European Data Protection Board holds its fifth plenary session and considers the EU-Japan draft adequacy decision, DPIAs and accreditation

On 4 and 5 December 2018, the European Data Protection Authorities, assembled in the EDPB, met for their fifth plenary session, during which a wide range of topics were discussed.

EU-Japan draft adequacy decision

The Board Members adopted an opinion on the EU-Japan draft adequacy decision, which the Board received from the European Commission in September 2018.

The EDPB’s key objective was to assess whether the Commission had ensured that sufficient guarantees were in place for an adequate level of data protection for individuals in the Japanese framework. The EDPB said that it did not expect the Japanese legal framework to replicate European data protection law. The EDPB welcomed the efforts made by the European Commission and the Japanese PPC to increase convergence between the two legal frameworks. The improvements brought in by the Supplementary Rules to bridge some of the differences were very important and well received.

However, following a careful analysis of the Commission’s draft adequacy decision as well as of the Japanese data protection framework, the EDPB said that a number of concerns remained, such as the protection of personal data transferred from the EU to Japan, throughout their whole life cycle. The EDPB recommended the European Commission address the requests for clarification made by the EDPB, provide further evidence and explanations regarding the issues raised and closely monitor their application.

Data Protection Impact Assessment lists

The EDPB adopted opinions on the Data Protection Impact Assessment (DPIA) lists, submitted to the Board by Denmark, Croatia, Luxembourg and Slovenia. These lists form an important tool for the consistent application of the GDPR across the EEA.

The EDPB said that the DPIA was a process to help identify and mitigate data protection risks that could affect the rights and freedoms of individuals. While in general the data controller needs to assess whether a DPIA is required before engaging in the processing activity, national supervisory authorities should establish a list of the kinds of processing operations that are subject to the requirement for a DPIA.

Guidelines on accreditation

The EDPB adopted a revised version of the WP29 guidelines on accreditation, including a new annex. The guidelines aim to provide guidance on how to interpret and implement the provisions of Article 43 of the GDPR. In particular, they aim to help Member States, supervisory authorities and national accreditation bodies establish a consistent and harmonised baseline for the accreditation of certification bodies that issue certification in accordance with the GDPR.

The new annex provides guidance on the additional requirements for the accreditation of certification bodies to be established by supervisory authorities. The EDPB said that the annex will now be subject to public consultation.