The European Data Protection Board (EDPB) met for its seventh plenary session on 12 February 2019. The session covered many areas of discussion, outlined in the agenda.

The four main areas covered, and highlighted in the EDPB’s press release, were:

1. Work programme: The EDPB adopted a two-year work programme, covering 2019-2020. The work programme has been designed based on priority needs for individuals, stakeholders and EU legislators. Examples of activities that the work programme covers include:

i. issuing guidance on topics such as data protection by design and by default, children’s data and legitimate interests;

ii. issuing consistency opinions on the administrative arrangements discussed below, and on the interplay between the General Data Protection Regulation 2016/679 (GDPR) and ePrivacy Regulation;

iii. other activities centred around the EU-U.S. Privacy Shield, the ePrivacy Regulation and data breach notifications; and

iv. a general focus on topics including non-personal data, blockchain and the use of new technologies such as artificial intelligence.

2. Administrative arrangements: The EDPB adopted an opinion on administrative arrangements. It allows personal data to be transferred between European Economic Area (EEA) financial supervisory authorities and their non-EEA counterparts. Supervisory authorities will need to authorise and monitor the application of the administrative arrangements.

3. Brexit: The EDPB adopted an information note. It provides advice to companies and public authorities on data transfers involving the UK in the event of a no-deal Brexit.

i. Transfers from the EEA to the UK: post-Brexit, the UK will be a third country, and data transfers will require one of the mechanisms provided for in the GDPR. These mechanisms include standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms and reliance on derogations.

ii. Transfers from the UK to the EEA: current practice will continue, and personal data can be transferred freely.

4. Guidelines on codes of conduct: The GDPR encourages codes of conduct to be agreed by trade associations or sectoral bodies to “contribute to the proper application” of the GDPR. The EDPB adopted draft guidelines on this issue. They will provide practical guidance and interpretative assistance on the submission, approval and publication of codes of conduct. The guidelines will be subject to public consultation before being finalised.


The next plenary is scheduled to take place on 12-13 March 2019.

In the meantime, keep an eye out for our blog on the EDPB’s information note on data transfers in the event of a no-deal Brexit. The blog will take a more in-depth look at the EDPB’s guidance.