INSTRUMENTS ADOPTED BY EDPB IN MARCH 2023

By Mugurel Olariu, Data Protection Officer (RPD protecție date)

On 28 March 2023, the European Data Protection Board (EDPB) adopted, at its remote plenary session, the following documents*1, which are of interest to controllers and processors in industry:
✔ Guidelines 8/2022 on identifying a controller or processor's lead supervisory authority, final version (after public consultation)*2;
✔ Guidelines 9/2022 on personal data breach notification under the GDPR, final version (after public consultation)*3.

The essential points of each document are summarised below.

Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority*4

On 5 April 2017, the Article 29 Working Party adopted its Guidelines for identifying a controller or processor's lead supervisory authority (WP244 rev.01), which were endorsed by the European Data Protection Board (hereinafter "EDPB") at its first plenary meeting. This document is a slightly updated version of those guidelines. Any reference to the WP29 Guidelines for identifying a controller or processor's lead supervisory authority (WP244 rev.01) should henceforth be read as a reference to these EDPB guidelines.
The EDPB noted that further clarification was needed, in particular on the notion of main establishment in the context of joint controllers, taking into account EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
Only the paragraph on this issue was revised and updated; the rest of the document is unchanged apart from editorial changes. The revision concerns Section 2.1.3 on joint controllers.
The GDPR does not specifically address the designation of a lead supervisory authority where two or more controllers established in the EEA jointly determine the purposes and means of processing, i.e. joint controllers. Article 26(1) and recital 79 GDPR provide that, in a joint-control situation, the controllers determine, in a transparent manner, their respective responsibilities for compliance with their obligations under the GDPR.
As the EDPB recalled in its Guidelines on the concepts of controller and processor, joint controllers must determine who does what, deciding among themselves which of them will carry out specific tasks, so as to ensure that the processing complies with the obligations applicable under the GDPR to the joint processing in question.
Where processing is carried out by a group of undertakings headquartered in the EEA, the establishment of the undertaking with overall control is presumed to be the decision-making centre for the processing of personal data and will therefore be taken to be the group's main establishment, unless decisions on the purposes and means of processing are taken by another establishment. The parent or operational headquarters of the EEA group of undertakings is likely to be the main establishment, since that would be its place of central administration.
The compliance measures and related obligations that joint controllers should take into account when determining their respective responsibilities, in addition to those specifically mentioned in Article 26(1) GDPR (Joint controllers), include, among others, organising contact with data subjects and supervisory authorities.
The definition's reference to the controller's place of central administration works well for organisations with a central decision-making headquarters and a branch structure. In such cases the power to decide on cross-border processing, and to implement those decisions, clearly lies with the headquarters, so determining the location of the main establishment, and hence which supervisory authority is the lead supervisory authority, is straightforward. A group's decision-making structure may, however, be more complex, giving independent decision-making power over cross-border processing to different establishments. The criteria above should help groups of undertakings identify their main establishment.
It should be recalled that supervisory authorities are not bound by the terms of the joint-controller arrangement, either as regards the qualification of the parties as joint controllers or as regards the designated point of contact.
In addition, the joint controllers' decision-making power does not extend to determining the competent supervisory authority under Articles 55 (Competence) and 56 (Competence of the lead supervisory authority) GDPR, nor to the ability of those supervisory authorities to exercise the tasks and powers set out in Articles 57 (Tasks) and 58 (Powers) GDPR.
The notion of main establishment is, under the GDPR, tied to a single controller and cannot be extended to a joint-controller situation. This is without prejudice to each joint controller having its own main establishment. In other words, the main establishment of one controller cannot be regarded as the main establishment of the joint controllers for the processing carried out under their joint control. Joint controllers therefore cannot designate, among the establishments where decisions on the purposes and means of processing are taken, a common main establishment for both of them.

The Annex also clarifies, in question-and-answer form:
➢ Does the controller or processor carry out cross-border processing of personal data?
➢ How is the lead supervisory authority identified?
➢ Are there supervisory authorities concerned?

Guidelines 9/2022 on personal data breach notification under GDPR*5

On 3 October 2017, the Article 29 Working Party (hereinafter "WP29") adopted its Guidelines on personal data breach notification under Regulation 2016/679 (WP250 rev.01), which were endorsed by the European Data Protection Board (hereinafter "EDPB") at its first plenary meeting. This document is a slightly updated version of those guidelines. Any reference to the WP29 Guidelines on personal data breach notification under Regulation 2016/679 (WP250 rev.01) should henceforth be read as a reference to these EDPB Guidelines 9/2022.

The EDPB noted a need to clarify the notification requirements for personal data breaches at non-EU establishments. Only the paragraph on this issue was revised and updated; the rest of the document is unchanged apart from editorial changes. The revision concerns paragraph 73 in Section II.C.2 of the document.

Where a controller not established in the EU is subject to the GDPR under Article 3(2) or Article 3(3) and experiences a breach, it must comply with the notification obligations in Articles 33 and 34 GDPR.

Article 27 GDPR requires a controller (and a processor) to designate a representative in the Union where Article 3(2) applies. However, the mere presence of a representative in a Member State does not trigger the one-stop-shop mechanism. The breach must therefore be notified to every supervisory authority in whose Member State the affected data subjects reside.

This notification (or notifications) is the responsibility of the controller. In line with Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)*6, the EDPB considers that the function of representative in the Union is not compatible with the role of an external Data Protection Officer ("external DPO"); the responsibility for notifying the supervisory authority of a personal data breach therefore remains with the controller, in accordance with Article 27(5) GDPR. A representative may still be involved in the notification process if this is explicitly provided for in the written mandate.

The Annex covers:
A. Flowchart showing notification requirements.
B. Examples of personal data breaches and who to notify.

———————————————————————————————–
*1 https://www.dataprotection.ro/?page=Comunicat_Presa_05.04.2023&lang=ro
*2 https://edpb.europa.eu/system/files/2022-10/edpb_guidelines_202208_identifyinglsa_targetedupdate_en.pdf
*3 https://edpb.europa.eu/our-worktools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_ro
*4 Adopted (as an updated version of WP244 rev.01, adopted by the Article 29 Working Party and endorsed by the EDPB on 25 May 2018) for targeted public consultation.
*5 Adopted (as an updated version of WP250 rev.01, adopted by the Article 29 Working Party and endorsed by the EDPB on 25 May 2018) for targeted public consultation as version 1.0 on 10 October 2022; adopted as version 2.0 on 28 March 2023, following the targeted public consultation, on the subject of data breach notification for controllers not established in the EEA.
*6 Available at https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en
