In this issue, read up on our latest Press Releases, Opinions, Formal Comments, the EDPS-EDPB trainees' podcast, and more.
In this issue
EDPS survey on Covid-19 related processing activities by EU institutions, bodies, offices and agencies
On 4 March 2022, the European Data Protection Supervisor (EDPS) published a report on the new processing operations, and on the IT tools that EU institutions, bodies, offices and agencies (EUIs) introduced to ensure business continuity during the COVID-19 pandemic and the compliance of these activities with Regulation (EU) 2018/1725.
The report is based on an earlier survey and comprises three parts: new processing operations implemented by EUIs; IT tools implemented or enhanced by EUIs to enable teleworking; and new processing operations implemented by EUIs in charge of tasks related to public health.
The dynamic evolution of the COVID-19 pandemic means that EUIs must continually adapt their processes. The report aims to support them in what appears to be a long-lasting challenge, which will likely continue to have an impact even after the end of the pandemic.
The EU Digital Identity Wallet: A Data Protection Perspective
Every traineeship session, the European Data Protection Supervisor’s (EDPS) and the European Data Protection Board’s (EDPB) trainees organise a conference as a final project to mark their time spent at the institution.
This session, the EDPS and EDPB trainees decided to eschew the traditional conference format and instead produced a series of podcasts on the EU Digital Identity Wallet proposed by the European Commission in June 2021, by convening various experts in their field.
The first episode provides an overview of the European Commission’s proposal on the EU Digital Identity Wallet. The crux of the European Commission’s proposal is to create a Wallet, which will be available to all EU citizens and residents, along with businesses based in the EU. It would be usable not only for identity documents, but for all attestations, including those with sensitive personal data, such as health data-related documents. Through the EU Digital Identity Wallet, citizens will be able to prove their identity and share information with the click of a button on their phone or another edge device.
In the second episode, the ethical aspects of the proposed EU Digital Identity Wallet were discussed, especially its impact on vulnerable individuals and those with low digital literacy.
The third and final episode explores the possible design features of digital currencies in general, and in particular, what a digital Euro could look like and how this topic relates to the EU Digital Wallet.
Listen to the first episode.
Listen to the second episode.
Listen to the third episode.
Read the EDPS and EDPB’s blogpost, published on 23 February 2022, explaining their podcast series in more detail.
Data protection and use of cloud by public sector: the EDPS initiates and participates in the 2022 Coordinated Enforcement Action of the EDPB
The 2022 Coordinated Enforcement Action (CEF) of the European Data Protection Board (EDPB) officially kicked off on 15 February 2022 with a series of actions that will be taken by the 22 participating supervisory authorities competent at national and EU level. Building on common preparatory work by all participating supervisory authorities, the authorities will implement the CEF at their level in one or several of the following ways: fact-finding exercise; questionnaire to identify if a formal investigation is warranted; commencement of a formal investigation; follow-up to ongoing formal investigations.
The European Data Protection Supervisor (EDPS) is participating in the 2022 coordinated action of the EDPB by focusing on the EU institutions’, bodies’, offices’ and agencies’ compliance with Regulation (EU) 2018/1725 when using cloud-based services.
This topic was first proposed by the EDPS in light of the need for closer cooperation and action to ensure compliance with EU data protection laws, in particular regarding the controller-processor relationship and international transfers when public sector bodies use cloud-based services.
EDPS’ Technology and Privacy Unit continues online talks on personal data breaches
With personal data being processed by European institutions, bodies, offices and agencies (EUIs) in their day-to-day work, the EDPS frequently raises awareness of data protection matters.
As an example of this type of work, the Technology and Privacy Unit of the EDPS pursued its efforts to raise EUIs’ awareness of personal data breaches by delivering an online talk on 15 February 2022, hosted by the European School of Administration, on personal data breaches and data breach notifications.
The online talk focused on defining what a personal data breach is, and what EUIs should do to both prevent and handle personal data breaches.
According to Regulation (EU) 2018/1725, all EUIs must notify personal data breaches to the EDPS, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, the EUI in question must inform the individuals concerned without unnecessary delay.
EDPS Preliminary Remarks on Modern Spyware
The revelations made about the Pegasus spyware raised very serious questions about the possible impact of modern spyware tools on fundamental rights, and particularly on the rights to privacy and data protection.
This EDPS paper, published on 15 February 2022, aims to contribute to the ongoing assessment in the EU and globally of the risks posed by this type of surveillance technology. It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.
In this paper, you can find more information, such as:
- What is Pegasus and how does it work?
- How can spyware like Pegasus be abused?
- Can Pegasus be used legally within the scope of EU law?
- What could and should the EU do?
Read the EDPS Paper, available here.
Combatting fraud on value-added tax
In his Formal Comments, the EDPS welcomes the clarity of the data protection roles and responsibilities of the EU Member States as joint controllers and of the European Commission (EC) as processors. To this end, the EDPS also made specific comments on the European Commission’s responsibility to develop technical measures for the establishment of CESOP.
The EDPS highlights that the EC must ensure compliance of these measures with the provisions of Regulation (EU) 2018/1725 on the security of processing personal data, and with the EDPS’ Guidelines on the protection of personal data in IT governance and management of EU institutions.
In his Formal Comments, the EDPS addresses the EC’s concerns regarding different technical options to organise the crosschecking of data in CESOP with data included in the Import One-Stop-Shop (IOSS) - the electronic portal businesses can use to fulfil their VAT e-commerce obligations on distance sales of imported goods; and with data included in the VIES - the VAT Information Exchange System.
According to Council Regulation (EU) No 904/2010 on administrative cooperation and combatting fraud in the field of VAT, the EDPS believes that the legal basis is not sufficient for CESOP to include a central copy of national databases for OSS and VIES for the crosschecking of data.
The EDPS adds in his Formal Comments that the processing of requests to access information included in the VIES and OSS databases could be put in place if the procedure to address them are in compliance with data protection rules and principles under EU law. Importantly, it must be ensured that these requests for information are only made for the purpose of countering VAT fraud, and that access to such information must be controlled and limited to relevant actors in the field.
Read the EDPS’ Formal Comments available here.
Centralising information on financial services, capital markets and sustainability
On 19 January 2022, the EDPS issued Formal Comments on the European Single Access Point (ESAP), a platform which aims to provide centralised access to publically available information that is relevant to financial services, capital markets and sustainability. This envisaged platform is to be built and governed by the European Securities and Markets Authority (ESMA).
The ESAP may involve the collection of individuals’ personal data, such as information on an individual’s financial assets.
The EDPS’ Formal Comments concern:
- the proposed Regulation establishing the ESAP;
- the proposal for a Directive amending certain Directives concerning the establishment and functioning of the ESAP;
- the proposal for a Regulation amending certain Regulations on the establishment and functioning of ESAP.
The EDPS highlights in its Formal Comments that, as a general rule, the creation of any new platform involving the public disclosure of personal data should apply the principles of:
- data minimisation, meaning that the collection of an individual’s data for a specific purpose should be kept to a minimum;
- data accuracy, meaning that the data collected about an individual should be accurate;
- data protection-by-design and by default, meaning that the EU’s data protection principles should be embedded throughout the conception and creation of the ESAP platform.
In its Formal Comments, the EDPS also gives recommendations concerning a number of specific matters, for example, on:
- the processing of personal data concerning criminal convictions and offenses;
- specifications concerning the submission of individuals’ financial data to be made available on the ESAP platform;
- the data protection role and responsibilities of the relevant EU authorities involved, such as ESMA, the European Banking Authority and the European Insurance Pension Authority.
Concluding its Formal Comments, the EDPS gives its advice on storage limitations of individuals’ personal data, on the purposes for which personal data may be processed, and on other technical and organisational measures to put in place to protect individuals’ personal data.
A new Learning and Development Plan
The EDPS has recently launched a Learning and Development Plan (L&D Plan) for members of staff of the European institutions, bodies, offices and agencies (EUIs). The L&D Plan includes a series of online training courses and recorded online talks on data protection and on how to apply Regulation (EU) 2018/1725.
EUIs’ members of staff may process individuals’ personal data in their day-to-day work, whether this may be for human resources purposes, procurement procedures, planning of events, for example. In this context, it is important that members of staff acquire the sufficient knowledge of data protection, and are aware of their obligations under EU data protection law.
The first training course of the L&D Plan, titled EDPS course on Data Protection - EUDPR fast-track training course for practical application in your daily tasks, provides EUIs’ members of staff with an introduction, or refresher, to the data protection rules and principles to apply when processing personal data of individuals, such as the concept of accountability, the responsibilities of a data controller or data processor. This training course sets the foundation for the online talks, which are also part of the L&D Plan, that delve deeper into these topics.
The recorded online talks, listed below, were prepared in collaboration with the European School of Administration (EUSA):
- Data protection in procurement and outsourcing (01/07/2020)
- Data protection in outsourcing - Arrangements with processors in practice (14/09/21)
- EDPS on transfers of personal data, in particular international transfers (20/10/2020)
- EDPS on international transfers of personal data (18/11/2020)
- Which are the data protection implications on the use of social media and Information &Communications Technology/ remote working tools by the EU Institutions? (17/03/2021)
- EDPS on international transfers of personal data to public bodies and international organisations (22/06/2021)
- Conditions and Safeguards in International Transfers to Private Entities 1 (14/09/2021)
- EDPS - Personal Data Breaches in EU Institutions: Examples of common data breaches (09/11/2021)
- EDPS: Conditions and Safeguards in International Transfers to Private Entities 2 (06/12/2021)
- Online talk: EUDPR: Data protection in procurement and outsourcing in practice (25/01/2022)
- Personal Data Breaches in the EUIs (15/02/22)
The EDPS holds regular training sessions, usually at the request of EUIs’ data protection officers or data protection coordinators. Our approach emphasises on tailor-made training sessions in relation to the EUI in question’s core business activity or data protection challenges they may encounter. Why not organise a training session for your EUI by emailing the EDPS’ Supervision and Enforcement Unit at email@example.com.
Controllership and Data Transfers
The EDPS was recently consulted by one of the EUIs’ libraries. In its Informal Consultation, the EDPS clarified the EUI library’s role and responsibility as a data controller, in the context of transfers of personal data that are necessary between the controller and another natural or legal person, under article 50 (1) (c) of Regulation (EU) 2018/1725.
The EDPS produced its advice on the basis of the European Data Protection Board’s (EDPB) Guidelines on Controllership (2020/07). The EDPB’s Guidelines helped to determine the relationship between the EUI’s library and its subscribers, the EUI’s members of staff. In this context, the EUI’s library is the sole controller when processing subscribers’ personal data when managing the access to various publications, such as magazines; books; journals and newspapers.
The EUI library’s record of processing operations, in its current form, seems to suggest that subscribers to certain publications based outside the European Economic Area (EEA) would need to provide specific consent via a separate data protection statement to the publishers of these publications.
However, the EDPS recommends that this record of processing operations and accompanying data protection statement are modified, since the EUI library can rely on article 50 (1) (c) of Regulation (EU) 2018/1725, because transfers of subscribers’ data to non-EEA publishers are necessary for the access to publications based outside of the EU/EEA.
Upcoming online talk: managing access requests
On 29 March 2022, the EDPS, together with the European School of Administration (EUSA), will hold an online talk dedicated to the topic of access requests in the context of different data processing operations, such as staff’s appraisals; annual check-ups; administrative inquiries; disciplinary proceedings; access to candidates’ results in the context of recruitment procedures.
If EUIs’ members of staff wish to attend this online talk, they can enrol directly via EU-Learn here, or by emailing EUSA EPSO-EUSA-15YEARS@ec.europa.eu, or by emailing the EDPS’ Supervision and Enforcement Unit firstname.lastname@example.org.