge of ensuring the consistent application of the GDPR, making use of the full set of instruments at its disposal. It has built a comprehensive library of guidance documents to help promote compliance among controllers and processors and consistent enforcement by DPAs. In addition, it has supplied a framework for the practical application of compliance tools such as codes of conduct and certification mechanisms, which has enabled them to become operational in a consistent manner across the EU. Furthermore, the EDPB has aptly played its unique role in settling disputes in cross-border cases, thereby ensuring the consistent application of the GDPR.
Regarding enforcement, the EDPB is convinced that effective and efficient cooperation between DPAs leads to a common data protection culture. The existing tools in the GDPR have the potential to achieve this goal, provided that they are used in a sufficiently harmonised way.
The EDPB and the DPAs will continue their efforts to further enhance enforcement cooperation and to achieve more efficient and consistent results within the current legal framework.
Given the importance of streamlining national procedural rules, the EDPB submitted in October 2022 a ‘wish list’ to the European Commission, on procedural aspects that could be harmonised at EU level. The EDPB-EDPS joint opinion of 19 September 2023 on the Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR, welcomed that the proposal aims to foster effective enforcement of data protection rules and intends to give effect to many of the suggestions contained in the ‘EDPB wish list’; it also made a number of recommendations to ensure the greatest possible efficiency of this upcoming Regulation.
Moreover, the EDPB calls on Member States to make sure that all DPAs have the necessary resources to carry out their tasks effectively, as there are considerable challenges ahead. First and foremost, the continuously evolving technological landscape presents new data protection challenges every day. New legislation is also being considered or has been introduced, providing additional rules to create a safer digital space and to establish a level playing field for businesses in the digital economy, such as the DMA, the DSA, the DGA or the proposal for an AI Act. These new laws may place additional responsibilities on DPAs or the EDPB with regard to enforcement and supervision. However, there is a discrepancy between this increasing workload and the available resources. In addition, both the EDPB's and DPAs' tasks under the GDPR continue at an increased intensity. Moreover, increased enforcement cooperation among DPAs, which in turn leads to higher involvement of the EDPB, has had a significant impact on the workload. The success in the performance of these tasks relies largely on the resources available to the DPAs and to the EDPB, including via its Secretariat. It is therefore essential to ensure that the EDPB Secretariat is provided with the necessary resources, as it plays a key role in the preparation and execution of many of the tasks entrusted to the EDPB.
Regarding international transfers, the EDPB underlines the importance of continuing to develop adequacy decisions with third countries and international organisations, and expects the Commission to finalise its work on the review of the adequacy decisions adopted under Directive 95/46/EC.
In addition, the EDPB encourages the Commission to continue developing international cooperation and stresses the importance of effective enforcement cooperation with third countries.
During the plenary, the EDPB also held a general discussion on the ‘pay or ok’ model. It was decided that a request for mandate for guidelines on this topic will be prepared.
Brussels, 7 December 2023 - Following the EDPB’s urgent binding decision of October 27th 2023, the Irish data protection authority (IE DPA) adopted its final decision on 10 November 2023, imposing a ban on Meta Ireland Limited (Meta IE) for the processing of personal data for behavioural advertising purposes on the basis of contract and legitimate interest. The EDPB urgent binding decision followed a request from the Norwegian Data Protection Authority (NO DPA) to order final measures in this matter which would have effect in the entire European Economic Area (EEA).
EDPB Chair Anu Talus said: “After careful consideration, the EDPB considered it necessary to instruct the IE DPA to impose an EEA-wide processing ban, addressed to Meta IE. Already in December 2022, the EDPB Binding Decisions clarified that contract is not a suitable legal basis for the processing of personal data carried out by Meta for behavioural advertising. In addition, Meta has been found by the IE DPA to not have demonstrated compliance with the orders imposed at the end of last year. This has led to the use of the Art. 66 urgency procedure - a derogation from the usual cooperation procedure which can only be used in exceptional circumstances.”
On 14 July 2023, the NO DPA adopted an order imposing a temporary ban under Art. 66 (1) GDPR on Meta IE and Facebook Norway AS (“Facebook Norway”) regarding the processing of personal data of Norwegian data subjects for behavioural advertising relying on the legal bases of contract or legitimate interest. This ban was limited in time and geographic scope: it was valid for three months and only applicable in Norway. On 26 September 2023, the NO DPA submitted a request to the EDPB for an urgent binding decision to order the adoption of final measures applicable for users in all EEA states.
Following its analysis of the file, the EDPB concluded that there are ongoing infringements of the GDPR and there is an urgent need to act in light of the risks for the rights and freedoms of the data subjects.
Based on the evidence provided, the EDPB found that there was an ongoing infringement of Art. 6(1) GDPR because of the inappropriate use of the legal bases of contract and legitimate interest for the processing of personal data collected by Meta IE for the purpose of behavioural advertising.
In addition, the EDPB concluded that there was also an ongoing infringement of Meta's duty to comply with decisions by DPAs, most notably the IE DPA's final decisions of December 2022.
Regarding the existence of urgency, the EDPB concluded that the regular cooperation mechanisms cannot be applied in their usual manner and that the urgent need to order final measures is clear in light of the risks of serious and irreparable harm caused to data subjects without the adoption of final measures.
Furthermore, the EDPB found that the IE DPA failed to address a request for mutual assistance from the NO DPA within the timeframe set out in the GDPR. The presumption of urgency set by Art. 61 (8) GDPR therefore applies, which further corroborates the need to derogate from the regular cooperation and consistency mechanisms.
The EDPB therefore decided that final measures needed to be adopted by the IE DPA. It considered it appropriate, proportionate and necessary to instruct the IE DPA to impose a ban on processing addressed to Meta IE for processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of contract and legitimate interest.
This urgent binding decision was addressed to the IE DPA, the NO DPA and the other concerned DPAs and the IE DPA adopted its final decision on 10 November 2023.
What is Art. 66 GDPR?
In exceptional circumstances, when a DPA considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects within its territory, it can adopt provisional measures that have a legal effect on their own territory for a maximum of three months.
These measures are adopted by way of derogation from the GDPR's consistency mechanism (Art. 63 GDPR) or the One-Stop-Shop mechanism (Art. 60 GDPR). This tool was designed so that authorities are always in a position to protect the rights and freedoms of individuals in their respective Member State, in all circumstances.
The DPA that issues such provisional measures must communicate these measures and the reasons for adopting them without undue delay to the other DPAs concerned, the European Data Protection Board and the European Commission.
If the DPA that has taken such provisional measures considers that final measures need to be adopted urgently, it can request an urgent opinion or an urgent binding decision from the EDPB, providing the reasons for the urgent need to order the adoption of final measures by derogation to the standard cooperation and consistency procedures.
The Coordinated Supervision Committee (CSC) has re-elected Sebastian Hümmeler from the German Federal data protection authority as its Deputy Coordinator for a term of two years.
The CSC ensures the coordinated supervision of the large EU Information Systems and of EU bodies, offices and agencies in accordance with Article 62 of Regulation 2018/1725 or with the EU legal act establishing the large scale IT system or EU body, office or agency. It was created within the framework of the European Data Protection Board (EDPB) and brings together the EU data protection authorities (DPAs) and the European Data Protection Supervisor (EDPS), as well as the data protection authorities of the Non-EU Schengen Member States, when foreseen under EU law.
The CSC currently covers the Internal Market Information system (IMI), Eurojust, the European Public Prosecutor's Office (EPPO), Europol and the Schengen Information System (SIS). Gradually, the Committee will also cover other IT systems, bodies, offices and agencies in the fields of Border, Asylum and Migration (EES, Eurodac, ETIAS, VIS, and their interoperability), Police and Justice Cooperation (SIS, ECRIS-TCN) and the next generation Prüm. You can find more information on the Committee here: https://edpb.europa.eu/csc/about-csc/who-we-are-coordinated-supervision-committee_en
Update: Public Consultation deadline changed to 18 January 2024
Brussels, 15 November - The EDPB adopted Guidelines on the technical scope of Art. 5 (3) of the ePrivacy Directive. The Guidelines aim to clarify which technical operations, in particular new and emerging tracking techniques, are covered by the Directive, and to provide greater legal certainty to data controllers and individuals.
EDPB Chair Anu Talus said: “It is no secret that tracking the activities of users online can seriously harm people’s privacy. The ambiguities regarding the scope of application of Art. 5(3) ePrivacy Directive and the emergence of new techniques, in addition to or as an alternative to traditional cookies, have given rise to new privacy risks. These guidelines discuss solutions, such as tracking links and pixels, local processing, and unique identifiers, to ensure that the consent obligations set out by the article are not circumvented.”
In order to clarify the scope of the article, the Guidelines analyse the key notions referred to in this article, such as 'information', 'terminal equipment of a subscriber or user', 'electronic communications network', 'gaining access' and 'stored information/storage'. The Guidelines also include a set of practical use cases featuring common tracking techniques.
The Guidelines only address the scope of the application of Art. 5(3) ePrivacy Directive. They do not address how consent should be collected, or the exemptions set out in the article.
The Guidelines will be submitted for public consultation until 18 January 2024.