EDPB addresses codes of conduct as transfer tool and finalises the guidelines on the concepts of controller and processor and on virtual voice assistants

On 8 July 2021, the European Data Protection Board (EDPB) announced the outcomes of its plenary session that took place on 7 July. 

During the plenary session, the EDPB adopted new Guidelines on codes of conduct as a tool for transfers (the Guidelines on COC). The EDPB explains that the Guidelines on COC seek to clarify the application of Articles 40(3) and 46(2)(e) GDPR. These provisions stipulate that codes of conduct, after having been approved by a competent supervisory authority and granted general validity within the EEA by the European Commission, may also be used, and adhered to, by controllers and processors that are not subject to the GDPR, in order to provide appropriate safeguards for transfers of data outside of the EEA. View the Guidelines on COC here.

The EDPB also adopted a final version of the Guidelines on the concepts of Controller and Processor. The final version incorporates further clarifications of the concepts of controller, joint controllers and processors following public consultation. (The Guidelines were not available at the time of this publication.)

In addition, the EDPB adopted a final version of the Guidelines on Virtual Voice Assistants (the Guidelines on VVA), which aim to assist relevant stakeholders in addressing a series of compliance challenges for virtual voice assistants. View the Guidelines on VVA here.

The EDPB further announced its decision to disband its TikTok taskforce, which was created to address TikTok’s practices in the EU, exchange information between supervisory authorities and coordinate potential enforcement actions. The EDPB explained that TikTok now has an establishment in the EU, and has identified its establishment in Ireland as the main establishment for the ongoing case concerning the TikTok app. The GDPR one-stop-shop procedure now applies and the Irish supervisory authority (the DPC) is the lead authority in charge of the files. 

The EDPB also decided that its first coordinated enforcement action will focus on public sector bodies’ use of cloud-based services.

Other topics discussed at the EDPB plenary session include (i) the guidelines on the use of social media by public bodies, (ii) internal guidelines on handling complaints against public authorities or private bodies processing data on the basis of a legal obligation or the performance of a public task, (iii) a response to the Members of the European Parliament on FATCA, and (iv) the US order to retain airline passengers' health data.

See here for the EDPB press release and here for the agenda for the 51st plenary session.

