EDPB adopts opinions on first transnational codes of conduct, Statement on Data Governance Act, Recommendations on the legal basis for the storage of credit card data. 

May 20, 2021

Source: European Data Protection Board

During its plenary session, the EDPB adopted two Art. 64 GDPR opinions on the first draft decisions on transnational[1] Codes of Conduct (Codes) presented to the Board by the Belgian and French supervisory authorities (SAs). In particular, the Belgian SA’s draft decision concerns the EU CLOUD Code of conduct, addressed to cloud service providers. The French SA’s draft decision concerns the CISPE Code of conduct, addressed to cloud infrastructure service providers. These Codes aim to provide practical guidance and define specific requirements (i.e. Art. 28 GDPR) for processors in the EU subject to these Codes. They are not to be used in the context of international transfers of personal data. The EDPB is of the opinion that both draft codes comply with the GDPR and fulfil the requirements set forth in Art. 40 and 41 GDPR. According to the GDPR, adherence to approved codes of conduct may be used as an element to demonstrate legal compliance.

EDPB Chair, Andrea Jelinek, said: “We welcome the efforts made by the code owners to elaborate codes of conduct, which are practical, transparent and potentially cost-effective tools to ensure greater consistency among a sector and foster data protection compliance.”

The EDPB adopted a statement on the Data Governance Act (DGA) in light of developments in the legislative process. The statement is a follow-up to the joint EDPB-EDPS opinion on the DGA and reinforces its main remarks. The EDPB reiterates that, without robust data protection safeguards, there is a risk that the trust in the digital economy would not be sustainable. The statement further highlights the need to ensure consistency of the DGA with the EU data protection acquis and urges the co-legislators to carefully consider certain aspects, such as the interplay between the DGA and the GDPR, and the importance of ensuring that the new definitions and concepts are not incompatible with the GDPR. 

Finally, the EDPB adopted recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. The recommendations cover situations in which data subjects buy a product or pay for a service via a website or an application and provide their credit card data in order to conclude a unique transaction. It appears that in such situations, the data subject does not reasonably expect the credit card data to be stored for longer than what is necessary to pay for the goods or services, nor is it evident that the storage of the credit card data to facilitate future purchases is necessary to pursue the legitimate interest of the controller or a third party. As such, consent in accordance with Art. 6(1)(a) GDPR should be considered the sole appropriate legal basis for storing credit card data after the purchase.

The agenda of the forty-ninth plenary is available here.

[1] This terminology used in the EDPB Guidelines 01/2019 covers codes of conduct relating to processing activities in several Member States.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2021_04
