During its latest plenary, the EDPB adopted an Opinion on certain obligations following from the reliance on processor(s) and sub-processor(s), Guidelines on legitimate interest, a Statement on laying down additional procedural rules for GDPR enforcement and the EDPB work programme 2024-2025.
It adopted an Opinion on certain obligations following from the reliance on processor(s) and sub-processor(s) following a request under Article 64(2) of the GDPR by the Danish Data Protection Authority. Article 64(2) GDPR provides that any data protection authority can ask the EDPB to issue an opinion on matters of general application or producing effects in more than one Member State.
The Opinion considers issues arising when controllers rely on one or more processors and sub-processors. It addresses eight questions about the interpretation of certain duties of controllers relying on processors and sub-processors, as well as the wording of controller-processor contracts, arising in particular from Article 28 GDPR.
The Opinion explains that controllers should always have the information about the identity (i.e. name, address, contact person) of all processors, sub-processors etc. readily available so that they can best fulfil their obligations under Article 28 GDPR. In addition, the controller’s obligation to verify whether the (sub-)processors present ‘sufficient guarantees’ should apply regardless of the risk to the rights and freedoms of data subjects, although the extent of such verification may vary based on risk.
The Opinion also states that while the initial processor should ensure that it recommends sub-processors with sufficient guarantees, the ultimate decision and responsibility on engaging a specific sub-processor remains with the controller.
The EDPB considers that under the GDPR the controller does not have a duty to systematically ask for the sub-processing contracts to check if data protection obligations have been passed down the processing chain. The controller should assess whether requesting a copy of such contracts or reviewing them is necessary for it to be able to demonstrate compliance with the GDPR.
In addition, where transfers of personal data outside of the EEA take place between two sub-processors, the processor as data exporter should prepare the relevant documentation, such as the reasons for the transfer, the transfer impact assessment and the possible supplementary measures. However, as the controller is still subject to the duties under Article 28(1) GDPR about “sufficient guarantees”, as well as the ones under Article 44 to ensure that the level of protection is not undermined by transfers of personal data, it should assess this documentation and be able to show it to the competent regulator.
Next, the Board adopted Guidelines on the processing of personal data based on legitimate interest.
Data controllers need a legal basis to process personal data lawfully. Legitimate interest is one of the six possible legal bases. The guidelines analyse the criteria in Article 6(1) (f) GDPR that controllers must meet to lawfully process personal data based on legitimate interest. To rely on legitimate interest, the controller needs to fulfil three cumulative conditions:
- The pursuit of a legitimate interest by the controller or by a third party;
- The necessity to process personal data to pursue the legitimate interest; and
- The interests or fundamental freedoms and rights of individuals do not take precedence over the legitimate interest(s) of the controller or of a third party (balancing exercise).
Only the interests that are lawful, clearly and precisely articulated, real and present may be considered legitimate. If there are reasonable, just as effective, but less intrusive, alternatives for achieving the interests pursued, the processing may not be necessary. The necessity of a processing should also be examined with the principle of data minimisation in mind. The controller must ensure that its legitimate interest does not override the individual’s interests, fundamental rights or freedoms. In this balancing exercise, the controller needs to consider the interests of the individuals, the impact of the processing and their reasonable expectations, as well as the existence of additional safeguards which could limit the impact on the individual.
In addition, the Guidelines explain how this assessment should be carried out in practice, including in specific contexts such as fraud prevention, direct marketing and information security.
The consultation on the Guidelines ends on 20 November 2024.
Next, the Board adopted a Statement following the amendments made by the European Parliament and the Council to the European Commission’s proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR. The Statement generally welcomes the modifications introduced by the European Parliament and the Council, and recommends further addressing specific elements for the Regulation to achieve the objectives of streamlining cooperation between authorities and improving the enforcement of the GDPR.
The EDPB reiterates the need for a legal basis and harmonised procedure for amicable settlements and it makes recommendations to achieve consensus on the summary of key issues in the most efficient manner. The Board also welcomes the inclusion of additional deadlines but notes that they need to be realistic and urges the co-legislators to remove the provisions related to the relevant and reasoned objections and the ‘statement of reasons’ in the dispute resolution procedure.
While the Statement welcomes the objective of achieving increased transparency, the introduction of a joint case file, as proposed by the European Parliament, would require complex changes to the document management and communication systems used at European and national levels. The technical solutions for its implementation should be carefully assessed, and how access is granted to it should be further clarified. The EDPB welcomes the Council’s amendment allowing the lead national regulator to opt out from the so-called enhanced cooperation in simple and straightforward cases, but the scope of this opt-out needs to be explained further.
The EDPB has also adopted its work programme for 2024-2025. This is the first one of two work programmes which will implement the EDPB strategy for 2024-2027 that was adopted in April 2024. It is based on the priorities set in the EDPB strategy and it also considers the needs identified as most important for stakeholders.
Finally, the EDPB members agreed to grant the status of observer to the EDPB’s activities to the Kosovan Information and Privacy Agency under Article 8 of its EDPB Rules of Procedure.