At its last plenary session, the European Data Protection Board (EDPB) adopted the Opinion on certain obligations arising from the relationship between the controller, the processor and the sub-processor, the Guidelines on legitimate interest, the Statement on establishing additional procedural rules for the implementation of the General Data Protection Regulation, and the EDPB work programme for the period 2024-2025. The request of the Information and Privacy Agency of Kosovo to become an observer in the activities of the European Data Protection Board (EDPB) was also approved.
The director of the Personal Data Protection Agency and vice-president of the European Data Protection Board, Zdravko Vukić, gave full support to granting observer status to the supervisory authority of Kosovo. He emphasized that the Information and Privacy Agency of Kosovo fulfils all the prescribed criteria, i.e. that the Agency operates independently, that it is in the interest of the Board to have the supervisory body of Kosovo as an observer, and that Kosovo is a potential candidate for EU membership which has taken on binding international obligations to fully harmonize its data protection rules with those of the EU.
“One of the priorities of the Personal Data Protection Agency is to improve data protection standards in the Western Balkans in accordance with EU standards. We have made considerable efforts in North Macedonia and are willing to do the same in Kosovo. Harmonization of personal data protection standards in the Western Balkans with EU standards is important for the entire EU and EDPB members. I believe that granting observer status to Kosovo will significantly contribute to this goal and further improve data protection practices in the region,” said EDPB Vice President Zdravko Vukić and pointed out that the Personal Data Protection Agency has so far successfully cooperated with the Information and Privacy Agency.
The European Data Protection Board adopted the Guidelines on the processing of personal data based on legitimate interest, and the Personal Data Protection Agency participated in the team that drafted the Guidelines.
These Guidelines analyze the criteria established in Article 6, paragraph 1, point (f) of the General Data Protection Regulation, which controllers must meet in order to lawfully process personal data based on legitimate interest. The recent judgment of the Court of Justice of the European Union on this issue is also taken into account (C-621/22, October 4, 2024).
In order to rely on legitimate interest, the data controller must fulfil three cumulative conditions:
1. the pursuit of a legitimate interest of the data controller or a third party;
2. the necessity of processing the personal data for the purpose of pursuing that legitimate interest;
3. the interests or fundamental freedoms and rights of the individuals do not override the legitimate interests of the controller or a third party (the balancing test).
First of all, only interests that are lawful, clearly and precisely articulated, and real and present can be considered legitimate. For example, such a legitimate interest could exist where an individual is a client or an employee of the controller. Secondly, if there are reasonable, equally effective, but less intrusive alternatives for achieving the desired interest, the processing cannot be considered necessary. The necessity of the processing should also be examined in accordance with the principle of data minimization. Thirdly, the controller must ensure that its legitimate interest is not overridden by the individual's interests, fundamental rights and freedoms. When carrying out this balancing, the controller must take into account the interests of the individuals, the effect of the processing and their reasonable expectations, as well as the existence of additional safeguards that could limit the effect on the individual. The Guidelines also explain how this assessment should be carried out in practice, including in a number of specific contexts such as fraud prevention, direct marketing and information security. The document further explains the relationship between this legal basis and a number of data subjects' rights under the General Data Protection Regulation.
The Guidelines will be subject to public consultation until November 20, 2024.
The European Data Protection Board also adopted an Opinion on certain obligations arising from the relationship between the controller, the processor and the sub-processor, based on a request from the Danish data protection authority submitted to the Board in accordance with Article 64, paragraph 2 of the General Data Protection Regulation. The Opinion concerns the interpretation of certain duties of data controllers who rely on processors and sub-processors, as well as the wording of the contract between the data controller and the data processor. The Opinion explains that controllers should at all times have readily available information about the identity (i.e. name, address, contact person) of all processors, sub-processors, etc. in order to best fulfil their obligations under Article 28 of the General Data Protection Regulation. In addition, the controller's obligation to verify that the (sub)processor provides "sufficient guarantees" should apply regardless of the risk to the rights and freedoms of data subjects, although the extent of such verification may vary, in particular depending on the risks associated with the processing. The Opinion also states that, although the initial processor should ensure that it proposes sub-processors with sufficient guarantees, the final decision on and responsibility for engaging a specific sub-processor still rests with the controller.
The European Data Protection Board considers that, under the General Data Protection Regulation, the data controller is not obliged to systematically request the sub-processing contracts in order to verify whether the data protection obligations have been passed down the processing chain. The controller should assess whether it is necessary to request a copy of such contracts or to review them in order to be able to demonstrate compliance with the General Data Protection Regulation.
In addition, if transfers of personal data outside the European Economic Area take place between two (sub)processors, the processor acting as data exporter should prepare the relevant documentation, such as documentation relating to the transfer tool used, the transfer impact assessment and any supplementary measures. However, since the controller remains subject to the obligations arising from Article 28, paragraph 1 of the General Data Protection Regulation on "sufficient guarantees", in addition to those under Article 44, to ensure that transfers of personal data do not undermine the level of protection, the controller should evaluate that documentation and be able to present it to the data protection authority.
Furthermore, the Board adopted the Statement following the changes made by the European Parliament and the Council to the Commission's Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the General Data Protection Regulation.
The Statement generally welcomes the changes introduced by the European Parliament and the Council and recommends further consideration of specific elements in order to achieve the new regulation's goals of simplifying cooperation between authorities and improving the enforcement of the General Data Protection Regulation.
The Statement provides practical recommendations that can be used in the context of the upcoming trilogues. In particular, the EDPB reiterates the need for a legal basis and a harmonized procedure for amicable settlements and makes recommendations to ensure that consensus on the summary of key issues is reached in the most effective way. The Board also welcomes the inclusion of additional deadlines, reminds that they must be realistic, and encourages the co-legislators to remove the provisions relating to relevant and reasoned objections and "reasoning" in the dispute resolution procedure.
Although the Statement welcomes the goal of achieving greater transparency, the introduction of a common case file, as proposed by the European Parliament, would require complex changes to the document management and communication systems used at European and national level. The technical solutions for its implementation should be carefully evaluated, and the way in which access to these solutions is granted should be further clarified.
The European Data Protection Board welcomes the Council's amendment allowing the lead data protection authority to be exempted from so-called enhanced cooperation in simple cases, but highlights the need for further clarification of the scope of this exemption.
The Chair of the European Data Protection Board, Anu Talus, said: "The draft regulation could significantly simplify the implementation of the General Data Protection Regulation by increasing the efficiency of handling cases. Greater harmonization at EU level is needed to maximize the effectiveness of the cooperation and consistency mechanisms of the General Data Protection Regulation."
Finally, the Board adopted its work programme for the period 2024-2025. It is the first of two work programmes that will implement the EDPB strategy for the period 2024-2027, adopted in April 2024. It is based on the priorities set out in the strategy of the European Data Protection Board and takes into account the needs identified as most important for stakeholders.