TOOLS ADOPTED BY THE EDPB IN OCTOBER 2022
By Mugurel Olariu, RPD protectie date
The European Data Protection Board (EDPB) adopted several documents in October 2022, of which we highlight the most important, as follows:
√ Guideline 9/2022 on personal data breach notification under the GDPR*1.
√ Statement 04/2022 on design options for a digital euro from the perspective of privacy and data protection*2.
√ a List of procedural aspects proposed to be harmonised at European Union level, to ensure the effective application of the General Data Protection Regulation*3.
Next, we present a selection of the points developed in the documents mentioned above:
Guideline 9/2022 on the notification of personal data breaches under the GDPR:
➣ It is an updated version of the Guidelines on personal data breach notification under Regulation 2016/679, adopted on October 3, 2017 by the Article 29 Working Party (WP29) and revised on February 6, 2018 (WP 250 rev.01). The document is in public consultation until November 28, 2022.
➣ It also builds on WP29 Opinion 03/2014 on personal data breach notification (WP 213), adopted on March 25, 2014.
➣ The 11 examples and 15 quotations from the text of the GDPR are reproduced, for a better correlation of the practical aspects with the regulation.
➣ The annex contains A. a flowchart on notification requirements and B. examples of personal data breaches and who must notify them. It is important to note that: “The following non-exhaustive examples will assist controllers in determining whether to notify the breach in various personal data breach scenarios. These examples can also help to distinguish between risk and high risk to the rights and freedoms of individuals.”
Statement 04/2022 on design options for a digital euro from a privacy and data protection perspective. The data protection aspects concern:
➣ Privacy and data protection by design and by default – as a preliminary point, the EDPB recalls that a very high standard of privacy and data protection, in line with the public expectations expressed by citizens, is crucial to ensure the trust of European citizens in the future digital euro and is a key success factor for the project. Compared with physical cash and its beneficial properties for privacy and freedoms, the distinctive value proposition of a digital euro in an already highly competitive and efficient payment landscape would be its high level of privacy, which it is the public sector’s responsibility to offer and which would be a decisive trigger for its adoption by EU citizens. For this reason, a digital euro should be designed to be as close as possible to physical cash.
➣ Avoiding systematic validation and tracking of transactions – the EDPB notes that the “baseline scenario” chosen by the ECB would be a form of digital euro available online, with transactions validated by a third party. Such a design choice would entail full transparency of certain personal data (including transaction data) to that third party for AML/CFT purposes. The introduction of an offline modality with private transactions and holdings for lower-value proximity payments, and a “selective privacy” approach for the online modality, where only high-value transactions are subject to AML/CFT checks, are described as “beyond baseline” and need further investigation.
➣ A privacy threshold, both offline and online – in this context, the EDPB suggests introducing in the baseline scenario, for both the offline and the online modality, a “privacy threshold” expressed as a transaction value below which no transaction tracking can take place, thus giving citizens confidence in the privacy of day-to-day digital euro payments and reflecting their low AML/CFT risk. This lack of tracking means that small-value transactions are not subject to verification and are not recorded in the intermediary’s accounts.
➣ The need for a specific regulatory framework – in addition, the EDPB recommends developing a specific legal framework for the digital euro, which should specifically address data protection and AML/CFT issues, alongside other legal issues. Indeed, the current legal framework on electronic payments does not seem adequate for an instrument such as the digital euro, which has fundamentally different characteristics from other existing electronic payment means in terms of policy objectives and the level of trust required to meet public expectations. The EDPB recommends that this specific legal framework be part of the “baseline scenario” envisaged by the EU institutions.
➣ Encouraging democratic public debate – finally, the EDPB calls on the ECB and the Commission to step up public debate on the protection of personal data in digital payments. In the EDPB’s view, the ECB and the Commission could benefit from further external input from civil society and academia on how, in practice, the digital euro project could meet the highest standards of privacy and data protection. Regarding the implementation of the prototype e-commerce use case, the EDPB recommends ensuring that the proposal is fully compliant with the Schrems II judgment and other applicable data protection rules.
The list of procedural aspects proposed to be harmonised at European Union level, in order to ensure the effective application of the General Data Protection Regulation, was sent by e-mail to the European Commissioner for Justice, Didier Reynders. Its Annex sets out a List of procedural aspects covered by the proposals, which essentially concern:
1. Regarding the parties to the administrative procedure:
1.1. Identification of the parties to the procedure; status and rights of the claimant.
1.2. The rights of the parties to the procedure.
1.3. Party access to file and confidentiality.
1.4. The right to be heard.
2. Regarding the procedural deadlines:
2.1. Procedural stages that are not subject to a deadline.
3. Regarding complaints:
3.1. Formal admissibility requirements.
3.2. Dismissal or rejection of the complaint and termination of the procedure initiated by a complaint.
3.3. Resolving complaints through amicable settlement.
4. Regarding investigative powers:
4.1. Preliminary verification and clarification of the Supervisory Authority’s investigative powers before its competence is established.
4.2. Investigation “to the extent appropriate”.
4.3. Compliance with executive orders.
5. Regarding the cooperation procedure under Article 60 GDPR:
5.1. Informal cooperation and scope of information exchanged between the Supervisory Authorities.
5.2. Information to the Supervisory Authorities concerned and to the Board in accordance with Article 60(7) GDPR, and the moment when decisions can be published.
———————————————————————
*1 https://edpb.europa.eu/system/files/2022-10/edpb_guidelines_202209_personal_data_breach_notification_targetedupdate_en.pdf
*2 https://edpb.europa.eu/system/files/2022-10/edpb_statement_20221010_digital_euro_en.pdf
*3 https://edpb.europa.eu/system/files/2022-10/edpb_letter_out2022-0069_to_the_eu_commission_on_procedural_aspects_en_0.pdf