20 Talks - Koen Lenaerts: President of the Court of Justice of the European Union
In this episode, our guest is Koen Lenaerts, President of the Court of Justice of the European Union.
In this Talk, our guest is Daniel J. Solove, Professor of Intellectual Property and Technology Law, George Washington University Law School and President & CEO of TeachPrivacy.
On 20 June 2024, we invite you to the European Data Protection Summit: “Rethinking Data in a Democratic Society”. This unique event brings together privacy experts, technology specialists, policy-makers, and other influential voices to discuss how data protection can safeguard our democratic society.
Following its investigation, the EDPS has found that the European Commission has infringed several key data protection rules when using Microsoft 365. In its decision, the EDPS imposes corrective measures on the Commission.
The EDPS is participating in the EDPB's Coordinated Enforcement Action on how individuals’ right of access is addressed specifically in the EU institutions, bodies, offices and agencies (EUIs). This right lies at the heart of data protection.
In this episode, our guest is Nataša Pirc Musar, President of the Republic of Slovenia and former Information Commissioner of Slovenia.
On the special occasion of Valentine’s Day, this episode of 20 Talks dives into the topic of online scams when looking for romance and love.
Listen to this new episode, where we explain how the confidentiality of communications can be protected; the privacy impact of combatting migrant smuggling; what children's online habits are and their consequences; and more.
In Newsletter #107, find more information about our numerous initiatives and actions to celebrate our 20th anniversary. January also marked Data Protection Day, a time to delve deeper into the data protection issues and approaches to take to protect individuals. And more.
EDPS issues Opinion on the proposed Regulation to extend the temporary derogation from certain provisions of the ePrivacy Directive to combat child sexual abuse online.
Happy Data Protection Day! Listen to our Q&A with the EDPS' Data Protection Officer
The EDPS makes a series of recommendations on four key issues in the proposed Regulation that could have an important impact on individuals’ personal data and privacy. To find out the EDPS' detailed advice to the EU's co-legislators, read the Press Release and Opinion.
Each year on 28 January, we celebrate Data Protection Day. This date commemorates the anniversary of the Council of Europe’s Convention 108, the first binding international law securing individuals' rights to protection of their personal data.
The EDPS publishes the results of its survey on the role, responsibilities and tasks of data protection officers in the EU institutions, bodies, offices and agencies (EUIs).
Since 2004, the EDPS has protected the personal data of EU citizens and guided EU institutions, bodies, offices and agencies so that they are exemplary in upholding data protection principles. The celebration of these two decades is an opportunity to reflect on past, present, and future challenges for a modern regulator in order to pave the way forward for the next 20 years.
Discover the dedicated website for the 20th Anniversary and learn about the four pillars mapping out our ambitions for the years to come.
Newsletter Digest Podcast - episode #9 is out. Have a listen now!
Read the latest news, activities and actions of the European Data Protection Supervisor.
Brussels, 28 February - The European Data Protection Board has kicked off its Coordinated Enforcement Framework (CEF) action for 2024. Throughout the year, 31 Data Protection Authorities (DPAs), including 7 German State-level DPAs, across the EEA will take part in this initiative on the implementation of the right of access.
During its October 2023 plenary, the EDPB selected the right of access for its third coordinated enforcement action, as it is at the heart of data protection and one of the most frequently exercised data protection rights, and one which DPAs receive many complaints about. In particular, it enables individuals to check whether their personal data is processed in a compliant manner by organisations. In addition, it often enables the exercise of the other data protection rights, such as the right to rectification and erasure.
In 2023, the EDPB adopted Guidelines on data subject rights - Right of access to help organisations respond to data access requests from individuals in line with the requirements set out in the GDPR. To gauge how organisations are complying with the right of access in practice, participating DPAs will implement the CEF in a number of ways:
The results of the joint initiative will be analysed in a coordinated manner and the DPAs will decide on possible further supervision and enforcement actions. In addition, all results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at EU level. The EDPB will publish a report on the outcome of this analysis once the actions are concluded.
This series of actions is the third initiative under the Coordinated Enforcement Framework (CEF), which aims to streamline enforcement and cooperation among DPAs.
Previous coordinated actions looked into the use of cloud services by the public sector, in 2022, and the designation and position of Data Protection Officers, in 2023.
During its January plenary, the EDPB adopted:
Coordinated Enforcement Action, Designation and Position of Data Protection Officers, 17 January 2024
Opinion 01/2024 on the draft decision of the Dutch Supervisory Authority regarding the Processor Binding Corporate Rules of the Booking.com Group, 16 January 2024
Brussels, 14 February - During its latest plenary, the EDPB adopted an Opinion on the notion of main establishment and on the criteria for the application of the One-Stop-Shop mechanism, following an Art. 64(2) GDPR request by the French Data Protection Authority (DPA). The Opinion clarifies the notion of a controller’s “main establishment” in the EU, in particular for cases where decisions regarding the processing are taken outside the EU.
EDPB Chair Anu Talus said: “The notion of main establishment is one of the cornerstones of the One-Stop-Shop. It is key in determining which, if any, DPA is the lead supervisory authority in cross-border data protection cases. The EDPB Opinion sheds further light on the conditions for controllers to access the One-Stop-Shop and provides further guidance for DPAs when determining which DPA is in the lead.”
In its Opinion, the EDPB considers that a controller’s “place of central administration” in the EU can be considered as a main establishment under Art. 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and if it has the power to have such decisions implemented. The EDPB further explains that the One-Stop-Shop mechanism can only apply if there is evidence that one of the establishments of the controller in the Union takes decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. This means that, when the decisions on the purposes and means of the processing are taken outside of the EU, there should be no main establishment of the controller in the Union, and therefore the One-Stop-Shop should not apply.
This Opinion is the latest in a series of concrete actions taken by the EDPB following its Vienna Statement on cross-border enforcement, aiming to streamline enforcement and cooperation among DPAs.
Next, the EDPB adopted a Statement on the legislative developments regarding the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse. The Statement follows the EDPB-EDPS Joint Opinion on the European Commission’s Proposal for a Regulation and focuses on the latest legislative developments, in particular the position of the European Parliament of November 2023.
The EDPB welcomes the many improvements proposed by the Parliament, such as exempting end-to-end encrypted communications from detection orders. However, the EDPB regrets that the text proposed by the Parliament does not seem to fully resolve important issues flagged by the EDPB and the EDPS related to general and indiscriminate monitoring of private communications in particular in relation to the issuing of detection orders.
EDPB Chair Anu Talus said: “Child sexual abuse is a particularly heinous crime and requires effective solutions. It is important that any new legal instrument is unambiguous and respects the fundamental rights to privacy and data protection. An excessive level of access to online communications would undermine those important principles and may itself have negative impacts on the rights, and the safety, of both adults and children alike; we must be very careful of actions which ultimately do more harm than good. The EDPB is of the opinion that the wording proposed by the Parliament should provide appropriate guarantees that detection orders will be sufficiently targeted, to ensure that it can protect victims without disproportionally affecting the rights and freedoms protected by EU law.”
The EDPB stresses the importance of further limiting the risk that those orders could affect persons who are unlikely to be involved in child sexual abuse-related crimes. Furthermore, the EDPB regrets that detection orders are not limited to child sexual abuse materials (CSAM) that are already known to authorities, despite the fact that the technologies used to detect new CSAM have proven in the past to have significant error rates.
During the plenary, the EDPB also discussed the scope of the guidance related to the Consent or Pay model. In addition to the upcoming Art. 64 (2) Opinion, which will address the Consent or Pay model in the context of large online platforms, it was agreed that there is a need to consecutively develop Guidelines with a broader scope.
Finally, the EDPB nominated several representatives to take part in, respectively, the European Commission’s Data Privacy Framework review team, Digital Markets Act High-Level Subgroup on Art. 5.2 DMA, and Digital Services Act taskforce on age verification.
The EDPB has launched a website auditing tool that can be used to help analyse whether websites are compliant with the law. The tool was developed in the context of the EDPB Support Pool of Experts (SPE) and can be used by both legal and technical auditors at data protection authorities (DPAs), as well as by controllers and processors who wish to test their own websites. The tool is Free and Open Source Software under the EUPL 1.2 Licence and is available for download on code.europa.eu. The source code is available here.
The new tool allows preparing, carrying out and evaluating audits directly in the tool by a simple visit to the website in question. The tool is also compatible with other tools, such as the EDPS website evidence collector, and allows auditors to import and evaluate the results of audits carried out on those tools. Finally, the tool can generate reports.
While several website auditing tools already exist, these usually require technical expertise. Therefore, the EDPB decided to develop a solution that would be easy to use in order to facilitate enforcement by national DPAs and compliance checks by controllers.
The software was developed by an SPE expert under the supervision of the EDPB Secretariat. It was presented to auditors from DPAs at the first EDPB Bootcamp in June 2023. Following positive feedback from the participants, it was decided to consolidate the software and publish it as Free and Open Source Software. A second version with new features is planned for later this year.
The Support Pool of Experts was developed as part of the EDPB 2021-2023 Strategy to help DPAs increase their capacity to enforce by developing common tools and giving them access to a wide pool of experts.
On the occasion of Data Protection Day, we invite you to meet EDPB Chair Anu Talus, who was appointed in May 2023 for a mandate of 5 years.
Check out the video below to learn all about how the Chair combines her work at the EDPB with her work as Finnish Data Protection Ombudsman and how both roles complement and enrich each other.
Happy Data Protection Day from all of us at the EDPB!
The EDPB has published a thematic one-stop-shop case digest on Security of Processing (Art. 32 GDPR) and Data Breach Notification (Art. 33 & 34 GDPR).
Since the entry into force of the GDPR, data protection authorities (DPAs) have closely cooperated to adopt a growing number of one-stop-shop decisions on data security and data breaches.
The case digest offers valuable insights on how DPAs have interpreted and applied GDPR provisions in diverse scenarios, such as hacking, ransomware, or accidental data disclosure.
Case handlers working within DPAs now have a rich pool of analyses of security incidents, along with the corresponding security measures found to be appropriate or not in the specific context.
The summary and analysis of these decisions are useful for organisations (both controllers and processors) when assessing whether their security measures are appropriate, both before and following a data breach.
This is the second instalment of the EDPB’s case digests, which look at a selection of one-stop-shop decisions taken from the EDPB’s public register. The one-stop-shop case digests are produced within the framework of the EDPB Support Pool of Experts, a strategic initiative that helps DPAs increase their capacity to supervise and enforce.
Brussels, 17 January - During its latest plenary, the EDPB adopted a report on the findings of its second coordinated enforcement action, which focused on the designation and position of Data Protection Officers (DPOs). The report is the result of an EU-wide coordinated investigation and lists the obstacles currently faced by DPOs, along with a series of recommendations to further strengthen their role.
Anu Talus, EDPB Chair said: “The Coordinated Enforcement Framework (CEF) enables data protection authorities (DPAs) to cooperate more closely on selected topics in order to achieve better efficiency and more consistency. DPOs play an important part in contributing to compliance with data protection law and promoting effective protection of data subject rights. Through the CEF, DPAs investigated whether DPOs have the means to fulfil their tasks, as required by the GDPR. The report provides an analysis of the challenges faced by DPOs, along with points of attention and recommendations to address these challenges.”
In the course of 2023, 25 DPAs across the European Economic Area (EEA) (including the EDPS) launched coordinated investigations into this topic. Various organisations, as well as DPOs were contacted across the EEA, covering a wide range of sectors (both public and private entities), and more than 17,000 replies were received and analysed. Extensive data was collected offering valuable insights into the profile, position and work of DPOs 5 years after the entry into application of the GDPR.
Despite some concerns and challenges faced by some DPOs (such as the lack of designation of a DPO, even if mandatory; insufficient resources or expert knowledge for the DPO; DPOs not being fully entrusted with the tasks required under data protection law; lack of independence or of reporting to the highest management), the results are encouraging. The majority of the DPOs interrogated declare that they have the necessary skills and knowledge to do their work and receive regular trainings; they have clearly defined tasks in line with the GDPR and do not receive instructions on how to exercise their duties. In addition, they indicate that they are consulted in most cases, and provided with sufficient information to fulfil their tasks, and their opinions are followed quite well. Moreover, most consider that they have the means to do their job. However, there are still too many DPOs who are not in such a position.
In order to address the challenges identified, the report lists some recommendations for organisations, DPOs and DPAs to strengthen DPOs’ independence and to guarantee that they have the necessary resources to carry out their tasks. Among others, the report encourages DPAs to carry out more awareness-raising activities, information and enforcement actions. The report also encourages organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments.
The report is accompanied by two appendices: the statistics gathered during this action and the national reports of each participating DPA.
The CEF is a key action of the EDPB under its 2021-2023 Strategy, aimed at streamlining enforcement and cooperation among DPAs. The CEF 2024 action will be on the implementation of the right of access by data controllers.
During its latest plenary, the EDPB adopted a letter in response to the European Commission regarding the cookie pledge voluntary initiative. The EDPB welcomes the Commission’s initiative, which aims to help protect the fundamental rights and freedoms of users, to empower them to make effective choices, and to increase transparency towards users.
The cookie pledge initiative was developed by the European Commission in response to concerns regarding the so-called “cookie fatigue” phenomenon and consists of a voluntary business pledge to simplify the management of cookies and personalised advertising choices by consumers. On 10 October 2023, the European Commission asked the EDPB to consider whether any of the draft pledge principles would be contrary to the GDPR and the ePrivacy Directive.
The draft pledging principles would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. In addition, with the draft principles, consent should not be asked again for a year once it has been refused; this is an important step towards reducing cookie fatigue.
Furthermore, the EDPB flags that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive. The data protection authorities remain competent to exercise their powers when necessary.
Brussels, 15 December - During its latest plenary, the EDPB adopted its contribution to the European Commission’s report on the application of the GDPR. The EDPB considers that the application of the GDPR in the first 5 and a half years has been successful. While a number of important challenges lie ahead, the EDPB considers it premature to revise the GDPR at this point in time and calls on the co-legislators to swiftly adopt the new Regulation laying down additional procedural rules relating to the cross-border enforcement of the GDPR. In addition, the EDPB stresses that the DPAs and the EDPB need sufficient resources to continue carrying out their tasks.
EDPB Chair Anu Talus said: “The GDPR has strengthened, modernised and harmonised data protection principles across the EU. The EDPB guidance played a key role in making individuals and businesses aware of their rights and responsibilities under the GDPR. We will keep on supporting the implementation of the GDPR in particular by SMEs, and more generally raising awareness of the GDPR. In addition, cooperation among DPAs and enforcement of the GDPR has gained momentum. More than ever, the EDPB is committed to ensure effective and consistent enforcement of the GDPR.”
The EDPB has consolidated its position as the EU body in charge of ensuring the consistent application of the GDPR, making use of the full set of instruments at its disposal. It has built a comprehensive library of guidance documents to help promote compliance among controllers and processors and consistent enforcement by DPAs. In addition, it has supplied a framework for the practical application of compliance tools such as codes of conduct and certification mechanisms, which has enabled them to become operational in a consistent manner across the EU. Furthermore, the EDPB has aptly played its unique role in settling disputes in cross-border cases, thereby ensuring the consistent application of the GDPR.
Regarding enforcement, the EDPB is convinced that effective and efficient cooperation between DPAs leads to a common data protection culture. The existing tools in the GDPR have the potential to achieve this goal, provided that they are used in a sufficiently harmonised way.
The EDPB and the DPAs will continue their efforts to further enhance enforcement cooperation and to achieve more efficient and consistent results within the current legal framework.
Given the importance of streamlining national procedural rules, the EDPB submitted in October 2022 a ‘wish list’ to the European Commission, on procedural aspects that could be harmonised at EU level. The EDPB-EDPS joint opinion of 19 September 2023 on the Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR, welcomed that the proposal aims to foster effective enforcement of data protection rules and intends to give effect to many of the suggestions contained in the ‘EDPB wish list’; it also made a number of recommendations to ensure the greatest possible efficiency of this upcoming Regulation.
Moreover, the EDPB calls on Member States to make sure that all DPAs have the necessary resources to carry out their tasks effectively, as there are considerable challenges ahead. First and foremost, the continuously evolving technological landscape presents new data protection challenges every day. New legislation is also considered or has been introduced, providing additional rules to create a safer digital space and to establish a level playing field for businesses in the digital economy, such as the DMA, the DSA, the DGA or the proposal for an AI Act. This new legislation may place additional responsibilities on DPAs or the EDPB with regard to enforcement and supervision. However, there is a discrepancy between this increasing workload and the available resources. In addition, both the EDPB’s and DPAs’ tasks under the GDPR continue at an increased intensity. Moreover, increased enforcement cooperation among DPAs, which in turn leads to higher involvement of the EDPB, has had a significant impact on the workload. The success in the performance of these tasks relies largely on the resources available to the DPAs and to the EDPB, including via its Secretariat. It is therefore essential to ensure that the EDPB Secretariat is provided with the necessary resources, as it plays a key role in the preparation and execution of many of the tasks entrusted to the EDPB.
Regarding international transfers, the EDPB underlines the importance of continuing to develop adequacy decisions with third countries and international organisations, and expects the Commission to finalise its work on the review of the adequacy decisions adopted under Directive 95/46/EC.
In addition, the EDPB encourages the Commission to continue developing international cooperation and stresses the importance of effective enforcement cooperation with third countries.
During the plenary, the EDPB also held a general discussion on the ‘pay or ok’ model. It was decided that a request for mandate for guidelines on this topic will be prepared.