Bernd Schütze

European Data Protection Board: Work started and first guidelines published

TheEuropean Data Protection Board  (EDPB, homepage was convened in accordance with Art. 68 GDPR and started its work as scheduled on 25 May 2018. Its first meeting adopted the Guidelinesof Article 29 Data Protection Group, see EDPB publication “Endorsement of GDPR WP29 guidelines by the EDPB“or the web pages

  • Guidelines relevant to controllers and processors
  • Guidelines on your rights

at EDPB.

A total of 16 of the existing papers under Article 29 Data Protection Group were adopted:

  1. Guidelines on consent under Regulation 2016/679,WP259 rev.01
  2. Guidelines on transparency under Regulation 2016/679,WP260 rev.01
  3. Automated individual decision–making and profiling. Guidelines on Automated individual decision – making and Profiling for Regulatory purposes of 2016/679,WP251 rev.01
  4. Personal data breach notifications. Guidelines on Personal data breach notifications under Regulation 2016/679,WP250 rev.01
  5. The right to data portability. Guidelines on the right to data portability under Regulation 2016/679,WP242 rev.01 (also available in German)
  6. Data protection impact assessment. Guidelines on Data Protection Impact Assessment (DPIA) and determination whether processing is “likely to result in a high risk”for the purposes of Regulation 2016/679,WP248 rev.01 (also available in German)
  7. Data Protection Officers. Guidelines on Data Protection Officers (‘DPO’),WP243 rev.01 (also available in German)
  8. Lead supervisory authority. Guidelines for identifying a controller or processor’s lead supervisory authority,WP244 rev.01 (also available in German)
  9. Position Paper on derogationsfrom the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR
  10. Working Document. Setting Forth a Co–operation Procedure for the approval of “Binding Corporate Rules”for controllers and processors under the GDPR,WP 263 rev. 01
  11. Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data,WP 264
  12. Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data,WP 265
  13. Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules,WP 256 rev.01
  14. Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules,WP 257 rev.01
  15. Adequacy Referential,WP 254 rev.01
  16. Guidelines on the application and setting of administrative fines for purposes of the Regulation 2016/679,WP 253 (also available in German)


The EDPB also published the first two “own”guidelines on 30 May 2018:

Draft Paper 1/2018 of course describes what Certification means to the EDPB. On the whole, everything is dealt with rather superficially however. This paper will nevertheless be thoroughly read and commented on especially by organisations wishing to act as certification organisations, such as the Datenschutz Zertifizierungsgesellschaft mbH (DSZ)founded by BvD and GDD. Comments may be submitted to EDPB@edpb.europa.euuntil 12 July 2018.

The Final Paper Guideline 2/2018, dealing with exceptions under Art. 49 GDPR, also of course addresses consent to transfers to third countries (Art. 49 Para. 1 lit. A GDPR). It again clearly states here that informed consent must explicitly include specific risks inherent in transfers to third countries. Everyone dealing with this topic was probably quite aware of this. The paper nevertheless once again states this quite clearly – making it “official”. Consent to transfer to a third country can only be a one-off, single transfer – general consent will hardly be possible (see Section 2.1.2 in the paper).

Author: Bernd Schütze

Leave a Reply

Your email address will not be published. Required fields are marked *