EDPB's October plenary-harmonisation of GDPR enforcement, a new Data Protection Seal and updated guidance

A wish list to harmonise procedural aspects of enforcing the GDPR

The EDPB adopted a letter to the European Commission containing a ‘wish-list’, identifying those parts of national procedural law that the EDPB would like to see harmonised at the EU level. Acknowledging that it is premature to revise the General Data Protection Regulation (GDPR) at this stage, the EDPB considers it necessary to iron out the differences in administrative procedures and practices which have a detrimental impact on cross border cooperation.

Amongst other things, the wish-list includes the following procedural aspects:

• the status and rights of the parties to the administrative procedures, including the status of the complainant and representatives, the right to be heard and the scope of access to documentation;
• procedural deadlines, including the introduction of additional deadlines and clarification of others as well as rules to address exceeding deadlines (eg where cross-border cases are not handled within a certain timeframe and the lead supervisory authority points to the impossibility of doing so to justify delay);
• requirements for admissibility or dismissal of complaints and amicable settlements, including formalities and confirmation that supervisory authorities will not re-examine admissibility in cross-border cases;
• investigative powers of supervisory authorities, including preliminary vetting of those powers before competence is established, clarifying when further investigation is necessary and addressing monitoring of enforcement orders; and
• the practical implementation of the cooperation procedure, including clarifications regarding information sharing and publication of decisions.

First EU-wide data protection seal

The EDPB also adopted an opinion approving the certification criteria submitted by the Luxembourg supervisory authority (CNPD) for the first EU-wide data protection seal (Europrivacy). 
The Europrivacy scheme is managed by the European Centre for Certification and Privacy (ECCP) in Luxembourg. It covers a large range of different processing operations performed by both controllers and processors from various sectors. The seal was developed through the European Research Programme Horizon 2020 (see the ECCP website for further details and European Commission’s overview).

New statement on digital euro

The EDPB further adopted a new statement on the digital euro, highlighting its concerns around ensuring that the protection of personal data is balanced against the anti-money laundering concerns of the European Central Bank by ensuring that daily transactions aren’t traced or validated systematically by third parties. The EDPB reiterated its previous position that the digital euro should take the principles of data protection by design and by default into account from the outset. You can read our summary of the previous EDPB statement here.

Targeted consultations on amended guidance

The EDPB also announced two “targeted” consultations ) on two guidelines where only the modified text is subject to consultation, rather than the entire document:

• an updated version of the Guidelines on data breach notification was published on 18 October 2022 and the consultation will be open until 29 November 2022. In addition to some minor, editorial changes, the draft guidelines clarify the notification requirements applicable in the context of personal data breaches that occur where controllers are not established in the EU. The proposed change will require controllers which are not established in the EU to notify the supervisory authorities in each Member State where data subjects affected by a breach reside, rather than just the supervisory authority of the controller’s EU representative. The Guidelines are available here; 
• the updated Guidelines on identifying a controller or processor’s lead supervisory authority was published on 21 October 2022 and the consultation will be open until 2 December 2022. The proposed update relates to the notion of main establishment in the context of joint controllership. In a nutshell, the draft guidelines clarify that joint controllers cannot decide on the location of their main establishment. Interestingly, the EDPB also notes that the concept of the main establishment is linked to a single controller and does not extend to a joint controllership situation, which means that joint controllers will not necessarily share a common main establishment. The Guidelines are available here.

The EDPB press release is available here, the letter to the European Commission is available here, the opinion on Europrivacy scheme is available here. The EDPB statement on the digital euro is available here.

This article was prepared in collaboration with data protection team of aosphere.