During this 37th plenary session, the Board adopted Guidelines on the concepts of controller and processor and Guidelines on the targeting of social media users.
The EDPB also created a taskforce focusing complaints following the CJEU Schrems II judgement and a taskforce devoted to the supplementary measures that data exporters and importers can be required to take to ensure adequate protection when transferring data to a third country.
Guidelines on the concepts of controller and processor
Following a stakeholder event that took place in 2019, the EDPB understood the need for more practical guidance and allowed the Board to better understand the needs and concerns in the field.
The new Guidelines is made up of two main parts: one explaining the different concepts; the other including detailed guidance on the main consequences of these concepts for controllers, processors and joint controllers.
The Guidelines are subject to public consultation (see here).
In this regard, we will update the “Controller or Processor ?” article shortly.
Guidelines on the targeting of social media users
The Guidelines provide practical guidance and various practical examples of different situations.
The main purpose of the Guidelines is to clarify the roles and responsibilities of the social media provider and other stakeholders.
To this end, the Guidelines, among others:
- identify the potential risks for the freedoms of the targeted individuals, the main actors and their roles, the application of key data protection requirements;
- provides details about the different targeting mechanisms, the processing of special categories of data in this context and the obligation for joint controllers to put in place an appropriate arrangement.
These guidelines are also subject to public consultation (see here)
Setting up of two task forces to look into the 101 complaints filed following the CJEU Schrems II judgement and provide guidelines on the additional guarantees to implement when transferring data to the US
According to the EDPB, 101 identical complaints have been lodged with EEA Data Protection Authorities against several controllers in the EEA member states regarding their use of Google / Facebook services which involve the transfer of personal data.
The complainants, represented by the NGO NOYB, claim that Google/Facebook transfer personal data to the U.S. relying on the EU-U.S. Privacy Shield or Standard Contractual Clauses (which are no longer provide sufficient guarantees to transfer data to the US).
The task force will analyse the matter and ensure close cooperation among the members of the Board.
As a follow-up to the FAQ adopted on 23 July, another taskforce will prepare recommendations to clarify the need for controllers and processor to identify and implement appropriate supplementary measures when transferring data to certain third countries.