European Data Protection Supervisor

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) announced their joint opinions on the draft standard contractual clauses (SCCs) previously published by the European Commission in November 2020. The opinions cover the SCCs between controllers and processors and the SCCs for the transfer of personal data to third countries.  We have previously commented on both sets of drafts here and here.

Controller to processor SCCs

In their joint opinion, both the EDPB and the EDPS, welcomed the controller to processor SCCs as a single, strong, and EU-wide accountability tool, which will facilitate compliance with the General Data Protection Regulation (GDPR) and provide much needed legal certainty to controllers and processors. However, the EDPB and EDPS noted that more clarity should be provided as to when the controller to processor SCCs can be relied upon. Further amendments were also noted as needed, for example the docking clause, which allows additional entities to accede to the controller to processor SCCs. It was also noted that the SCCs Annexes should be amended to clarify the roles and responsibilities of each of the parties as much as possible with regard to each processing activity. The EDPB and EDPS consider these additional amendments as necessary to ensure harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
Continue Reading The EDPB and EDPS adopt joint opinions on the new draft SCCs

On 26 February 2019, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, published his first annual report since the General Data Protection Regulation (GDPR) came into force last year.

This is a short overview of some of the key themes in the EDPS’s annual report:

  1. Overview of 2018:
  • GDPR: This is the first annual report of the EDPS since the GDPR ((EU) 2016/679) came into force on 25 May 2018, bringing in new data protection legislation for a new era.
  • Establishing the European Data Protection Board: The GDPR established the European Data Protection Board (EDPB), replacing the Article 29 Working Party. The EDPB took over the Article 29 Working Party’s responsibilities in issuing guidelines, recommendations and statements of best practice. The EDPB is also tasked with ensuring the consistent application of the GDPR in each EU member state.
  • Publishing opinions: The EDPS publishes opinions to inform how EU institutions make decisions about personal data ranging from big data and fundamental rights to consumer and data protection law. In particular, the latter opinion was identified by the EDPS as a highlight for him last year.
  • The ePrivacy Directive (ePR): The proposed ePR will align the EU’s ePrivacy regime more closely with the GDPR. The EDPS continues to support the efforts of EU legislators in reaching agreement on the final text of the ePR. Progress was made last year with the Council of the European Union publishing amendments to the draft ePR. It is hoped that the ePR will come into force in 2019.


Continue Reading First annual report of the European Data Protection Supervisor since GDPR

Data Protection Authorities (“DPAs”) from across the world gathered in Marrakesh for the 38th International Privacy Conference. This event is held annually for the purpose of debating topical data protection issues.

The debates this year centred on data privacy being central to: sustainable development, government access to personal data, the role of technology, adequacy, localisation and differing cultural and political frameworks.
Continue Reading Data Protection Authorities gather for the 38th International Privacy Conference

The European Data Protection Supervisor (EDPS) has published its opinion on the European Commission draft Regulation on electronic identification and trust services for electronic transactions in the internal market. The proposed Regulation is expected to enhance trust in pan-European electronic transactions, to ensure cross-border mutual recognition of electronic identification by enhancing current rules on e