Bernd Schütze
European Data Protection Board: Work started and first guidelines published
The European Data Protection Board (EDPB, homepage https://edps.europa.eu/) was convened in accordance with Art. 68 GDPR and started its work as scheduled on 25 May 2018. Its first meeting adopted the Guidelines of the Article 29 Data Protection Group, see EDPB publication “Endorsement of GDPR WP29 guidelines by the EDPB” or the web pages
- Guidelines relevant to controllers and processors
- Guidelines on your rights
at EDPB.
A total of 16 of the existing papers under Article 29 Data Protection Group were adopted:
- Guidelines on consent under Regulation 2016/679, WP259 rev.01
- Guidelines on transparency under Regulation 2016/679, WP260 rev.01
- Automated individual decision-making and profiling. Guidelines on Automated individual decision-making and Profiling for Regulatory purposes of 2016/679, WP251 rev.01
- Personal data breach notifications. Guidelines on Personal data breach notifications under Regulation 2016/679, WP250 rev.01
- The right to data portability. Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01 (also available in German)
- Data protection impact assessment. Guidelines on Data Protection Impact Assessment (DPIA) and determination whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP248 rev.01 (also available in German)
- Data Protection Officers. Guidelines on Data Protection Officers (‘DPO’), WP243 rev.01 (also available in German)
- Lead supervisory authority. Guidelines for identifying a controller or processor’s lead supervisory authority, WP244 rev.01 (also available in German)
- Position Paper on derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR
- Working Document. Setting Forth a Co-operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR, WP 263 rev. 01
- Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data, WP 264
- Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data, WP 265
- Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP 256 rev.01
- Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules, WP 257 rev.01
- Adequacy Referential, WP 254 rev.01
- Guidelines on the application and setting of administrative fines for purposes of the Regulation 2016/679, WP 253 (also available in German)
The EDPB also published the first two “own” guidelines on 30 May 2018:
- Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of Regulation 2016/679 (draft)
https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-12018-certification-and-identifying_en
- Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (final)
https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22018-derogations-article-49-under-regulation_en
Draft Paper 1/2018 describes what certification means to the EDPB. On the whole, however, everything is dealt with rather superficially. The paper will nevertheless be read thoroughly and commented on, especially by organisations wishing to act as certification organisations, such as the Datenschutz Zertifizierungsgesellschaft mbH (DSZ) founded by BvD and GDD. Comments may be submitted to EDPB@edpb.europa.eu until 12 July 2018.
The Final Paper Guideline 2/2018, dealing with exceptions under Art. 49 GDPR, also addresses consent to transfers to third countries (Art. 49 Para. 1 lit. a GDPR). It again clearly states that informed consent must explicitly include the specific risks inherent in transfers to third countries. Everyone dealing with this topic was probably quite aware of this. The paper nevertheless states it once again quite clearly – making it “official”. Consent to a transfer to a third country can only cover a one-off, single transfer – general consent will hardly be possible (see Section 2.1.2 in the paper).
Author: Bernd Schütze