European Data Protection Board holds fifteenth plenary session and adopts final version of its Guidelines on Territorial Scope of the GDPR


On 12 and 13 November 2019 the EDPB met for its fifteenth plenary session, during which a wide range of topics was discussed, including:

  • Guidelines on Territorial Scope: the EDPB adopted a final version of the Guidelines on Territorial Scope following public consultation. The Guidelines aim to provide a common interpretation of the GDPR for EEA Data Protection Authorities when assessing whether processing by a controller or a processor falls within the territorial scope of the legal framework, as per Article 3 GDPR. The Guidelines also provide further clarification on the application of the GDPR in various situations, for example, where the data controller or processor is established outside the EEA, including on the designation and role of a representative under Article 27 GDPR. The final Guidelines address comments and feedback received during the public consultation;
  • Third Annual Privacy Shield Review: the EDPB adopted its report on the third Annual Joint Review of the EU-US Privacy Shield. The EDPB welcomed the efforts made by the US authorities to implement the Privacy Shield. However, it said that a number of concerns still need to be addressed. In particular, it said that compliance checks with the substance of the Privacy Shield’s principles “remain concerning”. Other areas requiring further attention include: the application of the Privacy Shield requirements on onward transfers; HR data and processors; and the recertification process. As for the collection of data by public authorities, the EDPB encouraged the US to issue and publish further reports to provide an independent assessment of surveillance programmes conducted outside the US while data are being transferred from the EU to the US. The EDPB could not conclude that the US Ombudsperson was vested with sufficient powers to access information and remedy non-compliance; and
  • Guidelines on Data Protection by Design and Default: the EDPB adopted Guidelines on Data Protection by Design and Default, focusing on the obligations in Article 25 GDPR. The effective implementation of data protection principles and data subjects’ rights and freedoms by design and by default requires controllers to implement appropriate technical and organisational measures and the necessary safeguards to comply with data protection principles in an effective manner and to protect the rights and freedoms of data subjects. In addition, controllers must be able to demonstrate that the implemented measures are effective. The Guidelines will be submitted for public consultation.
