The European Data Protection Board (“EDPB”) has recently released new draft guidelines on personal data breach notification.
These new guidelines complement the previous and more general guidelines on the same subject that were issued by the EDPB, then the article 29 Working Party, in October 2017 (see here for more details)
Although quite comprehensive, the previous guidelines lacked practical details in certain regards as they were drafted at a time where the authorities and organisations did not have much experience of personal data breach notification. More than two years later, the EDPB has decided to provide guidelines made up of practical examples taken from their experiences.
During its 40th and 41st plenary sessions that took place in November, the European data protection board (EDBP) adopted the following recommendations: – Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal
The European Data Protection Board (EDPB), a Board reuniting all the EU data protection authorities, met for its 40th plenary session on October 21. During this meeting, the EDPB : adopted the final version of the Guidelines on Data Protection
During this 37th plenary session, the Board adopted Guidelines on the concepts of controller and processor and Guidelines on the targeting of social media users. The EDPB also created a taskforce focusing complaints following the CJEU Schrems II judgement and
On 23 July 2020, the European Data Protection Board (EDPB) released a FAQ on the consequences of the CJEU’s judgement of 16 Juley 2020 (Schrems 2)
This judgment invalidates the Privacy Shield, an EU-US data transfer mechanisms, and conditions the validity of the Standards contractual clauses (SCCs), another transfer mechanisms, to the prior analysis of the level of protection provided by the third country recipient and the implementation of additional measures where necessary.
This FAQ provides a glimpse of the position of the Authorities following the CJEU Decision that calls into question the possibility to transfer any personal data to the US. However, the EDPB remains relatively unspecific as it is currently working on more detailed guidance that should be released shortly.