On November 11, 2020, the European Data Protection Board (“EDPB”) released two documents as a follow-up to the Court of Justice of the European Union’s (“CJEU”) notable July 2020 decision, known as Schrems II. These documents are intended to assist companies navigating the ever-evolving world of data transfers from the EU to third countries. The “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (the “Recommendations”) were adopted on November 10 and are open for public consultation until November 30. They provide data exporters, or the parties sending personal data out of the EU to third countries, with a set of steps to take in order to help with the “complex task of assessing third countries and identifying appropriate supplementary measures where needed.” The other document, entitled “Recommendations 02/2020 on the European Essential Guarantees for surveillance measures” (“EU Essential Guarantees”) and providing further information for the assessment of third countries, was adopted outright.
On 20 October 2020, the European Data Protection Board (EDPB) met for its 40th plenary session. During the session, the EDPB adopted final guidelines on Data Protection by Design and by Default (DPbDD) (available here) (the guidelines). See our blog post on the draft DPbDD guidelines, available here.
The European Data Protection Board (“EDPB”) has just issued a consultation which aims to clarify and establish a common understanding of the terms “relevant and reasoned” under the General Data Protection Regulation (“GDPR”). Under the cooperation mechanism set out by the GDPR, the supervisory authorities (“SAs”) must ensure that relevant information is exchanged with each other in order to reach consensus.
Key point: Entities that use Article 28 data processing agreements should closely review the EDPB’s draft guidelines and modify their data processing agreements as necessary.
In September, the European Data Protection Board (EDPB) adopted Guidelines 7/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines, which are open for public consultation until October 19, 2020, address three topics – the distinctions between controllers and processors, the relationship between controllers and processors, and the consequences of joint controllership.
The EDPB Guidelines on Data Protection by Design and by Default are now available on the EDPB website: https://europa.eu/!gT88BJ. The public consultation will be open until 16 January 2020.