In its recent decision of June 15, 2021, involving Facebook and the Belgium Data Protection Authority (“DPA”), the European Court of Justice (the “ECJ” or the “Court”) clarified the conditions under which the non-lead supervisory authorities may exercise their powers
Record of Processing Activities
Under the European General Data Protection Regulation (GDPR), organisations processing personal data must maintain a record of their processing activities (ROPA) unless an exemption applies.
However, the type of information to maintain in this record differs depending on whether the organisations act as a controller or as a processor with regard to a specific processing activity.
Besides, some of the processing activities recorded may also be subject to a data protection impact assessment (DPIA), which requires additional information (see here).
Data Protection Impact Assessment (DPIA)
Under the General Gata Protection Regulation (GDPR), controllers must now now:
Keep a record of their processing activities (see here for more details); and
Carry out a Data Protection Impact Assessment (DPIA) where the data processing is likely to result in a high risk to the rights and freedoms of the data subjects.
A DPIA is a process designed to describe the processing, assess its necessity and proportionality and manage the risks to the individuals’ rights and freedoms resulting from thereof.
CJEU: Combating Crime Does Not Justify General Retention and Unrestricted Access to Location and Traffic Data
In its decision of December 21, 2016 (Joined Cases C-203/15 and C-698/15) the Court of Justice of the European Union (CJEU) ruled that national legislation may not provide for general and indiscriminate retention of all traffic and location data of