Tag: EDPB

Hungarian Government suspends GDPR rights for COVID-19 related Data Processing

12. May 2020

In the face of the Corona pandemic, Hungary is currently in an indefinite “state of emergency”. Originally, Prime Minister Viktor Orbán decreed the state of emergency on 11 March 2020 for a period of 15 days. However, on 30 March 2020, the Hungarian Parliament passed emergency legislation (Bill on Protection against Coronavirus or Bill T/9790) extending the state of emergency until terminated by the Prime Minister and allowing the Prime Minister to rule by decree during the state of emergency. The Bill was passed thanks to the two-thirds majority of Orbán’s Fidesz Party in the Hungarian Parliament.

On 4 May 2020, Prime Minister Orbán issued Decree No. 179/2020, which contains several provisions that extensively affect data protection in Hungary for the duration of the state of emergency.

Most importantly, the decree suspends the individual data subject’s rights pursuant to Art. 15 to 22 of the European GDPR when processing personal data for the purpose of preventing, recognising, and stopping the spread of the Coronavirus. It also stipulates that the one month time limit for Controllers to provide the necessary information (Art. 12 para. 3 GDPR) will only begin after the termination of the state of emergency for any Coronavirus related data subject requests. Furthermore, the data collection information requirements for Controllers pursuant to Art. 13 and 14 GDPR will be satisfied by publishing an electronic privacy notice providing the purpose and the legal basis of data processing which the data subjects may take notice of.

The emergency decree received much criticism from various European Data Protection authorities and civil rights groups. The head of the European Data Protection Board (“EDPB”) Andrea Jelinek stated that she is “personally very worried” about the developments, and described the Hungarian government’s decision as “unnecessary [and] detrimental”. In its most recent plenary session, the EDPB also specifically discussed Hungary’s emergency measures in light of European Data Protection Law.

EDPB ratifies new Guideline on Health Data Processing during COVID-19

27. April 2020

The European Data Protection Board (EDPB) adopted a new Guideline on the processing of health data for scientific purposes in the context of the COVID-19 pandemic on April 21, 2020. It aims at providing clarity on the most urgent matters and issues in relation to the processing of health data. Those matters include the legal basis for processing, the implementation of adequate safeguards as well as data subjects’ rights.

The Guideline states that the GDPR contains several provisions for the processing of health data in relation to scientific research. The first one would be the consent in Art. 6 (II) a GDPR in combination with Art. 9 (II) a GDPR. The EDPB emphasizes that the consent has to meet all the necessary conditions in order to be valid: notably, consent must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement.

Further, the EDPB clarifies that Art. 6 (I) e or f GDPR in combination with the enacted derogations under Art. 9 (II) (i) or (j) GDPR can provide a legal basis for the processing of personal (health) data for scientific research. National legislators can implement their own derogations, setting ground for national legal bases in regulation with the GDPR.

The EDPB also addresses the case of further processing of health data for scientific purposes, which means the case when health data has not been collected for the primary purpose of scientific research. In these cases, the Guideline states that the scientific research is not incompatible with the original purpose of the processing, as long as the principles of Art. 5 GDPR are being upheld.

With regard to international transfers, the Guidelines place specific emphasis on transfers to countries with no adequacy decision by the European Commission. In such cases, it is possible for the exporter of the data to rely on the derogations of Art. 49 (I) a GDPR (explicit consent) and Art. 49 (I) d GDPR (transfer necessary for important public interest). However, these derogations do not entitle continuous or repeated transfers, and are only supposed to be used as temporary measures. The EDPB states that this is a sanitary crisis like none before, and therefore transfers to other countries for scientific research constitute an international emergency in which the public interest may take first priority. But the Guideline makes clear that in case of repeated transfers, safeguards according to Art. 46 GDPR have to be taken.

The Guideline further emphasizes that situations like the current pandemic outbreak do not restrict data subjects from exercising their rights. However, Art. 82 (II) GDPR gives national lawmakers the possibility to restrict data subject rights, though these restrictions should apply only as is strictly necessary.

Overall, the EDPB states that any processing or transfer will need to take into consideration, on a case-by-case basis, the respective roles (controller, processor, joint controller) and related obligations of the actors involved in order to identify the appropriate measures in each case.

EDPB adopts Guidelines on processing of personal data through video devices

13. August 2019

Recently, the EDPB has adopted its Guidelines on processing of personal data through video devices (“the guidelines”). The guidelines provide assistance on how to apply the GDPR in cases of processing through video devices with several examples, which are not exhaustive but applicable for all areas of using video devices.

In a first step, the guidelines set the scope of application. The GDPR is only applicable for the use of video devices if

  • personal data is collected through the video device (e.g. a person is identifiable on the basis of their looks or other specific elements),
  • the processing is not carried out by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, or,
  • the so-called “household exemption” does not apply (processing by a natural person in the course of personal or household activity).

Before processing personal data through video devices, controllers must specify their legal basis for it. According to the guidelines, every legal ground under Article 6 (1) can provide a legal basis. The purposes for using video devices for processing personal data should be documented in writing and specified for every camera in use.

Another subject of the guidelines is the transparency of the processing. The controllers have to inform data subjects about the video surveillance. The EDPB recommends a layered approach and combining several methods to ensure transparency. The most important information should be written on the warning sign itself (first layer) and the other mandatory details may be provided by other means (second layer). The second layer must also be easily accessible for data subjects.

The guidelines also deal with storage periods and technical and organizational measures (TOMs). In some member states there may be specific provisions for storing video surveillance footage, but it is recommended to delete the personal data, ideally automatically, after a few days. As with any kind of data processing, the controller must adequately secure it and therefore must have implemented technical and organizational measures. Examples provided are masking or scrambling areas that are not relevant to surveillance, or the editing out of images of third persons when providing video footage to data subjects.

Until September 9th 2019, the guidelines will be open for public consultation and a final and revised version is planned for the end of 2019.

EDPB: One year – 90.000 Data Breach Notifications

20. May 2019

On the occasion of the GDPR’s first anniversary, the EDPB published a new report that looks back on the first year of the GDPR.

Besides other findings of the report, the EDPB states that the national supervisory authorities received a total of 281.088 complaints: 89.271 data breach notifications, 144.376 GDPR-related complaints and 47.441 other. Three months ago, the total number of complaints received was 206.326: 64.484 data breach notifications, 94.622 GDPR-related complaints from data subjects and 47.020 other. These numbers prove that the complaints have (on average) increased in the last three months.

At the time of the EDPB report, 37% of the complaints are ongoing and 0,1% of the fined companies appealed against the decision of the supervisory authority. The other 62,9% were already closed. This proves that, in contrast to the report after nine months, 2/3 of the complaints have been processed in the meantime. Three months ago only 52% were closed.

According to the EDPB report from three months ago, fines totalling € 55.955.871 were imposed by 11 authorities for the detected violations. With this high sum, however, it must be noted that € 50 million was imposed on Google alone. The current EDPB report does not include a passage on fines.

All in all, the increase in queries and complaints, compared to the previous years, confirms the increased awareness of data protection. According to the Eurobarometer, 67% of EU citizens have heard of the GDPR, 36% indicated that they are aware of what the GDPR entails and 57% know about the existence of a public authority.

The European Data Protection Board presents Work Program for 2019/2020

14. February 2019

On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.

The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).

The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as to rule by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.

The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator-planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.

Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.

EDPB: Guidelines on the territorial scope of the GDPR

29. November 2018

As the European Data Protection Board (EDPB) announced, the board adopted new draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR). The goal of the guidelines is to “provide a common interpretation of the territorial scope of the GDPR and provide further clarification on the application of the GDPR in various situations”. The territorial scope is laid down in Article 3 GDPR.

In the meantime, the EDPB published a version of the guidelines for public consultation.

The guidelines cover the following topics:

  • Application of the establishment criterion – Art 3 (1)
  • Application of the targeting criterion – Art 3 (2)
  • Processing in a place where Member State law applies by virtue of public international law
  • Representative of controllers or processors not established in the Union

The guidelines not only describe and clarify the regulatory content of Article 3 GDPR, they also provide various examples from a practical point of view in order to simplify the issue. For controllers and processors of personal data, it is of significant relevance to know whether one falls under the scope of the GDPR considering the legal and possible financial consequences.

Therefore, legal terms should be as clear as possible. Already on the first pages, an example of the necessity to clarify and specify the regulatory content of Art 3 GDPR can be found. The EDPB points out that the notion “establishment” (unlike the notion “main establishment”, which is defined in Article 4 (16) GDPR) is not defined in Article 3 GDPR, resulting in an attempt to clarify the term.
