Tag: EDPB

EDPB adopts Guidelines on processing of personal data through video devices

13. August 2019

Recently, the EDPB has adopted its Guidelines on processing of personal data through video devices (“the guidelines”). The guidelines provide assistance on how to apply the GDPR in cases of processing through video devices with several examples, which are not exhaustive but applicable for all areas of using video devices.

In a first step, the guidelines set the scope of application. The GDPR is only applicable for the use of video devices if

  • personal data is collected through the video device ( e.g. a person is identifiable on basis of their looks or other specific elements)
  • the processing is not carried out by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, or,
  • the so-called “household exemption” does not apply (processing by a natural person in the course of personal or household activity).

Before processing personal data through video devices, controllers must specify their legal basis for it. According to the guidelines, every legal ground under Article 6 (1) can provide a legal basis. The purposes for using video devices for processing personal data should be documented in writing and specified for every camera in use.

Another subject of the guidelines is the transparency of the processing. The controllers have to inform data subjects about the video surveillance. The EDPB recommends a layered approach and combining several methods to ensure transparency. The most important information should be written on the warning sign itself (first layer) and the other mandatory details may be provided by other means (second layer). The second layer must also be easily accessible for data subjects.

The guidelines also deal with storage periods and technical and organizational measures (TOMs). In some member states may be specific provisions for storing video surveillance footage, but it is recommended to – ideally automatically – delete the personal data after a few days. As with any kind of data processing, the controller must adequately secure it and therefore must have implemented technical and organizational measures. Examples provided are masking or scrambling areas that are not relevant to surveillance, or the editing out of images of third persons, when providing video footage to data subjects.

Until September 9th 2019, the guidelines will be open for public consultation and a final and revised version is planned for the end of 2019.

EDPB: One year – 90.000 Data Breach Notifications

20. May 2019

Because of the GDPR’s first anniversary the EDPB published a new report that looks back on the first year GDPR.

Besides other findings of the report, the EDPB states that the national supervisory authorities received in total 281.088 complaints. 89.271 data breach notifications, 144.376 GDPR-related complaints and 47.441 other. Three month ago the number of received complaints were in total 206.326, 64.484 data breach notifications, 94.622 GDPR-related complaints from data subjects and 47.020 other. These number of complaints prove that the complaints have (on average) increased in the last three month.

At the time of the EDPB report 37% of the complaints are ongoing and 0,1% of the fined companies appealed against the decision of the supervisory authority. The other 62,9% were already closed. This proves that in contrast to the report after nine month, 2/3 of the complaints have been processed in the meantime. Three month ago only 52% were closed.

Referring to the EDPB report from three month ago, fines totalling € 55.955.871 were awarded for the detected violations by 11 authorities. With this high sum, however, it must be noted that € 50 million was imposed on Google alone. The current EDPB-report does not include a passage on fines.

All in all, the increase in queries and complaints, compared to the previous years, confirm the risen awareness on data protection. According to the Eurobarometer 67% of EU citizens have heard of the GDPR, 36% indicated that they are aware of the GDPR entails and 57% know about the existence of a public authority.

The European Data Protection Board presents Work Program for 2019/2020

14. February 2019

On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.

The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).

The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as the ruling by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.

The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.

Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.

EDBP: Guidelines on the territorial scope of the GDPR

29. November 2018

As the European Data Protection Board (EDPB) announced, the board adopted new draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR). The goal of the guidelines is to “provide a common interpretation of the territorial scope of the GDPR and provide further clarification on the application of the GDPR in various situations”. The territorial scope is laid down in Article 3 GDPR.

In the meantime, the EDPB published a version of the guidelines for public consultation.

The guidelines cover the following topics:

  • Application of the establishment criterion – Art 3 (1)
  • Application of the targeting criterion – Art 3 (2)
  • Processing in a place where Member State law applies by virtue of public international law
  • Representative of controllers or processors not established in the Union

The guidelines not only describe and clarify the regulatory content of Article 3 GDPR. It also provides various examples from a practical point of view in order to simplify the issue. For controllers and processors of personal data, it is of significant relevance to know whether one falls under the scope of the GDPR considering the legal and possible financial consequences.

Therefore, legal terms should be as clear as possible. Already on the first pages, an example for the necessity to clarify and specify the regulatory content of Art 3 GDPR can be found. The EDPB points out, that the notion “establishment” (unlike the notion “main establishment”, which is defined in Article 4 (16) GDPR) is not defined in Article 3 GDPR, resulting in an attempt to clarify the term.

Category: GDPR
Tags: , ,