On 25 May 2020, the European Data Protection Board (EDPB) issued its opinions on draft decisions of certain national supervisory authorities on certification and code of conduct monitoring bodies’ accreditation requirements. This includes opinions on the draft decisions from supervisory authorities in:

  • Finland, Germany, Ireland, and Italy, on the approval of the requirements for accreditation of a code of conduct monitoring body under article 41 of the General Data Protection Regulation (GDPR)
  • The Czech Republic, Germany, and Ireland, on the approval of the requirements for accreditation of a certification body under article 43(3) of the GDPR


The novel coronavirus pandemic has created an immediate and immense need for scientific research. Amid this urgency, the European Data Protection Board (EDPB), during its twenty-third plenary session held on April 21, adopted guidelines to shed light on legal questions concerning the use of health data (pursuant to article 4(15) of the General Data Protection Regulation (GDPR)) for such research purposes.

The guidelines reiterate that data protection rules do not hinder measures taken to combat the coronavirus outbreak and in fact provide special rules for the processing of health data for the purpose of scientific research (for instance, in article 9(2)(j) and article 89(2)) that will be applicable in the current crisis.

Data controllers and processors must respect the data protection principles set out in article 5 of the GDPR, and all processing of health data must comply with one of the legal grounds and the specific derogations listed respectively in articles 6 and 9 of the GDPR for the lawful processing of this special category of data. The guidelines specifically address the rules concerning consent and respective national legislation. They also spell out the important aspects of the article 5 principles.

The European Data Protection Board (EDPB) met for its fourteenth plenary session on 8 and 9 October 2019.

One of the key developments was the adoption of the final version of its guidelines on the contractual lawful basis for the processing of personal data in the context of online services under Article 6(1)(b) of the General Data Protection Regulation (GDPR), more commonly known as the ‘performance of a contract’ legal basis.

The final version of the guidelines has not changed from the previous draft which we discussed here in our blog in April.

As a reminder, we have outlined below some of the key points from the guidelines.

At its eleventh plenary session on 4 June 2019 in Brussels, the European Data Protection Board (EDPB) adopted final versions of (1) the Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679, (2) annex 2 to the Guidelines on certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

The Dutch Data Protection Authority (CBP) has published new guidelines on data protection and implementation of data security principles, which replace the previous guidance from 2001. The guidelines seek to provide practical advice on how data controllers and processors can ensure compliance with the Dutch Data Protection Act (Wet bescherming persoonsgegevens).

The new guidelines include