European Data Protection Board

The UK’s Information Commissioner’s Office (ICO) has published new guidance on certification and codes of conduct for data processing as well as expected timetables for finalising its revised guidelines on these topics.

Certification

Certification is a voluntary mechanism for organisations to validate their compliance with the General Data Protection Regulation 2016/679 (GDPR). Once the submissions

The European Data Protection Board (EDPB) met for its ninth plenary session on 9 and 10 April 2019. The EDPB discussed a number of issues concerning the application of the General Data Protection Regulation 2016/679 (GDPR), outlined in the agenda.

One of the key developments was the adoption of draft guidelines by the EDPB on the scope and application of GDPR Article 6(1)(b) which is largely known as ‘contractual necessity’ or ‘performance of a contract’ legal basis. GDPR Article 6(1)(b) provides a lawful basis for processing where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

The guidelines offer important clarification on what may be considered “necessary”, as well as useful guidance for processing in the context of online services to ensure that this legal basis is only relied upon when appropriate.

Continue Reading EDPB guidelines on processing personal data under GDPR, Article 6(1)(b)

The European Data Protection Board (EDPB) has adopted guidelines in relation to the certification mechanism prescribed under the General Data Protection Regulation 2016/679 (GDPR). The EDPB guidelines are aimed at supervisory authorities and certification bodies and provide helpful insight into the requirements and criteria relevant to all types of certification mechanisms issued under articles 42 and 43 of the GDPR.

Certification

The EDPB, supervisory authorities and certification bodies are required to encourage certification mechanisms and data protection seals and marks. Although these terms are not defined under the GDPR, it is clear that they intend to mark the approval of GDPR compliance in relation to specific processing operations carried out by a controller or processor. Once certified, the organisation may display a seal or mark to demonstrate its compliance.

The certification mechanism is recognised as an appropriate safeguard. Restricted transfers can therefore be made to an organisation if that organisation has received a certification, providing the organisation makes binding and enforceable commitments to apply the appropriate safeguards. The EDPB plans to issue further guidance on these required commitments.

Continue Reading EDPB issues guidelines on GDPR certification

On 12 February 2019, the European Data Protection Board (EDPB) met for its seventh plenary session. You can see our blog on the full session here.

At this session, the EDPB adopted two information notes. The information notes offer guidance on data protection issues in the event of a no-deal Brexit, namely: data transfers generally and binding corporate rules lead supervisory authorities (BCR lead).

Data transfers in the event of a no-deal Brexit

The guidance is separated into three distinct sections.

Preparation for transfers of data from the EEA to the UK

The EDPB sets out five steps for businesses to take in advance of Brexit. Businesses who transfer data from the European Economic Area (EEA) to the United Kingdom (UK) should start preparing now. To prepare, the EDPB suggests the following:

I. Identify the processing activities that require the transfer of personal data

II. Determine the data transfer mechanism that is most appropriate on the facts

III. Prepare the relevant transfer mechanism in advance of 30 March 2019

IV. Indicate in internal documents that you will be transferring data to the UK

V. Update your privacy notices accordingly.

Continue Reading No-deal Brexit: EU regulators issue data transfer guidance

The European Data Protection Board (EDPB) met for its seventh plenary session on 12 February 2019. The session covered many areas of discussion, outlined in the agenda.

The four main areas covered, and highlighted in the EDPB’s press release, were:

1. Work programme: The EDPB adopted a two-year work programme, covering 2019-2020. The work programme has been designed based on priority needs for individuals, stakeholders and EU legislators. Examples of activities that the work programme covers include:

i. issuing guidance on topics such as data protection by design and by default, children’s data and legitimate interests;

ii. issuing consistency opinions on the administrative arrangements discussed below, and on the interplay between the General Data Protection Regulation 2016/679 (GDPR) and ePrivacy Regulation;

iii. other activities centred around the EU-U.S. Privacy Shield, the ePrivacy Regulation and data breach notifications; and

iv. a general focus on topics including non-personal data, blockchain and the use of new technologies such as artificial intelligence.
Continue Reading Updates from the European Data Protection Board

The European Data Protection Board (EDPB) recently adopted its opinion on the interplay between the Clinical Trials Regulation 536/2014 (CTR) and the General Data Protection Regulation 2016/679 (GDPR) (the opinion). The opinion was given at the request of the European Commission.

The CTR seeks to harmonise the rules for conducting clinical trials throughout the European Union, and the request for an opinion stemmed from an acknowledgement of the crucial interplay between these two pieces of EU legislation. The EDPB emphasised that interplay by clearly stating in the opinion that the CTR cannot be used as an exemption from compliance with the GDPR.

The opinion distinguishes between the primary use of data and the secondary use of data in clinical trials.

Continue Reading The interplay between the Clinical Trials Regulation and the GDPR

On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines).

Last week we published a blog on these guidelines, focusing on when the GDPR applies to non-European Union (EU) controllers and processors. This week, we focus on when non-EU controllers and processors who come within the scope of the GDPR must appoint an EU representative.

GDPR requires that non-EU controllers or processors of personal data of individuals located in the EU appoint EU-based representatives (EU representative), unless they are exempt. The guidelines divide this requirement into four distinct sections.

Continue Reading Does GDPR require non-EU companies to nominate EU representatives? EDPB issues guidance

On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines).

This is the first of two blogs on the guidelines. This blog considers the extra-territorial scope of the GDPR. Next week, we will consider the need for non-European Union (EU) controllers to designate a representative located in the EU.

Territorial scope

The GDPR has extra-territorial effect. This means it can apply to companies based outside of the EU.

GDPR applies to a non-EU-based company where that company:

  1. Processes personal data in the context of the activities of an EU establishment (the establishment criterion);
  2. Processes personal data of an individual in the EU, for the purposes of either: (i) offering goods or services to that individual in the EU, or (ii) monitoring the behaviour of that individual in the EU (the targeting criterion); or
  3. Is subject to EU Member State law by virtue of public international law.

This has been an area of significant uncertainty for non-EU companies. The guidelines offer some much-needed clarity.

Continue Reading EDPB issues much-awaited guidance on GDPR’s territorial scope

During an Article 29 Working Party (WP29) press conference on 7 February 2018, the outgoing chair and French privacy chief, Isabelle Falque-Pierrotin, expressed concerns that EU data protection authorities (DPAs) may not be able to enforce the General Data Protection Regulation (GDPR) effectively and in a unified manner in accordance with the consistency mechanism, by 25 May 2018.

On 25 May 2018, the WP29 will be replaced by the European Data Protection Board (EDPB), which will invoke the consistency mechanism to streamline the enforcement of data protection laws throughout the region. According to Falque-Pierrotin, 26 of the 28 EU member states (with Germany and Austria being the exceptions) are yet to align their national laws with the GDPR. This is concerning because if one member state’s supervisory authority is unable to take part in the consistency mechanism, the whole system of regulation and enforcement under the GDPR could be undermined.
Continue Reading Will EU data protection authorities’ ‘consistency mechanism’ be ready in time for the GDPR?