EU - EDPB endorses first EU-wide codes of conduct for cloud services, issues statement on Data Governance Act and gives recommendations on the storage of credit card data

First EU-wide Codes of Conduct for Cloud services

The EDPB adopted two positive opinions on the draft decisions that authorise EU-wide codes of conduct (referred to as “transnational codes of conduct”, to reflect that the codes can be used throughout EU and are not limited to one EU member state). The draft decisions were put forward by the French supervisory authority (the CNIL), in relation to the CISPE Data Protection Code of Conduct for cloud infrastructure service providers (including the IaaS sector), and the Belgian DPA in relation to the EU CLOUD Code of Conduct for cloud service providers. 

Both Codes of Conduct are intended as a framework to assist cloud service providers to demonstrate their compliance with processor obligations under GDPR and assure customers that they engage compliant data processors. The codes cannot be used as a tool to facilitate international personal data transfers outside EEA, although there are plans for them to evolve for this purpose. The EDPB noted that both codes of conduct, once the approvals of respective national supervisory authorities are final, can be used as a means of demonstrating GDPR compliance. The response of CISPE is available here and the response of EU CLOUD Code of Conduct here. On 20 May 2021, the Belgian DPA approved the EU CLOUD Code of Conduct. 

Statement on draft Data Governance Act

The EDPB also adopted a statement on the proposed Data Governance Act (DGA) in which it reiterates the concerns raised earlier this year by the EDPB and European Data Protection Supervisor (EDPS) in a joint opinion on the DSA. The statement stresses the need for consistency between the DGA and the existing EU data protection regime. 

The EDPB made clear its sentiments that EU legislators have so far not followed its advice in relation to aligning key concepts of the DGA with the GDPR and not weakening the checks and safeguards for individuals, e.g. by introducing data altruism provisions. The EDPB calls on the European Parliament and Council of European Union to ensure that the DGA is fully compatible with the GDPR and the DGA does not create new grounds for personal data processing. The statement is available here.

Recommendations on legal basis for storing credit card data in online transactions

The EDPB further adopted its recommendations on the legal basis for the storage of credit card data for the sole purpose of furthering online transactions (the Recommendations), where it concludes that consent can be the only ground for related data processing. 

The EDPB addressed situations when an individual uses a credit card to pay for a product or service via a website or application. The EDPB considers that if this concerns a unique transaction, the individuals do not have a reasonable expectation that their credit card data would be stored for longer than necessary to complete this transaction. The EDPB also does not consider that storing credit card data for future transactions is necessary to pursue the legitimate interest of the controller or a third party. Therefore, consent can is the only appropriate legal basis for storing credit card data following a purchase. The Recommendations were not available at the time of this publication.

During the plenary meeting, the EDPB also discussed: (i) a letter about the process to identify a controller’s main establishment under GDPR; (ii) upcoming guidance on criteria to determine territorial competence of supervisory authorities under the ePrivacy Directive; (iii) a letter to the European Commission on the data protection aspects of the AML-CFT legislative proposals; and (iv) an opinion on draft Lithuanian Art. 28 standard contractual clauses.

The agenda of the latest EDPB plenary meeting is available here. The EDPB’s press release relating to the plenary meeting is available here. The EDPB’s opinion on the CNIL’s draft decision concerning CISPE Data Protection Code of Conduct is available here, and the opinion on the Belgian DPA’s draft decision concerning the EU CLOUD Code of Conduct is available here. The Belgian DPA’s press release relating to the approval is available here.