Photo of Angelika Bialowas

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) announced their joint opinions on the draft standard contractual clauses (SCCs) previously published by the European Commission in November 2020. The opinions cover the SCCs between controllers and processors and the SCCs for the transfer of personal data to third countries. We have previously commented on both sets of drafts here and here.

Controller to processor SCCs

In their joint opinion, both the EDPB and the EDPS welcomed the controller to processor SCCs as a single, strong, and EU-wide accountability tool, which will facilitate compliance with the General Data Protection Regulation (GDPR) and provide much-needed legal certainty to controllers and processors. However, the EDPB and EDPS noted that more clarity should be provided as to when the controller to processor SCCs can be relied upon. They also noted that further amendments are needed, for example to the docking clause, which allows additional entities to accede to the controller to processor SCCs. It was also noted that the SCCs Annexes should be amended to clarify the roles and responsibilities of each of the parties as much as possible with regard to each processing activity. The EDPB and EDPS consider these additional amendments as necessary to ensure harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
Continue Reading The EDPB and EDPS adopt joint opinions on the new draft SCCs

On 11 November 2020, the Court of Justice of the European Union (CJEU) in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Case C-61/19) delivered its preliminary ruling on the issue of valid consent under the General Data Protection Regulation 2016/679/EU (GDPR) and Directive 95/46/EC. You can read the judgment here.

The CJEU held that a printed contract for mobile telecommunication services containing a clause stating that the customer has consented to the collection and storage of their identity documents does not constitute valid consent where the box referring to that clause has been pre-ticked by the data controller before the contract was signed.

The case follows up on the previous ruling in Planet49 (Case C-673/17) on which we commented last year here and here.

Continue Reading CJEU delivers judgment on conditions for valid consent in an offline context

Following a previous European Commission recommendation to support the gradual lifting of coronavirus (COVID-19) restrictions through mobile data and apps, on 19 October 2020, the European Commission set up an EU-wide system for the interoperability of track and trace apps.

Background

National contact tracing and warning apps can play a key role in all phases of COVID-19 management by warning users if they have been in contact with someone who has indicated they tested positive for COVID-19 and giving appropriate health advice. Most EU Member States have developed national contact tracing and warning apps which can be used on a voluntary basis.

The new ‘gateway’ system allows these national apps across the EU to talk to each other and exploits the full potential of national apps by moving towards a centralised system where they can be interoperable through a single gateway service.

The design of the gateway system builds on the set of technical specifications as set out in the EU Commission Guidelines for interoperability, EU toolbox and the EU Commission and European Data Protection Board guidelines on data protection for contact tracing and warning apps.
Continue Reading European Commission implements interoperable gateway for COVID-19 contact tracing and warning apps

On 8 October 2020, the European Data Protection Board (EDPB) published new guidelines on relevant and reasoned objection under the General Data Protection Regulation (GDPR). The guidelines cover the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which supervisory authorities have a duty to exchange all relevant information with each other and cooperate in an endeavor to reach consensus when they coordinate investigations that cross borders in the European Union (EU).

Background

Under Article 60 of the GDPR, the lead supervisory authority (LSA) is required to submit draft decisions to the concerned supervisory authorities, who may then raise a “relevant and reasoned objection” to the LSA within a specific timeframe of four weeks. On review of the relevant and reasoned objection, the LSA can either follow the suggestions of the concerned supervisory authorities and produce a revised draft decision, or disagree with the objections and submit the matter to the EDPB for consideration under the GDPR’s consistency mechanism.
Continue Reading EDPB releases guidelines on relevant and reasoned objection

On 12 June 2020, the UK’s Information Commissioner’s Office (ICO) issued new guidance for organisations on the coronavirus (COVID-19) recovery phase (Guidance).

The Guidance (available here) forms part of the ICO’s wider data protection and coronavirus information hub (available here) which aims to help organisations navigate data protection during this unprecedented time.

The new Guidance comes as the lockdown measures start to ease and businesses begin to reopen. It sets out six key data protection steps that organisations need to consider around the use of personal data.
Continue Reading ICO issues guidance for organisations amid coronavirus recovery