EDPB

Subscribe to EDPB via RSS
Digital shield 3D rendering stock photo.

The draft guidelines provide further clarification to the EDPB’s interpretation of legitimate interests, and suggest a potential divergence with the UK ICO.

By Gail Crawford, Fiona Maclean, Myria Saarinen, Tim Wybitul, Alice Brunning, and Calum Docherty

On 8 October 2024, the European Data Protection Board (EDPB) released draft Guidelines 1/2024 (the Guidelines) setting out its approach to processing personal data based on the “legitimate interests” legal basis in Article 6(1)(f) of the GDPR. The Guidelines

Internet Cyber Security network with lock

Understanding the ICO’s approach to assessing financial penalties should be a key element of an organisation’s data protection strategy and risk profile.

By James Lloyd and Sami Qureshi

In an era when data protection infringements can tarnish business reputations overnight, understanding the financial ramifications is more crucial than ever. The UK’s Information Commissioner’s Office (ICO) recently unveiled its much-anticipated updated guidance on the calculation of fines for data protection infringements under the UK General Data Protection Regulation (UK GDPR) and

Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.

The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR.

By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth

On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Draft Guidelines).[1] The Draft Guidelines are currently subject to public consultation and comments may be submitted until 27 June 2022 (at the latest). The EDPB’s aim is to create a harmonised methodology for the calculation of GDPR fines. All EU supervisory authorities (SAs) must use the same starting points, on the basis of which administrative fines can be subsequently calculated and further tailored for individual cases. The EDPB clearly emphasizes that the Draft Guidelines are not drafted to enable controllers/processors to precisely calculate the expected fine; this determination will rather depend on all the individual circumstances of the case. SAs will need to ensure that fines are effective, proportionate, and dissuasive, taking into account the particularities of each case. While the EDPB acknowledges that SAs retain discretion to account for these particularities, they are clearly expected to follow the methodology set out in the Draft Guidelines.

The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations.

By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth

The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts of the ongoing COVID-19 pandemic and the longer-term growth of e-commerce and open banking. In this context, the legal and regulatory environment around payment data is no longer limited to traditional actors in the banking sector or the long-established ambit of banking secrecy rules. As such, stakeholders from fintech startups to established technology giants face an increasing patchwork of compliance obligations.

Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent.

By Christian F. McDermott, Calum Docherty, and Victoria Wan

Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases within a 12-month period. The European Central Bank found that the total number of non-cash payments in the euro area increased by 8.1% in 2019 (the last year statistics are available) year-on-year with a total value of €162 trillion, which included 45 billion transactions processed by retail payment systems worth €35 trillion. This growth has likely surged during the COVID-19 pandemic, when many consumers turned to e-commerce.

The opportunities for retailers also present data protection risks. On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (the Recommendations) to address the vast data processing operations behind these transactions. The Recommendations focus on when and how online retailers can store a customer’s credit card data after a sale or transaction for the sole purpose of facilitating future purchases by that customer. The EDPB has expressly excluded from the scope of the Recommendations the storage of credit card data in relation to ongoing contracts, such as for subscription services, and the activities of payment institutions operating in online stores. The Recommendations only reference credit cards and not payment cards more generally (such as debit cards, prepaid cards, etc.). It is unclear whether the EDPB might have similar expectations of online retailers that store other payment card or direct debit data for the same purposes.

The Recommendations are not legally binding, but provide a brief exploration of the EDPB’s assessment of the legal bases available to the online retailer. The EDPB concludes that, in its view, the only appropriate legal basis for such processing is consent under Article 6(1)(a) of the General Data Protection Regulation 2016/679.

The European Commission has published draft updated standard contractual clauses in light of the Schrems II decision.

By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan, and Amy Smyth

On 12 November 2020, the European Commission (the Commission) published a draft implementing decision, annexing a draft set of updated standard contractual clauses (SCCs) for the transfer of personal data from the European Union to third countries (the New SCCs). The New SCCs were published two days after the European Data Protection Board (EDPB) released its draft recommendations on supplementary measures (the Recommendations). (For more information, see Latham’s blog post The EDPB’s Draft Data Transfer Guidance Following Schrems II — A Close Look.)

In the New SCCs, the Commission has substantially updated the SCC terms. The New SCCs provide for new types of data transfer (i.e., processor-to-processor and processor-to-controller transfers, in addition to the controller-to-controller and controller-to-processor transfers covered in the current SCCs) and, to a limited extent, address matters arising from the CJEU Schrems II decision.

Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application.

By Myria Saarinen and Charlotte Guérin

France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data Protection Authority (the CNIL) had published on 4 July 2019 (the Guidance). However, the Conseil d’Etat struck down the provision of the Guidance imposing a blanket prohibition on so-called “cookie walls” that prevent users who do not consent to the use of cookies from accessing a website or an application. On the same day, the CNIL published a communication acknowledging the decision and announcing that it would adjust its Guidance and future recommendation to strictly comply with the Conseil d’Etat’s decision.

A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses.

By Gail E. Crawford, Fiona M. Maclean, Michael H. RubinUlrich Wuermeling, Calum Docherty, and Amy Smyth

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, one of the key mechanisms for lawfully transferring personal data from the European Union to the United States. At the same time, the CJEU ruled that the standard contractual clauses (Model Clauses) remain valid but can only be used under strict conditions.

This post provides an initial analysis of the judgment and proposes some immediate next steps for businesses to ensure compliant data transfers from the EU.

After the recent two-year anniversary of the GDPR, one fundamental question remains — who does the GDPR apply to?

By Gail Crawford, Ulrich Wuermeling, and Calum Docherty

Last month marked the two-year anniversary of the General Data Protection Regulation (GDPR), but its territorial reach is still hotly debated. This blog post takes a detailed look at the final guidelines on the territorial scope of the GDPR, which the European Data Protection Board (the EDPB) published on 12 November 2019 following public consultation of its draft guidelines dated 23 November 2018 (the Guidelines).

The Guidelines contain several helpful clarifications around when the GDPR applies to controllers and processors of personal data. At the same time, however, the Guidelines still present latent ambiguity as to when and to what extent the GDPR applies, particularly for multinationals.