On October 7, 2024, the European Data Protection Board (“EDPB”) adopted four salient documents during its latest plenary session. These documents are:
In its recent Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s) (“Opinion”), the EDPB crystallised key responsibilities for controllers relying on processors and sub-processors under Article 28 GDPR, following a request by the Danish Data Protection Authority. Article 28 regulates the use of processors; however, several ambiguities existed which created inconsistent interpretations.
In brief, the EDPB upheld that controllers must maintain “readily available” information (i.e. name, address, contact person) on all processors and sub-processors and must verify that they are able to provide sufficient guarantees to protect the rights of their data subjects. The Opinion also underscores that while processors, in line with Article 28, are responsible for ensuring their sub-processors meet data protection obligations, the ultimate responsibility lies with the controller. It is thus up to controllers to verify the adequacy of guarantees provided by all processors and sub-processors in the data processing chain, particularly where data processing poses a high risk to the rights and freedoms of data subjects.
Nonetheless, the level of verification expected from controllers varies depending on the risk associated with the processing. In addition, the EDPB again clarified that when transferring data outside the EEA, controllers must ensure that transfers comply with GDPR requirements.
The Opinion is accessible here.
The EDPB also adopted Guidelines on Legitimate Interest, clarifying the conditions under which controllers can rely on legitimate interest as a legal basis for processing personal data. Such guidance is thus essential for organisations seeking to justify their data processing activities based on legitimate interest under Article 6(1)(f) of the GDPR.
In line with the recent judgement of Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (C-621/22), the guidelines outline that this legal basis should not be viewed as a fallback option or applied indiscriminately. For context, the EDPB stressed that for such justification to be lawful, three conditions must be met, namely:
Controllers must thus document their assessment of these conditions, considering various factors, including the impact on data subjects and potential alternative methods for safeguarding their interests without infringing on rights.
The Guidelines are accessible here.
Additionally, the EDPB adopted Statement 4/2024 on the recent legislative developments on the Draft Regulation laying down additional procedural rules for the enforcement of the GDPR (“Statement”), as a response to the amendments made by the European Parliament and the Council to the proposal for a Regulation concerning GDPR enforcement procedures. While the EDPB generally welcomed these modifications in the Statement, it emphasised the need for further refinements to ensure a level of effective cooperation between authorities and enhance enforcement mechanisms.
Key recommendations include the establishment of a legal basis for amicable settlements, streamlining the dispute resolution process, and clarifying the implementation of a joint case file system. The EDPB also highlighted the importance of realistic deadlines and the need for a clear scope regarding the opt-out provision for lead Data Protection Authorities across all member states. The EDPB welcomed this proposal as a step towards addressing challenges, in particular in scenarios revolving around cross-border data protection.
The Statement is accessible here.
The EDPB also adopted its 2024-2025 Work Programme, outlining its priorities for the coming years. The EDPB's Roadmap is structured around four key pillars aimed at strengthening data protection and compliance:
The Work Programme can be accessed here.
Author: J.J. Galea