On October 7, 2024, the European Data Protection Board ("EDPB") adopted four salient documents during its latest plenary session. These documents are:
- An opinion on the obligations of controllers relying on processors and sub-processors under Article 28 of the General Data Protection Regulation ("GDPR");
- New guidelines on legitimate interest;
- A Statement on laying down additional procedural rules for GDPR enforcement; and
- The EDPB work programme 2024-2025.
1. Opinion vis-à-vis Article 28 GDPR
In its recent Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s) ("Opinion"), adopted at the request of the Danish Data Protection Authority, the EDPB crystallised the key responsibilities of controllers relying on processors and sub-processors under Article 28 GDPR. Article 28 regulates the use of processors; however, several ambiguities in its wording had led to inconsistent interpretations across supervisory authorities.
In brief, the EDPB held that controllers must have "readily available" information (i.e. name, address and contact person) on all processors and sub-processors in the processing chain, and must verify that each of them provides sufficient guarantees to protect the rights of data subjects. The Opinion also underscores that, while processors are responsible under Article 28 for ensuring that their sub-processors meet data protection obligations, the ultimate responsibility remains with the controller. It is thus for controllers to verify the adequacy of the guarantees provided by all processors and sub-processors in the chain, particularly where the processing poses a high risk to the rights and freedoms of data subjects.
Nonetheless, the depth of verification expected from controllers varies with the risk associated with the processing. In addition, the EDPB reiterated that, where data are transferred outside the EEA at any point in the processing chain, controllers must ensure that the transfers comply with the GDPR's requirements.
The Opinion is accessible here.
2. Legitimate Interest Guidelines
The EDPB also adopted Guidelines on Legitimate Interest, clarifying the conditions under which controllers may rely on legitimate interest as a legal basis for processing personal data. This guidance is essential for organisations seeking to justify their data processing activities on the basis of legitimate interest under Article 6(1)(f) of the GDPR.
In line with the recent judgment in Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (C-621/22), the Guidelines stress that this legal basis should not be treated as a fallback option or applied indiscriminately. The EDPB reiterated that, for processing to be lawful on this basis, three cumulative conditions must be met, namely:
- The existence of a legitimate interest;
- The necessity of processing for that interest; and
- The outcome of the balancing test: the interests or fundamental rights and freedoms of the data subjects do not override the legitimate interest pursued by the controller.
Controllers must therefore document their assessment of these conditions, taking into account factors such as the impact of the processing on data subjects and whether less intrusive alternatives would serve the same interest without infringing on their rights.
The Guidelines are accessible here.
3. Statement on Procedural Rules
Additionally, the EDPB adopted Statement 4/2024 on the recent legislative developments on the Draft Regulation laying down additional procedural rules for the enforcement of the GDPR ("Statement"), in response to the amendments made by the European Parliament and the Council to the proposed Regulation on GDPR enforcement procedures. While the EDPB generally welcomed these amendments, it emphasised in the Statement that further refinements are needed to ensure effective cooperation between supervisory authorities and to strengthen enforcement mechanisms.
Key recommendations include establishing a legal basis for amicable settlements, streamlining the dispute resolution process, and clarifying how the joint case file would be implemented. The EDPB also highlighted the importance of realistic deadlines and the need for a clearly defined scope of the opt-out provision for lead Data Protection Authorities, applied consistently across all Member States. Overall, the EDPB welcomed the proposal as a step towards addressing the challenges that arise in cross-border data protection cases.
The Statement is accessible here.
4. 2024-2025 EDPB Roadmap
The EDPB also adopted its 2024-2025 Work Programme, setting out its priorities for the next two years. The Work Programme is structured around four key pillars aimed at strengthening data protection and compliance:
- The first pillar focuses on enhancing harmonisation and promoting compliance through comprehensive guidance on crucial topics such as anonymisation;
- The second pillar aims to reinforce a common enforcement culture and improve cooperation among authorities, ensuring efficient use of cooperation tools;
- The third pillar highlights safeguarding data protection in an evolving digital landscape, addressing interplays with other EU laws and emerging technologies; and lastly
- The fourth pillar contributes to global dialogue on data protection, facilitating international cooperation and the exchange of best practices among EDPB members and non-EU authorities.
The Work Programme can be accessed here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.