EDPS - Western Balkans and Eastern Partnership Region: working together for data protection
Read the story of this special partnership in this blogpost by EDPS Secretary General, available here.
Watch with us a short video of our Blue Book trainees who worked with us for 5 months! To be our next trainee, apply here!
Watch a video message by EDPS Wojciech Wiewiórowski.
One of our institution's priorities is to ensure that individuals’ personal data is protected according to EU standards both inside and outside the EU/European Economic Area.
Episode 3 of our TechDispatch Talks is available! Learn more about Neurodata with our special guests.
Watch our new Talk with the Chief Executive of the Christchurch Call Foundation.
This newsletter presents the EDPS’ main activities of the last 30 days: look back on the topical debates of our Summit, join us for a TechDispatch on neurodata, read up on our Opinion on sustainable fisheries and aquaculture, and more.
Explore with us this month's topics: AI, the role of data protection officers, latest Opinions and more
The European Commission has published the vacancy notice for the European Data Protection Supervisor.
The new TechDispatch will delve into the processing of Neurodata within a constantly evolving market of services. In recent years, there has been a worrying trend towards a technically possible, though ethically and legally questionable use of some neurotechnologies.
Blogpost by Leonardo Cervera Navas on the 54th EDPS-DPO meeting
The EDPS and the University of Karlstad are hosting an Internet Privacy Engineering Network (IPEN) event on "Human supervision of automated decisions" on 3 September 2024.
When: 3 September 2024, 14:00-18:00 CEST
Where:
Topic: Human oversight of automated decision-making
Overview:
EU regulations such as the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AIA) mandate human oversight in automated decision-making processes to ensure fairness and accountability.
Additionally, the 2019 Ethics guidelines for trustworthy AI advocate for "Human agency and oversight" as one of the seven ethical principles to ensure AI is trustworthy and ethically sound.
Recordings available on our dedicated website.
Let’s explore topics such as: AI in the EU institutions; upcoming European Data Protection Summit: Rethinking Data in a Democratic Society; EU-Canada agreement on transfers of Passenger Name Record and latest talks.
The guidelines issued today on generative AI are a first step towards more extensive recommendations in response to the evolving landscape of generative AI tools. Read Press Release.
1- First EDPS Orientations for EUIs using Generative AI
2- The Essence of the Fundamental Rights to Privacy and to the Protection of Personal Data: a Concept Paper
3- Improving privacy of European Institutions’ Websites
4- Meet #teamEDPS
5- Calling All Talent: EDPS elevates to leading employer
30 days of data protection at the EDPS: what’s happened in our privacy world in May? This month we’ve worked on our plan for AI in the EU institutions and continued to plan for our EDPS Summit: Rethinking data in a democratic society. Sign up to this event and read about our work in this newsletter.
Read Closing Remarks by European Data Protection Supervisor Wojciech Wiewiórowski delivered at the Computers, Privacy and Data Protection Conference.
The European Data Protection Board (EDPB) organises a remote stakeholder event, taking place on 18 November 2024 from 10.00 to 16.00 CET (exact time to be confirmed), in order to collect stakeholders’ input in the context of upcoming guidelines on the application of data protection legislation in the context of ‘Consent or Pay’ models.
The aim of the event is to gather relevant insights from organisations that have expertise in ‘Consent or Pay’ models, which require data subjects to choose between consenting to processing of personal data for a specified purpose or paying a fee. This event will contribute to the EDPB’s ongoing work on guidelines on ‘Consent or Pay’ models. These guidelines are a continuation of the EDPB Opinion 08/2024, which addressed the ‘Consent or Pay’ model in the context of large online platforms. The guidelines will have a broader scope of application.
How to take part?
The EDPB launches a call for expression of interest in order to select participants for the EDPB’s stakeholder event on ‘Consent or Pay’. You can find further information on this event and instructions to register here.
The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.
The Commission services in charge of the enforcement of the Digital Markets Act (DMA) and the European Data Protection Board (EDPB) have agreed to work together to clarify and give guidance on the interplay between DMA and GDPR.
This enhanced dialogue between Commission’s services and the EDPB will focus on the applicable obligations to digital gatekeepers under the DMA which present a strong interplay with the GDPR, as there is a need to ensure the coherent application to digital gatekeepers of the applicable regulatory frameworks.
Developing a coherent interpretation of the DMA and GDPR while respecting each regulators’ competences in areas where the GDPR applies and is referenced in the DMA is crucial to effectively implement the two regulatory frameworks and achieve their respective and complementary objectives.
The DMA established a High Level Group to provide the Commission with advice and expertise to ensure that the DMA and other sectoral regulations applicable to gatekeepers are implemented in a coherent and complementary manner. The Commission and representatives from the EDPB and EDPS already engaged on data-related and interoperability obligations in the High Level Group. This project builds on this engagement and deepens the cooperation in relation to the two specific regulatory frameworks.
Read more information about:
The European Data Protection Board (EDPB) is organising a remote stakeholder event aimed at collecting stakeholders’ input in the context of upcoming guidelines on the application of data protection legislation in the context of ‘Consent or Pay’ models. The event will take place on 18 November 2024 from 10.00 to 16.00 CET (exact time to be confirmed).
The aim of the event is to collect relevant insights from organisations that have expertise in ‘Consent or Pay’ models, which require data subjects to choose between consenting to processing of personal data for a specified purpose or paying a fee. This event will contribute to the EDPB’s ongoing work on guidelines on ‘Consent or Pay’ models. These guidelines are a continuation of the EDPB Opinion 08/2024, which addressed the ‘Consent or Pay’ model in the context of large online platforms. The guidelines will have a broader scope of application.
Individuals representing European sector associations, organisations or NGOs and individual companies, law firms or academics are invited to take part in this event (one participant per organisation). A limited number of participants will be allowed to take part, to permit a meaningful discussion in a remote setting. The EDPB encourages all organisations interested in this matter to delegate a representative with technical knowledge of this topic.
Do you wish to participate to make your voice heard? Stay tuned:
The EDPB will launch a call for expression of interest to participate in the EDPB’s stakeholder event on ‘Consent or Pay’ on 12 September at 10.00 (Brussels time). The call will be closed as soon as a sufficiently high number of applicants is reached with a view to ensuring the participation of a maximum number of stakeholders.
The call will be launched on the EDPB website.
Brussels, 17 July - During its latest plenary, the European Data Protection Board (EDPB) adopted a statement on the Data Protection Authorities’ (DPAs) role in the Artificial Intelligence Act (AI Act) framework.
According to the EDPB, DPAs already have experience and expertise when dealing with the impact of AI on fundamental rights, in particular the right to protection of personal data, and should therefore be designated as Market Surveillance Authorities (MSAs) in a number of cases. This would ensure better coordination among different regulatory authorities, enhance legal certainty for all stakeholders and strengthen the supervision and enforcement of both the AI Act and EU data protection law.
According to the AI Act, Member States shall appoint MSAs at national level before 2 August 2025, for the purpose of supervising the application and implementation of the AI Act.
In its statement, the EDPB recommends that:
EDPB Deputy Chair Irene Loizidou Nikolaidou said: “DPAs should play a prominent role in enforcing the AI Act as most AI systems involve processing of personal data. I strongly believe that DPAs are suitable for this role because of their full independence and deep understanding of the risks of AI for fundamental rights, based on their existing experience.”
Next, the Board adopted two Frequently Asked Questions (FAQ) documents concerning the EU-U.S. Data Privacy Framework (DPF), aimed at providing more clarification on the functioning of the DPF.
The FAQ for individuals provides information on the functioning of the DPF: how to benefit from it, how to lodge a complaint and how this complaint will be handled.
Likewise, the FAQ for businesses explains which U.S. companies are eligible to join the DPF: what to do before transferring personal data to a company in the U.S. which is DPF-certified, and where to find further guidance.
Finally, the EDPB adopted an opinion approving the EuroPriSe Criteria Catalogue for the certification of processing activities by processors, resulting in a European Data Protection Seal.* European Data Protection Seals serve as important tools contributing to GDPR compliance.
In September 2022, the EDPB had adopted an opinion on the EuroPriSe certification criteria, enabling their recognition in Germany as certification criteria for processing operations by processors. Following an update of the scheme, this new opinion approves the criteria as being applicable in the whole EU/EEA, and as a European Data Protection Seal.
GDPR certification contributes to the demonstration of compliance efforts and to increased transparency and trust. It allows for better assessment of the degree of protection offered by products, services, processes or systems used by organisations that process personal data.
Note to editors:
*The EuroPriSe European Data Protection Seal will be added to the register of certification mechanisms and data protection seals in accordance with Article 42(8) GDPR.
The opinion on the approval of the EuroPriSe certification scheme as European Data Protection Seal, adopted during the EDPB Plenary, is subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once it has been completed.
The Coordinated Supervision Committee (CSC) elected Fanny Coudert from the European Data Protection Supervisor (EDPS) as its new coordinator for a term of two years. Ms. Coudert succeeds former coordinator Clara Guerra from the Portuguese Data Protection Authority (DPA).
Fanny Coudert will lead the work of the Committee with the support of Deputy Coordinators Sebastian Hümmeler from the Federal German DPA and Matej Sironic from the Slovenian DPA.
EDPB Chair Anu Talus said: “I would like to thank outgoing CSC coordinator Clara Guerra for her valuable work in the past years, which helped the CSC grow and expand. Today, the CSC ensures that the supervision of 5 bodies, agencies and systems is seamlessly coordinated by its members. This work is crucial for an EU without internal borders.
I would also like to welcome Fanny Coudert and I look forward to working with her. I am confident that her expertise can contribute positively and significantly to the expanding workload of the CSC.”
Editor's note:
The Coordinated Supervision Committee ensures the coordinated supervision of the large EU Information Systems and of EU bodies, offices and agencies in accordance with Article 62 of Regulation 2018/1725 or with the EU legal act establishing the large scale IT system or EU body, office or agency. The Committee was created within the framework of the European Data Protection Board (EDPB) and brings together the EU supervisory authorities (SAs) and the European Data Protection Supervisor (EDPS), as well as the supervisory authorities of the Non-EU Schengen Member States, when foreseen under EU law.
The CSC currently covers the Internal Market Information system (IMI), Eurojust, the European Public Prosecutor’s Office (EPPO), Europol and the Schengen Information System (SIS). Gradually, the Committee will also cover other IT systems, bodies, offices and agencies in the fields of Border, Asylum and Migration (EES, Eurodac, ETIAS, VIS, and their interoperability), Police and Justice Cooperation (ECRIS-TCN) and the next generation Prüm.
You can find more information on the Committee here.
About the CSC Coordinator and Deputy Coordinators mandates:
The Coordinator and the Deputy Coordinators are designated for a term of two years starting from the date of their respective elections and they may be re-elected once for a further two years.
Deputy Coordinator Sebastian Hümmeler was re-elected for the second time on 29 November 2023 and Deputy Coordinator Matej Sironic was elected on 10 April 2024.
Brussels, 19 June - During its latest plenary, the Members of the European Data Protection Board (EDPB) elected Zdravko Vukić, Director of the Croatian Personal Data Protection Agency, as Deputy Chair. Vukić replaces Aleid Wolfsen (Chair of the Dutch Data Protection Authority), who has reached the end of his five-year mandate as EDPB Deputy Chair.
Over the coming years, Zdravko Vukić, together with fellow Deputy Chair Irene Loizidou Nikolaidou, will work closely together with EDPB Chair Anu Talus to ensure the consistent application of EU data protection rules and to promote effective cooperation among data protection authorities throughout the European Economic Area (EEA).
EDPB Deputy Chair Zdravko Vukić said:
“I am honoured and thankful to be elected EDPB Deputy Chair. The EDPB is a prominent and influential EU decision-making body, which plays a key role in shaping a digital society that is in line with EU common values.
All EDPB Members work together closely to raise awareness of GDPR at both national and EU levels, to empower individuals to exercise their rights and help companies, including small businesses, understand their compliance obligations.
In the years to come, I will make it my responsibility as Deputy Chair to continue pursuing these objectives and I will be committed to enhancing enforcement cooperation to address emerging challenges with innovative approaches and tools.
In order to deliver these results, we have to ensure that the DPAs and the EDPB Secretariat, serving as crucial link between authorities, are adequately staffed. As Deputy Chair, I will devote special attention and time to this crucial aspect too.”
EDPB Chair Anu Talus said:
“I would like to thank outgoing Deputy Chair Aleid Wolfsen for his commitment and contribution over the past years, which helped us as a Board to grow together and achieve excellent results.
I also look forward to working with Deputy Chair Zdravko Vukić to face the challenge of the increasing number of tasks of the EDPB.”
While it is already common practice for the EDPB to hold a public consultation after the adoption of the first version of guidelines, the Board decided it may also consult stakeholders prior to the preparation of guidelines on a case-by-case basis.
This prior consultation will enable the EDPB to take on stakeholders’ comments, questions and practical examples during the initial drafting period.
Brussels, 24 May - During its latest plenary, the EDPB adopted an Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports*. This Article 64(2) Opinion, following a request from the French Data Protection Authority, addresses a matter of general application and produces effects in more than one Member State.
EDPB Chair Anu Talus said: “More and more airport operators and airline companies around the world are piloting facial recognition systems allowing passengers to go more easily through the various checkpoints. It is important to be aware that biometric data are particularly sensitive and that their processing can create significant risks for individuals. Facial recognition technology can lead to false negatives, bias and discrimination. Misuse of biometric data can also have grave consequences, such as identity fraud or impersonation. Therefore, we urge airline companies and airport operators to opt for less intrusive ways to streamline passenger flows, when possible. In the view of the EDPB, individuals should have maximum control over their own biometric data.”
The Opinion analyses the compatibility of the processing with the storage limitation principle (Article 5(1)(e) GDPR), the integrity and confidentiality principle (Article 5(1)(f) GDPR), data protection by design and default (Article 25 GDPR) and security of processing (Article 32 GDPR). Compliance with other GDPR provisions, including regarding the lawfulness of the processing, is not in scope of this Opinion.**
There is no uniform legal requirement in the EU for airport operators and airline companies to verify that the name on the passenger’s boarding pass matches the name on their identity document, and this may be subject to national laws. Therefore, where no verification of the passengers’ identity with an official identity document is required, no such verification with the use of biometrics should be performed, as this would result in an excessive processing of data.
In its Opinion, the EDPB considered the compliance of processing of passengers’ biometric data with four different types of storage solutions, ranging from ones that store the biometric data only in the hands of the individual to those which rely on a centralised storage architecture with different modalities. In all cases, only the biometric data of passengers who actively enrol and consent to participate should be processed.
The EDPB found that the only storage solutions which could be compatible with the integrity and confidentiality principle, data protection by design and default and security of processing, are the solutions whereby the biometric data is stored in the hands of the individual or in a central database but with the encryption key solely in their hands. These storage solutions, if implemented with a list of recommended minimum safeguards, are the only modalities which adequately counterbalance the intrusiveness of the processing by offering individuals the greatest control.
The EDPB found that the solutions based on the storage in a centralised database either within the airport or in the cloud, without the encryption keys in the hands of the individual, cannot be compatible with the requirements of data protection by design and default and, if the controller limits themselves to the measures described in the scenarios analysed, would not comply with the requirements of security of processing.
Regarding the principle of storage limitation, controllers need to ensure they have a sufficient justification for the envisaged retention period and limit it to what is necessary for the proposed purpose.
Next, a report was adopted by the DPAs on the work of the ChatGPT taskforce. This taskforce was created by the EDPB to promote cooperation between DPAs investigating the chatbot developed by OpenAI.
The report provides preliminary views on certain aspects discussed between DPAs and does not prejudge the analysis that will be made by each DPA in their respective, ongoing investigation***.
It analyses several aspects concerning common interpretation of the applicable GDPR provisions relevant for the various ongoing investigations, such as:
Taskforce members also developed a common questionnaire as a possible basis for their exchanges with OpenAI, which is published as an annex to the report.
Furthermore, the EDPB decided to develop guidelines on Generative AI, focusing as a first step on data scraping in the context of AI training.
Finally, the EDPB adopted a statement on the Commission's "Financial data access and payments package" (which includes the proposals for the Regulation on the framework for Financial Data Access (FIDA), on the Payments Service Regulation (PSR) and on the Payment Services Directive 3 (PSD3)).
The EDPB takes note of the European Parliament’s reports on the FIDA and PSR proposals, but considers that, with regard to the prevention and detection of fraudulent transactions, additional data protection safeguards should be included in the transaction monitoring mechanism of the PSR Proposal. It is important to ensure that the level of interference with the fundamental right to the protection of personal data of persons concerned is necessary and proportionate to the objective of preventing payment fraud.