EDPB Plenary 6/Minutes


Adoption of the minutes and the agenda

Minutes of the 5th EDPB meeting

The minutes were adopted unanimously.

Draft agenda of the 6th EDPB meeting

The Chair of the Board informed the members that a new point on Brexit, i.e. point 2.1.A, had been added to the agenda at the request of two members of the EDPB.

Items 2.1, 2.1.A (NEW), 3.2.1, 3.2.1.1, 3.2.1.2, 3.3.2, 3.3.3 and 3.3.4 of the agenda were declared confidential according to Art. 33 EDPB RoP.

The Chair of the Board welcomed the new Commissioner of the DE (Fed) SA.

The Chair of the Board and the FR SA informed the members about the fine imposed by the French SA on Google.

Observers were present during the plenary meeting except for points 2.1, 3.2.1.1 and 3.2.1.2 of the agenda.

The updated draft agenda was adopted.

For discussion and/or adoption - current focus of the EDPB

Privacy Shield: Report on the second annual review - Discussion and adoption - [REDACTED]

In October 2018 the second annual joint review of the EU – U.S. Privacy Shield took place in Brussels. At the last plenaries the joint review team reported orally and in written form about the review.

The EDPB had agreed to provide its own separate report about the review in addition to one from the COM, as it was done after the first review last year.

The draft report consists of an executive summary, the conclusions on the commercial and government access aspects of the Privacy Shield as well as an annex on the factual findings of this year’s review. The factual findings were already communicated during the November plenary meeting. The analysis of the substantial parts has been discussed, respectively, at the last meetings of the ITS and the BTLE expert subgroups.

Members of the EDPB made comments on the draft report.

After discussions, the members of the Board unanimously adopted the report taking into account the comments made.

It was decided that the press release will make a distinction between the essential and additional concerns regarding the Privacy Shield, also acknowledging the recently appointed Ombudsperson.

NEW - BREXIT - [REDACTED]

[REDACTED]

Following the discussions, it was agreed to convene a meeting of the Strategic Advisory expert subgroup on 31 January 2019. The [REDACTED] was asked to draft an information note on the transfers of data between the EU and UK in case of a hard Brexit, [REDACTED]. This draft will be discussed during the Strategic Advisory expert subgroup meeting.

[REDACTED]

Annual Expert SG Working Plans for 2019 - discussion and possible adoption -

The EDPB SEC explained that this item followed the application of Art. 25.6 of EDPB RoP.

The EDPB SEC has gathered all the working plans provided by the different expert subgroups and the planning of meetings for 2019 in overview documents. The document was first discussed with the group of coordinators and the Strategic Advisory expert subgroup.

The EDPB SEC clarified that the adoption of the working plan does not automatically provide the mandates for the different items.

After discussions, some adjustments were integrated in the document. The members adopted this document unanimously.

EDPB 2019/2020 work program - Discussion -

The EDPB SEC explained that according to Art. 29 RoP the EDPB has to adopt a two year work program. The SEC prepared a proposal based on the annual working plans and following the discussions at the meeting of the Strategic Advisory expert subgroup.

After discussions, some adjustments were introduced to the draft document.

Members of the EDPB were invited to provide comments in written form. The EDPB SEC was requested to provide a revised version for the next plenary that will integrate the new written comments that will be sent by the members.

Secretariat - Data protection and Freedom of expression

Draft answer to In ’t Veld - Discussion and adoption

The SEC explained that the EDPB has received two letters concerning the request for information made by the [REDACTED] to the RISE Project, as a result of a complaint made by a natural person about possible violations of said person’s personal data, following the publication of specific information by the RISE project in the public domain.

The first letter was submitted on 12 November 2018 by MEP Sophie In ’t Veld.

The draft reply was presented by the EDPB SEC. After discussions, the letter was adapted and the members of the EDPB adopted by majority the modified version of the letter. [REDACTED]

Draft answer to civil society privacy organisations - Discussion and adoption

A letter was submitted on 19 November 2018 by several civil society privacy organisations, concerning the same subject matter as point 2.4.1.

The draft reply was presented by the EDPB SEC. The members discussed the content of this letter together with the one from MEP Sophie In ’t Veld. After discussions, the letter was adapted and the members of the EDPB adopted the modified version of the letter. [REDACTED]

Draft mandate for guidance on the balance between data protection and freedom of expression - request for mandate

The [REDACTED] presented the background to their request.

The request for mandate was rejected by the members of the EDPB: [REDACTED]

[REDACTED]

Guidelines on Art. 47 LED - request for mandate

Art. 51 (1) (c) of the Law Enforcement Directive (LED) provides that the EDPB has the task to draw up guidelines for SAs concerning the application of measures referred to in Art. 47(1) and (3) LED.

Art. 47 LED deals with the investigative, corrective and advisory powers of national SAs towards competent authorities, e.g. police and judicial authorities within the EU competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

In addition, according to Art. 51 (1) (b) LED the EDPB may examine, also on its own initiative, any question covering the application of this Directive and issue guidelines, recommendations and best practices in order to encourage consistent application of the LED.

The BTLE expert subgroup requested a mandate to work on Art. 47 LED and prepare draft guidelines. The guidelines should include guidance on the interpretation, transposition as well as the application of Art. 47 LED by SAs.

The members of the Board unanimously granted the mandate under the condition that the guidelines should be without prejudice to national transpositions already enacted.

Questionnaire on the use of personal data by political campaigns - request for mandate

The Chair informed participants that she had participated in the first meeting of the European cooperation network on elections on 21 January, hosted by the European Commission. The Commission stressed the importance for all SAs to be actively involved at national level in this network (established as part of the electoral package presented by the Commission in September).

In light of the upcoming European Parliament elections in May and numerous national elections scheduled for 2019, the SAESG discussed, during its meeting on 9 January 2019, the possibility of developing a questionnaire that EDPB members could send to the political parties in a coordinated manner, in particular to get information about how they collect and process personal data in the context of the electoral process.

After discussion, there was no majority to support the mandate proposed. [REDACTED]

Instead, the members of the Board agreed to draft a joint statement on the topic. The [REDACTED] will draft a proposal that will be discussed during the next Social Media expert subgroup meeting.

For discussion and/or adoption - Expert subgroups and Secretariat

Compliance, eGovernment and Health Expert Subgroup and Key Provisions Expert Subgroup

Clinical Trials Regulation Q&A: Consultation from the COM under Art. 70 GDPR - discussion and adoption

On 8 October 2018, the European Commission (DG SANTE) submitted to the EDPB a request for consultation under Art. 70 GDPR concerning a document on “Questions and Answers on the interplay between the Clinical Trials Regulation (CTR)[1] and the General Data Protection Regulation (GDPR)” (hereafter the “Q&A”).

The request refers specifically to a compilation of questions that have arisen during the last months and the respective replies providing possible harmonised views from an EU perspective on a number of topics which have been drafted by DG SANTE. The Q&A addresses topics such as the adequate legal basis, informed consent and its withdrawal, information of data subjects, transfers and secondary uses, always in the context of the clinical trials Regulation.

In particular, the issue of the appropriate legal basis for the processing of personal data in the context of the clinical trials Regulation has raised some confusion since the entry into force of the GDPR.

[REDACTED]

After discussions by the members of the EDPB, the letter and the opinion were amended in order to take into account the comments made by the members.

The majority of the members of the Board adopted the new version of the opinion as well as the letter. [REDACTED]

Art. 64 GDPR Opinion on Contractual Clauses for processors [REDACTED] under Art. 28.8 GDPR - discussion and confirmation of the drafting team

On 10 December 2018, a request was issued by the [REDACTED] via IMI for an EDPB opinion under Art. 64(1)(d) GDPR on draft contractual clauses under Art. 28(8) GDPR to frame the relation between controller and processor(s).

The request was broadcast on 19 December 2018. Since the applicable 8-week deadline will end on 13 February 2019 and due to the complexity of the request, the Compliance, eGovernment and Health as well as the Key Provisions expert subgroups asked for an extension of the deadline by an additional six weeks as foreseen in Art. 64.3 GDPR.

The EDPB approved that a drafting team composed of representatives of the Compliance, eGovernment and Health as well as the Key Provisions expert subgroups will prepare an opinion, in liaison with the EDPB Secretariat.

Both expert subgroups have issued a call for rapporteurs. For the moment, five SAs have offered to participate in the drafting team [REDACTED].

The members of the EDPB granted the extension of the deadline and confirmed the drafting team.

Technology Expert Subgroup

DPIA Lists - [REDACTED]

Art. 64 GDPR Opinions on DPIA lists: LI, NO - discussion and adoption - [REDACTED]

The rapporteur explained that Art. 35(4) GDPR requires national SAs to establish and make public a list of the kind of processing operations which are subject to the requirement of a data protection impact assessment. Following the previous adoption of 22 lists at the September Plenary and 4 lists at the December Plenary, 2 new lists (LI and NO) are submitted for adoption during this plenary. The draft opinions were prepared by the same group of co-rapporteurs as for the September and December Plenary meetings.

[REDACTED]

Some remarks were made in the draft opinion regarding other issues on which the Plenary had already expressed its views. The members of the EDPB unanimously validated the assessment undertaken by the Technology expert subgroup and adopted the 2 opinions.

Follow up of the opinions on DPIA Lists issued in September 2018 - discussion and adoption - [REDACTED]

Following their adoption at the September Plenary, the 22 opinions on draft decisions regarding Art. 35.4 GDPR (DPIA lists) were communicated to the competent SAs. The SAs were requested to notify the Chair within two weeks after reception of the final opinion, whether they intend to maintain or amend their draft decision and submit, if any, the amended draft decision.

All 22 SAs indicated that they amended their draft decision and provided their amended draft. The amendments were discussed in the Technology expert subgroup. In only a few cases did questions arise as to whether the amendments sufficed to take utmost account of the opinion.

One such case involves the wording used in DPIA lists items regarding “biometric data”: some amended draft decisions reference “biometric data” without specifying that it relates to “biometric data, for the purpose of uniquely identifying a natural person” as requested in the opinions.

Another point related to the need to clarify that the criteria of “biometric data, for the purpose of uniquely identifying a natural person”, “genetic data” and “vulnerable data subjects” had to be necessarily combined with another criterion, such as “Large scale”.

[REDACTED]

With regard to DPIA lists according to Art. 35(5) GDPR, which SAs are not obliged to issue, the coordinator of the Technology expert subgroup asked all SAs intending to submit such a list to the Board to indicate the timing as soon as possible.

Guidelines on certification - discussion and adoption

The rapporteur explained that the EDPB adopted the draft guidelines on certification and identifying certification criteria during its first Plenary meeting in May. These guidelines were published for public consultation on 30 May 2018. 15 consultation responses were received and fully analysed by the co-rapporteurs. The drafting team specifically clarified the approval of criteria and the related European Data Protection Seal.

[REDACTED]

[REDACTED]

The updated guidelines also include a new annex aiming to guide the SAs and the EDPB when reviewing and assessing the certification criteria.

Members of the Board adopted the certification guidelines - [REDACTED] and decided to submit the annex to a public consultation.

The results of the public consultation will be analysed by the Technology expert subgroup.

EDPB answer to the Australian SA on data breach notification - discussion and adoption

The coordinator of the Technology expert subgroup explained that the Chair has received a written request from the office of the Australian Information Commissioner in relation to the publication of the data breach notifications.

A mandatory data breach scheme has been in place in Australia since February 2018; it requires regulated entities to notify the Information Commissioner's office and the affected individuals in the event of a serious data breach. The Commissioner's office publishes quarterly statistical reports about notifications. The Commissioner is considering whether additional information should be published, like the name of the notifying controller.

According to the Australian Commissioner, these obligations are similar to the data breach notification requirements introduced by the GDPR. Therefore, she contacted the Chair of the Board to better understand the European approach and in particular to ask if the national supervisory authorities are publishing the name of controllers being subject to a security breach.

[REDACTED]

The Technology expert subgroup decided to submit the draft letter to the Board for adoption.

The members of the EDPB adopted the draft letter [REDACTED].

Secretariat

Draft answer to In ’t Veld - Spanish election law - discussion and adoption

The EDPB SEC explained that on 23 November 2018, MEP Sophie In ’t Veld addressed a letter to the Chair of the EDPB regarding the recently adopted Spanish electoral law. Given the Cambridge Analytica case and the forthcoming elections for the European Parliament, MEP In ’t Veld requested an urgent reply.

The EDPB SEC has prepared a draft answer following the discussions that took place during the last Strategic Advisory expert subgroup meeting. [REDACTED]

[REDACTED]

The members of the EDPB unanimously adopted the amended draft reply letter.

EDPB Budget updates - discussion - [REDACTED]

During the WP29 plenary meeting of 10 April 2018, the EDPS presented the proposed draft budget for 2019, which was supported by the WP29 Chair and deputy chairs.

On 5 June 2018, the Chair of the EDPB, in cooperation with the EDPS, participated in the defence of the EDPB budget in front of the EU budget authorities.

The 2019 EDPB budget has been approved by the budget authorities (EP and EU Council) by 12 December 2018 with a budget cut for translations.

The EDPS and the EDPB SEC presented the approved 2019 EDPB budget and the execution of 2018 EDPB budget.

A member raised questions regarding the translations, the external consultants and the total amount of the budget.

Access request-pending requests - state of play - [REDACTED]

No discussions took place on this point. This item will be discussed during the next plenary meeting (12-13 February 2019).

Legislative consultation of the EDPB - discussion and adoption - [REDACTED]

No discussions took place on this point. This item will be discussed during the next plenary meeting (12-13 February 2019).

Miscellaneous

Quick access to DPO or other responsible staff

The DE SA explained that a recent data leak (doxing) affecting hundreds of politicians and other high profile people in Germany (e.g. see [1]) [REDACTED].

The collected data – partly sensitive personal information of the affected persons - was distributed on a variety of servers throughout the internet and a Twitter account was used to publish links needed to access the data.

[REDACTED]

One SA expressed its willingness to assist SAs that might encounter the same problem with companies for which they act as lead authority.

The members of the EDPB decided to discuss this item during the next plenary meeting with a view to assessing whether there is a legal basis for the EDPB to act on this.

Annex: Attendance list

AT SA, BE SA, BG SA, CY SA, CZ SA, DE SA, DK SA, EDPS, EE SA, EL SA, ES SA, FI SA, FR SA, HR SA, HU SA, IE SA, IT SA, IS SA, LI SA, LT SA, LU SA, LV SA, MT SA, NL SA, NO SA, PL SA, PT SA, RO SA, SE SA, SI SA, SK SA, UK SA

European Commission

EDPB Secretariat

Observers:

ME, MD

Footnotes

  1. Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC, OJEU L 158 27/05/2014

License

European Data Protection Board

© European Data Protection Board, 2018-2024.
This item was provided by the European Data Protection Board
via a request pursuant to Article 15(3) TFEU and Regulation (EC) No 1049/2001.

You may re-use it free of charge for non-commercial and commercial purposes provided that the source is acknowledged and that you do not distort the original meaning or message of the document. The EDPB, nor its Secretariat assume liability stemming from the re-use.
