October is the European CyberSecurity Month! Together with ENISA, we discuss various topics that any individual or organisation should not missed out!
1 Have a listen!In this episode, we welcome Frances Haugen, advocate for accountability and transparency in social media. She will bring a wealth of knowledge and experience to today’s discussion.
Frances Haugen is an expert in algorithmic product management, with extensive experience working on ranking algorithms at major tech companies such as Google, Pinterest, Yelp, and Facebook. At Facebook, she led the Civic Misinformation team, where she became concerned about the platform's impact on vulnerable communities.
1 Watch the interviewBrussels, 09 October - During its latest plenary, the European Data Protection Board (EDPB) adopted an Opinion on certain obligations following from the reliance on processor(s) and sub-processor(s), Guidelines on legitimate interest, a Statement on laying down additional procedural rules for GDPR enforcement and the EDPB work programme 2024-2025.
First, the EDPB adopted an Opinion on certain obligations following from the reliance on processor(s) and sub-processor(s) following an Art. 64(2) GDPR request to the Board by the Danish Data Protection Authority (DPA). Art. 64(2) GDPR provides that any DPA can ask the Board to issue an opinion on matters of general application or producing effects in more than one Member State.
The Opinion is about situations where controllers rely on one or more processors and sub-processors. In particular, it addresses eight questions on the interpretation of certain duties of controllers relying on processors and sub-processors, as well as the wording of controller-processor contracts, arising in particular from Art. 28 GDPR.
The Opinion explains that controllers should have the information on the identity (i.e. name, address, contact person) of all processors, sub-processors etc. readily available at all times so that they can best fulfil their obligations under Art. 28 GDPR. Besides, the controller’s obligation to verify whether the (sub-)processors present ‘sufficient guarantees’ should apply regardless of the risk to the rights and freedoms of data subjects, although the extent of such verification may vary, notably on the basis of the risks associated with the processing.
The Opinion also states that while the initial processor should ensure that it proposes sub-processors with sufficient guarantees, the ultimate decision and responsibility on engaging a specific sub-processor remains with the controller.
The EDPB considers that under the GDPR the controller does not have a duty to systematically ask for the sub-processing contracts to check if data protection obligations have been passed down the processing chain. The controller should assess whether requesting a copy of such contracts or reviewing them is necessary for it to be able to demonstrate compliance with the GDPR.
In addition, where transfers of personal data outside of the European Economic Area take place between two (sub-)processors, the processor as data exporter should prepare the relevant documentation, such as relating to the ground of transfer used, the transfer impact assessment and the possible supplementary measures. However, as the controller is still subject to the duties stemming from Art. 28(1) GDPR on ‘sufficient guarantees’, besides the ones under Art. 44 to ensure that the level of protection is not undermined by transfers of personal data, it should assess this documentation and be able to show it to the competent Data Protection Authority.
Next, the Board adopted Guidelines on the processing of personal data based on legitimate interest.
Data controllers need a legal basis to process personal data lawfully. Legitimate interest is one of the six possible legal bases.
These Guidelines analyse the criteria set down in Art. 6(1) (f) GDPR that controllers must meet to lawfully process personal data on the basis of legitimate interest. It also takes into consideration the recent ECJ ruling on this matter (C-621/22, 4 October 2024).
In order to rely on legitimate interest, the controller needs to fulfil three cumulative conditions:
First of all, only the interests that are lawful, clearly and precisely articulated, real and present may be considered legitimate. For example, such legitimate interests could exist in a situation where the individual is a client or in the service of the controller.
Second, if there are reasonable, just as effective, but less intrusive alternatives for achieving the interests pursued, the processing may not be considered to be necessary. The necessity of a processing should also be examined with the principle of data minimisation.
Third, the controller must ensure that its legitimate interest is not overridden by the individual's interests, fundamental rights or freedoms. In this balancing exercise, the controller needs to take into account the interests of the individuals, the impact of the processing and their reasonable expectations, as well as the existence of additional safeguards which could limit the impact on the individual.
In addition, these Guidelines explain how this assessment should be carried out in practice, including in a number of specific contexts such as fraud prevention, direct marketing and information security. The document also explains the relationship between this legal basis and a number of data subject rights under the GDPR.
The Guidelines will be subject to public consultation until 20 November 2024.
Next, the Board adopted a Statement following the amendments made by the European Parliament and the Council to the European Commission’s proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR.
The Statement generally welcomes the modifications introduced by the European Parliament and the Council, and recommends further addressing specific elements in order for the new regulation to achieve the objectives of streamlining cooperation between authorities and improving the enforcement of the GDPR.
The Statement makes practical recommendations that may be used in the context of the upcoming trilogues. In particular, the EDPB reiterates the need for a legal basis and harmonised procedure for amicable settlements and it makes recommendations in view of ensuring that consensus on the summary of key issues is reached in the most efficient manner. The Board also welcomes the inclusion of additional deadlines while recalling that they need to be realistic and urges the co-legislators to remove the provisions related to the relevant and reasoned objections and the ‘statement of reasons’ in the dispute resolution procedure.
While the Statement welcomes the objective of achieving increased transparency, the introduction of a joint case file, as proposed by the European Parliament, would require complex changes to the document management and communication systems used at European and national levels. The technical solutions for its implementation should be carefully assessed, and the modalities for granting access to it should be further clarified.
The EDPB welcomes the Council’s amendment allowing the lead DPA to opt-out from the so-called enhanced cooperation in simple and straightforward cases, but it highlights the need to clarify further the scope of this opt-out.
EDPB Chair Anu Talus said: “The draft regulation has the potential to greatly streamline GDPR enforcement by increasing the efficiency of case handling. More harmonisation is needed at EU level, in order to maximise the full effectiveness of the GDPR’s cooperation and consistency mechanisms.”
During its latest plenary, the Board adopted its work programme for 2024-2025. This is the first one of two work programmes which will implement the EDPB strategy for 2024-2027 adopted in April 2024. It is based on the priorities set in the EDPB strategy and it also takes into account the needs identified as most important for stakeholders.
Finally, the EDPB members agreed to grant the status of observer to the EDPB’s activities to the Kosovan Information and Privacy Agency (Kosovan DPA), in line with Art. 8 EDPB Rules of Procedure.
In this episode, we welcome Amba Kak. She has spent the last fifteen years designing and advocating for technology policy in the public interest, ranging from network neutrality to privacy to algorithmic accountability, across government, industry, and civil society – and in many parts of the world.
1 Watch the interviewIn this episode, our guest is Hellen Mukiri-Smith, Researcher/Advisor on AI and Human Rights at Amnesty Tech.
0Meet Finley, a cybercriminal and Amari, an employee of a big public organisation; as the dangers of pretexting creep up, what will happen between our two protagonists? Read comic to find out.
0Ransomware starts with cybercriminals taking control of your systems, how do you react to prevent this and what should you do if you are a victim of ransomware? Check our factsheet.
0What are common cyber threats that lead to personal data breaches? Read Factsheet
0This European Cybersecurity Month, we focus on 4 positives and 4 challenging aspects of AI in cybersecurity. Check the factsheet.
019 years of cooperation with International Organisations on data protection.
1 Read blogpostIn this episode, we discover news and updates on Artificial Intelligence, highlight key point of IPEN workshop on human oversight of automated decision making, how can authorities combat crime and protect people's personal information and much more on neurodata. Don't miss our tip and trick of September.
1 Have a listenSeptember can mark the season of new beginnings! Here at the EDPS we are getting ready for AI! This month we’ve also provided our advice on an agreement for judicial cooperation and its impact on data protection. You can also swing by our latest work on international data protection transfers and lots more!
1 Read moreUpdate on 17/09/24: The call is now closed.
Thank you to all those who expressed an interest in taking part in the EDPB stakeholder event on upcoming guidelines on ‘Consent or Pay’. We will carefully review all applications and communicate the results of the process to those who applied in the coming weeks.
The European Data Protection Board (EDPB) organises a remote stakeholder event, taking place on 18 November 2024 from 10.00 to 16.00 CET (exact time to be confirmed), in order to collect stakeholders’ input in the context of upcoming guidelines on the application of data protection legislation in the context of ‘Consent or Pay’ models.
The aim of the event is to gather relevant insights from organisations that have expertise in ‘Consent or Pay’ models, which require data subjects to choose between consenting to processing of personal data for a specified purpose or paying a fee . This event will contribute to the EDPB’s ongoing work on guidelines on ‘Consent or Pay’ models. These guidelines are a continuation of the EDPB Opinion 08/2024, which addressed the ‘Consent or Pay’ model in the context of large online platforms. The guidelines will have a broader scope of application.
How to take part?
The EDPB launches a call for expression of interest in order to select participants for the EDPB’s stakeholder event on ‘Consent or Pay’. You can find further information on this event and instructions to register here. If you have technical problems submitting the application, we invite you to refresh the page or open the form in a different browser.
The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.
The Commission services in charge of the enforcement of the Digital Markets Act (DMA) and the European Data Protection Board (EDPB) have agreed to work together to clarify and give guidance on the interplay between DMA and GDPR.
This enhanced dialogue between Commission’s services and the EDPB will focus on the applicable obligations to digital gatekeepers under the DMA which present a strong interplay with the GDPR, as there is a need to ensure the coherent application to digital gatekeepers of the applicable regulatory frameworks.
Developing a coherent interpretation of the DMA and GDPR while respecting each regulators’ competences in areas where the GDPR applies and is referenced in the DMA is crucial to effectively implement the two regulatory frameworks and achieve their respective and complementary objectives.
The DMA established a High Level Group to provide the Commission with advice and expertise to ensure that the DMA and other sectoral regulations applicable to gatekeepers are implemented in a coherent and complementary manner. The Commission and representatives from the EDPB and EDPS already engaged on data-related and interoperability obligations in the High Level Group. This project builds on this engagement and deepens the cooperation in relation to the two specific regulatory frameworks.
Read more information about:
Read the story of this special partnership in this blogpost by EDPS Secretary General, available here.
0The European Data Protection Board (EDPB) is organising a remote stakeholder event aimed at collecting stakeholders’ input in the context of upcoming guidelines on the application of data protection legislation in the context of ‘Consent or Pay’ models. The event will take place on 18 November 2024 from 10.00 to 16.00 CET (exact time to be confirmed).
The aim of the event is to collect relevant insights from organisations that have expertise in ‘Consent or Pay’ models, which require data subjects to choose between consenting to processing of personal data for a specified purpose or paying a fee. This event will contribute to the EDPB’s ongoing work on guidelines on ‘Consent or Pay’ models. These guidelines are a continuation of the EDPB Opinion 08/2024, which addressed the ‘Consent or Pay’ model in the context of large online platforms. The guidelines will have a broader scope of application.
Individuals representing European sector associations, organisations or NGOs and individual companies, law firms or academics are invited to take part in this event (one participant per organisation). A limited number of participants will be allowed to take part, to permit a meaningful discussion in a remote setting. The EDPB encourages all organisations interested in this matter to delegate a representative with technical knowledge of this topic.
Do you wish to participate to make your voice heard? Stay tuned:
The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.
The call will be launched on the EDPB website.