The European Data Protection Board adopted two opinions on the first draft decisions on transnational Codes of Conduct, presented to the Board by the Belgian and French supervisory authorities, during the 19th May plenary session. The Board has also adopted an opinion on the regulation on data governance and some recommendations on the legal basis for the retention of credit card data in cases where the only purpose of the retention is to facilitate new online payments.
Opinions on the first transnational code of conduct
In particular, the Belgian SA’s draft decision concerns the EU CLOUD Code of Conduct, addressed to cloud service providers. The French SA’s draft decision concerns the CISPE Code of Conduct, addressed to cloud infrastructure service providers. The purpose of each Code of Conduct is to provide a practical guide and define specific requirements for the processing of personal data by the European operators to which the Code applies.
The Board considers that both draft codes of conduct comply with the General Data Protection Regulation (GDPR) and meet the GDPR’s requirements.
Opinions of the EDPB: Opinion on the Belgian SA’s draft decision, Opinion on the French SA’s draft decision
Opinions of the European Data Protection Board on the data governance regulation
The European Data Protection Board has issued an opinion on the data governance legislation, following developments in the legislative process. The opinion confirms the main points raised by the Board and by the EDPS in their joint opinion of March.
March joint opinion:
The Board reaffirms that without strong personal data protection guarantees, confidence in the digital economy will not be durable. The opinion also underlines that the coherence of the legislation on data governance must be ensured.
It is also important that new definitions and concepts do not conflict with the General Data Protection Regulation.
Opinion on the Law on management of data on the website of the European Data Protection Board:
Consent as the legal basis for the retention of credit card data
The Board has also issued recommendations on the legal basis for the retention of credit card data when the only purpose is to facilitate new online payments. The recommendations cover situations in which data subjects buy a product or pay for a service only via a website or an app and provide their credit card data for the payment transaction.
The EDPB considers that in these situations data subjects cannot reasonably expect their credit card data to be stored for longer than is necessary to pay for the goods and services. In addition, it is not evident that retaining credit card data in order to facilitate future purchases is necessary to pursue the legitimate interests of the data controller or a third party. Consent, according to the GDPR, shall be considered the only appropriate legal basis for the retention of credit card data after a purchase.
SOURCE: DATA PROTECTION AUTHORITY OF FINLAND