EDPB News
<?xml version="1.0" encoding="utf-8"?> <rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.edpb.europa.eu/edpb_en"> <channel> <title>EDPB News</title> <link>https://www.edpb.europa.eu/edpb_en</link> <description/> <language>en</language> <item> <title>EDPB publishes CSC biannual report</title> <link>https://www.edpb.europa.eu/news/news/2025/edpb-publishes-csc-biannual-report_en</link> <description><![CDATA[<p>Brussels, 13 February - The EDPB published the <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/csc-biannual-reports/coordinated-supervision-committee-report-0_en" target="_blank"><strong>Coordinated Supervision Committee's (CSC) biannual activity report (July 2022 - December 2024)</strong></a>.</p> <p>Over the last two years, the CSC worked on the integration of the large-scale EU information technology (IT) systems within its scope. During the reporting period, it took over the supervision of the upgraded Schengen Information System (SIS) and the Visa Information System (VIS).</p> <p>In addition, the Committee prepared for the arrival of new systems and for the implementation of interoperability regulations.</p> <p>The Committee has also published a <a href="https://www.edpb.europa.eu/system/files/2024-04/recommendations-on-imi-transparency-obligations_en.pdf" target="_blank">set of recommendations on the Internal Market Information System (IMI) transparency obligations for data controllers</a>.</p> <p>In addition, in July 2023, the CSC published <a href="https://www.edpb.europa.eu/system/files/2023-09/20230725_europol_guide_for_exercising_the_rights_draft_version_sec_fv.pdf" target="_blank">‘Europol’s information systems - a guide for exercising data subjects’ rights: the right of access, rectification, erasure and restriction’</a>.</p> <p>Following the <a href="https://www.edps.europa.eu/system/files/2023-09/23-09-06_executive-summary-europol-inspection-report_en.pdf" target="_blank">2022 Audit Report</a> of 
the EDPS on Europol’s processing of personal data of minors under 15 years old, provided to Europol by third countries and international organisations and marked as suspects, the CSC undertook a coordinated activity to analyse the input from several Member States.</p> <p>During the past two years, the Committee also promoted dialogue and engagement with stakeholders, particularly with civil society.</p> <p> </p> <h3>CSC’s future work</h3> <p>Looking forward to the coming years, the CSC is ready to welcome more EU IT systems and EU bodies, offices or agencies within its scope. As the range of the CSC’s activities continues to expand, the Committee will keep its organisation and operation under constant review to ensure an effective and efficient supervision.</p> <p>In addition, the CSC will continue to assist national data protection authorities (DPAs) in their work, by providing further clarification on the interpretation of EU and national laws. The Committee will also foster the exchange of information and best practices, and provide support for joint audits and coordinated inspections.</p> <p>Taking advantage of its unique framework and broad perspective, the CSC will ensure the proper monitoring of multiple data flows among systems, transversal interactions and sharing of information between EU agencies and bodies. To this end, and to guarantee a high level of data protection, the Committee will keep developing coordinated supervisory activities.</p> <p> </p> <h3>Background</h3> <p>The CSC is a group of DPAs, which together ensure coordinated supervision of large scale IT systems, and of EU bodies, offices and agencies falling under its scope.</p> <p>The CSC enjoys an autonomous functioning and positioning and it adopts its own rules of procedure and working methods. 
The Committee was established within the framework of the EDPB.<br> </p> ]]></description> <pubDate>Thu, 13 Feb 2025 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">9f81eac0-88f0-4bce-9311-5126f876c820</guid> </item> <item> <title>EDPB adopts statement on age assurance, creates a task force on AI enforcement and gives recommendations to WADA</title> <link>https://www.edpb.europa.eu/news/news/2025/edpb-adopts-statement-age-assurance-creates-task-force-ai-enforcement-and-gives_en</link> <description><![CDATA[<p>Brussels, 12 February - During its February 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/other/statement-12025-age-assurance_en" target="_blank">statement on age assurance</a> and decided to create a taskforce on AI enforcement. In addition, the Board also adopted recommendations on the 2027 World Anti-Doping Agency (WADA) World Anti-Doping Code.</p> <p>In a statement on age assurance, the EDPB lists ten principles for the compliant processing of personal data when determining the age or age range of an individual. The statement aims to ensure a consistent European approach to age assurance, to protect minors while complying with data protection principles. </p> <blockquote><p><strong>EDPB Chair Anu Talus said:</strong> “Age assurance is essential to ensure that children do not access content that is not appropriate for their age. At the same time, the method to verify age must be the least intrusive possible and the personal data of children must be protected. 
The principles put forward by the EDPB will help the industry to assess an individual’s age in a way that is compliant with data protection principles, while protecting children’s wellbeing.”</p> </blockquote> <p>The EDPB is also cooperating with the European Commission on age verification in the context of the Digital Services Act (DSA) working group.</p> <p>During the plenary, the Board also decided to extend the scope of the ChatGPT task force to AI enforcement. In addition, the EDPB members underlined the need to coordinate DPAs' actions regarding urgent sensitive matters and for that purpose will set up a quick response team. </p> <blockquote><p><strong>EDPB Chair Anu Talus said: </strong>“The GDPR is a legal framework that promotes responsible innovation. The GDPR has been designed to maintain high data protection standards while fully leveraging the potential of innovation, such as AI, to benefit our economy. The EDPB’s task force on AI enforcement and the future quick response team will play a crucial role in ensuring this balance, coordinating the DPAs' actions and supporting them in navigating the complexities of AI while upholding strong data protection principles.”</p> </blockquote> <p>During the plenary, the EDPB also adopted recommendations on the 2027 WADA World Anti-Doping Code. When processing personal data for anti-doping purposes, it is essential to respect and safeguard the personal data of athletes. In many cases, this will involve the processing of sensitive personal data, such as health data derived from biological samples.</p> <p>The EDPB’s main objective is to assess the compatibility of the WADA Anti-doping Code and International Standard for Data Protection (ISDP) with the GDPR. The Anti-doping Code and Standards should hold the National Anti-Doping Organisations (NADOS) subject to a standard equivalent to that of the GDPR when processing personal data for anti-doping purposes. 
<br>The EDPB’s recommendations address key principles of data protection, such as the need for an appropriate legal basis for the processing of personal data and purpose limitation. The recommendations also address the fact that individuals need to be fully informed about the processing of their personal data and be able to exercise their rights effectively.</p> <p> </p> <p>Note to editors:<br>The recommendations on the 2027 World Anti-Doping Agency (WADA) World Anti-Doping Code, adopted during the EDPB Plenary, are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once the process has been completed.<br> </p> ]]></description> <pubDate>Wed, 12 Feb 2025 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">d3b04e8c-1807-45b9-9b42-6c2cc1ee0a72</guid> </item> <item> <title>Stay in control of your personal data. Happy Data Protection day 2025!</title> <link>https://www.edpb.europa.eu/news/news/2025/stay-control-your-personal-data-happy-data-protection-day-2025_en</link> <description><![CDATA[<p>If someone asked you to answer 100 questions about your personal life to sell the answers, would you agree? Most likely not.</p> <p>It can be difficult to stay in control of your personal data and to keep it safe. From online shopping and browsing to social media, with every click, share and login you leave behind a digital trail. The GDPR ensures that your data can only be used in ways you agree to and that you can access any information about yourself.</p> <p>But do people actually know how to protect their data? 
<br>We asked passers-by on the streets of Brussels.</p> <p><strong>Happy Data Protection Day!</strong></p> ]]></description> <pubDate>Tue, 28 Jan 2025 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">e7f23ef5-2782-485f-a52d-9a7c3bee8ee9</guid> </item> <item> <title>CEF 2024: EDPB identifies challenges to the full implementation of the right of access</title> <link>https://www.edpb.europa.eu/news/news/2025/cef-2024-edpb-identifies-challenges-full-implementation-right-access_en</link> <description><![CDATA[<p>Brussels, 20 January - The European Data Protection Board (EDPB) has adopted a <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/other/coordinated-enforcement-action-implementation-right-access_en" target="_blank">report on the implementation of the right of access by controllers</a>. The report summarises the outcome of a series of coordinated national actions carried out in 2024 under the Coordinated Enforcement Framework (CEF). It lists the issues that were observed for some controllers, along with a series of recommendations to help them implement the right of access. A central element is controllers’ awareness of the <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en" target="_blank">EDPB Guidelines 01/2022 on data subjects rights – Right of access</a> and whether these guidelines were followed in practice.</p> <blockquote><p><strong>EDPB Deputy Chair Zdravko Vukíc said: </strong>“The CEF is a valuable initiative that helps strengthen the cooperation among Data Protection Authorities (DPAs): by tackling selected topics in a coordinated fashion, they achieve greater efficiency and more consistency. 
How controllers implement the right of access lies at the heart of data protection and it is one of the most frequently exercised data subject rights.”</p> </blockquote> <p>Throughout 2024, 30 DPAs across Europe launched coordinated investigations into the compliance of controllers with the right of access, by opening formal investigations, assessing whether a formal investigation was warranted and/or carrying out fact-finding exercises. A total of 1,185 controllers, consisting of small and medium-sized enterprises (SMEs) and big companies active in different industries and fields, as well as various types of public entities, responded to the action.</p> <h4><strong>Areas of improvement and main challenges</strong></h4> <p>The results suggest that more <strong>awareness raising about Guidelines 01/2022 is necessary</strong>, both at national and EU level, as the guidelines help controllers implement the right of access, explain how exercising this right can be made easier, and list the exceptions and limitations of the right to access.</p> <p>As a result of the 2024 CEF action, <strong>seven challenges</strong> were identified. One of them is the lack of documented internal procedures to handle access requests. In addition, inconsistent and excessive interpretations of the limits to the right of access were also observed, such as overly relying on certain exceptions to automatically refuse access requests. Another example is the barriers that individuals could encounter when exercising their right of access, such as formal requirements or being requested to provide excessive identification documents. For each challenge identified, the report provides a list of non-binding recommendations to be taken into account by controllers and DPAs.</p> <h4><br>Positive findings</h4> <p>Despite the existing challenges, two thirds of participating DPAs evaluated the level of compliance of responding controllers with respect to the right of access from ‘average’ to ‘high’. 
One important factor identified as having an impact on the level of compliance was the volume of access requests received by controllers, as well as the size of the organisation. More specifically, large-sized controllers or controllers receiving more requests were more likely to reach a higher level of compliance than small organisations with fewer resources.</p> <p>Positive findings were observed across Europe. These include the implementation of best practices by controllers, such as user-friendly online forms enabling individuals to submit an access request easily as well as self-service systems to allow individuals to autonomously download their personal data in a few clicks and at any time.</p> <h4><br>Background and next steps</h4> <p>The CEF is a key action of the EDPB under its 2024-2027 Strategy, aimed at streamlining enforcement and cooperation among DPAs. <br>In the past three years, two previous CEF actions were carried out.</p> <p>The results of these national actions are aggregated and analysed together to generate deeper insight into the topic and allow for targeted follow-up at both national and EU level.</p> <p>In 2023, the EDPB published the report on its first coordinated action on the <a href="https://edpb.europa.eu/our-work-tools/our-documents/other/coordinated-enforcement-action-use-cloud-based-services-public_en" target="_blank">use of cloud-based services by the public sector</a>.<br>In 2024, the EDPB also published the report on the outcome of the second coordinated action on the <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/other/coordinated-enforcement-action-designation-and-position-data_en" target="_blank">designation and position of Data Protection Officers</a>.</p> <p>The CEF 2025 action will be on the <a href="https://www.edpb.europa.eu/news/news/2024/cef-2025-edpb-selects-topic-next-years-coordinated-action_en" target="_blank">implementation of the right to erasure</a>.<br> </p> <p><strong>For further 
information:</strong></p> <ul> <li>AT DPA: <a href="https://dsb.gv.at/aktuelles/schwerpunktpruefung-2024:-datenschutzbehoerde-zieht-positive-bilanz-fuer-den-telekomsektor" target="_blank">Schwerpunktprüfung 2024: Datenschutzbehörde zieht positive Bilanz für den Telekomsektor</a></li> <li>CS DPA: <a href="https://uoou.gov.cz/novinky/vse/edpb-prijal-zaverecnou-zpravu-ke-spolecne-kontrolni-akci-cef-2024" target="_blank">EDPB přijal závěrečnou zprávu ke společné kontrolní akci CEF 2024</a></li> <li>DA DPA:<strong> </strong><a href="https://www.datatilsynet.dk/internationalt/internationalt-nyt/2025/jan/edpb-vedtager-rapport-om-dataansvarliges-overholdelse-af-indsigtsretten" target="_blank">DPB vedtager rapport om dataansvarliges overholdelse af indsigtsretten</a></li> <li>DE DPA (Brandenburg): <a href="https://www.lda.brandenburg.de/lda/de/service/presseinformationen/details-presse/~22-01-2025-europaweite-pruefaktion-zur-umsetzung-des-auskunftsrechts" target="_blank">Brandenburgische Datenschutzbeauftragte beteiligte sich an europaweiter Prüfaktion zur Umsetzung des Auskunftsrechts</a></li> <li>DE DPAs (DSK): <a href="https://datenschutzkonferenz-online.de/media/pm/20250122-DSK-PM-CEF-Bericht.pdf" target="_blank">Pressemitteilung der Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder vom 22. 
Januar 2025</a></li> <li>EDPS: <a href="https://www.edps.europa.eu/press-publications/press-news/press-releases/2025/coordinated-enforcement-action-edps-findings-highlight-challenges-right-access-personal-data_en" target="_blank">Coordinated Enforcement Action: EDPS findings highlight challenges on right of access to personal data</a></li> <li>EL DPA: <a href="https://www.dpa.gr/index.php/el/enimerwtiko/deltia/ylopoiisi-tis-3is-syntonismenis-drasis-toy-eyropaikoy-symboylioy-prostasias" target="_blank">Υλοποίηση της 3ης συντονισμένης δράσης του Ευρωπαϊκού Συμβουλίου Προστασίας Δεδομένων για το δικαίωμα πρόσβασης</a></li> <li>ES DPA: <a href="https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/resultados-de-la-accion-europea-que-ha-analizado-la-atencion" target="_blank">Resultados de la acción europea que ha analizado la atención del ejercicio del derecho de acceso por parte de los responsables</a> </li> <li>FI DPA: <a href="https://tietosuoja.fi/-/raportti-omien-henkilotietojen-tarkastusoikeutta-koskevasta-selvityksesta-on-julkaistu-taydensimme-ohjeistusta-verkkosivuillamme" target="_blank">Raportti omien henkilötietojen tarkastusoikeutta koskevasta selvityksestä on julkaistu – täydensimme ohjeistusta verkkosivuillamme</a> </li> <li>FR DPA: <a href="https://www.cnil.fr/fr/droit-dacces-bilan-des-controles-de-la-cnil-dans-le-cadre-dune-action-coordonnee-europeenne" target="_blank">Droit d’accès : bilan des contrôles de la CNIL dans le cadre d’une action coordonnée européenne</a></li> <li>HU DPA: <a href="https://naih.hu/hirek/728-kozlemeny-az-europai-adatvedelmi-testulet-altal-a-2024-evre-prioritaskent-meghatarozott-a-hozzaferesi-jog-ervenyesitesere-fokuszalo-osszehangolt-intezkedes-eredmenyerol" target="_blank">Közlemény az Európai Adatvédelmi Testület által a 2024. 
évre prioritásként meghatározott, a hozzáférési jog érvényesítésére fókuszáló összehangolt intézkedés eredményéről</a> </li> <li>IE DPA: <a href="https://www.dataprotection.ie/en/news-media/latest-news/dpc-welcomes-publication-european-data-protection-boards-report-implementation-right-access">DPC welcomes publication of the European Data Protection Board’s report on the implementation of the right of access by controllers </a>and <a href="https://www.dataprotection.ie/en/news-media/latest-news/dpc-national-report-findings-under-coordinated-enforcement-framework-2024" target="_blank">DPC national report findings under the Coordinated Enforcement Framework for 2024</a></li> <li>LU DPA: <a href="https://cnpd.public.lu/fr/actualites/international/2025/01/droit-acces-cef.html" target="_blank">Le droit d’accès en pratique : observations et recommandations du cadre d’action coordonnée européen</a> (FR), <a href="https://cnpd.public.lu/en/actualites/international/2025/01/droit-acces-cef.html" target="_blank">The right of access in practice: observations and recommendations from the European Coordinated Enforcement Framework</a> (EN), <a href="https://cnpd.public.lu/de/actualites/international/2025/01/droit-acces-cef.html" target="_blank">Das Auskunftsrecht in der Praxis: Beobachtungen und Empfehlungen des koordinierten Durchsetzungsrahmen (CEF)</a> (DE)</li> <li>MT DPA: <a href="https://idpc.org.mt/idpc-publications/cef-2024-idpc-report-on-coordinated-enforcement-action-2024-on-right-of-access/" target="_blank">CEF 2024: IDPC Report on Coordinated Enforcement Action 2024 on Right of Access</a></li> <li>SI DPA: <a href="https://www.ip-rs.si/novice/ali-ustrezno-obravnavate-zahteve-za-dostop-do-lastnih-osebnih-podatkov-poro%C4%8Dilo-usklajene-akcije-eovp-1737548916" target="_blank">Ali ustrezno obravnavate zahteve za dostop do lastnih osebnih podatkov? 
Poročilo usklajene akcije EOVP</a></li> <li>PT DPA: <a href="https://www.cnpd.pt/comunicacao-publica/noticias/comite-europeu-emite-recomendacoes-para-simplificar-o-direito-de-acesso-aos-dados/" target="_blank">Comité Europeu emite recomendações para simplificar o direito de acesso aos dados</a></li> </ul> ]]></description> <pubDate>Mon, 20 Jan 2025 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">ea516c8f-51fc-4149-a4f5-803d6d3b03f4</guid> </item> <item> <title>EDPB adopts pseudonymisation guidelines and paves the way to improve cooperation with competition authorities </title> <link>https://www.edpb.europa.eu/news/news/2025/edpb-adopts-pseudonymisation-guidelines-and-paves-way-improve-cooperation_en</link> <description><![CDATA[<p>Brussels, 17 January - During its January 2025 plenary meeting, the European Data Protection Board (EDPB) has adopted <a href="https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en" target="_blank">guidelines on pseudonymisation</a>, as well as a <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/other-guidance/position-paper-interplay-between-data-protection-and_en" target="_blank">statement on the interplay of competition law and data protection</a>.<br><br><strong>EDPB clarifies the use of pseudonymisation for GDPR compliance</strong><br><br>The GDPR introduces the term ‘pseudonymisation’* and refers to it as a safeguard that may be appropriate and effective to meet data protection obligations. In its guidelines, the EDPB clarifies the definition and applicability of pseudonymisation and pseudonymised data, and the advantages of pseudonymisation.<br><br>The guidelines provide two important legal clarifications:</p> <ol> <li>Pseudonymised data, which could be attributed to an individual by the use of additional information, remains information related to an identifiable natural person and is therefore still personal data. 
Indeed, if the data can be linked back to an individual by the data controller or someone else, it remains personal data.<br> </li> <li>Pseudonymisation can reduce risks and make it easier to use legitimate interests as a legal basis (Art. 6(1)(f) GDPR), as long as all other GDPR requirements are met. Likewise, pseudonymisation can aid in securing compatibility with the original purpose (Art. 6(4) GDPR).</li> </ol> <p>The guidelines also explain how pseudonymisation can help organisations meet their obligations relating to the implementation of data protection principles (Art. 5 GDPR), data protection by design and default (Art. 25 GDPR) and security (Art. 32 GDPR).<br><br>Finally, the guidelines analyse technical measures and safeguards, when using pseudonymisation, to ensure confidentiality and prevent unauthorised identification of individuals.<br><br>The guidelines will be subject to public consultation until 28 February 2025, providing stakeholders with the opportunity to comment and allowing for the incorporation of future developments in case law.<br><br><strong>Interplay between data protection law and competition law: the EDPB’s take on how to improve cooperation between regulators</strong><br><br>During the plenary meeting, the EDPB also adopted a position paper on the interplay between data protection law and competition law.<br><br>The CJEU Meta vs. Bundeskartellamt ruling of 4 July 2023 clearly indicated that data protection and competition authorities are required to work together, in some cases, to achieve effective and coordinated enforcement of data protection and competition law. While these are separate areas of law pursuing different goals in different frameworks, they may in some cases apply to the same entities. It is therefore important to assess situations where the laws may intersect.<br><br>In this position paper, the EDPB explains how data protection and competition law interact. 
It suggests steps for incorporating market and competition factors into data protection practices and for data protection rules to be considered in competition assessments. It also provides recommendations for improving cooperation between regulators. For example: authorities should consider creating a single point of contact to manage coordination with other regulators.</p> <blockquote><p><strong>EDPB Deputy Chair Zdravko Vukíc said:</strong> “As business models evolve, the need to protect personal data is becoming increasingly central. The EDPB promotes coherence among separate but interacting areas of regulation, to ensure the best possible protection of individuals. To this end, we will continue to work together with Competition Authorities to strengthen the ability of Data Protection Authorities (DPAs) to take into account the economic context, and the ability of Competition Authorities to incorporate data protection considerations in their assessments and decisions.”</p> </blockquote> <p> </p> <p><em>Note to editors:</em><br><br>* ‘Pseudonymisation’ is defined in Art. 
4 (5) GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”</p> ]]></description> <pubDate>Fri, 17 Jan 2025 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">e80e1f1c-860b-4aca-8360-0f1e750ccc2f</guid> </item> <item> <title>EDPB opinion on AI models: GDPR principles support responsible AI</title> <link>https://www.edpb.europa.eu/news/news/2024/edpb-opinion-ai-models-gdpr-principles-support-responsible-ai_en</link> <description><![CDATA[<p>Brussels, 18 December - The European Data Protection Board (EDPB) has adopted an <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-282024-certain-data-protection-aspects_en" target="_blank">opinion* on the use of personal data for the development and deployment of AI models</a>. This opinion looks at 1) when and how AI models can be considered anonymous, 2) whether and how legitimate interest can be used as a legal basis for developing or using AI models, and 3) what happens if an AI model is developed using personal data that was processed unlawfully. It also considers the use of first and third party data.<br><br>The opinion was requested by the Irish Data Protection Authority (DPA) with a view to seeking Europe-wide regulatory harmonisation. To gather input for this opinion, which deals with fast-moving technologies that have an important impact on society, the EDPB organised a stakeholders’ event and had an exchange with the EU AI Office.</p> <blockquote><p><strong>EDPB Chair Talus said:</strong> “AI technologies may bring many opportunities and benefits to different industries and areas of life. 
We need to ensure these innovations are done ethically, safely, and in a way that benefits everyone. The EDPB wants to support responsible AI innovation by ensuring personal data are protected and in full respect of the General Data Protection Regulation (GDPR).”</p> </blockquote> <p>Regarding <strong>anonymity</strong>, the opinion says that whether an AI model is anonymous should be assessed on a case by case basis by the DPAs. For a model to be anonymous, it should be very unlikely (1) to directly or indirectly identify individuals whose data was used to create the model, and (2) to extract such personal data from the model through queries. The opinion provides a non-prescriptive and non-exhaustive list of methods to demonstrate anonymity.</p> <p>With respect to <strong>legitimate interest</strong>, the opinion provides general considerations that DPAs should take into account when they assess if legitimate interest is an appropriate legal basis for processing personal data for the development and the deployment of AI models.</p> <p>A <a href="https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-12024-processing-personal-data-based_en">three-step test</a> helps assess the use of legitimate interest as a legal basis. The EDPB gives the examples of a conversational agent to assist users, and the use of AI to improve cybersecurity. These services can be beneficial for individuals and can rely on legitimate interest as a legal basis, but only if the processing is shown to be strictly necessary and the balancing of rights is respected.</p> <p>The opinion also includes a number of criteria to help DPAs assess if individuals may reasonably expect certain uses of their personal data. 
These criteria include: whether or not the personal data was publicly available, the nature of the relationship between the individual and the controller, the nature of the service, the context in which the personal data was collected, the source from which the data was collected, the potential further uses of the model, and whether individuals are actually aware that their personal data is online.</p> <p>If the balancing test shows that the processing should not take place because of the negative impact on individuals, mitigating measures may limit this negative impact. The opinion includes a non-exhaustive list of examples of such mitigating measures, which can be technical in nature, or make it easier for individuals to exercise their rights or increase transparency.</p> <p>Finally, when an AI model was developed with <strong>unlawfully processed personal data,</strong> this could have an impact on the lawfulness of its deployment, unless the model has been duly anonymised.</p> <p>Considering the scope of the request from the Irish DPA, the vast diversity of AI models and their rapid evolution, the opinion aims to give guidance on various elements that can be used for conducting a case by case analysis.</p> <p>In addition, the EDPB is currently developing guidelines covering more specific questions, such as web scraping.</p> <p><br><em>Note to editors:</em><br><em>*An Article 64(2) opinion addresses a matter of general application or produces effects in more than one Member State.</em></p> ]]></description> <pubDate>Wed, 18 Dec 2024 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">1907f05d-10c3-4456-8465-3824d087c6ab</guid> </item> <item> <title>EDPB calls for coherence of digital legislation with the GDPR</title> <link>https://www.edpb.europa.eu/news/news/2024/edpb-calls-coherence-digital-legislation-gdpr_en</link> <description><![CDATA[<p>Brussels, 04 December - During its December 2024 plenary, the European Data Protection 
Board (EDPB) adopted <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/statements/statement-62024-second-report-application-general-data_en" target="_blank">a statement on the second report of the European Commission on the application of the General Data Protection Regulation (GDPR)</a>.*</p> <p>In its statement, the EDPB welcomes the reports from the European Commission and the Fundamental Rights Agency**. Importantly, the EDPB underlines the importance of legal certainty and coherence of digital legislation with the GDPR, and recalls some of its ongoing initiatives to clarify the enforcement interplay of the GDPR with the AI Act, the EU Data Strategy and the Digital Services Package.</p> <p>In addition, the EDPB announces it will step up the production of content for non-experts, small and medium-sized enterprises (SMEs) and other groups.</p> <p>Finally, the Board highlights the genuine need for additional financial and human resources to help DPAs and the EDPB deal with increasingly complex challenges and additional competences.</p> <p><br><em>Note to editors</em></p> <p>* In July 2024, the European Commission published its second report on the application of the GDPR, adopted under Art. 97 GDPR.</p> <p>** In June 2024, the Fundamental Rights Agency (FRA) published a report on the experiences of DPAs when implementing the GDPR. 
The findings of this report complement the European Commission's evaluation of the GDPR.<br> </p> ]]></description> <pubDate>Wed, 04 Dec 2024 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">4be578a3-3a14-4691-99ad-5a5b3c73fe9f</guid> </item> <item> <title>EDPB clarifies rules for data sharing with third country authorities and approves EU Data Protection Seal certification</title> <link>https://www.edpb.europa.eu/news/news/2024/edpb-clarifies-rules-data-sharing-third-country-authorities-and-approves-eu-data_en</link> <description><![CDATA[<p>Brussels, 03 December - During its latest plenary, the European Data Protection Board (EDPB) published <a href="https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-022024-article-48-gdpr_en" target="_blank">guidelines on Art.48 GDPR</a> about data transfers to third country authorities and approved a new European Data Protection Seal.</p> <h4>EDPB helps organisations assess data transfer requests by third country authorities</h4> <p>In a highly interconnected world, organisations receive requests from public authorities in other countries to share personal data. The sharing of data can, for instance, be of help to collect evidence in the case of crime, to check financial transactions or approve new medications.</p> <p>When a European organisation receives a request for a transfer of data from a ‘third country’ (i.e. non-European countries) authority, it must comply with the General Data Protection Regulation (GDPR). In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to such requests. 
In this way, the guidelines help organisations to make a decision on whether they can lawfully transfer personal data to third country authorities when asked to do so.</p> <p>Judgements or decisions from third country authorities cannot automatically be recognised or enforced in Europe. If an organisation replies to a request for personal data from a third country authority, this data flow constitutes a transfer and the GDPR applies. An international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case-by-case basis.*</p> <p><strong>The guidelines are subject to </strong><a href="https://www.edpb.europa.eu/our-work-tools/general-guidance/public-consultations-our-guidance_en" target="_blank"><strong>public consultation</strong></a><strong> until 27 January 2025.</strong></p> <h4>Approval of EU Data Protection Seal</h4> <p>During the plenary meeting, the Board also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors. In September 2023, the Board already adopted an opinion on the approval of the Brand Compliance national certification criteria, making them officially recognised certification criteria in the Netherlands for data processing by organisations. The approval of the new opinion means that these criteria will now be applicable across Europe and as a European Data Protection Seal.</p> <p>GDPR certification helps organisations demonstrate their compliance with data protection law. 
This transparency helps people trust the product, service, process or system for which organisations process their personal data.</p> <p> </p> <p><em>Note to editors:</em></p> <p>* The transfer must comply with Art.6 GDPR and the provisions of Chapter V.</p> <p>An international agreement may provide for both a legal basis under Art. 6(1) (c) or 6(1) (e) GDPR and a ground for transfer under Art. 46(2) (a) GDPR.</p> ]]></description> <pubDate>Tue, 03 Dec 2024 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">a6084bf6-90dd-4ec0-82fa-bb298292090f</guid> </item> <item> <title>EDPB adopts its first report under the EU-U.S. Data Privacy Framework and a statement on the recommendations on access to data for law enforcement</title> <link>https://www.edpb.europa.eu/news/news/2024/edpb-adopts-its-first-report-under-eu-us-data-privacy-framework-and-statement_en</link> <description><![CDATA[<p>Brussels, 05 November - During its latest plenary, the European Data Protection Board (EDPB) adopted a <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/other/edpb-report-first-review-european-commission-implementing_en">report on the first review<sup>1</sup> of EU-U.S. Data Privacy Framework (DPF)</a>, as well as a <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/statements/statement-52024-recommendations-high-level-group-access_en" target="_blank">statement on the recommendations of the high-level group (HLG)<sup>2</sup> on access to data for effective law enforcement</a>.</p> <p>The EDPB welcomes the efforts by the U.S. authorities and the European Commission to implement the DPF, and takes note of several developments that took place since the adoption of the adequacy decision in July 2023.</p> <p>Regarding commercial aspects, i.e. 
the application and enforcement of requirements applying to companies self-certified under this framework, the EDPB notes that the U.S. Department of Commerce took all relevant steps to implement the certification process. This includes developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities.</p> <p>In addition, the redress mechanism for EU individuals has been implemented and there is comprehensive complaint-handling guidance published on both sides of the Atlantic. However, the low number of complaints received so far under the DPF highlights the importance of having U.S. authorities initiate monitoring activities concerning compliance of DPF-certified companies with the substantive DPF Principles.</p> <p>The EDPB encourages the development of guidance by U.S. authorities, clarifying the requirements that DPF-certified companies would need to comply with when they transfer personal data that they have received from EU exporters. Guidance by U.S. authorities on human resources data would also be welcome. The EDPB expresses its availability to provide feedback on these guidance documents.</p> <p>Concerning the access by U.S. public authorities to personal data transferred from the EU to certified organisations, the EDPB focused on the effective implementation of the safeguards introduced by the Executive Order 14086 in the U.S. legal framework, such as the necessity and proportionality principles and the new redress mechanism. The Board considers that the elements of the redress mechanism are in place; at the same time, it renews the call to the European Commission to monitor the practical functioning of the different safeguards, e.g. the implementation of the principles of necessity and proportionality. The EDPB also recommends that the Commission monitors future developments related to the U.S. 
Foreign Intelligence Surveillance Act, in particular given the extended reach of Section 702 after its re-authorisation by the U.S. Congress earlier this year.</p> <blockquote><p>EDPB Deputy Chair Zdravko Vukić said: “We are pleased that progress has been made since the adoption of the adequacy decision thanks to the fruitful cooperation between U.S. authorities, the EU Commission and the EDPB. At the same time, there is still space for improvement and we should continue working together to maintain a high level of data protection and safeguard the rights and freedoms of EU individuals.”</p> </blockquote> <p>Finally, the Board recommends that the next review of the EU-U.S. adequacy decision should take place within three years or less.</p> <p>The statement on the recommendations of the HLG on access to data for effective law enforcement underlines that fundamental rights must be safeguarded when law enforcement agencies access the personal data of individuals. While the EDPB supports the aim of effective law enforcement, it points out that some of the HLG’s recommendations could cause serious intrusiveness vis-à-vis fundamental rights, in particular the respect for privacy and family life.</p> <p>While the EDPB positively notes the recommendation may lead to the establishment of a level playing field on data retention, it considers that a broad and general obligation to retain data in electronic form by all service providers would create a significant interference with the rights of individuals. Therefore, the EDPB questions whether this would meet the requirements of necessity and proportionality of the Charter of Fundamental Rights of the EU and the CJEU jurisprudence. </p> <p>In its statement, the EDPB also emphasizes that the recommendations concerning encryption should not prevent its use or weaken the effectivity of the protection it provides. 
For example, the introduction of a client-side process allowing remote access to data before it is encrypted and sent on a communication channel, or after it is decrypted at the recipient, would in practice weaken encryption. Preserving the protection and effectivity of encryption is important to avoid that the respect for private life and confidentiality is negatively impacted and to ensure that the freedom of expression and economic growth, which depend on trustworthy technologies, are safeguarded. </p> <p> </p> <p><em>Note to editors</em></p> <p><sup>1</sup> In line with art. 3 of EU-U.S. adequacy decision, the EU Commission is required to review the adequacy decision one year after its adoption. The review meeting was held in Washington D.C. on 18-19 July 2024 and the EU Commission was accompanied by five representatives of the EDPB.</p> <p><sup>2</sup> The HLG was launched by the European Commission in June 2023 and it is co-chaired by the EU Commission and the rotating Presidency of the Council. It was launched with the aim to explore challenges for law enforcement practitioners in connection to access to data and propose solutions and recommendations.</p> <p>In June 2024, the HLG published 42 recommendations for the further development of EU policies and legislation, structured as “capacity building measures”, “cooperation with industry and standardisation” and “legislative measures”. 
The recommendations cover in particular encryption, cooperation with the industry as well as between law enforcement agencies, and the need for harmonised rules on data retention.<br> </p> ]]></description> <pubDate>Tue, 05 Nov 2024 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">c9f8f7ea-b6b1-420f-8c51-2f608219a3ec</guid> </item> <item> <title>EDPB stakeholder event AI models</title> <link>https://www.edpb.europa.eu/news/news/2024/edpb-stakeholder-event-ai-models_en</link> <description><![CDATA[<p class="MsoNormal">The EDPB is holding a stakeholder event on “AI models” with participants representing European sector associations, organisations, NGOs, individual companies, law firms and academics. </p> <p class="MsoNormal"> </p> <p class="MsoNormal">During today’s event, the EDPB will collect input for the preparation of a consistency opinion on AI models, requested by the Irish Data Protection Authority under Art. 64 (2) GDPR.</p> <p class="MsoNormal"> </p> <p class="MsoNormal">EDPB Chair Anu Talus said: “During the stakeholder event we will tackle a number of targeted questions, which will feed our reflection in the context of the preparation of our Opinion on AI models. Stakeholder input is especially valuable for these fast-moving technologies with an exceptional societal impact.”</p> <p class="MsoNormal"> </p> <p class="MsoNormal">The EDPB's opinion on “AI models” is due by the end of 2024.</p> <p class="MsoNormal"> </p> ]]></description> <pubDate>Tue, 05 Nov 2024 13:00:00 +0100</pubDate> <dc:creator>EDPB</dc:creator> <guid isPermaLink="false">df75b995-2810-491e-8c2e-8f1f7879a80f</guid> </item> </channel> </rss>