The IAPP conference in Munich on 19 September 2018 provided important insights into the work and views of the European Data Protection Board (EDPB). Isabelle Vereecken (Head of the EDPB Secretariat) and Bas Van Bockel (Head of Department of International, Policy and Strategy, Dutch Data Protection Authority) addressed key topics such as data protection impact assessments (DPIA), international data transfers and the one-stop-shop principle.
Ms. Vereecken explained that the EDPB has received twenty-two black lists from the national data protection supervisory authorities (DPAs) with 260 different types of processing overall, which, in the view of the DPAs, require a DPIA. In its third plenary session on 26 September, the EDPB has reached an agreement on and adopted twenty-two opinions establishing common criteria for DPIA lists based on the lists submitted to the EDPB by the DPAs (available here).
Given that the GDPR requires DPAs to take utmost account of the EDPB’s opinions, it is expected that each DPA will then re-issue the public version of their lists amended to the corresponding EDPB’s opinion.
In the context of international data transfers, Ms. Vereecken mentioned that the EDPB is preparing its opinion on the European Commission’s draft adequacy decision regarding Japan, which was released in September of this year. Further, the EDPB will start reviewing the EU-U.S. Privacy Shield Framework in October of this year. As already emphasized by the EDPB in its second plenary meeting, its focus will be on the concerns regarding the ombudsman mechanism raised by the EDPB’s predecessor, the Article 29 Working Party.
Another crucial topic addressed by Ms. Vereecken was the territorial scope of the GDPR. Ms. Vereecken acknowledged the need for guidance in this regard and mentioned that the EDPB will release an opinion on the territorial applicability of the GDPR in early 2019.
During the conference, both Ms. Vereecken and Mr. Van Bockel noted that the DPAs still need to resolve some practical aspects regarding the one-stop-shop principle. A number of DPAs have asked the EDPB for assistance in determining their role as lead supervisory authority. The EDPB’s position is that in practice the lead supervisory authority probably will not be the only contact point. Taking into account the capacity of the lead supervisory, authority and the types of processing activities (cross-border processing/local processing), local DPAs should function as contact points for the controller/processor as well.
Still being discussed within the EDPB is whether the one-stop-shop principle may apply only to one controller/processor having multiple establishments or if it may also apply to multiple controllers/processors. Ms. Vereecken indicated that the principle may apply also to multiple controllers at least when they act as joint controllers, and pointed out that the focus should be more on identifying the processing activities and less on the companies within a corporate group for the purpose of identifying the lead supervisory authority.