On November 12th and 13th, the European Data Protection Board (EDPB) met for its fifteenth plenary session. During the plenary, the following topics were discussed:
- Third Annual Privacy Shield Review
- Guidelines on Territorial Scope
- Guidelines on Data Protection by Design & Default
- Response letter to LIBE on EU Information Systems
- Additional protocol to the Budapest Convention on Cybercrime
Below is a summary of the press release posted by the EDPB on the first three bullet points above.
Guidelines on Territorial Scope
The EDPB adopted a final version of the Guidelines on Territorial Scope following a public consultation. The guidelines aim to provide a common interpretation when assessing whether particular processing by a controller or a processor falls within the territorial scope of the legal framework, as per Art. 3 GDPR. They also provide further clarification on the designation and role of the representative under Art. 27 GDPR.
Guidelines on Data Protection by Design & Default (Draft)
The EDPB adopted Guidelines on Data Protection by Design & Default. The guidelines focus on the obligation of Data Protection by Design and by Default (DPbDD) as set forth in Art. 25 GDPR.
These guidelines focus on the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default and the capacity for controllers to demonstrate that any measures implemented in this regard are effective. The guidelines will be submitted for public consultation.
Third Annual Privacy Shield Review
The EDPB adopted its report on the third Annual Joint Review of the EU-US Privacy Shield.
It welcomes the efforts made by the U.S. authorities to implement the Privacy Shield. However, the Board points out that substantial compliance checks with the substance of the Privacy Shield’s principles remain a concern.
Areas that require further attention are the application of the Privacy Shield requirements regarding onward transfers, HR data and processors, as well as the recertification process. The EDPB points out that the members of the Review Team would benefit from broader access to non-public information, concerning commercial aspects and ongoing investigations.
As regards the collection of data by public authorities, the Board reiterates that its security-cleared experts remain ready to review further documents and discuss additional classified elements.
While the EDPB welcomes the new elements provided during this year’s review, the EDPB still cannot conclude that the Ombudsperson is vested with sufficient powers to access information and remedy non-compliance.
For full access to the EDPB’s press release, click here.