On 25 and 26 September 2011, the European data protection authorities, gathered in the European Data Protection Board (EDPD), held their third plenary meeting since the establishment of the body at the time of the GDPR’s entry into force. During this third plenary meeting some very interesting topics were discussed, which could have a direct impact on entrepreneurs in Belgium.
What is the European Data Protection Board?
The European Data Protection Board is the successor to what used to be known as “Working Party 29”. It is the consultative body between the various data protection authorities of the EU Member States. After all, the GDPR is a European regulation that has to create a unified legal system for data processing throughout the EU, but this is only possible if there is permanent consultation between the member states on local implementation and impact of that GDPR, of course. It is the consultative body that formally met for the third time at the end of September and had the following items on the agenda.
EU-Japan adequacy decision
The board members discussed the EU-Japan draft adequacy decision they received from Commissioner Věra Jourová and were asked to give an opinion on. The board will now thoroughly review the draft decision. The Council is determined to take into account the broad impact of the draft decision on adequacy and the need to protect personal data in the EU. In recent weeks we have already reported on our blog pages several times about a number of non-EU countries that have started the preparation of a “GDPR-like” legislation in recent months. California and Brazil, for example, are working on legislation that should strengthen the protection of the citizen when processing his personal data.
This is important for European companies that are active in those countries or exchange data with those countries. So-called “data export” outside the EU is only possible under strict conditions and only if it can guarantee that the personal data in question will obtain a similar level of protection in those third countries as in the EU.
One of the easiest ways to export data is when it is done to a country included on a list of the EU with “safe” countries, countries that are considered to be of an equivalent level based on an “adequacy decision” of the EU. protection as the EU itself. That list is for the time being very short, only 11 countries are on it. There are a lot of little practical “countries like Jersey, Guernsey, Andorra or the Faroese islands and a few more” useful “destinations like Argentina, Canada, Israel or Switzerland.
If data is exported to a country that is not on this short list, other guarantees are needed. For more information about this you can always take a cotnact with our team at email@example.com. The good news now is that the EU is working on an extension of this list. Japan would be added to this, as a direct result of recent trade agreements with Japan and of the fact that Japan itself is working on its own “GDPR”, which must provide the necessary guarantees. exporting data to and from Japan will therefore be simpler in the future.
Data Protection Impact Assessment standards
The GDPR stipulates that in a number of cases a so-called Data Protection Impact Assessment must take place prior to the processing of personal data. This is the case if there is an identifiable “risk” for the party involved in the processing that one wants to perform. The GDPR imposes an obligation on each of the Member States to draw up a list of cases where a DPIA is mandatory, something that all Member States have already done.
At its plenary session, the EDPB has already collated these national opinions and agreed on this basis a set of common criteria for DPIAs in Europe. These lists are an important tool for the consistent application of the GDPR across the EU. The EDPB received 22 national lists with a total of 260 different types of processing. The EDPB President, Andrea Jelinek, said: “It has been a huge challenge for the members of the Board and the EDPB Secretariat to examine all these lists and to establish common criteria for what a DPIA brings about and what does not. It was an excellent opportunity for the EDPB to test the possibilities and challenges of consistency in practice. The AVG does not require full harmonization or an ‘EU list’, but requires more consistency, which we have achieved in these 22 opinions by agreeing on a common vision.”
Guidelines for territorial scope
The EDPB adopted new draft guidelines which will contribute to a common interpretation of the territorial scope of the GDPR and provide further clarification on the application of the GDPR in different situations, in particular where the data controller or processor is established outside the EU, including the appointment of a representative within the EU by these companies.
Questions about GDPR or data protection in general within and outside the EU?
Feel free to contact our team at firstname.lastname@example.org or on +32 2 721 13 00.