Brussels, 21 October – On October 20th, the EDPB met for its 40th plenary session. During the plenary, a wide range of topics was discussed.
Following public consultation, the EDPB adopted a final version of the Guidelines on Data Protection by Design & Default. The guidelines focus on the obligation of Data Protection by Design and by Default (DPbDD) as set forth in Art. 25 GDPR. The core obligation enshrined in Art. 25 is the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This means that controllers have to implement appropriate technical and organisational measures and the necessary safeguards, designed to ascertain data protection principles in practice and to protect the rights and freedoms of data subjects. In addition, controllers should be able to demonstrate that the implemented measures are effective.
The Guidelines also contain guidance on how to effectively implement the data protection principles in Article 5 GDPR, listing key design and default elements, as well as practical cases for illustration. They further provide recommendations on how controllers, processors and producers can cooperate to achieve DPbDD.
The final guidelines integrate updated wording and further legal reasoning in order to address comments and feedback received during the public consultation.
The EDPB decided to set up a Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities (SAs). The objective of the CEF is to facilitate joint actions in a flexible and coordinated manner, ranging from joint awareness raising and information gathering to enforcement sweeps and joint investigations. The purpose of recurring annual coordinated actions is to promote compliance, to empower data subjects to exercise their rights and to raise awareness.
The EDPB adopted a letter in response to the Europäische Akademie für Informationsfreiheit und Datenschutz concerning the data protection implications of Art. 17 of the Copyright Directive, in particular concerning upload filters. In the letter, the EDPB states that any processing of personal data for the purpose of upload filters must be proportionate and necessary and that, as far as possible, no personal data should be processed when Art. 17 Copyright Directive is implemented. Where the processing of personal data is necessary, such as for the redress mechanism, such data should only concern data necessary for this specific purpose, while applying all the other principles of the GDPR. The EDPB further highlighted that it is in continuous exchange with the European Commission on this topic and that it has indicated its availability for further collaboration.
You can read the agenda of the EDPB’s fortieth plenary here.
Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.