EDPB

Subscribe to EDPB via RSS

They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR

On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer where EU data subjects disclose on their own initiative personal data directly to a non-EU company. Consequently, there is no need to implement a transfer tool in such situations. The Guidelines are open to public consultation until the end of January 2022.
Continue Reading EU Regulators Define Data Transfers

On February 2, 2021, the European Data Protection Board (EDPB) issued guidance on the processing of personal data for research purposes in response to questions posed by the European Commission (Document). The Document aims to provide clarity on the application of the General Data Protection Regulation (GDPR) to scientific health research. In particular, the Document provides high-level guidance on pertinent issues such as consent for scientific research purposes, appropriate legal bases, and data repurposing.
Continue Reading EDPB Clarifies Key Health Research Data Protection Rules

On January 18, 2021, the European Data Protection Board (EDPB), comprised of all national supervisory authorities (SAs) of the European Union, published draft guidelines for data breach notification1 (the Guidelines).

The Guidelines provide useful insight into how regulators apply the General Data Protection Regulation (GDPR) personal data breach notifications rules. Specifically, they describe six common types of personal data breaches (i.e., ransomware, data exfiltration attacks, internal human risk, lost or stolen device and paper documents, misposted data, and social engineering attacks), and offer 18 case studies. Through these case studies, the EDPB seeks to clarify organizations’ notification and remediation obligations.
Continue Reading EDPB Publishes New Guidance for Data Breach Notification

On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).
Continue Reading Draft EDPB Guidelines Clarify the Roles of Parties Processing Personal Data and Call for Detailed Data Processing Agreements

On May 4, 2020, the European Data Protection Board (EDPB) adopted new guidelines (the guidelines) regarding the use of consent as a legal basis for processing personal data under the General Data Protection Regulation (GDPR).[1] The guidelines update and replace the Article 29 Working Party’s April 2018 guidance on the same topic.

The guidelines remain largely unchanged from the earlier version but do provide helpful clarifications on two points: a) the validity of consent when interacting with so-called “cookie walls”; and b) “scrolling” as a means of indicating consent.
Continue Reading EDPB Adopts Updated Consent Guidance

On April 14, 2020, the European Data Protection Board (the EDPB) published a letter in response to the European Commission’s call for consultation (the letter) regarding its recommendation on the use of mobile applications and location data to fight the COVID-19 outbreak.

As previously reported in our blog post, the European Commission’s recommendation sets out a “toolbox” of measures to be implemented across EU member states to address the use of technology in combating the spread of the COVID-19 pandemic. In its letter, the EDPB sets forth data privacy and information security measures that app developers should consider when developing mobile applications to inform individuals or monitor infected persons (COVID-19 mobile apps).
Continue Reading The EDPB Responds to the European Commission’s Recommendation on COVID-19 Mobile Apps