Tag: EDPB Guidelines

EDPB released a new Guidance on Virtual Voice Assistants

31. March 2021

In recent years, Virtual Voice Assistants (VVA) have enjoyed increased popularity among technophile consumers. VVAs are integrated in modern smartphones like Siri on Apple or Google Assistant on Android mobile devices, but can also be found in seperate terminal devices like Alexa on the Amazon Echo device. With Smart Homes trending, VVAs are finding their ways into many homes.

However, in light of their general mode of operation and their specific usage, VVAs potentially have access to a large amount of personal data. They furthermore use new technologies such as machine learning and artificial intelligence in order to improve their services.

As both private households and corporate businesses are increasingly using VVAs and questions on data protection arise, the European Data Protection Board (EDPB) sought to provide guidance to the relevant data controllers. Therefore, the EDPB published a guidance on Virtual Voice Assistants earlier this month.

In its guidance, the EDPB specifically addresses VVA providers and VVA application developers. It encourages them to take considerations of data protection into account when designing their VVA service, as layed out by the principle of data protection by design and default under Art. 25 GDPR. The EDPB suggests that, for example, controllers could fulfil their information obligations pursuant to Art. 13/14 GDPR using voice based notifications if the VVA works with a screenless terminal device. VVA designers could also enable users to initiate a data subject request though easy-to-follow voice commands.

Moreover, the EDPB states that in their opinion, providing VVA services will require a Data Protection Impact Assessment according to Art. 35 GDPR. The guidance also gives further advice on complying with general data protection principles and is still open for public consultation until 23 April 2021.

EDPB published Guideline on Data Breach Examples for Controllers

28. January 2021

On January 18th, 2021, the European Data Protection Board (EDPB) published their draft Guidelines 01/2021 on Examples regarding Data Breach Notification.

These Guidelines are supposed to give further support to Controllers alongside the initial Guidelines on Personal Data Breach Notification under the GDPR, adopted by the Article 29 Working Party in February 2018. These new Guidelines are meant to consider different types of situations that the Supervisory Authorities have come across in the last two and a half years since the implementation of the GDPR.

The EDPB’s intention is to assist Controllers in deciding how to handle data breaches, namely by identifying the factors that they must consider when conducting risk assessments to determine whether a breach must be reported to relevant Supervisory Authorities as well as if a notification to the affected Data Subjects is necessary.

The draft Guidelines present examples of common data breach scenarios, including:

• ransomware attacks, where a malicious code encrypts the personal data and the attacker subsequently asks the controller for a ransom in exchange for the decryption code
• data exfiltration attacks, which exploit vulnerabilities in online services offered by the controller and typically aim at copying, exfiltrating and abusing personal data for malicious purposes
• human errors resulting in data breaches that are fairly common and can be both intentional and unintentional
• lost or stolen devices and paper documents
• “mispostal” scenarios, that arise from human error without malicious intent
• social engineering, such as identity theft and email exfiltration

The draft Guidelines further emphasize key elements of data breach management and response that organizations should consider, namely:

• proactively identifying system vulnerabilities in order to prevent data breaches from happening in the first place
• assessing whether a breach is likely to result in a risk to the rights and freedoms of the Data Subject, the timing of this assessment and the importance of Controllers not delaying a notification because of unclear circumstances
• implementing plans, procedures and guidelines indicating how to handle data breaches that have clear reporting lines and persons responsible for the recovery process
• organizing regular trainings for employees to raise awareness on data breach management, and the latest developments in the area
• documenting breaches in each and every case, irrespective of the risk they pose

The Guidelines will be open for public consultation until March 2nd, 2021, during which the EDPB will gather feedback on the draft.