The EDPB held its 43^rd plenary session on 15 December 2020 during which:

• the EDPB adopted its Strategy 2021-2023, which sets out its strategic objectives, grouped around four pillars:
  • advancing harmonisation and facilitating compliance;
  • supporting effective enforcement and efficient cooperation between national supervisory authorities;
  • a fundamental rights approach to new technologies; and
  • the global dimension.
• the EDPB published a statement on the end of the Brexit transition period in which it describes the main implications for data controllers and processors; the EDPB underlined the issue of data transfers to a third country as well as the consequences in the area of regulatory oversight and the One-Stop-Shop (OSS) mechanism; the EDPB also adopted an information note on data transfers under the GDPR after the Brexit transition period ends;
• the EDPB adopted Guidelines on restrictions of data subject rights under Article 23 GDPR; the guidelines advise on the conditions surrounding the use of such restrictions in light of the Charter of Fundamental Rights and the GDPR; they provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Article 23; any restriction needs to respect the essence of the right that is being restricted and restrictions that are extensive and intrusive to the extent that they void the fundamental right to the protection of personal data of its basic content cannot be justified; the Guidelines also analyse how legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed in Article 23(1) and the obligations and rights which may be restricted; an explanation of the “necessity and proportionality” test that restrictions need to pass based on Article 23(1) is also provided; the Guidelines will be submitted for public consultation for a period of eight weeks until 12 February 2021;
• following public consultation, the EDPB adopted a final version of the Guidelines on the interplay of the Second Payment Services Directive (PSD2) and the GDPR; the guidelines aim to provide further guidance on the data protection aspects in the context of the PSD2, in particular on the relationship between relevant provisions in the GDPR and the PSD2; to address comments received during the public consultation a section on fraud prevention was included;
• following public consultation, the EDPB adopted a final version of the Guidelines on Articles 46(2)(a) and 46(3)(b) of the GDPR for transfers of personal data between EEA and non-EEA public authorities and bodies; these Articles cover transfers of personal data from EEA public authorities or bodies to public bodies in third countries, where these transfers are not covered by an adequacy decision; the final version of the Guidelines integrates updated wording, and legal reasoning in order to address comments and feedback received during the public consultation, as well as necessary changes following the Schrems II ruling; and
• the EDPB adopted a statement on the protection of personal data processed in relation with the prevention of the use of the financial system for the purposes of money laundering and terrorist financing.

To read the EDPB’s press release in full, click here.