On 25 April 2018, the European Parliament’s Civil Liberties, Justice & Home Affairs Committee published a corrigendum (an error to be corrected in a printed work after publication) to the European General Data Protection Regulation ((EU 2016/679) (GDPR).
There are 26 “official” language versions of the GDPR (all European Economic Area countries plus Norway and Iceland). This can create differences in interpretation, with potentially serious ramifications for enforcement and compliance, so harmonising the legislation is a key concern for the EU Parliament. The corrigendum deals mainly with typographical and clerical errors for all language versions of the GDPR. Many of these had previously been requested by Member States for their own language versions.
- Amending the (original) English version of Article 37(1)(c) concerning when a data protection officer (DPO) should be designated – in line with Article 29 Working Party guidelines on DPOs. The text was amended from an “and” to an “or”, which affects the construction of the article.
- References to “criteria”, “conditions” and “requirements”, in relation to certification under Articles 41–43, 57 and 64, have been swapped around; although it is unclear to what extent this provides any further clarity.
- Article 43(6) text concerning certification bodies has been deleted: “The Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means”.
- Article 70(1)(o) concerning the tasks of the European Data Protection Board (which will replace Article 29 Working Party) and the accreditation of certification bodies and a register of accredited bodies has been amended. The amended text confirms that the new entity will “approve the criteria of certification” and must maintain a register of “certification mechanisms and data protection seals and marks pursuant to Article 42(8) and of the certified controllers or processors established in third countries pursuant to Article 42(7)”.
The amendments outlined in the corrigendum are relatively minor or clerical, but organisations should be aware of them, especially concerning the mandatory appointment of a DPO. The corrigendum is also an important reminder that companies doing business in multiple Member States should always consult the applicable language version of the GDPR for each relevant jurisdiction.