EDPB Plenary

EDPB Plenary no.51 / 7 June 2021

By Mugurel Olariu, RPD protectie date

The European supranational body for data protection, the European Data Protection Board (EDPB), held its 51st plenary meeting on 7 July 2021, examining a number of important documents and working tools, including:
1. Internal guidance on the handling of complaints against public authorities or private bodies acting under Article 6 (1) (c) or (e) of the GDPR.
2. Guidelines on Codes of Conduct as a tool for transfers.
3. Guidelines on the Use of social media by public bodies – mandate application.
4. Guidelines on Virtual voice assistants (after public consultation).
5. Guidelines on the concepts of controller and processor (after public consultation).

These working tools are to be published by the EDPB in the near future, so we will perform a detailed analysis once they appear. Until then, we will make some theoretical clarifications from the perspective of the General Data Protection Regulation.

1. The lawfulness of processing, according to art. 6 of the GDPR, concerns two distinct conditions and situations, both for public authorities and for private bodies that fulfill a task serving the public interest, detailed in paragraph (1) letters c) and e), which provide:
c) the processing is necessary in order to fulfill a legal obligation incumbent on the controller;
e) the processing is necessary for the fulfillment of a task that serves a public interest or that results from the exercise of the public authority with which the controller is invested;
Thus, this concerns only the handling of data subjects' complaints / requests by public authorities or private bodies, namely where personal data needs to be processed for:
– fulfillment of a legal obligation,
– performing a task in the public interest, or
– the exercise of the public authority with which the controller is invested.
It follows that the addressees of this internal guidance are public authorities or private bodies that carry out data processing falling under one of the three hypotheses presented.
Undoubtedly, other private controllers can also adopt the model that will be published, as a necessary minimum, where they have not yet put in place appropriate technical and organizational measures for handling data subjects' requests.


2. The Guidelines on Codes of Conduct as a tool for transfers derive from the provisions of art. 40 para. (2) lit. j) and para. (3) and of art. 46 para. (2) lit. e) of the GDPR.
Thus, on the one hand, the Code of Conduct must contain provisions specifying how the regulation applies with regard to j) the transfer of personal data to third countries or international organizations, from the perspective of art. 40 paragraph (2), for controllers or processors to whom the GDPR applies or not, from the perspective of art. 40 paragraph (3); and, on the other hand, the approved Code of Conduct must offer an appropriate safeguard, from the perspective of art. 46 paragraph (2) letter e) of the GDPR.
We remind you that art. 46 paragraph (2) of the GDPR, on appropriate safeguards in the transfer of personal data, provides that:
2. The appropriate safeguards referred to in paragraph 1 may be provided without the need for any specific authorization from a supervisory authority, by:
a) a legally binding and enforceable instrument between public authorities or bodies;
b) binding corporate rules in accordance with Article 47;
c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2);
d) standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93 (2);
e) a code of conduct approved in accordance with Article 40, accompanied by a binding and enforceable undertaking by the controller or processor in the third country to apply appropriate safeguards, including as regards the rights of data subjects; or
f) a certification mechanism approved in accordance with Article 42, accompanied by a binding and enforceable undertaking by the controller or processor in the third country to apply appropriate safeguards, including as regards the rights of data subjects.


3. The mandate request that is the subject of the Guidelines on the Use of social media by public bodies will set the limits of the mandate for public authorities that intend such use. In short, it will also regulate the concrete manner and the cases in which public authorities can use social networks.
Obviously, this Guide will also be closely linked to Guidelines 8/2020 on the targeting of social media users.

4. Guidelines on Virtual voice assistants, adopted on March 9, 2021 – Guide 8/2020 is finalized in version 2.0, after public consultation.

5. Guidelines on the concepts of controller and processor, adopted on September 7, 2020 – Guide 7/2020, is finalized in version 2.0, after public consultation.

We reiterate that we will return in future articles with details of the instruments presented, in order to clarify for industry operators the issues regulated at Board level.
