
Tag Archives for "EDPB"

EDPB’s common sense approach to the GDPR’s territorial scope

EDPB has produced a detailed 23-page document that is both authoritative and full of common sense.

The guidelines start by treading into well-known territory: the “establishment criterion.” Following a principle that already existed under the 1995 Data Protection Directive, the GDPR will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU. So the EDPB relies on existing case law to consolidate its opinion on this criterion.

Full article: EDPB’s common sense approach to the GDPR’s territorial scope

Dispatch from Brussels: GDPR enforcement, guidance to come in 2019

During her interview with IAPP Chief Knowledge Officer Omer Tene, Dixon said major GDPR-related fines will not come down the pike in 2018, but it’s safe to expect some fines in 2019. This notion was foreshadowed earlier in the day by the EDPB’s Jelinek during her keynote address.

Notably, both Jelinek and Dixon said no cross-border cases have been escalated to the EDPB. But that doesn’t mean enforcement is far away.

Full article: Dispatch from Brussels: GDPR enforcement, guidance to come in 2019

Does the EDPB answer frequently asked questions on territorial scope?

The European Data Protection Board (EDPB, the successor to the Article 29 Working Party) has issued guidelines (for consultation) on one of the key foundation elements of the General Data Protection Regulation (GDPR); namely, Article 3 on territorial scope.

Article 3 is supposed to answer the important questions of when GDPR applies (depending on the location of an entity processing personal data, or of the individuals whose data is being processed). Unfortunately, Article 3 was drafted in a way that left many key concerns unanswered.

Source: Does the EDPB answer frequently asked questions on territorial scope?

DP Impact Assessments: EDPB Differs Slightly from ICO Position

The European Data Protection Board (EDPB) has recently published its Opinion on the (United Kingdom) Information Commissioner’s list of processing activities which would require a Data Protection Impact Assessment under the GDPR.

In its Opinion, the EDPB appears to be moving away from the idea that processing of genetic or location data, on its own, might be enough to trigger the mandatory DPIA requirements of the GDPR. This news will perhaps come as a relief to organisations currently struggling to come to grips with the “new” DPIA process and the resources and time that it demands. But, should we be surprised by the EDPB’s Opinion and will it have a significant impact in practice on the way organisations consider and conduct DPIAs?

Full article: DP Impact Assessments: EDPB Differs Slightly from ICO Position

What’s subject to a DPIA under the GDPR?

Under the European Data Protection Regulation, data protection impact assessments are required when data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Exactly what “high risk” entails, however, has been a difficult question to answer.

The supervisory authorities of 22 Member States submitted draft lists to the European Data Protection Board identifying data processing activities likely to result in a high risk and therefore require DPIAs. The EDPB subsequently issued opinions on each of these lists.

Source: What’s subject to a DPIA under the GDPR? EDPB on draft lists of 22 supervisory authorities

EDPB dealing with 162 cross border cases but no fines issued as yet

The European Data Protection Board (EDPB) by now has 162 cross-border cases on its case register, which are under investigation. Some 18,000 breach notifications have been received by the 25 EU DPAs which have issued their statistics, and 15 One Stop Shop procedures have been started at the Board. In addition, there have been 233 procedures relating to Mutual Assistance between the DPAs.

Source: EDPB dealing with 162 cross border cases but no fines issued as yet – Privacy Laws & Business

EDPB Adopts Opinions on National DPIA Lists in the EU

The European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States regarding which processing operations are subject to the requirement of conducting a data protection impact assessment (“DPIA”) under the EU General Data Protection Regulation (“GDPR”).

Full article: EDPB Adopts Opinions on National DPIA Lists in the EU

EDPB: ICO too strict on data protection impact assessments

The opinion, issued by the European Data Protection Board (EDPB), differs from guidance the UK’s Information Commissioner’s Office (ICO) has issued on DPIAs. Businesses planning to process biometric, genetic or location data do not automatically have to carry out a data protection impact assessment (DPIA) first to comply with the General Data Protection Regulation (GDPR), an EU privacy watchdog has said.

The ICO is not bound to update its guidance in light of the EDPB’s opinion, but must justify its reasons for not doing so if “it does not intend to follow this opinion, in whole or in part”, the EDPB said.

Source: EDPB: ICO too strict on data protection impact assessments

EDPB adopts letter regarding the PSD2 Directive

The European Data Protection Board (EDPB) adopted a letter on behalf of the EDPB Chair addressed to Sophie in’t Veld MEP regarding the revised Payments Services Directive (PSD2 Directive). In its reply to Sophie in’t Veld the EDPB sheds further light on ‘silent party data’ by Third Party Providers, the procedures with regard to giving and withdrawing consent, the Regulatory Technical Standards, the cooperation between banks and the European Commission, EDPS and WP29 and what remains to be done to close any remaining data protection gaps.

Source: Letter regarding the PSD2 Directive – European Data Protection Board

‘Legitimate interest’ may permit processing of ‘silent party data’ under PSD2

Businesses in the payment services market do not necessarily need the consent of ‘silent parties’ to process their personal data when providing payment initiation or account information services to their customers, the European Data Protection Board (EDPB) has said.

Source: ‘Legitimate interest’ may permit processing of ‘silent party data’ under PSD2
