
Tag Archives for "EDPB"

Hungarian Government Suspends GDPR Data Subjects Rights

On May 4, 2020, the Hungarian Government issued a Decree that suspends, during the COVID-19 created state of emergency, the one-month deadline that controllers have under the GDPR to reply to data subject rights requests.

According to the Decree, the normal one-month deadline to reply to data subject rights requests will start running once the state of emergency ends, for which there is no fixed date yet.

The Decree also allows public entities to refuse or suspend freedom of information (“FOIA”) requests in certain situations. The Decree has been heavily criticized by civil society groups and has prompted scrutiny by the European Data Protection Board (“EDPB”).

Source: Hungarian Government Suspends GDPR Data Subjects Rights

No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body

On 4 May, the European Data Protection Board (“EDPB”) adopted an updated version of its guidelines on consent.

The EDPB stated that you can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. The EDPB also stated that scrolling on a website or digital service cannot — in any way — be interpreted as consent.

Source: No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body | TechCrunch

EDPB adopts further COVID-19 guidance

During its 23rd plenary session, the EDPB adopted guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak and guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.

The guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak aim to shed light on the most urgent legal questions concerning the use of health data, such as the legal basis of processing, further processing of health data for the purpose of scientific research, the implementation of adequate safeguards and the exercise of data subject rights.

The guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak aim to clarify the conditions and principles for the proportionate use of location data and contact tracing tools, for two specific purposes:
1. using location data to support the response to the pandemic by modelling the spread of the virus in order to assess the overall effectiveness of confinement measures;
2. using contact tracing, which aims to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, in order to break the contamination chains as early as possible.

Source: European Data Protection Board – Twenty-third Plenary session: EDPB adopts further COVID-19 guidance | European Data Protection Board

The EDPB Responds to the European Commission’s Recommendation on COVID-19 Mobile Apps

On April 14, 2020, the European Data Protection Board (the EDPB) published a letter in response to the European Commission’s call for consultation (the letter) regarding its recommendation on the use of mobile applications and location data to fight the COVID-19 outbreak.

In its letter, the EDPB sets forth data privacy and information security measures that app developers should consider when developing mobile applications to inform individuals or monitor infected persons (COVID-19 mobile apps).

Source: The EDPB Responds to the European Commission’s Recommendation on COVID-19 Mobile Apps

Google gobbling Fitbit is a major privacy risk

The European Data Protection Board (EDPB) has intervened to raise concerns about Google’s plan to scoop up the health and activity data of millions of Fitbit users — at a time when the company is under intense scrutiny over how extensively it tracks people online and for antitrust concerns.

Google confirmed its plan to acquire Fitbit last November, saying it would pay $7.35 per share for the wearable maker in an all-cash deal that valued Fitbit, and therefore the activity, health, sleep and location data it can hold on its more than 28M active users, at ~$2.1 billion.

Regulators are in the process of considering whether to allow the tech giant to gobble up all this data.

Source: Google gobbling Fitbit is a major privacy risk, warns EU data protection advisor | TechCrunch

European Data Protection Board Issues Opinion on U.S. CLOUD Act

On July 10, 2019, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint assessment of the impact of the U.S. Clarifying Overseas Use of Data Act (CLOUD Act) on the legal framework for the protection of personal data in the EU.

The institutions note that the extraterritorial effect of the CLOUD Act could result in service providers being “susceptible to facing a conflict of laws between US law and the GDPR and other applicable EU or national law of the Member States.”

Source: European Data Protection Board Issues Opinion on U.S. CLOUD Act

EDPB issues annual report

The European Data Protection Board released its 2018 annual report. The report covers the rules of procedure adopted in the first EDPB plenary session and the creation of the EDPB Secretariat. 

The report focuses on cooperation among supervisory authorities and on transparency. It also touches on the EDPB’s guidance on certification, territorial scope and accreditation, and on its opinions regarding the ePrivacy regulation and the European Commission’s adequacy decisions.

Read full report.

EDPB Publishes Opinion on the Competence of a Supervisory Authority Relating to the Main or Single Establishment

On July 9, 2019, the European Data Protection Board (EDPB) adopted Opinion 8/2019 on the Competence of a Supervisory Authority in Case of a Change in Circumstances Relating to the Main or Single Establishment at the request of the French and the Swedish data protection authorities.

A change of circumstances relating to the main or single establishment may occur when the single or main establishment is (i) relocated from an EEA country to another EEA country; (ii) moved from or ceases to exist in an EEA country; (iii) relocated from a non-EEA country to an EEA country or is set up in an EEA country.

Full article: EDPB Publishes Opinion on the Competence of a Supervisory Authority in Change in Circumstances Relating to the Main or Single Establishment

EDPB and the EDPS consider the European Commission to be a processor of patient data in the eHealth Digital Service Infrastructure

On July 12, 2019, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion on the processing of patient data and the role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI).

The eHDSI system was established in the context of the eHealth Network and allows for the exchange of electronic health data of patients between Member States. The opinion confirms that Member States act as “joint controllers” and the European Commission acts as a processor in the processing of patient data within the eHDSI.

Full article: The European Data Protection Board and the European Data Protection Supervisor consider the European Commission to be a processor of patient data in the eHealth Digital Service Infrastructure

EDPB publishes overview on the implementation of the GDPR and national DPAs

The European Data Protection Board has published an overview of the implementation and enforcement of the General Data Protection Regulation (GDPR) covering both the cooperation mechanism and the consistency findings.

The EDPB thinks that the GDPR cooperation and consistency mechanisms work quite well in practice. The EDPB’s experience regarding consistency is, up to now, limited, as no dispute resolution through this new EU body was necessary during the reported period.

Read full report.
