Tag: European Data Protection Board
13. August 2019
Recently, the EDPB has adopted its Guidelines on processing of personal data through video devices (“the guidelines”). The guidelines provide assistance on how to apply the GDPR in cases of processing through video devices with several examples, which are not exhaustive but applicable for all areas of using video devices.
In a first step, the guidelines set the scope of application. The GDPR is only applicable for the use of video devices if
- personal data is collected through the video device ( e.g. a person is identifiable on basis of their looks or other specific elements)
- the processing is not carried out by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, or,
- the so-called “household exemption” does not apply (processing by a natural person in the course of personal or household activity).
Before processing personal data through video devices, controllers must specify their legal basis for it. According to the guidelines, every legal ground under Article 6 (1) can provide a legal basis. The purposes for using video devices for processing personal data should be documented in writing and specified for every camera in use.
Another subject of the guidelines is the transparency of the processing. The controllers have to inform data subjects about the video surveillance. The EDPB recommends a layered approach and combining several methods to ensure transparency. The most important information should be written on the warning sign itself (first layer) and the other mandatory details may be provided by other means (second layer). The second layer must also be easily accessible for data subjects.
The guidelines also deal with storage periods and technical and organizational measures (TOMs). In some member states may be specific provisions for storing video surveillance footage, but it is recommended to – ideally automatically – delete the personal data after a few days. As with any kind of data processing, the controller must adequately secure it and therefore must have implemented technical and organizational measures. Examples provided are masking or scrambling areas that are not relevant to surveillance, or the editing out of images of third persons, when providing video footage to data subjects.
Until September 9th 2019, the guidelines will be open for public consultation and a final and revised version is planned for the end of 2019.
20. May 2019
Because of the GDPR’s first anniversary the EDPB published a new report that looks back on the first year GDPR.
Besides other findings of the report, the EDPB states that the national supervisory authorities received in total 281.088 complaints. 89.271 data breach notifications, 144.376 GDPR-related complaints and 47.441 other. Three month ago the number of received complaints were in total 206.326, 64.484 data breach notifications, 94.622 GDPR-related complaints from data subjects and 47.020 other. These number of complaints prove that the complaints have (on average) increased in the last three month.
At the time of the EDPB report 37% of the complaints are ongoing and 0,1% of the fined companies appealed against the decision of the supervisory authority. The other 62,9% were already closed. This proves that in contrast to the report after nine month, 2/3 of the complaints have been processed in the meantime. Three month ago only 52% were closed.
Referring to the EDPB report from three month ago, fines totalling € 55.955.871 were awarded for the detected violations by 11 authorities. With this high sum, however, it must be noted that € 50 million was imposed on Google alone. The current EDPB-report does not include a passage on fines.
All in all, the increase in queries and complaints, compared to the previous years, confirm the risen awareness on data protection. According to the Eurobarometer 67% of EU citizens have heard of the GDPR, 36% indicated that they are aware of the GDPR entails and 57% know about the existence of a public authority.
25. February 2019
The European Data Protection Board has published an information note to explain data transfer to organisations and facilitate preparation in the event that no agreement is reached between the EEA and the UK. In case of a no-deal Brexit, the UK becomes a third country for which – as things stand at present – no adequacy decision exists.
EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:
• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals
In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.
Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.
The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.
14. February 2019
On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.
The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).
The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as the ruling by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.
The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.
Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.
17. October 2018
Regarding the data protection impact assessment (“DPIA”) the European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States. This is supposed to clarify which processing operations are subject to the requirement of conducting a DPIA under the EU General Data Protection Regulation (“GDPR”).
The European Data Protection Board is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The Supervisory Authorities will now be given two weeks to decide whether they want to amend their draft list or maintain them and explain their decision.
Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. Several EU Members States provided their list: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.
The national lists can vary because the SAs must take into account not only their national legislation but also the national or regional context.
To some extent, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. Furthermore, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The objective of the EDPB opinions is to ensure consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among the EU States with respect to this requirement.
28. July 2016
In the case Verein für Konsumenteninformation v. Amazon, the Court of Justice of the European Union has to decide which Member State’s data protection law should apply in case goods are sold across national borders but within the EU. In the respective case goods are sold from a German or Luxembourgish website to an Austrian consumer.
This can be seen as one of the more significant data protection cases of 2016. The judgement will be significant due to the fact that the EU is in the process of implementing the new General Data Protection Regulation. As a consequence an European Data Protection Board (EDPB) will be established, which will represent Data Protection Authorities of different Member States. The EDPB will also be responsible for conflicts of jurisdiction. However, this process has been described as a “ (…) hyper bureaucratic procedure that will lead to more complexity and longer procedures.”
In case the Court of Justice of the European Union clarifies the jurisdiction of Data Protection Authorities, there may be less need to utilise these hyper-bureaucratic procedures. This could make the EU’s single market more efficient.
The Court of Justice of the European Union will probably rule on this matter today.
