EDPB adopts Guidelines on Codes of Conduct as a tool for transfers

Jul 8, 2021

Source: European Data Protection Board

During its plenary session, the EDPB adopted Guidelines on Codes of Conduct (CoCs) as a tool for transfers. The main purpose of the guidelines is to clarify the application of articles 40 (3) and 46 (2) (e) of the GDPR. These provisions stipulate that once approved by a competent SA and after having been granted general validity within the EEA by the Commission, a CoC may also be adhered to and used by controllers and processors not subject to the GDPR to provide appropriate safeguards to transfers of data outside of the EU. The guidelines complement the EDPB Guidelines 1/2019 on codes of conduct which establish the general framework for the adoption of codes of conduct.

The EDPB adopted a final version of the Guidelines on Virtual Voice Assistants (VVA). The Guidelines aim to provide recommendations to relevant stakeholders on how to address some of the most relevant compliance challenges for VVAs. Following public consultation, the Guidelines were updated to reflect comments received.

Also following public consultation, the EDPB adopted a final version of the Guidelines on the concepts of Controller and Processor. These Guidelines aim to provide clarifications concerning fundamental concepts such as (joint) controller and processor. The final version integrates updated wording and further clarifications in order to address comments and feedback received during the public consultation.

Following the establishment of TikTok in the EU and the identification of its main establishment in Ireland for the ongoing cases related to the TikTok app, the EDPB decided to disband its TikTok Taskforce. This Taskforce was created to coordinate potential actions from the EEA supervisory authorities (SAs) and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU. At the time the Taskforce was created, there was no main establishment for TikTok in the EU and the Taskforce aimed to facilitate the exchange of information between SAs. Now, the One-Stop-Shop procedure applies and the Irish SA (DPC) was designated as the lead authority in charge of the files.

Consequently, the SAs involved in the Taskforce will use the designated tools under the cooperation mechanism, while also taking into account article 64(2) GDPR and EDPB opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment. Several SAs have already transferred their investigations to the DPC.

The SAs will have the opportunity to hold discussions on the matter, within the EDPB, and in particular within its Enforcement Expert Subgroup.

It is important to note that the EDPB can only take action in case the consistency mechanism in article 63 GDPR is triggered. After having issued provisional measures pursuant to article 66(1) GDPR, and having received assurances from TikTok on their application, including commitments that the latter undertook regarding its processing activities, the Italian SA decided that it no longer requires an urgent decision from the EDPB.

Finally, the EDPB discussed possible topics for its first coordinated enforcement action, following the EDPB’s decision to set up a Coordinated Enforcement Framework on 20 October 2020. The EDPB decided that the first action will concern the use of cloud-based services by public sector bodies and further work will now be carried out to specify the details and the scope in the upcoming months.

Note to editors:

All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
