News aggregator

EDPB Annual Report 2021: Enhancing the depth and breadth of data protection

2 years, 11 months ago

Today, Andrea Jelinek, Chair of the European Data Protection Board (EDPB) presented the EDPB Annual Report 2021. The report provides a detailed overview of the work carried out by the EDPB in the last year.

EDPB Chair Andrea Jelinek said: “2021 was the EDPB’s fourth year of existence and the first year of implementation of the multiannual EDPB Strategy 2021-2023. It was a very productive year, in which we completed many key actions to reach the objectives set out in our Strategy. Although we continued working mostly remotely due to the continuing impact of the COVID-19 pandemic, we made significant progress on a number of important files. To make this possible, we held over 380 EDPB meetings, including plenaries and expert subgroup meetings.”

In early 2021, the EDPB adopted its two-year Work Programme for 2021-2022. The Work Programme follows the priorities set out in the Strategy for 2021-2023 and puts the EDPB’s strategic objectives into practice. The Work Programme and Strategy helped guide the EDPB’s work in 2021 and will continue to guide its work in the years to come.

Over the past year, the EDPB continued to pay a great deal of attention to international transfers of personal data. In 2021, the EDPB adopted its final version of the Recommendations on supplementary measures following the Schrems II ruling by the Court of Justice of the EU, taking on board the input received from stakeholders during public consultation. In addition, the EDPB adopted opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive (LED), as well as its opinion on the draft adequacy decision for the Republic of Korea. The EDPB also adopted guidance documents on other international transfer tools, such as Codes of Conduct, and adopted joint opinions, together with the EDPS, on the new sets of Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA.

A second area in which the EDPB carried out important work was digital policy. Among others, the EDPB and EDPS adopted joint opinions on the proposal for a Data Governance Act (DGA) and the draft Artificial Intelligence Act. Furthermore, the Members of the Board adopted a statement on the Digital Service Package and Data Strategy.

Law Enforcement formed another priority area for the EDPB in 2021. Not only did the EDPB adopt its first opinion on an adequacy decision under the LED, the EDPB also adopted recommendations on the LED adequacy referential, aiming to standardise the adequacy procedure under the LED. In addition, the EDPB carried out an evaluation of the LED itself.

In 2021, the EDPB adopted 8 guidelines and recommendations on topics such as personal data breach notifications, connected vehicles and virtual voice assistants, as well as 6 guidelines and recommendations in their final version following public consultation.

Another key task of the EDPB is to ensure consistency in enforcement and cooperation between national authorities. In 2021, the EDPB adopted 35 Art. 64 GDPR consistency opinions. Most of these opinions concern binding corporate rules and accreditation requirements for certification bodies and code of conduct monitoring bodies.

In July 2021, the EDPB adopted its very first Art. 66 GDPR Urgent Binding Decision following a request from the Hamburg supervisory authority (SA), which had adopted provisional measures against Facebook Ireland Ltd.

In the same month, the EDPB also adopted its second Art. 65 GDPR binding decision which sought to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA, acting as lead SA, regarding WhatsApp Ireland Ltd. and the subsequent objections expressed by a number of concerned supervisory authorities.

The GDPR requires the EEA SAs to cooperate closely to ensure the consistent application of the GDPR and protection of individuals’ data protection rights across the EEA.

  • Between 1 January and 31 December 2021, there were 506* cross-border cases out of which 375 originated from a complaint, while 131 had other origins, such as investigations, legal obligations and/or media reports.
  • The One-Stop-Shop mechanism demands cooperation between the lead SA (LSA) and the concerned SAs (CSAs). The LSA leads the investigation and plays a key role in the process of reaching consensus between the CSAs, in addition to working towards reaching a coordinated decision about the data controller or processor. Between 1 January 2021 and 31 December 2021, there were 209 draft decisions, of which 141 resulted in final decisions.
  • The mutual assistance procedure allows SAs to ask for information from other SAs or to request other measures for effective cooperation, such as prior authorisations or investigations. Between 1 January 2021 and 31 December 2021, SAs initiated 243 formal mutual assistance procedures. They initiated 2418 informal mutual assistance procedures. Mutual assistance is also used by the SAs requesting the competent SA to handle complaints they received which do not relate to cross-border processing as defined by the GDPR.

To read the EDPB Annual Report 2021, click here

Note to editors:

* References to case register entries in these statistics do not have a 1-to-1 correlation to the number of cross-border complaints handled per country as multiple complaints may be bundled in one case register entry which therefore can relate to multiple cross-border cases. Depending on the Member State legislation, supervisory authorities may have handled complaints outside of the Art. 60 procedure in accordance with their national law.

The European Data Protection Board (EDPB) is an independent European body, established by the General Data Protection Regulation (GDPR), which aims to ensure the consistent application of data protection rules across the European Economic Area (EEA). It achieves this aim by promoting cooperation between national Supervisory Authorities (SAs) and issuing general, EEA-wide guidance regarding the interpretation and application of data protection rules.

The EDPB comprises the Heads of the EU SAs and the European Data Protection Supervisor (EDPS). The European Commission has the right to participate in the activities and meetings of the EDPB without voting rights. The SAs of the EEA countries (Iceland, Liechtenstein and Norway) are also members of the EDPB, although they do not hold the right to vote.


EDPB

The EU’s Data Act: data protection must prevail to empower data subjects

2 years, 11 months ago

Brussels, 5 May - The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) published their Joint Opinion on the proposed Data Act.

The EDPS and EDPB welcome the efforts made to ensure that the Data Act does not affect the current data protection framework. At the same time, since the Data Act would also apply to highly sensitive personal data, the EDPS and EDPB urge the co-legislators to ensure that data subjects’ rights are duly protected. The access, use and sharing of personal data by entities other than data subjects should occur in full compliance with all data protection principles and rules. Moreover, products should be designed in such a way that data subjects are offered the possibility to use devices anonymously or in the least privacy-intrusive way possible.

The Data Act aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects (‘Internet of Things’), medical or health devices and virtual assistants. The Data Act also aims to enhance data subjects’ right to data portability under Art. 20 of the General Data Protection Regulation.

Wojciech Wiewiórowski, EDPS, said: “Data must be processed according to European values if we aim to shape a safer digital future. As we move to create new opportunities for data use, we must ensure that the existing data protection framework remains fully intact. Access to data by public authorities should always be properly defined and limited to what is strictly necessary and proportionate, which is not the case under the draft Data Act.”

The EDPS and EDPB advise the co-legislators to provide limitations or restrictions on the use of data generated by the use of a product or service by any entity other than data subjects, in particular where the data at issue is likely to allow precise conclusions to be drawn concerning data subjects’ private lives, or would otherwise entail high risks for the rights and freedoms of data subjects. The EDPS and EDPB recommend introducing clear limitations regarding the use of the relevant data for purposes of direct marketing or advertising; employee monitoring; calculating, modifying insurance premiums; credit scoring. Limitations on the use of data should also be provided to protect vulnerable data subjects, in particular minors.

The EDPS and EDPB express their deep concerns about the lawfulness, necessity and proportionality of the obligation to make data available to EU Member States’ public sector bodies and to EU institutions, bodies, offices and agencies (EUIs) in case of “exceptional need”. In their Joint Opinion, the EDPS and EDPB stress that any limitation on the right to the protection of personal data requires a legal basis that is adequately accessible and foreseeable. The legal basis must also define the scope and manner of the exercise of powers by the competent authorities, and be accompanied by safeguards to protect data subjects against arbitrary interference. The EDPS and EDPB urge the co-legislators to define much more stringently the hypotheses of emergency or “exceptional need”, and which public sector bodies and EUIs should be able to request data.

As regards enforcement, the EDPS and EDPB welcome the designation of data protection supervisory authorities as competent authorities responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned. The EDPS and EDPB ask the co-legislators to designate national data protection authorities as coordinating competent authorities under the Data Act.

Andrea Jelinek, EDPB Chair, said: “It is crucial to solidly embed the GDPR in the overall regulatory architecture that is being developed for the digital market. Not just for this proposal, but also concerning other legislative proposals, such as the Data Governance Act or the Digital Markets Act. A clear distribution of competences amongst the relevant regulators will need to be ensured, as well as efficient cooperation to avoid the risk of fragmented supervision, the establishment of a parallel set of rules and to ensure legal certainty for organisations and data subjects.”


EDPB

Europe Day 2022

2 years, 11 months ago

Every year in early May we celebrate peace and unity in Europe through Europe Day, to commemorate the signing of the 'Schuman Declaration'. This year, on 7 May, the EU institutions invite you to a wide range of online and on-site activities across the EU Member States, as well as in the home of the EU institutions in Brussels, Luxembourg and Strasbourg.

EDPB and EDPS will both be present with a common booth at the European Commission’s headquarters, the Berlaymont building, from 10:00 to 18:00 on Saturday 7 May.

For more information about Europe Day 2022 visit: https://europeday.europa.eu/index_en

EDPB

DPAs decide on closer cooperation for strategic files

3 years ago

Vienna, 29 April - At a two-day high level meeting in Vienna, EDPB Members have agreed to further enhance cooperation on strategic cases and to diversify the range of cooperation methods used.

Andrea Jelinek, Chair of the European Data Protection Board, said: “In the past four years, we have invested a great deal of resources in the interpretation and consistent application of the GDPR by endorsing and adopting no less than 57 Guidelines and 6 Recommendations. Enforcement by the data protection authorities (DPAs) has ramped up with cumulative fines adding up to 1.55Bn€ at the end of 2021. More than ever, strong and swift enforcement is crucial for ensuring a consistent interpretation of the GDPR. To stay on top of this growing workload and make the most efficient use of the possibilities for cooperation foreseen in the GDPR, we will yearly identify a number of cross-border cases of strategic importance for which an action plan with a fixed timeline for cooperation will be set. All EDPB Members are committed to close cooperation and we focus on practical solutions to strengthen the capacity of DPAs to enforce.”

Groups of DPAs may decide to join forces on investigation and enforcement activities and DPAs may share the work within these groups. When needed, an EDPB task force can be created.

Furthermore, the DPAs commit to exchanging information on national enforcement strategies with a view to agreeing on annual enforcement priorities at EDPB level, which can be reflected in national enforcement programmes. DPAs can prepare a common enforcement framework, including common instruments for inspections.

Finally, the EDPB stresses the importance of further harmonisation of national procedural laws. Andrea Jelinek: “We will identify a list of administrative procedural aspects that could be further harmonised on EU level to maximise the positive impact of GDPR, and share this information with the European Commission. This will help bridge differences and ensure a more effective application of the GDPR.”

Full statement available here


EDPB

IMY investigates Svea Inkasso

3 years ago
The investigation of Svea Inkasso is part of the authority's work to routinely check large actors holding debt collection licences.

IMY investigates the alarm company Verisure

3 years ago
The Swedish Authority for Privacy Protection (IMY) is now opening a supervisory investigation of the alarm company Verisure to look into reports that employees at the company have shared image material among themselves without justification.

EDPB issues statement on the Trans-Atlantic Data Privacy Framework

3 years ago
At its most recent plenary meeting, the European Data Protection Board, EDPB, discussed the agreement in principle on a new transatlantic framework for the protection of personal data when transferred to the USA. The EDPB welcomes the agreement in principle but flags that much work remains before a new system for transfers is in place.

EDPB adopts statement on the new Trans-Atlantic Data Privacy Framework, letter concerning independence of Belgian SA & discusses membership Spring Conference

3 years ago

Brussels, 7 April - The EDPB adopted a statement on the announcement of a new Trans-Atlantic Data Privacy Framework. The EDPB welcomes the commitments made by the U.S. to take ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (EEA) when their data are transferred to the U.S. as a positive first step in the right direction.

The EDPB notes that this announcement does not constitute a legal framework on the basis of which EEA data exporters can transfer data to the U.S. Data exporters must continue taking the necessary actions to comply with the case law of the Court of Justice of the European Union (CJEU), and in particular its Schrems II decision of 16 July 2020. The EDPB will pay special attention to how this political agreement is translated into concrete legal proposals.

The EDPB looks forward to assessing carefully the improvements that the new framework may bring in light of EU law, CJEU case law and previous recommendations of the Board, once the EDPB receives all supporting documents from the European Commission. In particular, the EDPB will analyse whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. In addition, the EDPB will examine how the announced independent redress mechanism respects EEA individuals’ right to an effective remedy and to a fair trial. More specifically, the EDPB will look into whether any new authority part of this mechanism has access to relevant information, including personal data, when exercising its mission and whether it can adopt decisions binding on the intelligence services. The EDPB will also consider whether there is a judicial remedy against this authority’s decisions or inaction.

The EDPB reiterates that it remains committed to playing a constructive role in securing transatlantic transfers of personal data that benefit EEA individuals and organisations.

Next, the EDPB adopted a letter expressing concerns about the recent legislative developments in Belgium aimed at reforming the law establishing the Belgian Supervisory Authority (BE SA), as it may negatively impact the stability and the independent functioning of the Belgian authority.

The EDPB stresses that independent supervision, which it fears is impacted by the proposed reforms, is essential to the fundamental right to data protection and for this reason is protected by the Charter and the EU Treaty. It is also the cornerstone of effective enforcement under the GDPR and effective cooperation among SAs. Furthermore, the EDPB is concerned about the proposals’ alignment with the GDPR and strict CJEU case law. In particular, the EDPB pointed out as issues the interruption of the current mandate of the BE SA’s external members and the added grounds of dismissal of members. The EDPB also questions how the various proposals leading to increased parliamentary oversight may relate to the requirement for SAs to “remain free from external influence” in accordance with Art. 52(2) GDPR. In addition, the EDPB states that the legislative proposal to make the use of a shared service centre mandatory may conflict with the SA’s freedom to choose and have its own staff (Art. 52(5) GDPR), which may result in indirect external influence on the stability and functioning of the BE SA.

Finally, the EDPB agreed to request observer status within the Spring Conference of European Data Protection Authorities. The Spring Conference provides a platform for dialogue for data protection authorities all over Europe, including non-EEA countries. This request forms part of the EDPB Strategy 2021-2023 to strengthen engagement with the international community and to facilitate cooperation between EDPB members and the data protection authorities of third countries.

EDPB Deputy Chair Aleid Wolfsen said: “International cooperation is vital to upholding data protection rights in the EEA and beyond. This is another important step forward in reinforcing our engagement with the international community to promote EU data protection standards and to ensure effective protection of personal data beyond EU borders.”


EDPB

Increased number of IT attacks against the health care sector

3 years ago
The Swedish Authority for Privacy Protection, IMY, is now publishing a report on the personal data breach notifications the authority received during 2021. Among other things, the report shows that the health care sector reported a substantially higher share of incidents caused by IT attacks compared with the previous year.

Spanish SA imposes a fine on Telefónica Móviles España for a loss of confidentiality related to mobile phone SIM card duplicates

3 years ago
Background information

Date of final decision: 08/11/2021
National Case
Controller: TELEFÓNICA MÓVILES ESPAÑA, S.A.U.
Legal Reference: Confidentiality (Article 5.1.f)
Decision: Imposition of a fine of 900,000 euros.
Key words: Loss of confidentiality.


Summary of the Decision

Origin of the case

Several complaints were filed following the issuance of duplicate SIM cards to third parties other than the subscribers. As a result, the holders of the telephone lines were not only left without service, but the third parties also gained access to their bank accounts.

The case concerns fraudulent practices based on generating duplicate SIM cards without the consent of their legitimate holders in order to access confidential information for criminal purposes (known as "SIM swapping").

Key Findings

The Spanish DPA carried out investigative actions to analyse the procedures followed by TELEFÓNICA MÓVILES ESPAÑA, S.A.U. to manage SIM change requests, identifying vulnerabilities in the operating procedures in place, detecting the causes for which these cases could be occurring, and finding points of non-compliance, improvement or adjustment, in order to determine responsibilities, reduce risks and increase the security of the processing of the affected persons' personal data.

The data processed to issue a duplicate SIM card, and the SIM card (Subscriber Identity Module) itself, which unequivocally identifies the subscriber on the network, are personal data, and their processing must comply with data protection regulations.

It was verified that the measures implemented by TELEFÓNICA MÓVILES ESPAÑA, S.A.U. were insufficient, which led to a loss of confidentiality and the transfer of personal data to a third party.

Decision

The AEPD imposes a total fine of 900,000 euros for the infringement consisting of a lack of confidentiality.


For further information: https://www.aepd.es/es/documento/ps-00021-2021.pdf


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.


EDPB