COMMISSION STAFF WORKING DOCUMENT […] Accompanying the document COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Data protection as a pillar of citizens' empowerment and the EU's approach to the digital transition - two years of application of the General Data Protection Regulation

    1_EN_autre_document_travail_service_part1_v7.pdf

    https://www.ft.dk/samling/20201/kommissionsforslag/kom(2020)0264/forslag/1675383/2217036.pdf

EUROPEAN COMMISSION
Brussels, 24.6.2020
SWD(2020) 115 final

COMMISSION STAFF WORKING DOCUMENT
[…]
Accompanying the document
COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation
{COM(2020) 264 final}

European Affairs Committee 2020
KOM (2020) 0264
Public
Contents

1 Context ... 3
2 Enforcement of the GDPR and functioning of the cooperation and consistency mechanisms ... 4
  2.1 Use of strengthened powers by data protection authorities ... 4
    Specific issues for the public sector ... 5
    Cooperation with other regulators ... 6
  2.2 The cooperation and consistency mechanisms ... 6
    One-stop-shop ... 7
    Mutual assistance ... 8
    Consistency mechanism ... 8
    Challenges to be addressed ... 9
  2.3 Advice and guidelines ... 10
    Awareness raising and advice by data protection authorities ... 10
    Guidelines of the European Data Protection Board ... 11
  2.4 Resources of the data protection authorities ... 12
3 Harmonised rules but still a degree of fragmentation and diverging approaches ... 14
  3.1 Implementation of the GDPR by the Member States ... 14
    Main issues relating to national implementation ... 15
    Reconciliation of the right to the protection of personal data with freedom of expression and information ... 16
  3.2 Facultative specification clauses and their limits ... 17
    Fragmentation linked to the use of facultative specification clauses ... 17
4 Empowering individuals to control their data ... 19
5 Opportunities and challenges for organisations, in particular Small and Medium size Enterprises ... 22
    Toolbox for businesses ... 25
6 The application of the GDPR to new technologies ... 26
7 International transfers and global cooperation ... 28
  7.1 Privacy: a global issue ... 28
  7.2 The GDPR transfer toolbox ... 30
    Adequacy decisions ... 31
    Appropriate safeguards ... 35
    Derogations ... 41
    Decisions by foreign courts or authorities: not a ground for transfers ... 42
  7.3 International cooperation in the area of data protection ... 44
    The bilateral dimension ... 44
    The multilateral dimension ... 46
Annex I: Clauses for facultative specifications by national legislation
Annex II: Overview of the resources of data protection authorities

1 CONTEXT

The General Data Protection Regulation [1] (hereafter ‘the GDPR’) is the result of eight years of preparation, drafting and inter-institutional negotiations, and entered into application on 25 May 2018 following a two-year transition period (May 2016 - May 2018). Article 97 of the GDPR requires the Commission to report on the evaluation and review of the Regulation, starting with a first report after two years of application and every four years thereafter.

The evaluation is also part of a multi-faceted approach that the Commission already followed before the GDPR entered into application and has continued to actively pursue since then. As part of this approach, the Commission engaged in ongoing bilateral dialogues with Member States on the compliance of national legislation with the GDPR, actively contributed to the work of the European Data Protection Board (hereafter ‘the Board’) by providing its experience and expertise, supported data protection authorities and maintained close contacts with a wide range of stakeholders on the practical application of the Regulation.

The evaluation builds on the stocktaking exercise that the Commission carried out on the first year of the GDPR application and that was summarised in the Communication issued in July 2019 [2]. It also follows up on the Communication on the application of the GDPR issued in January 2018 [3]. The Commission also adopted the Guidance on the use of personal data in the electoral context published in September 2018 and the Guidance on apps supporting the fight against the COVID-19 pandemic issued in April 2020.

Although its focus is on the two issues highlighted in Article 97(2) of the GDPR, namely international transfers and the cooperation and consistency mechanisms, this evaluation takes a broader approach in order to address issues which have been raised by various actors during the last two years.

To prepare the evaluation, the Commission took into account the contributions from:
- the Council [4];
- the European Parliament (Committee on Civil Liberties, Justice and Home Affairs) [5];
- the Board [6] and individual data protection authorities [7], based on a questionnaire sent by the Commission;
- the feedback from the members of the Multi-stakeholder expert Group to support the application of the GDPR [8], also based on a questionnaire sent by the Commission;
- and ad hoc contributions received from stakeholders.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - OJ L 119, 4.5.2016, p. 1–88
[2] Communication from the Commission to the European Parliament and the Council, Data Protection as a trust-enabler in the EU and beyond – taking stock – COM(2019) 374 final, 24.7.2019
[4] Council position and findings on the application of the General Data Protection Regulation – 14994/2/19 Rev2, 15.01.2020: https://data.consilium.europa.eu/doc/document/ST-14994-2019-REV-2/en/pdf
[5] Letter of the LIBE Committee of the European Parliament of 21 February 2020 to Commissioner Reynders, Ref.: IPOL-COM-LIBE D (2020)6525.

2 ENFORCEMENT OF THE GDPR AND FUNCTIONING OF THE COOPERATION AND CONSISTENCY MECHANISMS

The GDPR set up an innovative governance system and created the foundation of a truly European data protection culture that aims to ensure not only a harmonised interpretation, but also a harmonised application and enforcement of data protection rules. Its pillars are the independent national data protection authorities and the newly established Board.

As the data protection authorities are key to the functioning of the whole EU data protection system, the Commission is attentively monitoring their effective independence, including as regards adequate financial, human and technical resources.

It is still too early to fully assess the functioning of the cooperation and consistency mechanisms, given the short experience gathered so far [9]. In addition, data protection authorities have not yet used the full array of tools provided for by the GDPR to strengthen their cooperation further.

2.1 Use of strengthened powers by data protection authorities

The GDPR establishes independent data protection authorities and provides them with harmonised and strengthened enforcement powers. Since the GDPR applies, those authorities have been using a wide range of corrective powers provided for in the GDPR, such as administrative fines (22 EU/EEA authorities) [10], warnings and reprimands (23), orders to comply with data subjects’ requests (26), orders to bring processing operations into compliance with the GDPR (27), and orders to rectify, erase or restrict processing (17). Around half of the data protection authorities (13) have imposed temporary or definitive limitations on processing, including bans. This demonstrates a conscious use of all corrective measures provided for in the GDPR; the data protection authorities did not shy away from imposing administrative fines in addition to or instead of other corrective measures, depending on the circumstances of individual cases.

Administrative fines:

Between 25 May 2018 and 30 November 2019, 22 EU/EEA data protection authorities issued approximately 785 fines. Only a few authorities have not yet imposed any administrative fines, although proceedings that are currently ongoing might lead to such fines. Most of the fines related to infringements against: the principle of lawfulness; valid consent; protection of sensitive data; the obligation of transparency; the rights of data subjects; and data breaches.

Examples of fines imposed by data protection authorities include [11]:
- EUR 200 000 for non-compliance with the right to object to direct marketing in Greece;
- EUR 220 000 on a data broker company in Poland for failure to inform individuals that their data was being processed;
- EUR 250 000 imposed on the Spanish football league LaLiga, for lack of transparency in the design of its smartphone application;
- EUR 14,5 million for infringement of data protection principles, in particular unlawful storage, by a German real estate company;
- EUR 18 million for unlawful processing of special categories of data at a large scale by Austrian postal services;
- EUR 50 million on Google in France, because of the conditions for obtaining consent from users.

The success of the GDPR should not be measured by the number of fines issued, since the GDPR provides for a broader palette of corrective powers. Depending on the circumstances, for example, the deterrent effect of a ban on processing or the suspension of data flows can be much stronger.

Specific issues for the public sector

The GDPR allows Member States to determine whether and to what extent administrative fines may be imposed on public authorities and bodies. Where Member States make use of this possibility, this does not deprive the data protection authorities of using all the other corrective powers vis-à-vis public authorities and bodies [12].

Another specific issue is the supervision of courts: although the GDPR also applies to the activities of courts, these are exempted from supervision by data protection authorities when acting in their judicial capacity. However, the Charter and the TFEU oblige Member States to entrust an independent body within their judicial systems with the supervision of such processing operations [13].

[6] Contribution of the Board to the evaluation of the GDPR under Article 97, adopted on 18 February 2020: https://edpb.europa.eu/our-work-tools/our-documents/other/contribution-edpb-evaluation-gdpr-under-article-97_en
[7] https://edpb.europa.eu/individual-replies-data-protection-supervisory-authorities_en
[8] The Multi-stakeholder expert group on the GDPR set up by the Commission involves civil society and business representatives, academics and practitioners: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3537 The report of the Multi-stakeholder Group is available at: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupMeeting&meetingId=21356
[9] This fact is also highlighted in particular by the Council in its position and findings on the application of the GDPR and by the Board in its contribution to the evaluation.
[10] The figures in parenthesis indicate the number of EU/EEA data protection authorities that made use of the listed power between May 2018 and the end of November 2019. See contribution from the Board on pages 32-33.
[11] Several of the decisions imposing fines are still subject to judicial review.
[12] Article 83(7) GDPR.
[13] Article 8(3) of the Charter; Article 16(2) TFEU; recital 20 of the GDPR.

Cooperation with other regulators

As announced in its Communication of July 2019, the Commission supports interaction with other regulators, in full respect of the respective competencies. Promising areas of cooperation include consumer protection and competition. The Board indicated its willingness to engage with other regulators, in particular in relation to concentration in digital markets [14]. The Commission recognised the importance of privacy and data protection as a qualitative parameter for competition [15]. Members of the Board participated in joint workshops with the Consumer Protection Cooperation Network on cooperation on better enforcement of the EU consumer and data protection legislation. This approach will be pursued to foster common understanding and develop practical ways to address concrete problems experienced by consumers, in particular in the digital economy.

In order to ensure a consistent approach to privacy and data protection, and pending the adoption of the ePrivacy Regulation, close cooperation with the authorities competent for enforcing the ePrivacy Directive [16], the lex specialis in the area of electronic communications, is indispensable. Closer cooperation with the authorities competent under the NIS Directive [17], and the NIS Cooperation Group, would be to the mutual benefit of those authorities and the data protection authorities.

2.2 The cooperation and consistency mechanisms

The GDPR created the cooperation mechanism (one-stop-shop system for operators, joint operations and mutual assistance between data protection authorities) and the consistency mechanism in order to foster a uniform application of the data protection rules, through a consistent interpretation and the resolution of possible disagreement between authorities by the Board.

The Board, gathering all data protection authorities, has been established as an EU body with legal personality and is fully operational, supported by a secretariat [18]. It is crucial for the functioning of the two mechanisms mentioned above. By the end of 2019, the Board had adopted 67 documents, including 10 new guidelines [19] and 43 opinions [20][21].

[14] Cf. the statement of the Board on the data protection impacts of economic concentration, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_economic_concentration_en.pdf.
[15] See Case COMP M. 8124 Microsoft/LinkedIn.
[16] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) - OJ L 201, 31/07/2002 P. 0037 - 0047
[17] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union - OJ L 194, 19.7.2016, p. 1–30
[18] See details on the secretariat activities in the contribution from the Board, pages 24-26.
[19] In addition to the 10 guidelines adopted by the Article 29 Working Party in the run-up to the GDPR’s entry into application and endorsed by the Board. Moreover, the Board has adopted 4 additional guidelines between January and end May 2020, and updated an existing one.
[20] 42 of these opinions were adopted under Article 64 of the GDPR and one was adopted under Article 70(1)(s) of the GDPR and concerned the adequacy decision with respect to Japan.
[21] See contribution from the Board, pages 18-23 for a complete overview of the Board’s activities.

The important role of the Board emerged where there was a need to rapidly provide for a consistent interpretation of the GDPR and to find immediately applicable solutions at EU level. For example, in the context of the COVID-19 outbreak, in March 2020 the Board adopted a statement on the processing of personal data, which deals inter alia with the lawfulness of processing and the use of mobile location data in that context [22], and in April 2020 it adopted guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak [23] and guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak [24]. The Board also made a significant contribution to the design of the EU approach to tracing apps by the Commission and the Member States.

Day-to-day cooperation between data protection authorities, whether they act in their own capacity or as members of the Board, is based on exchanges of information and notifications of cases opened by the authorities. In order to facilitate communication between authorities, the Commission gave significant support by providing them with an information exchange system [25]. Most authorities consider it as adapted to the needs of the cooperation and consistency mechanisms, even though it could be further fine-tuned, for example by making it more user-friendly.

Although it is still early days, a number of achievements and challenges can already be identified and are presented below. They show that, so far, data protection authorities have made an effective use of the cooperation tools, with a preference for more flexible solutions.

One-stop-shop

As a general rule, in cross-border cases, a Member State’s data protection authority can be involved either (i) as lead authority when the main establishment of the operator is located in this Member State, or (ii) as a concerned authority when the operator has an establishment on the territory of this Member State, when individuals in this Member State are substantially affected, or when a complaint has been lodged with it.

Such close cooperation has become daily practice: since the date of application of the GDPR, data protection authorities in all Member States have at some point been identified either as lead authorities or as concerned authorities in cross-border cases, although to a different extent.

From May 2018 until end 2019, the data protection authority in Ireland acted as lead authority in the highest number of cross-border cases (127), followed by Germany (92), Luxembourg (87), France (64) and the Netherlands (45). This ranking notably reflects the specific situation of Ireland and Luxembourg, which host several big multinational tech companies.

[22] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
[23] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en
[24] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf
[25] Internal Market Information System ('IMI').

The ranking is different as regards involvement as concerned data protection authorities, with the authorities in Germany being involved in the highest number of cases (435), followed by Spain (337), Denmark (327), France (332) and Italy (306) [26].

Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the one-stop-shop procedure, out of which 79 resulted in final decisions. At the date of the publication of this report, several important decisions with a cross-border dimension and subject to the one-stop-shop mechanism are pending. Among these decisions, some involve multinational big tech companies [27]. They are expected to provide clarification and to contribute to an increased harmonisation in the interpretation of the GDPR.

Mutual assistance

Data protection authorities have made wide use of the mutual assistance tool. By the end of 2019, there had been 115 mutual assistance [28] procedures, in particular for carrying out investigations, most of them by the data protection authorities of Spain (26), Germany (20), Denmark (13), Poland (12) and Czech Republic (10). On the other hand, Ireland (19), France (11), Austria (10), Germany (10) and Luxembourg (9) had received the most requests [29].

The vast majority of authorities find mutual assistance a very useful tool for cooperation and have not encountered any particular obstacle to applying the mutual assistance procedure. The voluntary mutual assistance exchange, which does not have a legal deadline or strict duty to answer, has been used more frequently, in 2 427 procedures. The data protection authority of Ireland sent and received the highest number of mutual assistance requests (527 sent and 359 received), followed by German authorities (260 sent/356 received).

On the other hand, joint operations [30], which would make it possible for data protection authorities of several Member States to be involved already at the level of the investigations of cross-border cases, have not been conducted yet. Reflection is ongoing within the Board on the practical implementation of this tool and how to promote its use.

Consistency mechanism

So far only the first leg of the consistency mechanism has been used, namely the adoption of Board opinions [31]. On the other hand, no dispute resolution at Board level [32] or urgency procedure [33] has been triggered yet.

[26] See contribution from the Board, page 8.
[27] For instance, on 22 May 2020, the Irish data protection authority submitted a draft decision to other concerned authorities, in accordance with Article 60 of the Regulation, concerning an investigation into Twitter International Company regarding data breach notification. On the same day, the Irish data protection authority also announced that a draft decision on WhatsApp Ireland Limited for submission under Article 60 was in preparation, concerning transparency including in relation to transparency around what information is shared with Facebook.
[28] Article 61 GDPR.
[29] See contribution from the Board, pages 12-14.
[30] Article 62 GDPR.
[31] Based on Article 64 GDPR.

Between 25 May 2018 and 31 December 2019, the Board issued 36 opinions in the context of the adoption of measures by one of its members [34]. Most of them (31) concerned the adoption of national lists of processing operations requiring a data protection impact assessment. Two opinions concerned Binding Corporate Rules, two others concerned draft accreditation requirements for a code of conduct monitoring body, and one concerned Standard Contractual Clauses [35].

Furthermore, the Board adopted, on request, six opinions [36]. Three of these opinions concerned national lists identifying processing which does not require a data protection impact assessment. The others concerned respectively an administrative arrangement for the transfer of personal data between EEA and non-EEA financial supervisory authorities, the interplay between the ePrivacy Directive and the GDPR, and the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment [37].

Challenges to be addressed

Although the data protection authorities have been very actively working together in the Board and already intensively use the cooperation tool of mutual assistance, building a truly common data protection culture is still an ongoing process.

In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and the effective use of all cooperation tools provided in the GDPR. There is a very broad consensus on this point, since it was raised in different ways by the European Parliament, the Council, the European Data Protection Supervisor, stakeholders (within the Multi-stakeholder Group and beyond) and by the data protection authorities.

The main issues to be tackled in this context include differences in:
- national administrative procedures, concerning in particular: complaint handling procedures, the admissibility criteria for complaints, the duration of proceedings due to different timeframes or the absence of any deadlines, the moment in the procedure when the right to be heard is granted, and the information and involvement of complainants during the procedure;
- interpretations of concepts relating to the cooperation mechanism, such as relevant information, the notion of “without delay”, “complaint”, the document which is defined as the “draft decision” of the lead data protection authority, and amicable settlement (in particular the procedure leading to amicable settlement and the legal form of the settlement); and
- the approach to when to start the cooperation procedure, involve the concerned data protection authorities and communicate information to them. Complainants also lack clarity on how their cases are handled in cross-border situations, as was stressed by several members of the Multi-stakeholder Group. Moreover, businesses mention that in certain instances national data protection authorities did not refer cases to the lead data protection authority, but handled them as local cases.

[32] Article 65 GDPR.
[33] Article 66 GDPR.
[34] Under Article 64(1) GDPR.
[35] Article 28(8) GDPR.
[36] Under Article 64(2) GDPR.
[37] See contribution from the Board, page 15.

The Commission welcomes the Board’s announcement that it has started a reflection on how to address these concerns. In particular, the Board indicated that it will clarify the procedural steps involved in the cooperation between the lead data protection authority and the concerned data protection authorities, analyse national administrative procedural laws, work towards a common interpretation of key concepts, and strengthen communication and cooperation (including joint operations).

The Board’s reflection and analysis should lead to devising more efficient working arrangements in cross-border cases [38], including by building on the expertise of its members and by strengthening the involvement of its secretariat. In addition, it should be noted that the Board’s responsibility in ensuring a consistent interpretation of the GDPR cannot be discharged by simply finding the lowest common denominator. Finally, as an EU body the Board must also apply EU administrative law and ensure transparency in the decision-making process.

2.3 Advice and guidelines

Awareness raising and advice by data protection authorities

Several data protection authorities created new tools, such as help lines for individuals and businesses, and toolkits for businesses [39]. Many operators welcome the pragmatism shown by these authorities in assisting with the application of the GDPR. In particular, several of them have actively and closely collaborated and communicated with data protection officers, including through data protection officers’ associations. Many authorities also issued guidelines covering the data protection officers’ role and obligations to support data protection officers during their daily activities and held seminars specifically designed for them. However, this is not the case for all data protection authorities.

Feedback received from stakeholders also points to a number of issues as regards guidance and advice:
- the lack of a consistent approach and guidance between national data protection authorities on certain issues (e.g. on cookies [40], the application of legitimate interest, on data breach notifications or on data protection impact assessments) or even between data protection authorities within the same Member State (e.g. in Germany on the notions of controller and processor);
- the inconsistency of guidelines adopted at national level with those adopted by the Board;
- the absence of public consultations on certain guidelines adopted at national level;
- different levels of engagement with stakeholders among data protection authorities;
- delays in receiving responses to information requests;
- difficulties in obtaining practical and valuable advice from data protection authorities;
- the need to increase the level of sectoral expertise in some data protection authorities (e.g. in the health and pharma sector).

Several of these issues are also linked to the lack of resources in several data protection authorities (see below).

[38] As also pointed out in the Council position and findings.
[39] See below under point 7.
[40] Pending the adoption of the ePrivacy Regulation, close cooperation with the competent authorities responsible for the enforcement of the ePrivacy Directive in the Member States is necessary. In accordance with that Directive, in some Member States the authorities competent for enforcing Article 5(3) of the ePrivacy Directive (which sets out the conditions under which “cookies” may be set and accessed on a user’s terminal equipment) are not the same as the GDPR supervisory authorities.

Divergent practices as regards the notification of data breaches[41]
While the Council highlights the burden caused by such notifications, there are
significant discrepancies in notification numbers between Member States: whereas from May
2018 to end November 2019 the total number of data breach notifications was below 2 000
in most Member States, and between 2 000 and 10 000 in 7 Member States, the
Dutch and German data protection authorities reported respectively 37 400 and
45 600 notifications[42].
This may point to a lack of consistent interpretation and implementation, despite the
existence of EU-level guidelines on data breach notifications.
Guidelines of the European Data Protection Board
To date, the Board has adopted more than 20 guidelines covering key aspects of the
GDPR[43]. The guidelines are an essential tool for the consistent application of the
GDPR and have, therefore, been to a large extent welcomed by stakeholders.
Stakeholders have appreciated the systematic (6 to 8 weeks) public consultation.
However, they ask for more dialogue with the Board. In this context, the practice of
organising workshops on targeted topics prior to drafting guidelines should be
continued and amplified to ensure the transparency, inclusiveness, and relevance of
the Board's work. Stakeholders also request that the interpretation of the most
contentious issues should be addressed in the guidelines, since these are subject to
public consultation, and not within opinions under Article 64(2) of the GDPR. Some
stakeholders also call for more practical guidelines, detailing the application of
concepts and provisions of the GDPR[44]. Members of the Multi-stakeholder Group
stress the need for more concrete examples to reduce the room for diverging
interpretations between data protection authorities as much as possible. At the same
time, the requests to clarify how to apply the GDPR and to provide legal certainty
should not lead to additional requirements or diminish the advantages of the risk-
based approach and the accountability principle.
[41] Article 33 GDPR.
[42] See contribution from the Board, page 35.
[43] The work on guidelines already started before the entry into application of the GDPR on 25 May
2018 in the context of the Article 29 Working Party. See the full list of guidelines at
https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
[44] This has also been highlighted by the European Parliament and by the Council.
The topics on which stakeholders would like additional guidelines from the Board
include: the scope of data subjects' rights (including in the employment context);
updates to the opinion on processing based on legitimate interest; the notions of
controller, joint controller and processor and the necessary arrangements between the
parties[45]; the application of the GDPR to new technologies (such as blockchain and
artificial intelligence); processing in the context of scientific research (including in
relation to international collaboration); the processing of children's data;
pseudonymisation and anonymisation; and the processing of health data.
The Board has already indicated that it will issue guidelines on many of these topics
and work has already started on several of them (e.g. on the application of legitimate
interest as a legal basis for processing).
Stakeholders ask the Board to update and revise existing guidelines where
appropriate, taking into account the experience gathered since their publication and
taking the opportunity to go into more detail where needed.
    2.4 Resources of the data protection authorities
Providing each data protection authority with the necessary human, technical and
financial resources, premises and infrastructure is a prerequisite for the effective
performance of their tasks and exercise of their powers, and therefore an essential
condition for their independence[46].
Most data protection authorities have benefited from an increase in staff and resources
since the GDPR entered into force in 2016[47]. However, many of them still report that
they do not have sufficient resources[48].
    Number of staff working for national data protection authorities
    The total number of staff working in EEA data protection authorities considered
    together has increased by 42% between 2016 and 2019 (by 62% if one considers the
    2020 forecast).
    The number of staff has increased in most authorities during this period, with the
    biggest increase (as a percentage) registered for authorities in Ireland (+169%), the
    Netherlands (+145%), Iceland (+143%), Luxembourg (+126%) and Finland (+114%).
On the other hand, the number of staff decreased in several data protection authorities,
with the sharpest decreases observed in Greece (-15%), Bulgaria (-14%), Estonia (-11%),
Latvia (-10%) and Lithuania (-8%). In some authorities, the decrease in staff is
also due to the departure of data protection experts to the private sector offering more
attractive conditions.
[45] Guidelines from the Board on controllers and processors are currently in preparation.
[46] See Article 52(4) GDPR.
[47] The Regulation entered into force in May 2016 and into application in May 2018, following a
2-year transition period.
[48] See contribution from the Board, pages 26-30.
    In general, the forecast for 2020 provides for an increase of staff compared to 2019,
    except for authorities in Austria, Bulgaria, Italy, Sweden and Iceland (where staff
    numbers are expected to remain stable), Cyprus and Denmark (where staff numbers
    are expected to decrease).
The German data protection authorities[49] together have the highest number of staff
(888 in 2019/1002 in 2020 forecast), followed by the data protection authorities in
Poland (238/260), France (215/225), Spain (170/220), the Netherlands (179/188),
Italy (170/170) and Ireland (140/176).
    The data protection authorities with the lowest staff numbers are those in Cyprus
    (24/22), Latvia (19/31), Iceland (17/17), Estonia (16/18) and Malta (13/15).
    Budget of national data protection authorities
    The total budget of EEA data protection authorities considered together has increased
    by 49% between 2016 and 2019 (by 64% if one considers the 2020 forecast).
The budget of most authorities increased during this period, with the biggest increase
(as a percentage) registered for authorities in Ireland (+223%), Iceland (+167%),
Luxembourg (+165%), the Netherlands (+130%) and Cyprus (+114%). On the other
hand, some authorities saw only a small budget increase, with the smallest increases
registered for data protection authorities in Estonia (7%), Latvia (4%), Romania (3%)
and Belgium (1%), while the authority in France experienced a decrease (-2%).
    In general, the forecast for 2020 provides for an increase in budget compared to 2019,
    except for the authorities in Austria, Bulgaria, Estonia and the Netherlands (whose
    budgets are expected to remain stable).
    The data protection authorities with the highest budget are those of Germany (EUR
    76.6 million in 2019/EUR 85.8 million in the 2020 forecast), Italy (29.1/30.1), The
    Netherlands (18.6/18.6), France (18.5/20.1) and Ireland (15.2/16.9).
    The authorities with the lowest budget are those of Croatia (EUR 1.2 million in
    2019/EUR 1.4 million in the 2020 forecast), Romania (1.1/1.3), Latvia (0.6/1.2),
    Cyprus (0.5/0.5) and Malta (0.5/0.6).
    The table in Annex II provides an overview of the human and budgetary resources of
    national data protection authorities.
Besides impacting their capacity to enforce rules at national level, the lack of
resources also limits data protection authorities' capacity to participate in and
contribute to the cooperation and consistency mechanisms, and to the work carried
out within the Board. As highlighted by the Board, the success of the one-stop-shop
mechanism depends on the time and effort that data protection authorities can
dedicate to the handling of and cooperation on individual cross-border cases. The
resource issue is compounded by the authorities' increased role in the supervision of
large-scale IT systems that are currently being developed. Furthermore, the data
protection authorities in Ireland and Luxembourg have specific resource needs given
their role as lead authorities for the enforcement of the GDPR vis-à-vis big tech
companies, which are located mostly in these Member States.
[49] There are 18 authorities in Germany, of which one is a federal authority and 17 are regional
authorities (including two in Bavaria).
While the Council points to the impact of the cooperation mechanism and its
deadlines on the work of data protection authorities[50], the GDPR obliges Member
States to provide their national data protection authorities with adequate human,
financial and technical resources[51].
The secretariat of the Board, which is provided by the European Data Protection
Supervisor[52], is currently composed of 20 people, including legal, IT and
communication experts. It is to be assessed whether this figure needs to evolve in the
future in light of the effective fulfilment of its function of analytical, administrative
and logistical support to the Board and its subgroups, including through the
management of the information exchange system.
    3 HARMONISED RULES BUT STILL A DEGREE OF FRAGMENTATION AND DIVERGING
    APPROACHES
    The GDPR provides for a consistent approach to data protection rules throughout the
    EU, replacing the different national regimes that existed under the 1995 Data
    Protection Directive.
    3.1 Implementation of the GDPR by the Member States
    The GDPR has been directly applicable in all Member States since 25 May 2018. It
    obliged Member States to legislate, in particular to set up national data protection
    authorities and the general conditions for their members, in order to ensure that each
    authority acts with complete independence in performing its tasks and exercising its
    powers in accordance with the GDPR. Legal obligations and public tasks can
    constitute a legal ground for the processing of personal data only if they are laid down
    in (Union or) national law. In addition, Member States must lay down rules on
    penalties in particular for infringements not subject to administrative fines and must
    reconcile the right to the protection of personal data with the right to freedom of
    expression and information. National law can also provide for a legal basis for the
    exemption from the general prohibition for processing special categories of personal
    data, for example for reasons of substantial public interest in the area of public health,
    including protection against serious cross-border threats to health. Furthermore,
    Member States must ensure the accreditation of certification bodies.
The Commission is monitoring the implementation of the GDPR in national
legislation. At the time of writing this report, all Member States except Slovenia have
adopted new data protection legislation or adapted their law in this area. The
Commission therefore requested Slovenia to provide clarification on the progress
made to date and urged it to finalise that process[53].
[50] Article 60 GDPR.
[51] Article 52(4) GDPR.
[52] Article 75 GDPR.
In addition, the compliance of national legislation with data protection rules as
regards the Schengen acquis is also assessed in the context of the Schengen
Evaluation Mechanism coordinated by the Commission. The Commission and
Member States jointly evaluate how countries implement and apply the Schengen
acquis in a number of areas; for data protection this concerns large-scale IT systems
like the Schengen Information System and the Visa Information System and includes
the role of data protection authorities in supervising the processing of personal data
within those systems.
Work on adapting sectoral laws is still on-going at national level. Following the
GDPR's incorporation into the European Economic Area Agreement, its application
was extended to Norway, Iceland and Liechtenstein. These countries have also adopted
their national data protection laws.
    The Commission will make use of all the tools at its disposal, including infringement
    procedures, to ensure that Member States comply with the GDPR.
    Main issues relating to national implementation
    The main issues identified to date as part of the ongoing assessment of national
    legislation and bilateral exchanges with Member States include:
• Restrictions to the GDPR's application: some Member States, for example,
completely exclude the activities of the national parliament;
• Differences in the applicability of national specification laws. Some Member
States link the applicability of their national law to the place where the goods or
services are offered, others to the place of establishment of the controller or
processor. This runs contrary to the objective of harmonisation pursued by the
GDPR;
• National laws that raise questions on the proportionality of the interference with
the right to data protection. For example, the Commission launched an
infringement procedure against a Member State that had enacted legislation
requiring judges to disclose specific information about their non-professional
activities, which is incompatible with the right to respect for private life and the
right to the protection of personal data[54];
• The absence of an independent body for the supervision of data processing by
courts acting in their judicial capacity[55];
• Legislation in areas fully regulated by the GDPR beyond the margin for
specifications or restrictions. This is, in particular, the case where national
provisions determine conditions for processing based on legitimate interest, by
providing for the balancing of the respective interests of the controller and of the
individuals concerned, while the GDPR obliges each and every controller to
undertake such balancing individually in order to avail itself of that legal basis;
• Specifications and additional requirements beyond processing for compliance with
a legal obligation or performance of a public task (e.g. for video surveillance in
the private sector or for direct marketing); and for concepts used in the GDPR
(e.g. 'large scale' or 'erasure').
Some of these issues may be clarified by the Court of Justice in cases that are still
pending[56].
[53] It has to be noted that the national data protection authority in Slovenia is set up on the basis of the
current national data protection law and supervises the application of the GDPR in that Member
State.
[54] This infringement procedure concerns the Polish law on the judiciary of 20 December 2019, which
affects the independence of the judges and concerns, inter alia, the disclosure of the engagement of
judges in non-professional activities:
https://ec.europa.eu/commission/presscorner/detail/en/ip_20_772.
[55] See Article 8(3) of the Charter; Article 16 TFEU; recital 20 of the GDPR.
    Reconciliation of the right to the protection of personal data with freedom of
    expression and information
A specific issue concerns the implementation of the obligation for Member States to
reconcile by law the right to the protection of personal data with freedom of
expression and information[57]. This issue is very complex, since an assessment of the
balancing between these fundamental rights must also take into account provisions
and safeguards in press and media laws.
    The assessment of Member State legislation shows different approaches to the
    reconciliation of the right to the protection of personal data with freedom of
    expression and information:
• Some Member States lay down the principle of precedence of freedom of
expression or exempt in principle the application of entire chapters mentioned in
Article 85(2) GDPR if processing for journalistic purposes and for academic,
artistic and literary expression is at stake. To a certain extent, media laws provide
for some safeguards as regards data subject rights.
• Some Member States lay down the precedence of the protection of personal data
and exempt the application of data protection rules only in specific situations,
such as where a person with public status is concerned.
• Other Member States provide for a certain balancing by the legislator and/or a
case-by-case assessment as regards derogations from certain provisions of the
GDPR.
    The Commission will continue its assessment of national legislation on the basis of
    the requirements of the Charter. The reconciliation must be provided for by law,
    respect the essence of those fundamental rights, and be proportional and necessary
    (Article 52(1) of the Charter). Data protection rules should not affect the exercise of
    freedom of expression and information especially by creating a chilling effect or by
    being interpreted as a way to put pressure on journalists to disclose their sources.
[56] For example, the exemption of a parliamentary committee from the application of the GDPR is
subject to a pending court case for a preliminary ruling (C-272/19).
[57] Article 85 GDPR.
    3.2 Facultative specification clauses and their limits
    The GDPR gives Member States the possibility to further specify its application in a
    limited number of areas. This margin for national legislation is to be distinguished
    from the obligation to implement certain other provisions of the GDPR as mentioned
    above. The clauses for facultative specifications are listed in Annex I.
The margins for Member State law are subject to the conditions and limits set by the
GDPR and do not allow for a parallel national data protection regime[58]. Member
States are obliged to amend or repeal their national data protection laws, including
sectoral legislation with data protection aspects.
Furthermore, related Member State legislation must not include provisions which
might create confusion regarding the direct application of the GDPR. Therefore,
where the GDPR provides for specifications or restrictions of its rules by Member
State law, Member States may incorporate elements of the GDPR in their national
law, to the extent necessary to ensure coherence and to render the national provisions
comprehensible to the persons to whom they apply[59].
    Stakeholders consider that Member States should reduce or refrain from using
    facultative specification clauses since they do not contribute to harmonisation. The
    national divergences in both the implementation of the laws and their interpretation by
    data protection authorities considerably increase the cost of legal compliance across
    the EU.
    Fragmentation linked to the use of facultative specification clauses
• Age limit for children's consent for information society services
A number of Member States have made use of the possibility to provide for a lower
age than 16 years for consent in relation to information society services (Article 8(1)
GDPR). Whereas nine Member States apply the 16-year age limit, eight Member
States opted for 13 years, six for 14 years and three for 15 years[60].
    Consequently, a company providing information society services to minors across the
    EU has to distinguish between the ages of potential users, depending in which
    Member State they reside. This is contrary to the key objective of the GDPR to
    provide for an equal level of protection to individuals and of business opportunities in
    all Member States.
    Such differences lead to situations where the Member State in which the controller is
    established provides for another age limit than the Member States where the data
    subjects are residing.
[58] The widely used term "opening clauses" to mean specification clauses is misleading since it
might give the impression that Member States have margins of manoeuvre beyond the provisions of
the Regulation.
[59] Recital 8 of the GDPR.
[60] 13 years for Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal and Sweden; 14 years for
Austria, Bulgaria, Cyprus, Spain, Italy and Lithuania; 15 years for Czech Republic, Greece and
France; 16 years for Germany, Hungary, Croatia, Ireland, Luxembourg, the Netherlands, Poland,
Romania and Slovakia.
• Health and research
When implementing derogations from the general prohibition for processing special
categories of personal data[61], Member State legislation follows different approaches
as regards the level of specification and safeguards, including for health and research
purposes. Most Member States introduced or maintained further conditions for the
processing of genetic data, biometric data or data concerning health. This is also true
for derogations related to data subject rights for research purposes[62], both as regards
the extent of the derogations and the related safeguards.
    The Board’s future guidelines on the use of personal data in the field of scientific
    research will contribute to a harmonised approach in this area. The Commission will
    provide input to the Board, in particular as regards health research, including in the
    form of concrete questions and analysis of concrete scenarios that it received from the
    research community. It would be helpful if these guidelines could be adopted before
    the launch of Horizon Europe Framework Programme in view of harmonising data
    protection practices and facilitating data sharing for research advancements.
    Guidelines from the Board on the processing of personal data in the area of health
    could also be useful.
The GDPR provides a robust framework for national legislation in the area of public
health and explicitly includes cross-border health threats and the monitoring of
epidemics and their spread[63], which was relevant in the context of the fight against the
COVID-19 pandemic.
At EU level, on 8 April 2020 the Commission adopted a Recommendation for a
toolbox for the use of technology and data in this context, including mobile
applications and the use of anonymised mobility data[64], and on 16 April 2020
guidance on apps supporting the fight against the pandemic in relation to data
protection[65]. The Board published a statement on data processing in this context on 19
March 2020[66], followed on 21 April 2020 by guidelines on data processing for
research purposes and on the use of localisation data and contact tracing tools in this
context[67]. These recommendations and guidelines clarify how the principles and rules
on the protection of personal data apply in the context of the fight against the
pandemic.
• Extensive restrictions of data subjects' rights
Most national data protection laws that restrict data subjects' rights do not specify the
objectives of general public interest safeguarded by these restrictions and/or do not
sufficiently meet the conditions and safeguards required by Article 23(2) of the
GDPR[68]. Several Member States leave no room for the proportionality test or extend
the restrictions even beyond the scope of Article 23(1) of the GDPR. For example,
some national laws deny the right of access for reasons of disproportionate effort on
the side of the controller, for personal data which are stored on the basis of a retention
obligation or related to the performance of public tasks, without limiting such
restriction to objectives of general public interest.
[61] Article 9 GDPR.
[62] Article 89(2) GDPR.
[63] See Article 9(2)(i) GDPR and recital 46.
[64] https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf
[65] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020XC0417(08)&from=EN
[66] https://edpb.europa.eu/news/news/2020/statement-processing-personal-data-context-covid-19-outbreak_en
[67] https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
• Additional requirements for companies
Although the requirement of a mandatory data protection officer is based on the risk-
based approach[69], one Member State[70] extended it to a quantitative criterion, obliging
companies in which 20 employees or more are permanently involved in the automated
processing of personal data to designate a data protection officer, independently of the
risks connected with the processing activities[71]. This has led to additional burdens.
    4 EMPOWERING INDIVIDUALS TO CONTROL THEIR DATA
The GDPR makes fundamental rights effective, in particular the right to the protection
of personal data, but also the other fundamental rights recognised by the Charter,
including the respect for private and family life, freedom of expression and
information, non-discrimination, freedom of thought, conscience and religion,
freedom to conduct a business and the right to an effective remedy. These rights must
be balanced against each other in accordance with the principle of proportionality[72].
    The GDPR provides individuals with enforceable rights, such as the right of access,
    rectification, erasure, objection, portability and enhanced transparency. It also gives
    individuals the right to lodge a complaint with a data protection authority, including
    through representative actions, and to judicial redress.
Individuals are increasingly aware of their rights, as shown in the results of the July
2019 Eurobarometer[73] and the survey carried out by the Fundamental Rights
Agency[74].
According to the Fundamental Rights Survey carried out by the Fundamental Rights
Agency:
• 69% of the population aged 16+ in the EU have heard about the GDPR;
• 71% of respondents in the EU have heard about their national data protection
authority; this figure ranges from 90% in the Czech Republic to 44% in Belgium;
• 60% of respondents in the EU are aware of a law that allows them to access their
personal data as held by public administration; however, this percentage decreases
to 51% for private companies;
• more than one in five respondents (23%) in the EU do not want to share personal
data (such as one's address, citizenship or date of birth) with public
administration, and 41% do not want to share these data with private companies.
[68] For instance because they simply repeat the wording of Article 23(1) GDPR.
[69] Article 37(1) GDPR.
[70] Germany.
[71] Making use of the specification clause in Article 37(4) GDPR.
[72] Cf. recital 4 of the GDPR.
[73] https://ec.europa.eu/commission/presscorner/detail/en/IP_19_2956
[74] European Union Agency for Fundamental Rights (FRA) (2020): Fundamental Rights Survey 2019.
Data protection and technology: https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection
Individuals are increasingly using their right to lodge complaints with data protection
authorities, either individually or by representative actions[75]. Only a few Member
States have allowed non-governmental organisations to launch actions without a
mandate, in line with the possibility provided by the GDPR. The proposed Directive
on representative actions for the protection of the collective interests of consumers[76] is
expected, once adopted, to strengthen the framework for representative actions also in
the field of data protection.
    Complaints
The total number of complaints between May 2018 and end of November 2019 as
reported by the Board is around 275 000[77]. However, this figure should be considered
with much caution given that the definition of a complaint is not identical among
authorities. The absolute number of complaints received by data protection
authorities[78] is very different between Member States. The highest numbers of
complaints were registered in Germany (67 000), the Netherlands (37 000), Spain and
France (18 000 each), Italy (14 000), Poland and Ireland (12 000 each). Two-thirds of
authorities reported a number of complaints ranging between 600 and 8 000. The
lowest numbers of complaints were registered in Estonia and Belgium (around 500
each), Malta and Iceland (fewer than 200 each).
    The number of complaints is not necessarily correlated to the size of the population or
    GDP, with for instance close to twice as many complaints in Germany compared to
    the Netherlands, and four times as many compared to Spain and France.
    Feedback from the Multi-stakeholder Group shows that organisations have put in
    place a variety of measures to facilitate the exercise of data subjects’ rights, including
    implementing processes that ensure individual review of requests and a reply from the
    controller, the use of several channels (mail, dedicated email address, website, etc.),
    updated internal procedures and policies on the timely internal handling of requests,
    and staff training. Some companies have put in place digital portals accessible
    through the company’s website (or the company’s intranet for employees) to facilitate
    the exercise of rights by data subjects.
    However, further progress is needed on the following points:
     Not all data controllers comply with their obligation to facilitate the exercise of
    data subjects’ rights79
    . They need to ensure that data subjects have an effective
    point of contact to whom they can explain their problems. This can be the data
    75
    Article 80 GDPR.
    76
    COM/2018/0184 final - 2018/089 (COD)
    77
    Both under Articles 77 and 80 GDPR.
    78
    See contribution from the Board, pages 31-32.
    79
    Article 12(2) GDPR.
    21
    protection officer, whose contact details have to be provided pro-actively to the
    data subject80
    . The contact modalities must not be limited to e-mails, but must also
    enable the data subject to address the controller through other means.
     Individuals still face difficulties when requesting access to their data, for instance
    from platforms, data brokers and adtech companies.
- The right to data portability is not used to its full potential. The European Strategy
  for Data (hereafter Data Strategy)[81], adopted by the Commission on 19 February
  2020, emphasised the need to facilitate all possible uses of this right (e.g. by
  mandating technical interfaces and machine-readable formats allowing portability
  of data in (near-to) real-time). Operators note that there are sometimes difficulties
  in providing the data in a structured, commonly used machine-readable format
  (due to the lack of a standard). Only organisations in particular sectors, such as
  banking, telecommunications, water and heating meters, report having
  implemented the necessary interfaces[82]. New technological tools have been
  developed to facilitate the exercise by individuals of their rights under the GDPR,
  not limited to data portability (e.g. personal data spaces and personal information
  management services).
- Rights of children: Several members of the Multi-stakeholder Group stress the
  need to provide information to children and the fact that many organisations
  ignore that children may be concerned by their data processing. The Council
  stressed that particular attention could be paid to the protection of children when
  drafting codes of conduct. The protection of children is also a focus of data
  protection authorities[83].
- Right to information: some companies have a very legalistic approach, taking data
  protection notices as a legal exercise, with information being quite complex,
  difficult to understand or incomplete, whereas the GDPR requires that any
  information should be concise and use clear and plain language[84]. It seems that
  some companies do not follow the Board’s recommendations, for example as
  regards listing the names of the entities with whom they share data.
- Several Member States extensively restricted data subjects’ rights through
  national law, and some even beyond the margins of Article 23 of the GDPR.
- The exercise of the rights of individuals is sometimes hampered by the practices
  of a few major digital players that make it difficult for individuals to choose the
  settings that most protect their privacy (in violation of the requirement of data
  protection by design and default[85])[86].

[80] Article 13(1)(b) and Article 14(1)(b) GDPR.
[81] https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf
[82] See report from the Multi-stakeholder Group.
[83] See the results of a public consultation on children’s data protection rights carried out by the Irish
     data protection authority: https://www.dataprotection.ie/sites/default/files/uploads/2019-09/Whose%20Rights%20Are%20They%20Anyway_Trends%20and%20Hightlights%20from%20Stream%201.pdf.
     The French data protection authority also launched a public consultation in April 2020:
     https://www.cnil.fr/fr/la-cnil-lance-une-consultation-publique-sur-les-droits-des-mineurs-dans-lenvironnement-numerique
[84] Article 12(1) GDPR.
[85] Article 25 GDPR.

    The Board’s guidelines on data subjects’ rights are eagerly awaited by stakeholders.
5 OPPORTUNITIES AND CHALLENGES FOR ORGANISATIONS, IN PARTICULAR SMALL AND MEDIUM SIZE ENTERPRISES
    Opportunities for organisations
The GDPR fosters competition and innovation. Together with the Free Flow of
Non-Personal Data Regulation[87], it ensures the free flow of data within the EU and creates
a level playing field with companies not established in the EU. By creating a
harmonised framework for the protection of personal data, the GDPR ensures that all
actors in the internal market are bound by the same rules and benefit from the same
opportunities, regardless of whether they are established and where the processing
takes place. The technological neutrality of the GDPR provides the data protection
framework for new technological developments. The principles of data protection by
design and by default incentivise innovative solutions, which include data protection
considerations from the outset and may reduce the cost of compliance with data
protection rules.
    In addition, privacy becomes an important competitive parameter that individuals
    increasingly take into consideration when choosing their services. Those who are
    more informed and sensitive to data protection considerations look for products and
    services that ensure effective protection of personal data. The implementation of the
    right to data portability has the potential to lower the barriers to entry for businesses
    offering innovative, data-protection-friendly services. The effects of a potentially
    broader use of this right on the market in different sectors should be monitored.
Compliance with the data protection rules and their transparent application will create
trust in the use of people’s personal data and thus new opportunities for
businesses.
    Like all regulation, data protection rules have inherent compliance costs for
    companies. However, these costs are outweighed by the opportunities and advantages
    of strengthened trust in digital innovation and the societal benefits resulting from
    respecting a fundamental right. By ensuring a level playing field and equipping data
    protection authorities with what they need to enforce the rules effectively, the GDPR
    prevents non-compliant companies from free-riding on the trust built by those who
    follow the rules.
[86] See report by the Norwegian Consumer Council, Deceived by Design, which highlighted the “dark
     patterns”, default settings and other features and techniques used by companies to nudge users
     towards intrusive options:
     https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design/
     See also the research published in December 2019 by the Transatlantic Consumer Dialogue and the
     Heinrich-Böll-Stiftung Brussels European Union analysing the practices of three major global
     platforms:
     https://eu.boell.org/en/2019/12/11/privacy-eu-and-us-consumer-experiences-across-three-global-platforms
[87] Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018
     on a framework for the free flow of non-personal data in the European Union - OJ L 303,
     28.11.2018, p. 59–68.

Specific challenges for Small and Medium size Enterprises (SMEs)
There is a general perception by stakeholders, but also by the European Parliament,
the Council and data protection authorities that applying the GDPR is especially
challenging for micro, small and medium size enterprises, and for small voluntary and
charitable organisations.
According to the risk-based approach, it would not be appropriate to provide
derogations based on the size of the operators, as their size is not in itself an
indication of the risks that the processing of personal data they undertake can create for
individuals. The risk-based approach pairs flexibility with effective protection. It
takes into account the needs of SMEs that do not have processing of data as their core
business, and calibrates their obligations in particular based on the likelihood and
severity of the risks related to the specific processing they carry out.[88]
    Small and low-risk processing should not be treated in the same way as high risk and
    frequent processing – independently of the size of the company that undertakes it.
Therefore, as the Board concluded, “in any case, the risk-based approach promoted by
the legislator in the text should be maintained, as risks for data subjects do not depend
on the size of controllers”[89]. The data protection authorities should fully take on board
    this principle when enforcing the GDPR, preferably within a common European
    approach in order not to create barriers to the Single Market.
    The data protection authorities developed several tools and stressed their intention to
    further improve them. Some authorities have launched awareness campaigns and will
    even hold free “GDPR classes” for SMEs.
Examples of guidance and tools provided by data protection authorities specifically to
SMEs:
- publication of information addressed to SMEs;
- seminars for data protection officers and events for SMEs that do not need to
  designate a data protection officer;
- interactive guides to assist SMEs;
- hotlines for consultations;
- templates for processing contracts and records on processing activities.
A description of activities carried out by data protection authorities is presented in the
Board’s contribution[90].
Several of the actions that specifically support SMEs received EU funding. The
Commission provided financial support through three waves of grants, for a total of
EUR 5 million, with the two most recent ones specifically aimed at supporting
national data protection authorities in their efforts to reach out to individuals and
SMEs. As a result, in 2018, EUR 2 million were allocated to nine data protection
authorities for activities in 2018-2019 (Belgium, Bulgaria, Denmark, Hungary,
Lithuania, Latvia, the Netherlands, Slovenia, and Iceland)[91], and in 2019 EUR 1
million was allocated to four data protection authorities for activities in 2020
(Belgium, Malta, Slovenia and Croatia in partnership with Ireland)[92]. An additional
EUR 1 million will be allocated in 2020.

[88] Article 24(1) GDPR.
[89] See contribution from the Board, p. 35.
[90] See contribution from the Board, pages 35-45.

Despite these initiatives, SMEs and start-ups often report that they struggle with the
implementation of the accountability principle set forth under the GDPR[93]. They
    notably report that they do not always get enough guidance and practical advice from
    the national data protection authorities, or that the time it takes to get guidance and
    advice is too long. There have also been cases where authorities were reluctant to
    engage in legal issues. When confronted with such situations, SMEs often turn to
    external advisors and lawyers to deal with the implementation of the accountability
    principle and the risk-based approach (including transparency requirements, records
    of processing and data breach notifications). This may also create further costs for
    them.
    One specific issue is the recording of processing activities, which is considered by
    SMEs and small associations as a cumbersome administrative burden. The exemption
    from that obligation in Article 30(5) GDPR is indeed very narrow. However, the
    related efforts for complying with that obligation should not be over-estimated. Where
    the core business of SMEs does not involve the processing of personal data, such
    records may be simple and not burdensome. The same applies for voluntary and other
    associations. Such simplified records would be facilitated by records templates, as is
    already the practice of some data protection authorities. In any case, everyone who
    processes personal data should have an overview on their data processing as a basic
    requirement of the accountability principle.
The development of practical tools at EU level by the Board, such as harmonised
forms for data breaches and simplified records of processing activities, may help
SMEs and small associations[94] whose main activities do not focus on the processing
of personal data to meet their obligations.
    Various industry associations have made efforts to raise awareness and inform their
    members, for instance through conferences and seminars, providing businesses with
    information on available guidance, or developing a privacy assistance service for
    members. They also report an increasing number of seminars, meetings and events
    organised by think tanks and SME associations on matters related to the GDPR.
In order to enhance the free movement of all data within the EU and to establish a
coherent application of the GDPR and the Free Flow of Non-Personal Data
Regulation, the Commission also issued practical guidance on rules governing the
processing of mixed datasets, composed of both personal and non-personal data, and
targeting especially SMEs[95].

[91] https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/rec-rdat-trai-ag-2017.
[92] https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules/eu-funding-supporting-implementation-gdpr_en
[93] See report from the Multi-stakeholder Group.
[94] See contribution from the Council.

    Toolbox for businesses
    The GDPR provides for tools that help demonstrate compliance, such as codes of
    conduct, certification mechanisms, and standard contractual clauses.
- Codes of conduct
The Board has issued guidelines[96] to support and facilitate “code owners” in drafting,
amending or extending codes, and to provide practical guidance and interpretative
assistance. These guidelines also clarify the procedures for the submission, approval
and publication of codes at both national and EU level by setting out the minimum
criteria required.
    Stakeholders consider codes of conduct as very useful tools. Although many codes are
    implemented at national level, a number of EU wide codes of conduct are currently in
    preparation (for instance on mobile health apps, health research in genomics, cloud
    computing, direct marketing, insurance, processing by prevention and counselling
services for children)[97]. Operators believe that EU-wide codes of conduct should be
    promoted more prominently as they foster the consistent application of the GDPR
    across all Member States.
    However, codes of conduct also require time and investment from operators both for
    their development and for the setting up of the required independent monitoring
    bodies. Representatives from SMEs stress the importance and usefulness of codes of
    conduct tailored to their situation and not entailing disproportionate costs.
    Consequently, business associations in a number of sectors implemented other kinds
    of self-regulatory tools such as codes of good practice or guidance. While such tools
    may provide useful information, they do not have the approval of data protection
    authorities and cannot serve as a tool to help demonstrate compliance with the GDPR.
The Council stresses that codes of conduct must pay particular attention to the
processing of children’s data and health data. The Commission is supporting code(s)
of conduct that would harmonise the approach in health and research and facilitate
the cross-border processing of personal data[98]. The Board is in the process of
approving draft accreditation requirements for codes of conduct monitoring bodies put
forward by a number of data protection authorities[99]. Once transnational or EU codes
of conduct are ready to be submitted to data protection authorities for approval, they
will undergo consultation of the Board. Having transnational codes of conduct rapidly
in place is especially important for areas involving the processing of significant
amounts of data (e.g. cloud computing) or sensitive data (e.g. health/research).

[95] Communication from the Commission to the European Parliament and the Council - Guidance on
     the Regulation on a framework for the free flow of non-personal data in the European Union,
     COM/2019/250 final.
[96] https://edpb.europa.eu/our-work-tools/our-documents/wytyczne/guidelines-12019-codes-conduct-and-monitoring-bodies-under_en.
[97] See report from the Multi-stakeholder Group.
[98] See actions announced in the European Strategy for Data, page 30.
[99] Under Article 41(3) GDPR. See EDPB opinions at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en

- Certification
Certification can be a useful instrument to demonstrate compliance with specific
requirements of the GDPR. It can increase legal certainty for businesses and promote
the GDPR globally.
As pointed out in the study on certification published in April 2019[100], the objective
should be to facilitate the uptake of relevant schemes. The development of
certification schemes in the EU will be supported by the guidelines issued by the
Board on certification criteria[101] and on the accreditation of certification bodies[102].
    Security and data protection by design are key elements to be considered in
    certification schemes under the GDPR and would benefit from a common and
    ambitious approach throughout the EU. The Commission will continue to support the
    current contacts between the European Union Agency for Cybersecurity (ENISA), the
    data protection authorities and the Board.
As regards cybersecurity, following the adoption of the Cybersecurity Act the
Commission requested that ENISA prepare two certification schemes including one
scheme for cloud services[103]. Further schemes addressing the cybersecurity of
services and products for consumers are under consideration. While these certification
schemes established under the Cybersecurity Act do not explicitly address data
protection and privacy, they contribute to increasing consumers’ trust in digital
services and products. Such schemes may provide evidence of adherence to the
principles of security by design as well as the implementation of appropriate technical
and organisational measures related to the security of processing of personal data.
- Standard contractual clauses
The Commission is working on standard contractual clauses between controllers and
processors[104], also in light of the modernisation of the standard contractual clauses for
international transfers (see Section 7.2). A Union act, adopted by the Commission,
will have EU-wide binding effect which will ensure full harmonisation and legal
certainty.
6 THE APPLICATION OF THE GDPR TO NEW TECHNOLOGIES
A technology neutral framework open to new technologies
The GDPR is technology-neutral, trust-enabling, and based on principles[105]. These
principles, including lawful and transparent processing, purpose limitation and data
minimisation, provide for a solid basis for the protection of personal data, irrespective
of the processing operations and techniques applied.

[100] https://ec.europa.eu/info/study-data-protection-certification-mechanisms_en
[101] https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-12018-certification-and-identifying-certification_en.
[102] https://edpb.europa.eu/our-work-tools/our-documents/retningslinjer/guidelines-42018-accreditation-certification-bodies_en.
      Several supervisory authorities have already submitted their accreditation
      requirements to the EDPB, both for code of conduct monitoring bodies and for certification bodies.
      See the overview at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
[103] https://ec.europa.eu/digital-single-market/en/news/towards-more-secure-and-trusted-cloud-europe
[104] Article 28(7) GDPR.
[105] As recalled by the Council, the European Parliament and the Board in their contributions to the
      evaluation.

    Members of the Multi-stakeholder Group report that overall the GDPR has a positive
    impact on the development of new technologies and provides a good basis for
    innovation. The GDPR is seen as an essential and flexible tool for ensuring the
    development of new technologies in accordance with fundamental rights. The
    implementation of its core principles is particularly crucial for data intensive
    processing. The GDPR’s risk based and technology neutral approach provides a level
    of data protection that is adequate to address the risk of processing, including by
    emerging technologies.
In particular, stakeholders mention that the GDPR’s principles of purpose limitation
and further compatible processing, data minimisation, storage limitation,
transparency, accountability and the conditions under which automated decision
making processes[106] can be legally deployed to a large extent address the concerns
related to the use of artificial intelligence.
    The future-proof and risk based approach of the GDPR will also be applied in the
    possible future framework for artificial intelligence and when implementing the Data
Strategy. The Data Strategy aims at fostering data availability and at the creation of
    common European data spaces supported by federated cloud infrastructure services.
    As regards personal data, the GDPR provides the main legal framework, within which
    effective solutions can be devised on a case-by-case basis depending on the nature
    and content of each data space.
    The GDPR has increased awareness about the protection of personal data both within
    and outside the EU and has prompted companies to adapt their practices to take into
    account data protection principles when innovating. However, civil society
    organisations note that, although the GDPR’s impact on the development of new
    technologies appears positive, the practices of major digital players have not yet
    fundamentally changed towards more privacy-friendly processing. Strong and
    effective enforcement of the GDPR vis-à-vis large digital platforms and integrated
    companies, including in areas such as online advertising and micro-targeting, is an
    essential element for protecting individuals.
The Commission is analysing the broader issues related to the market behaviours of
large digital players in the context of the Digital Services Act package[107]. As regards
research in the field of social media, the Commission recalls that the GDPR cannot be
used as an excuse by social media platforms to limit researchers’ and fact-checkers’
access to non-personal data such as statistics on which targeted ads have been sent to
which categories of people, the criteria for designing this targeting, information on
fake accounts, etc.
The GDPR’s technologically-neutral and future-proof approach was put to the test
during the COVID-19 pandemic and has proven to be successful. Its principles-based
rules supported the development of tools to combat and monitor the spread of the
virus.

[106] However, stakeholders observe that not all automated decision-making processes in an artificial
      intelligence context fall under Article 22 GDPR.
[107] https://ec.europa.eu/commission/presscorner/detail/en/ip_20_962

    Challenges to be addressed
    The development and application of new technologies do not put these principles into
    question. The challenges lie in clarifying how to apply the proven principles to the use
    of specific technologies such as artificial intelligence, blockchain, Internet of Things,
    facial recognition or quantum computing.
In this context, the European Parliament and the Council stressed the need for
continuous monitoring to clarify how the GDPR applies to new technologies and big
tech companies. In addition, stakeholders warn that the assessment of whether the
GDPR remains fit for purpose also requires constant monitoring.
    Industry stakeholders stress that innovation requires that the GDPR is applied in a
    principle-based way, in line with its design, rather than in a rigid and formal manner.
They are of the view that the Board’s guidelines on how to apply the GDPR principles,
    concepts and rules to new technologies such as artificial intelligence, blockchain or
    Internet of Things, taking into account the risk-based approach, would help provide
    clarifications and more legal certainty. Such soft law tools are well suited to
    accompany the GDPR’s application to the new technologies since they provide for
    more legal certainty and can be reviewed in line with technological developments.
    Some stakeholders also suggest that sectoral guidance on how to apply the GDPR to
    new technologies could be helpful.
    The Board stated that it will continue to consider the impact of emerging technologies
    on the protection of personal data.
    Stakeholders also underline the importance for regulators to get a thorough
    understanding of how technology is being used and to engage in a dialogue with
    industry on the development of emerging technologies. They consider that a
    ‘regulatory sandbox’ approach – as a means to obtain guidance on the application of
    the rules – could be an interesting option to test new technologies and help businesses
    apply the data protection by design and by default principle in new technologies.
    In terms of further policy action, stakeholders recommend that any future policy
    proposals on artificial intelligence should build on the existing legal frameworks and
    be aligned with the GDPR. Potential specific issues should be carefully assessed,
    based on relevant evidence, before new prescriptive rules are proposed.
    The Commission White Paper on Artificial Intelligence puts forward a number of
    policy options on which stakeholders’ views were sought until 14 June 2020. As
    regards facial recognition, a technology that may significantly impact individuals’
    rights, the White Paper recalled the current legislative framework and opened a public
    debate on the specific circumstances, if any, which might justify the use of artificial
    intelligence for facial recognition and other remote biometric identification purposes
    in public places, and on common safeguards.
    7 INTERNATIONAL TRANSFERS AND GLOBAL COOPERATION
    7.1 Privacy: a global issue
    The demand for the protection of personal data knows no borders, as individuals
    around the world increasingly cherish and value the privacy and security of their data.
    At the same time, the importance of data flows for individuals, governments,
    companies and, more generally, society at large is an inescapable fact in our
    interconnected world. They constitute an integral part of trade, cooperation between
    public authorities and social interactions. In that respect, the current COVID-19
    pandemic also highlights how critical the transfer and exchange of personal data are
    for many essential activities, including ensuring the continuity of government and
    business operations – by enabling teleworking and other solutions that heavily rely on
    information and communication technologies – developing cooperation in scientific
    research on diagnostics, treatments and vaccines, and fighting new forms of
    cybercrime such as online fraud schemes offering counterfeit medicines claiming to
    prevent or cure COVID-19.
    Against this background, and more than ever before, protecting privacy and
    facilitating data flows have to go hand in hand. The EU, with its data protection
    regime combining openness to international transfers with a high level of protection
    for individuals, is very well placed to promote safe and trusted data flows. The GDPR
    has already emerged as a reference point at international level and acted as a catalyst
    for many countries around the world to consider introducing modern privacy rules.
    This is a truly global trend running, to mention just a few examples, from Chile to
    South Korea, from Brazil to Japan, from Kenya to India, from Tunisia to Indonesia,
    and from California to Taiwan. These developments are remarkable not only from a
    quantitative but also from a qualitative point of view: many of the privacy laws
    recently adopted, or in the process of being adopted, are based on a core set of
    common safeguards, rights and enforcement mechanisms that are shared by the EU.
    In a world that is too often characterised by different, if not divergent, regulatory
    approaches, this trend towards global convergence is a very positive development that
    brings new opportunities for increasing the protection of individuals in Europe while,
    at the same time, facilitating data flows and lowering transaction costs for business
    operators.
To seize these opportunities and implement the strategy set out in its 2017
Communication on “Exchanging and Protecting Personal Data in a Globalised
World”[108], the Commission has significantly stepped up its work on the international
dimension of privacy, making full use of the available transfer ‘toolbox’, as explained
below. This included actively engaging with key partners with a view to reaching an
“adequacy finding” and yielded important results, such as the creation of the world’s
largest area of free and safe data flows between the EU and Japan.
Besides its adequacy work, the Commission has worked closely with data protection
authorities within the Board, as well as with other stakeholders, to harness the full
potential of the GDPR’s flexible rules for international transfers. This concerns the
modernisation of instruments such as standard contractual clauses, the development of
certification schemes, codes of conduct or administrative arrangements for data
exchanges between public authorities, as well as the clarification of key concepts
relating to, for example, the territorial scope of EU data protection rules or the use of
so-called “derogations” to transfer personal data.

[108] Communication from the Commission to the European Parliament and the Council ‘Exchanging
      and Protecting Personal Data in a Globalised World’, 10.1.2017 (COM(2017) 7 final).

    Finally, the Commission intensified its dialogue in a number of bilateral, regional and
    multilateral fora to foster a global culture of respect for privacy and develop elements
    of convergence between different privacy systems. In its efforts, the Commission
    could count on the active support of the European External Action Service and the
    network of EU delegations in third countries and missions to international
    organisations. This also ensured coherence and greater complementarity between
    different aspects of the external dimension of EU policies – from trade to the new
    Africa-EU Partnership.
    7.2 The GDPR transfer toolbox
    As more and more private and public operators rely on international data flows as part
    of their routine operations, there is an increasing need for flexible instruments that can
    be adapted to different sectors, business models and transfer situations. Reflecting
    these needs, the GDPR offers a modernised toolbox that facilitates the transfer of
    personal data from the EU to a third country or international organisation, while
    ensuring that the data continues to benefit from a high level of protection. This
    continuity of protection is important, given that in today’s world data moves easily
    across borders and the protections guaranteed by the GDPR would be incomplete if
    they were limited to processing inside the EU.
    With Chapter V of the GDPR, the legislator confirmed the architecture of the transfer
    rules that already existed under Directive 95/46: data transfers may take place where
    the Commission has made an adequacy finding with respect to a third country or
    international organisation or, in the absence thereof, where the controller or processor
    in the EU (“data exporter”) has provided appropriate safeguards, for instance through
    a contract with the recipient (“data importer”). In addition, statutory grounds for
transfers (so-called derogations) remain available for specific situations for which the
    legislator has decided that the balance of interests allows a data transfer under certain
    conditions. At the same time, the reform has clarified and simplified the existing
    rules, for instance by stipulating in detail the conditions for an adequacy finding or
    binding corporate rules, by limiting authorisation requirements to very few, specific
    cases and completely abolishing notification requirements. Moreover, new transfer
    tools like codes of conduct or certification schemes have been introduced and the
    possibilities for using existing instruments (e.g. standard contractual clauses) have
    been expanded.
    Today’s digital economy allows foreign operators to (remotely but) directly
    participate in the EU internal market and to compete for European customers and their
    personal data. Where they specifically target Europeans through the offering of goods
    or services, or monitoring of their behaviour, they should comply with EU law in the
    same way as EU operators. This is reflected in Article 3 of the GDPR, which extends
    the direct applicability of EU data protection rules to certain processing operations of
    controllers and processors outside the EU. This guarantees the necessary safeguards,
    and moreover a level playing field for all companies operating in the EU market.
Its broad reach is one of the reasons why the effects of the GDPR have also been felt in other parts of the world. The detailed guidance issued by the Board on the GDPR territorial scope, following a comprehensive public consultation, is therefore important to help foreign operators determine whether and which processing activities are directly subject to its safeguards, including by providing concrete examples[109].

The extension of the scope of application of EU data protection law, however, in and of itself is not sufficient to guarantee its respect in practice. As also highlighted by the Council[110], it is crucial to ensure compliance by, and effective enforcement against, foreign operators. The appointment of a representative in the EU (Article 27(1), (2) of the GDPR), who can be addressed by individuals and supervisory authorities in addition to or instead of the responsible company acting from abroad[111] should play a key role in this regard. This approach, which is also increasingly taken in other contexts[112], should be pursued more vigorously to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibility under the GDPR. Where these operators fail to meet their obligation to appoint a representative[113], supervisory authorities should make use of the full enforcement toolbox in Article 58 of the GDPR (e.g. public warnings, temporary or definitive bans on processing in the EU, enforcement against joint controllers established in the EU). Finally, it is very important that the Board finalises its work on further clarifying the relationship between Article 3 on the direct application of the GDPR and the rules on international transfers in Chapter V[114].

[109] EDPB, Guidelines 2/2018 on the territorial scope of the GDPR, 12.11.2019. The Guidelines address several of the points raised during the public consultation, for instance the interpretation of the targeting and monitoring criteria.
[110] See Council position and findings, paras 34, 35 and 38.
[111] See Article 27(4) and Recital 80 GDPR (“The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”).
[112] Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (COM/2018/226 final), Article 3; Proposal for a Regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online (COM(2018) 640 final), Article 16(2), (3).
[113] According to one submission to the public consultation, one of the main points to address “is effective enforcement and real consequences for those who chose to ignore this requirement […] It should be borne in mind in particular that this also places businesses established in the Union at a competitive disadvantage to those noncompliant businesses established outside the Union trading into the Union.” See EU Business Partners, submission of 29 April 2020.
[114] Several submissions to the public consultation have raised this point, for instance as regards the transmission of personal data to recipients outside the EU but covered by the GDPR.

Adequacy decisions

The input received from stakeholders confirms that adequacy decisions continue to be an essential tool for EU operators to safely transfer personal data to third countries[115]. Such decisions provide the most comprehensive, straightforward and cost-effective solution for data transfers as these are assimilated to intra-EU transmissions, thus ensuring the safe and free flow of personal data without further conditions or need for authorisation. Adequacy decisions therefore open up commercial channels for EU operators and facilitate cooperation between public authorities, while providing privileged access to the EU single market. Building on the practice under the 1995 Directive, the GDPR explicitly allows for an adequacy determination to be made with respect to a particular territory of a third country or to a specific sector or industry within a third country (so-called ‘partial’ adequacy).

[115] Council position and findings, paragraph 17; Contribution from the Board, pp. 5-6. Several submissions to the public consultation, including from a number of business associations (like the French Association of Large Companies, Digital Europe, the Global Data Alliance/BSA, the Computer & Communication Industry Association (CCIA) or the US Chamber of Commerce) have called for stepping-up the work on adequacy findings, especially with important trading partners.
The GDPR builds upon the experience of the past years and the clarifications provided by the Court of Justice by setting out a detailed catalogue of elements that the Commission must take into account in its assessment. The adequacy standard requires a level of protection that is comparable (or ‘essentially equivalent’) to that ensured within the EU[116]. This involves a comprehensive assessment of the third country’s system as a whole, including the substance of privacy protections, their effective implementation and enforcement, as well as the rules on access to personal data by public authorities, in particular for law enforcement and national security purposes[117].

This is also reflected in the guidance adopted by the former Article 29 Working Party (and endorsed by the Board), in particular the so-called ‘adequacy referential’, which further clarifies the elements that the Commission must take into account when carrying out an adequacy assessment, including by providing an overview of ‘essential guarantees’ for access to personal data by public authorities[118]. The latter builds in particular on the case law of the European Court of Human Rights. While the standard of ‘essential equivalence’ does not involve a point-to-point replication (‘photocopy’) of EU rules, given that the means of ensuring a comparable level of protection may vary between different privacy systems, often reflecting different legal traditions, it nevertheless requires a strong level of protection.

This standard is justified by the fact that an adequacy decision essentially extends to a third country the benefits of the single market in terms of the free flow of data. However, it also means that sometimes there will be relevant differences between the level of protection ensured in the third country in question compared to the GDPR that need to be bridged, for instance through the negotiation of additional safeguards. Such safeguards should be viewed positively as they further strengthen the protections available to individuals in the EU. At the same time, the Commission agrees with the Board on the importance of continuously monitoring their application in practice, including effective enforcement by the third country data protection authority[119].

The GDPR clarifies that adequacy decisions are ‘living instruments’ that should be continuously monitored and periodically reviewed[120]. In line with these requirements, the Commission has regular exchanges with the relevant authorities to pro-actively follow up on new developments. For example, since the adoption of the decision on the EU-U.S. Privacy Shield in 2016[121], the Commission, together with representatives from the Board, carried out three annual reviews to evaluate all aspects of the functioning of the framework.[122] These reviews relied on information obtained through exchanges with the U.S. authorities as well as input from other stakeholders, such as EU data protection authorities, civil society and trade associations. They have made it possible to improve the practical functioning of various elements of the framework. In a wider perspective, the annual reviews contributed to establishing a broader dialogue with the U.S. administration on privacy in general, and the limitations and safeguards with respect to national security in particular.

As part of its first evaluation of the GDPR, the Commission is also required to review the adequacy decisions adopted under the 1995 Directive[123]. The Commission services have engaged in an intense dialogue with each of the 11 concerned countries and territories to assess how their personal data protection systems have evolved since the adequacy decision was adopted and whether they meet the standard set by the GDPR. The need to ensure the continuity of such decisions, as they are a key tool for trade and international cooperation, is one of the factors that has prompted several of these countries and territories to modernise and strengthen their privacy laws. These are certainly welcome developments. Additional safeguards are being discussed with some of these countries and territories to address relevant differences in protection. However, given that the Court of Justice in a judgment to be delivered on 16 July may provide clarifications that could be relevant for certain elements of the adequacy standard, the Commission will report separately on the evaluation of the mentioned 11 adequacy decisions after the Court of Justice has handed down its judgment in that case.[124]

[116] Judgment of the Court of Justice of the EU of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (‘Schrems’), points 73, 74 and 96. See also Recital 104 of the GDPR, which refers to the standard of essential equivalence.
[117] Article 45(2) and Recital 104 GDPR. See also Schrems, points 75, 91-91.
[118] Adequacy Referential, WP 254 rev. 01, 6 February 2018 (available at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108).
[119] Contribution from the Board, pp. 5-6.
[120] Article 45(4) and (5) GDPR require the Commission to monitor developments in third countries on an ongoing basis and to regularly – at least every four years – review an adequacy finding. They also give the Commission the power to repeal, amend or suspend an adequacy decision if it finds that the country or international organisation concerned no longer ensures an adequate level of protection. Article 97(2)(a) GDPR furthermore requires the Commission to submit an evaluation report to the European Parliament and the Council by 2020. See also the judgment of the Court of Justice of the EU of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner, point 76.
[121] Commission implementing decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield. This adequacy decision is a specific case that, in the absence of general data protection legislation in the U.S., relies on commitments made by participating companies (that are enforceable under U.S. law) to apply the data protection standards set out by this arrangement. Moreover, the Privacy Shield builds on the specific representations and assurances made by the U.S. government as regards access for national security purposes that underpin the adequacy finding.
[122] Reviews took place in 2017 (Report from the Commission to the European Parliament and the Council on the first annual review of the functioning of the EU-U.S. Privacy Shield, COM(2017) 611 final), 2018 (Report from the Commission to the European Parliament and the Council on the second annual review of the functioning of the EU-U.S. Privacy Shield, COM(2018) 860 final) and 2019 (Report from the Commission to the Parliament and the Council on the third annual review of the functioning of the EU-U.S. Privacy Shield, COM(2019) 495 final).
[123] These existing adequacy decisions concern countries that are closely integrated with the European Union and its Member States (Switzerland, Andorra, Faroe Islands, Guernsey, Jersey, Isle of Man), important trading partners (e.g. Argentina, Canada, Israel), and countries that played a pioneering role in developing data protection laws in their region (New Zealand, Uruguay).
[124] Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”), concerns a reference for a preliminary ruling on the so-called standard contractual clauses. However, certain elements of the adequacy standard may also be further clarified by the Court. The hearing in this case took place on 9 July 2019 and the judgment has been announced for 16 July 2020.

Implementing the strategy laid down in its 2017 Communication on “Exchanging and Protecting Personal Data in a Globalised World”, the Commission also engaged in new adequacy dialogues[125]. This work already yielded significant results involving key partners of the EU. In January 2019, the Commission adopted its adequacy decision for Japan, which is based on a high degree of convergence, including through specific safeguards such as in the area of onward transfers and through the creation of a mechanism to investigate and resolve individuals’ complaints concerning government access to personal data for law enforcement and national security purposes.

As the first adequacy finding adopted under the GDPR, the framework agreed with Japan provides a useful precedent for future decisions[126]. This includes the fact that it was reciprocated on the Japanese side with an “adequacy” finding for the EU. Together, these mutual adequacy findings create the largest area of safe and free personal data flows in the world, thereby complementing the EU-Japan Economic Partnership Agreement. In fact, the arrangement supports around EUR 124 billion of trade in goods and EUR 42.5 billion of trade in services every year.

The adequacy process is also at an advanced stage with South Korea. One important outcome thereof is South Korea’s recent legislative reform that led to the establishment of an independent data protection authority equipped with strong enforcement powers. This illustrates how an adequacy dialogue can contribute to increased convergence between the EU’s data protection rules and those of a foreign country.

The Commission fully agrees with the call from stakeholders to intensify the dialogue with selected third countries in view of possible new adequacy findings[127]. It is actively exploring this possibility with other important partners in Asia, Latin America and the Neighbourhood, building on the current trend towards upward global convergence in data protection standards. For example, comprehensive privacy legislation has been adopted or is at an advanced stage of the legislative process in Latin America (Brazil, Chile), and promising developments are taking place in Asia (e.g. India, Indonesia, Malaysia, Sri Lanka, Taiwan and Thailand), Africa (e.g. Ethiopia, Kenya) as well as in the European Eastern and Southern neighbourhood (e.g. Georgia, Tunisia). Where possible, the Commission will work towards achieving comprehensive adequacy decisions covering both the private and public sector[128].

[125] See supra fn 109. The Commission explained that the following criteria will be taken into account when assessing with which third countries a dialogue on adequacy should be pursued: (i) the extent of the EU's (actual or potential) commercial relations with the third country, including the existence of a free trade agreement or ongoing negotiations; (ii) the extent of personal data flows from the EU, reflecting geographical and/or cultural ties; (iii) the country’s pioneering role in the field of privacy and data protection that could serve as a model for other countries in its region; and (iv) the overall political relationship with the country, in particular as regards the promotion of common values and shared objectives at international level.
[126] European Parliament, Resolution of 13 December 2018 on the adequacy of the protection of personal data afforded by Japan (2018/2979(RSP)), point 27; Contribution from the Board, pp. 5-6.
[127] See e.g. European Parliament, Resolution of 12 December 2017 on ‘Towards a digital trade strategy’ (2017/2065(INI)), points 8, 9; Council position and findings on the application of the General Data Protection Regulation (GDPR), 19.12.2019 (14994/1/19), paragraph 17; Contribution from the Board, p. 5.
[128] As also requested by the Council, see Council position and findings on the application of the General Data Protection Regulation (GDPR), 19.12.2019 (14994/1/19), paragraphs 17 and 40. However, this requires that the conditions for an adequacy finding concerning data transfers to public authorities are met, including as regards independent oversight.

Moreover, the GDPR also introduced the possibility for the Commission to adopt adequacy findings for international organisations. At a time when some international organisations are modernising their data protection regimes by putting in place comprehensive rules, as well as mechanisms that provide independent oversight and redress, this avenue could be explored for the first time.

Adequacy also plays an important role in the context of the relationship with the United Kingdom following Brexit, provided that the applicable conditions are met. It constitutes an enabling factor for trade, including digital trade, and an essential prerequisite for a close and ambitious cooperation in the area of law enforcement and security[129]. Moreover, given the significance of data flows with the UK and its proximity to the EU market, a high degree of convergence between data protection rules on both sides of the Channel is an important element for ensuring a level playing field. In line with the Political Declaration on the Future Relationship between the EU and the UK, the Commission is currently carrying out an adequacy assessment under both the GDPR and the Law Enforcement Directive[130]. Considering the autonomous and unilateral nature of an adequacy assessment, these talks follow a separate track from the negotiations on an agreement on the future relationship between the EU and the UK.

Finally, the Commission welcomes that other countries are putting in place data transfer mechanisms similar to an adequacy finding. In doing so, they often recognise the EU and countries for which the Commission has adopted an adequacy decision, as safe destinations for transfers[131]. The growing number of countries benefitting from EU adequacy decisions, on the one hand, and this form of recognition by other countries, on the other hand, has the potential of creating a network of countries where data can flow freely and safely. The Commission considers this a welcome development that will further increase the benefits of an adequacy decision for third countries and contribute to global convergence. This type of synergies can also usefully contribute to the development of frameworks for the safe and free flow of data, such as in the context of the ‘data free flow with trust’ initiative (see below).

[129] See the negotiating directives annexed to the Council Decision authorising the opening of negotiations with the United Kingdom of Great Britain and Northern Ireland for a new partnership agreement (ST 5870/20 ADD 1 REV 3), paragraphs 13 and 118.
[130] See revised text of the political declaration setting out the framework for the future relationship between the European Union and the United Kingdom as agreed at negotiators’ level on 17 October 2019, paragraphs 8-10 (available at https://ec.europa.eu/commission/sites/beta-political/files/revised_political_declaration.pdf).
[131] For example, by Argentina, Colombia, Israel, Switzerland or Uruguay.

Appropriate safeguards

The GDPR provides for a number of other transfer instruments beyond the comprehensive solution of an adequacy finding. The flexibility of this “toolbox” is demonstrated by Article 46 GDPR, which regulates data transfers based on “appropriate safeguards”, including enforceable data subject rights and effective legal remedies. To guarantee appropriate safeguards, different instruments are available in order to cater to the transfer needs of both commercial operators and public bodies.

• Standard contractual clauses (SCCs)
The first group of these instruments concerns contractual tools, which can be either tailor-made, ad hoc data protection clauses agreed between an EU data exporter and a data importer outside the EU authorised by the competent data protection authority (Article 46(3)(a) GDPR) or model clauses pre-approved by the Commission (Article 46(2)(c), (d) GDPR[132]). The most important of these instruments are so-called standard contractual clauses (SCCs), i.e. model data protection clauses which the data exporter and the data importer can incorporate into their contractual arrangements (e.g. a service contract requiring the transfer of personal data) on a voluntary basis and that set out the requirements related to appropriate safeguards.

SCCs represent by far the most widely used data transfer mechanism[133]. Thousands of EU companies rely on SCCs in order to provide a wide range of services to their clients, suppliers, partners and employees, including services essential to the functioning of the economy. Their broad use indicates that they are very helpful to businesses in their compliance efforts and of particular benefit to companies that do not have the resources to negotiate individual contracts with each of their commercial partners. Through their standardisation and pre-approval, SCCs provide companies with an easy-to-implement tool to meet data protection requirements in a transfer context.

The existing sets of SCCs[134] were adopted and approved on the basis of the 1995 Directive. These SCCs remain in force until amended, replaced or repealed, if necessary, by a Commission decision (Article 46(5) of the GDPR). The GDPR expands the possibilities to use SCCs both within the EU and for international transfers. The Commission is working together with stakeholders to make use of these possibilities and to update existing clauses[135]. In order to ensure that the future design of SCCs is fit for purpose, the Commission has been collecting feedback on stakeholders’ experiences with SCCs, through the ‘Multi-stakeholder Group on the GDPR’ and a dedicated workshop held in September 2019, but also via multiple contacts with companies using SCCs as well as civil society organisations. The Board is also updating a number of guidelines that could be relevant for the review of SCCs, for instance on the concepts of controller and processor.

[132] Standard contractual clauses (SCCs) for international transfers always require Commission approval, but may be prepared either by the Commission itself or by a national DPA. All existing SCCs fall into the first category.
[133] According to the IAPP-EY Annual Privacy Governance Report 2019, “the most popular of these [transfer] tools – year over year – are overwhelmingly standard contractual contracts: 88% of respondents in this year’s survey reported SCCs as their top method for extraterritorial data transfers, followed by compliance with the EU-U.S. Privacy Shield arrangement (60%). For respondents transferring data from the EU to the U.K. (52%), 91% report they intend to use SCCs for data-transfer compliance after Brexit”.
[134] There are currently three sets of standard contractual clauses adopted by the Commission for the transfer of personal data to third countries: two for transfers from an EEA-controller to a non-EEA controller and one for transfers from an EEA-controller to a non-EEA-processor. They were amended in 2016, further to the judgment of the Court of Justice in the Schrems I case (C-362/14), to remove any restrictions on the competent supervisory authorities to exercise their powers to oversee data transfers. See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
[135] See also Contribution from the Board, pp. 6-7. Likewise, the Council has called on the Commission “to review and revise [the SCCs] in the near future to take into account the needs of controllers and processors”. See Council position and findings.
    Building on the feedback received, the Commission services are currently working on
    revising the SCCs. In that context, a number of areas for improvement have been
    identified, in particular with regard to the following aspects:
    1. Updating the SCCs in light of new requirements introduced by the GDPR, such
    as those concerning the controller-processor relationship under Article 28 GDPR
    (in particular the processor obligations), the transparency obligations of the data
    importer (in terms of the necessary information to be provided to the data
    subject), etc.
    2. Addressing a number of transfer scenarios that are not covered by the current
    SCCs, such as the transfer of data from an EU processor to a non-EU (sub)
    processor, but also for instance situations where the controller is located outside
    the EU136
    .
    3. Better reflecting the realities of processing operations in the modern digital
    economy, where such operations often involve multiple data importers and
    exporters, long and often complex processing chains, evolving business
    relationships, etc. In order to cater for such situations, solutions being explored
    include, for example, the possibility to enable the signing of SCCs by multiple
    parties or accession of new parties throughout the lifetime of the contract.
    In addressing these points, the Commission is also considering ways to make the
    current ‘architecture’ of the SCCs more user friendly, for example by replacing
    multiple sets of SCCs by a single comprehensive document. The challenge is to strike
    a good balance between the need for clarity and a certain degree of standardisation, on
    the one hand, and the necessary flexibility that will allow the clauses to be used by a
    number of operators with different requirements, in different contexts and for
    different types of transfers, on the other hand.
    Another important aspect to consider is the possible need, in light of current litigation
    before the Court of Justice137
    , to further clarify the safeguards as regards access by
    foreign public authorities to data transferred based on SCCs, in particular for national
    security purposes. This may include requiring the data importer or the data exporter,
    or both, to take action, and to clarify the role of data protection authorities in that
    context. Although the revision of the SCCs is well-advanced, it will be necessary to
    wait for the judgment of the Court to reflect any possible additional requirement in the
    revised clauses, before a draft decision on a new set of SCCs can be submitted to the
    136
    Several submissions to the public consultation have commented on this last scenario, often raising
    concerns that requiring EU processors to ensure appropriate safeguards in their relationship with
    non-EU controllers would place them at a competitive disadvantage vis-à-vis foreign processors
    offering similar services.
    137
    See Schrems II case.
    38
    Board for its opinion and then proposed for adoption through the “comitology
    procedure”138
    .
    In parallel, the Commission is in contact with international partners that are
    developing similar tools.139
    This dialogue, allowing for an exchange of experiences
    and best practices, could significantly contribute to further developing convergence
    ‘on the ground’, and in this way facilitate compliance with cross-border transfer rules
    for companies operating across different regions of the world.
     Binding corporate rules (BCRs)
    Another important instrument are the so-called binding corporate rules (BCRs). These
    are legally binding policies and arrangements that apply to the members of a
    corporate group, including their employees (Articles, 46(2)(b), 47 of the GDPR). The
    use of BCRs allows personal data to move freely among the various group members
    worldwide – dispensing with the need to have contractual arrangements between each
    and every corporate entity – while ensuring that the same high level of protection of
    personal data is complied with throughout the group. They offer a particularly good
    solution for complex and large corporate groups and for close cooperation of
    enterprises exchanging data across multiple jurisdictions. Unlike for the 1995
    Directive, under the GDPR BCRs can be used by a group of enterprises engaged in a
    joint economic activity but not forming part of the same corporate group.
Procedurally, BCRs have to be approved by the competent data protection authorities, based on a non-binding opinion by the Board.[140] To guide this process, the Board has reviewed the BCR ‘referentials’ (setting out substantive standards) for controllers[141] and processors[142] in light of the GDPR, and continues to update these documents on the basis of the practical experience gained by supervisory authorities. It has also adopted various guidance documents to help applicants, and streamline the application and approval process for BCRs.[143] According to the Board, more than 40 BCRs are currently in the pipeline for approval, half of which are expected to be approved by the end of 2020.[144] It is important that data protection authorities continue working on further streamlining the approval process, as the length of such procedures is often mentioned by stakeholders as a practical obstacle to the broader use of BCRs.
[138] In accordance with Article 46(2)(c) GDPR, standard contractual clauses have to be adopted through the examination procedure laid down under Article 5 of Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers - OJ L 55, 28.2.2011, p. 13–18. This involves in particular a positive decision from a committee composed of representatives of the Member States.
[139] This includes, for instance, the work currently being carried out by the ASEAN Member States to develop ‘ASEAN model contractual clauses’. See ASEAN, Key Approaches for ASEAN Cross Border Data Flows Mechanism (available at: https://asean.org/storage/2012/05/Key-Approaches-for-ASEAN-Cross-Border-Data-Flows-Mechanism.pdf).
[140] For an overview of the EDPB opinions rendered so far, see https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
[141] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109.
[142] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110.
[143] These documents were adopted (by the former Article 29 Working Party) following the entry into force of the GDPR, but before the end of the transition period. See WP263 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623056); WP264 (https://edpb.europa.eu/sites/edpb/files/files/file2/wp264_art29_wp_bcr-c_application_form.pdf); WP265 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623848).
[144] Contribution from the Board, p. 7.
Finally, specifically regarding BCRs approved by the UK data protection authority –
the Information Commissioner’s Office – companies will be able to continue to use
    them as a valid transfer mechanism under the GDPR after the end of the transition
    period under the EU-UK Withdrawal Agreement, but only if they are amended so that
    any connection to the UK legal order is replaced with appropriate references to
    corporate entities and competent authorities within the EU. The approval of any new
    BCRs should be sought from one of the supervisory authorities in the EU.
Certification mechanisms and codes of conduct
    In addition to modernising and broadening the application of the already existing
    transfer tools, the GDPR has also introduced new instruments, thereby expanding the
    possibilities for international transfers. This includes the use, under certain conditions,
    of approved codes of conduct and certification mechanisms (such as privacy seals or
    marks) for ensuring appropriate safeguards. These are bottom-up tools that allow for
    tailor-made solutions – as a general accountability mechanism (see Articles 40 to 42
    of the GDPR) and, specifically, for international data transfers – reflecting, for
    instance, the specific features and needs of a given sector or industry, or of particular
    data flows. By calibrating the obligations with the risks, Codes of Conduct can also be
    a very useful and cost-effective way for small and medium-sized businesses to meet
    their GDPR obligations.
    As regards certification mechanisms, although the Board adopted guidelines to foster
    their use within the EU, its work on developing criteria to approve certification
    mechanisms as international transfer tools is still ongoing. The same is true for codes
    of conduct, regarding which the Board is currently working on guidelines for using
    them as a tool for transfers.
    Given the importance of providing operators with a broad range of transfer
    instruments that are adapted to their needs, and the potential that in particular
    certification mechanisms hold for facilitating data transfers while ensuring a high
    level of data protection, the Commission urges the Board to finalise as soon as
    possible its guidance in this regard. This concerns both substantive (criteria) and
    procedural aspects (approval, monitoring, etc.). Stakeholders have expressed a lot of
    interest in these transfer mechanisms and should be able to make full use of the
    GDPR’s toolkit. The Board’s guidelines would also contribute to promoting the EU
    model for data protection globally and foster convergence as other privacy systems
    are using similar instruments.
Valuable lessons can be drawn from existing standardisation efforts in the area of privacy, both at European and international level. One interesting example is the recently released international standard ISO 27701,[145] which aims to help businesses meet privacy requirements and manage risks related to the processing of personal data through ‘privacy information management systems’. Although certification under the standard as such does not fulfil the requirements of Articles 42 and 43 of the GDPR, applying Privacy Information Management Systems can contribute to accountability, including in the context of international data transfers.
[145] The list of specific requirements making up this ISO standard is available at: https://www.iso.org/standard/71670.html.
International agreements and administrative arrangements
    The GDPR also makes it possible to ensure appropriate safeguards for data transfers
    between public authorities or bodies on the basis of international agreements (Article
    46(2)(a)) or administrative arrangements (Article 46(3)(b)). While both instruments
    have to guarantee the same outcome in terms of safeguards, including enforceable
    data subject rights and effective legal remedies, they differ as to their legal nature and
    adoption procedure.
Unlike international agreements, which create binding obligations under international law, administrative arrangements (e.g. in the form of a Memorandum of Understanding) are typically non-binding and therefore require prior authorisation by the competent data protection authority (see also Recital 108 of the GDPR). One early example concerns the administrative arrangement for the transfer of personal data between EEA and non-EEA financial supervisors cooperating under the umbrella of the International Organization of Securities Commissions (IOSCO), on which the Board gave its Opinion[146] in early 2019. Since then, the Board has further developed its interpretation of the ‘minimum safeguards’ that international (cooperation) agreements and administrative arrangements between public authorities or bodies (including international organisations) need to ensure to comply with the requirements of Article 46 GDPR. On 18 January 2020 it adopted draft guidelines,[147] thereby addressing the Member States’ request for further clarification and guidance as to what may be considered appropriate safeguards for transfers between public authorities.[148] The Board strongly recommends that public authorities use these guidelines as a reference point for their negotiations with third parties.[149]
The guidelines demonstrate the flexibility in the design of such instruments, including on important aspects such as oversight[150] and redress.[151] This should allow public authorities to overcome the difficulties in, for instance, ensuring enforceable data subject rights through non-binding arrangements. An important element of such arrangements is their continuous monitoring by the competent data protection authority – supported by information and record-keeping requirements – and the suspension of data flows if appropriate safeguards can no longer be ensured in practice.
Derogations
Finally, the GDPR clarifies the use of so-called ‘derogations’. These are specific grounds for data transfers (e.g. explicit consent,[152] performance of a contract or important reasons of public interest) recognised in law, and on which entities can rely in the absence of other transfer tools and under certain conditions.
To clarify the use of such statutory grounds, the Board has issued specific guidance[153] and has interpreted Article 49 in a number of cases with respect to specific transfer scenarios.[154] Due to their exceptional character, the Board considers that derogations have to be interpreted restrictively, on a case-by-case basis. Despite their strict interpretation, these grounds cover a broad range of transfer scenarios. This includes in particular data transfers by both public authorities and private entities necessary for ‘important reasons of public interest’, for example between competition, financial, tax or customs authorities, services competent for social security matters or for public health (such as in the case of contact tracing for contagious diseases or in order to eliminate doping in sport).[155] Another area is that of cross-border cooperation for criminal law enforcement purposes, in particular as regards serious crime.[156]
The Board has clarified that, although the relevant public interest must be recognised in EU or Member State law, this can also be established on the basis of “an international agreement or convention which recognises a certain objective and provides for international cooperation to foster that objective can be an indicator when assessing the existence of a public interest pursuant to Article 49(1)(d), as long as the EU or the Member States are a party to that agreement or convention”.[157]
Decisions by foreign courts or authorities: not a ground for transfers
In addition to positively setting out the grounds for data transfers, Chapter V of the GDPR also clarifies, in its Article 48, that orders from courts and decisions of administrative authorities outside of the EU in themselves do not provide such grounds, unless they are recognised or made enforceable based on an international agreement (e.g. a Mutual Legal Assistance Treaty). Any disclosure by the requested entity in the EU to the foreign court or authority in response to such an order or decision constitutes an international data transfer that needs to be based on one of the mentioned transfer instruments.[158]
The GDPR does not constitute a “blocking statute” and will, under certain conditions, permit a transfer in response to an appropriate law enforcement request from a third country. The important point is that it is EU law that should determine whether this is the case and on the basis of which safeguards such transfers can take place.
The Commission explained the functioning of Article 48 GDPR, including the possible reliance on the public interest derogation, in the context of a production order (warrant) by a foreign criminal law enforcement authority in the Microsoft case before the U.S. Supreme Court.[159] In its submission, the Commission stressed the EU’s interest in ensuring that law enforcement cooperation takes place “within a legal framework that avoids conflicts of law, and is based on […] respect for each others’ fundamental interests in both privacy and law enforcement”.[160] In particular, “from the perspective of public international law, when a public authority requires a company established in its own jurisdiction to produce electronic data stored on a server in a foreign jurisdiction, the principles of territoriality and comity under public international law are engaged”.[161]
This is also reflected in the Commission’s proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters,[162] which contains a specific ‘comity clause’ that makes it possible to raise an objection against a production order if compliance would conflict with the laws of a third country prohibiting disclosure in particular on the ground that this is necessary to protect the fundamental rights of the individuals concerned.[163]
Ensuring comity is important, given that law enforcement – like crime and in particular cybercrime – is increasingly cross-border and thus often raises jurisdictional questions and creates potential conflicts of law.[164] Not surprisingly, the best way of addressing these issues is through international agreements that provide for the necessary limitations and safeguards for cross-border access to personal data, including by ensuring a high level of data protection on the side of the requesting authority.
The Commission, acting on behalf of the EU, is currently engaged in multilateral negotiations for a Second Additional Protocol to the Council of Europe Cybercrime (‘Budapest’) Convention, which aims to enhance existing rules to obtain cross-border access to electronic evidence in criminal investigations while ensuring appropriate data protection safeguards as part of the Protocol.[165] Similarly, bilateral negotiations have started on an agreement between the EU and the United States on cross-border access to electronic evidence for judicial cooperation in criminal matters.[166] The Commission counts on the support of the European Parliament and the Council, and the guidance of the EDPB, throughout these negotiations.
[146] EDPB, Opinion 4/2019 on the draft Administrative Arrangement for the transfer of personal data between European Economic Area (EEA) Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities, 12.2.2019.
[147] EDPB, Guidelines 2/2020 on articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (draft available at: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-22020-articles-46-2-and-46-3-b_en). According to the EDPB, “[t]he competent [supervisory authority] will base its examination on the general recommendations set out in these guidelines, but might also ask for more guarantees depending on the specific case.” The EDPB submitted these draft guidelines to a public consultation that ended on 18 May 2020.
[148] Council position and findings, paragraph 20.
[149] At the same time, the EDPB clarifies that public authorities remain “free to rely on other relevant tools providing for appropriate safeguards in accordance with Article 46 GDPR.” Regarding the choice of instrument, the EDPB underlines that “[i]t should be carefully assessed whether or not to make use of non-legally binding administrative arrangements to provide safeguards in the public sector, in view of the purpose of the processing and the nature of the data at hand. If data protection rights and redress for EEA individuals are not provided for in the domestic law of the third country, preference should be given to concluding a legally binding agreement. Irrespective of the type of instrument adopted, the measures in place have to be effective to ensure the appropriate implementation, enforcement and supervision” (paragraph 67).
[150] This may include, for instance, combining internal checks (with a commitment to inform the other party of any instance of non-compliance) with independent oversight through external or at least through functionally autonomous mechanisms, as well as the possibility for the transferring public body to suspend or terminate the transfer.
[151] This may include, for instance, quasi-judicial, binding mechanisms (e.g. arbitration) or alternative dispute resolution mechanisms, combined with the possibility for the transferring public authority to suspend or terminate the transfer of personal data if the parties do not succeed in resolving a dispute amicably, plus a commitment from the receiving public body to return or delete the personal data. When opting for alternative redress mechanisms in binding and enforceable instruments because there is no possibility to ensure effective judicial redress, the EDPB recommends seeking the advice of the competent supervisory authority before concluding these instruments.
[152] This is a change from Directive 95/46 which merely required ‘unambiguous’ consent. In addition, the general requirements for consent pursuant to Article 4(11) GDPR apply.
[153] EDPB, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, 25.5.2018 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf).
[154] This includes, for instance, international transfers of health data for research purposes in the context of the COVID-19 outbreak. See EDPB, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, 21.4.2020 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf).
[155] See Recital 112.
[156] See Brief of the European Commission on behalf of the European Union as Amicus Curiae in Support of Neither Party in the Case US v. Microsoft, p. 15: “In general, Union as well as Member State law recognize the importance of the fight against serious crime—and thus criminal law enforcement and international cooperation in that respect—as an objective of general interest. […] Article 83 of the TFEU identifies several areas of crime that are particularly serious and have cross-border dimensions, such as illicit drug trafficking.” (available at: https://www.supremecourt.gov/DocketPDF/17/17-2/23655/20171213123137791_17-2%20ac%20European%20Commission%20for%20filing.pdf).
[157] EDPB, Derogation Guidelines (supra fn. 153), p. 10. The EDPB further clarified that, while data transfers based on the public interest derogation must not be “large scale” or “systematic”, but “need to be restricted to specific situations and […] meet the strict necessity test”, there is no requirement for them to be “occasional”.
[158] This is made clear by the wording of Article 48 GDPR (“without prejudice to other grounds for transfer pursuant to this Chapter”) and the accompanying Recital 115 (“[t]ransfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject”). It is also recognised by the EDPB, see Derogation Guidelines (supra fn. 153), p. 5. As for all processing operations, the other safeguards under the Regulation must also be complied with (e.g. that data is transferred for a specific purpose, is relevant, limited to what is necessary for the purpose of the request, etc.).
[159] Microsoft submission (supra fn. 156). As the Commission explained, the GDPR thus makes MLATs the “preferred option” for transfers as such treaties “provide for collection of evidence by consent, and embody a carefully negotiated balance between the interests of different states that is designed to mitigate jurisdictional conflicts that can otherwise arise.” See also EDPB, Derogation Guidelines (supra fn. 153), p. 5 (“In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement”).
[160] Microsoft submission (supra fn. 156), p. 4.
[161] Microsoft submission (supra fn. 156), p. 6.
[162] European Commission, Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, 17.4.2018 (COM(2018) 225 final). The Council adopted its general approach on the proposed Regulation on 7.12.2018 (available at: https://www.consilium.europa.eu/en/press/press-releases/2018/12/07/regulation-on-cross-border-access-to-eevidence-council-agrees-its-position/#). See also EDPS, Opinion 7/19 on proposals regarding European Production and Preservation Orders for electronic evidence in criminal matters (available at: https://edps.europa.eu/data-protection/ourwork/publications/opinions/electronic-evidence-criminal-matters_en).
[163] The Explanatory Memorandum, p. 21, makes clear that, in addition to ensuring comity with respect to the sovereign interests of third countries, protecting the individual concerned and avoiding conflicts of law for service providers, one important motivation for the comity clause is reciprocity, i.e. to ensure respect for EU rules, including on the protection of personal data (Article 48 GDPR). See also Statement of the Article 29 Working Party of 29 November 2017, Data protection and privacy aspects of cross-border access to electronic evidence (WP29 Statement) (available at: file:///C:/Users/ralfs/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/TempState/Downloads/20171207_e-Evidence_Statement_FINALpdf%20(1).pdf), p. 9.
[164] See WP29 Statement (supra fn. 163), p. 6.
[165] See Recommendation for a Council Decision authorising the participation in negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No. 185), 5.2.2019 (COM(2019) 71 final). See also EDPS, Opinion 3/2019 regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention, 2.4.2019 (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_budapest_convention_en.pdf); EDPB, Contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), 13.11.2019 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpbcontributionbudapestconvention_en.pdf).
More generally, it is important to ensure that when companies active in the European market are called on the basis of a legitimate request to share data for law enforcement purposes, they can do so without facing conflicts of law and in full respect of EU fundamental rights. To improve such transfers, the Commission is committed to developing appropriate legal frameworks with its international partners to avoid conflicts of law and support effective forms of cooperation, notably by providing for the necessary data protection safeguards, and thereby contribute to a more effective fight against crime.
7.3 International cooperation in the area of data protection
Fostering convergence between different privacy systems also means learning from each other, through the exchange of knowledge, experience and best practices. Such exchanges are essential to address new challenges that are increasingly global in nature and scope. This is why the Commission has intensified its dialogue on data protection and data flows with a broad range of actors and in different fora, at bilateral, regional and multilateral level.
The bilateral dimension
Following the adoption of the GDPR, there has been an increasing interest in the EU’s experience in the design, negotiation and implementation of modern privacy rules. Dialogue with countries going through similar processes has taken several forms.
The Commission services have made submissions to a number of public consultations organised by foreign governments considering legislation in the area of privacy, for example by the US,[167] India,[168] Malaysia and Ethiopia. In some third countries, the Commission’s services had the privilege to testify before the competent parliamentary bodies, for example in Brazil,[169] Chile,[170] Ecuador, and Tunisia.[171]
Moreover, within the context of ongoing reforms of data protection laws, dedicated meetings took place with government representatives or parliamentary delegations from many regions of the world (e.g. Georgia, Kenya, Taiwan, Thailand, Morocco). This included the organisation of seminars and study visits, for example with representatives of the Indonesian government and a delegation of staffers from the US Congress. This provided opportunities to clarify important concepts of the GDPR, improve mutual understanding of privacy matters and illustrate the benefits of convergence for ensuring a high level of protection of individual rights, trade and cooperation. In some cases, it also allowed cautioning against certain misconceptions of data protection that can lead to the introduction of protectionist measures such as forced localisation requirements.
Since the adoption of the GDPR, the Commission has also engaged with several international organisations, including in light of the importance of data exchanges with those organisations in a number of policy areas. In particular, a specific dialogue has been established with the United Nations, with a view to facilitating discussions with all involved stakeholders to ensure smooth data transfers and develop further convergence between the respective data protection regimes. As part of this dialogue, the Commission will work closely with the EDPB to further clarify how EU public and private operators can comply with their GDPR obligations when exchanging data with international organisations such as the UN.
The Commission stands ready to continue sharing the lessons learned from its reform process with interested countries and international organisations, in the same way it learned from other systems when developing its proposal for new EU data protection rules. This type of dialogue is mutually beneficial for the EU and its partners as it allows them to obtain a better understanding of the fast-evolving privacy landscape and to exchange views on emerging legal and technological solutions.
It is in this spirit that the Commission is setting up a “Data Protection Academy” to foster exchanges between European and third country regulators and, in this way, improve cooperation ‘on the ground’.
In addition, there is a need to develop appropriate legal instruments for closer forms of cooperation and mutual assistance, including by allowing the necessary exchange of information in the context of investigations. The Commission will therefore make use of the powers granted in this area by Article 50 of the GDPR and, in particular, seek authorisation to open negotiations for the conclusion of enforcement cooperation agreements with relevant third countries. In this context, it will also take into account the Board’s views as to which countries should be prioritised in light of the volume of data transfers, the role and powers of the privacy enforcer in the third country and the need for enforcement cooperation to address cases of common interest.
[166] See Recommendation for a Council Decision authorising the opening of negotiations in view of an agreement between the EU and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, 5.2.2019 (COM(2019) 70 final). See also EDPS, Opinion 2/2019 on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_on_eu_us_agreement_on_e-evidence_en.pdf).
[167] See DG Justice and Consumers submission of 9 November 2018 in response to a request for public comments on a proposed approach to consumer privacy [Docket No. 180821780-8780-01] by the US National Telecommunications and Information Administration (available at: https://ec.europa.eu/info/sites/info/files/european_commission_submission_on_a_proposed_approach_to_consumer_privacy.pdf).
[168] See DG Justice and Consumers submission of 19 November 2018 on the draft Personal Data Protection Bill of India 2018 to the Ministry of Electronics and Information Technology (available at: https://eeas.europa.eu/delegations/india/53963/submission-draft-personal-data-protection-bill-india-2018-directorate-general-justice_en).
[169] See plenary meeting of 17 April 2018 of the Brazilian Senate (https://www25.senado.leg.br/web/atividade/sessao-plenaria/-/pauta/23384), meeting of 10 April 2019 of the Joint Committee on MP 869/2018 of the Brazilian Congress (https://www12.senado.leg.br/ecidadania/visualizacaoaudiencia?id=15392), and meeting of 26 November 2019 of the Special Committee of the Brazilian Chamber of Deputies (https://www.camara.leg.br/noticias/616579-comissao-discutira-protecao-de-dados-no-ambito-das-constituicoes-de-outros-paises/).
[170] See meetings of 29 May 2018 (https://senado.cl/appsenado/index.php?mo=comisiones&ac=asistencia_sesion&idcomision=186&idsesion=12513&idpunto=15909&sesion=29/05/2018&listado=1) and 24 April 2019 (https://www.senado.cl/appsenado/index.php?mo=comisiones&ac=sesiones_celebradas&idcomision=186&tipo=3&legi=485&ano=2019&desde=0&hasta=0&idsesion=13603&idpunto=17283&listado=2) of the Constitutional, Legislative and Justice Affairs Committee of the Chilean Senate.
[171] See meeting of 2 November 2018 of the Rights, Freedoms and External Relations Committee of the Tunisian Assembly of the Representatives of the People (https://www.facebook.com/1515094915436499/posts/2264094487203201/).
    The multilateral dimension
    Beyond bilateral exchanges, the Commission is also actively participating in a number
    of multilateral fora to promote shared values and build convergence at regional and
    global level.
The increasingly universal membership of the Council of Europe’s ‘Convention 108’, the only legally binding multilateral instrument in the area of personal data protection, is a clear sign of this trend towards (upward) convergence.[172] The Convention, which is also open to non-members of the Council of Europe, has already been ratified by 55 countries, including a number of African and Latin American States.[173] The Commission significantly contributed to the successful outcome of the negotiations on the modernisation of the Convention,[174] and ensured that it reflected the same principles as those enshrined in the EU data protection rules. Most EU Member States have now signed the Amending Protocol, although the signatures of Denmark, Malta and Romania are still outstanding. Only four Member States (Bulgaria, Croatia, Lithuania and Poland) have so far ratified the Amending Protocol. The Commission urges the three remaining Member States to sign the modernised Convention, and all Member States to swiftly proceed to ratification, to allow for its entry into force in the near future.[175] Beyond that, it will continue to proactively encourage accession by third countries.
Data flows and protection have recently also been addressed within the G20 and G7. In 2019, global leaders for the first time endorsed the idea that data protection contributes to trust in the digital economy and facilitates data flows. With the Commission’s active support,[176] leaders endorsed the concept of “data free flow with trust” (DFFT) originally proposed by Japan in the G20 Osaka Declaration[177] as well as at the G7 summit in Biarritz.[178] This approach is also reflected in the Commission’s 2020 Communication on “A European strategy for data”,[179] which highlights its intention to continue promoting data sharing with trusted partners while fighting against abuses such as disproportionate access of (foreign) public authorities to data. In doing so, the EU will also be able to rely on a number of tools in different policy areas that increasingly take into account the impact on privacy: for example the first-ever EU framework for the screening of foreign investment, which will become fully applicable in October 2020, gives the EU and its Member States the possibility to screen investment transactions that have effects on “access to sensitive information, including personal data, or the ability to control such information” if they affect security or public order.[180]

[172] Importantly, the modernised Convention is not just a treaty setting out strong data protection safeguards, but also creates a network of supervisory authorities with tools for enforcement cooperation and, with the Convention Committee, a forum for discussions, exchange of best practices and development of international standards.
[173] See full list of members: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures. Countries from Africa include Cabo Verde, Mauritius, Morocco, Senegal and Tunisia, from Latin America Argentina, Mexico and Uruguay. Burkina Faso has been invited to join the Convention.
[174] See the text of the modernised Convention: https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf.
[175] According to its Decision on the Amending Protocol of 18 May 2018, the Committee of Ministers “urged member States and other Parties to the Convention to take without delay the necessary measures to allow the entry into force of the Protocol within three years from its opening for signature and to initiate immediately, but in any case no later than one year after the date on which the Protocol has been opened for signature, the process under their national law leading to ratification...” It also “instructed its Deputies to examine bi-annually, and for the first time one year after the date of opening for signature of the Protocol, the overall progress made towards ratification on the basis of the information to be provided to the Secretary General by each of the member States and other Parties to the Convention at the latest one month ahead of such an examination.” See https://search.coe.int/cm/pages/result_details.aspx?objectid=09000016808a3c9f.
The Commission is working with like-minded countries in several other multilateral fora to actively promote its values and standards. One important forum is the OECD’s recently created Working Party on Data Governance and Privacy (DGP), which is pursuing a number of important initiatives related to data protection, data sharing, and data transfers. This includes the evaluation of the 2013 OECD Privacy Guidelines. Moreover, the Commission actively contributed to the OECD Council Recommendation on Artificial Intelligence[181] and ensured that the EU human-centric approach, meaning that AI applications must comply with fundamental rights and in particular data protection, was reflected in the final text. Importantly, the AI Recommendation – which has subsequently been incorporated into the G20 AI Principles annexed to the G20 Osaka Leaders’ Declaration[182] – stipulates the principles of transparency and explainability with a view “to enable those adversely affected by an AI system to challenge its outcome based on plain and easy-to-understand information on the factors and the logic that served as the basis for the prediction, recommendation or decision”, thereby closely mirroring the principles of the GDPR as regards automated decision-making.[183]

[176] In the margin of the April 2019 EU-Japan Summit, President Juncker expressed support for Japan’s ‘data free flow with trust’ initiative and the launching of the ‘Osaka Track’ and committed the Commission to “play an active role in both initiatives”.
[177] See text of the G20 Osaka Leaders’ Declaration: https://www.consilium.europa.eu/media/40124/final_g20_osaka_leaders_declaration.pdf
[178] See text of the G7 Biarritz Strategy for an open, free and secure digital transformation: https://www.elysee.fr/admin/upload/default/0001/05/62a9221e66987d4e0d6ffcb058f3d2c649fc6d9d.pdf
[179] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European strategy for data, 19.2.2020 (COM(2020) 66 final) (https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf), pp. 23-24.
[180] Art. 4(1)(d) Regulation (EU) 2019/452 of the European Parliament and of the Council of 19.03.2019 establishing a framework for the screening of foreign direct investment into the Union (OJ L 79I, 21.03.2019).
[181] https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449
[182] G20 Ministerial Statement on Trade and Digital Economy: https://g20trade-digital.go.jp/dl/Ministerial_Statement_on_Trade_and_Digital_Economy.pdf
[183] See Articles 13(2)(f), 14(2)(g), 22 GDPR.
The Commission is also stepping up its dialogue with regional organisations and networks that are increasingly playing a central role in shaping common data protection standards,[184] promoting the exchange of best practices, and fostering cooperation between enforcers. This concerns, in particular, the Association of Southeast Asian Nations (ASEAN) – including in the context of its ongoing work on data transfer tools –, the African Union, the Asia Pacific Privacy Authorities (APPA) forum and the Ibero-American Data Protection Network, all of which launched important initiatives in this area and provide fora for fruitful dialogue between privacy regulators and other stakeholders.
Africa is a telling example of the complementarity between the national, regional and global dimensions of privacy. Digital technologies are quickly and deeply transforming the African continent. This has the potential to accelerate the achievement of the Sustainable Development Goals by boosting economic growth, alleviating poverty and improving people’s lives. Having in place a modern data protection framework attracting investment and fostering the development of competitive business while contributing to the respect for human rights, democracy and the rule of law is a key element of this transformation. The harmonisation of data protection rules across Africa would enable digital market integration, while convergence with global standards would facilitate data exchanges with the EU. These different dimensions of data protection are interlinked and mutually reinforcing.
There is now a growing interest in data protection in many African countries, and the number of African countries that have adopted or are in the process of adopting modern data protection rules, have ratified Convention 108[185] or the Malabo Convention[186] continues to increase.[187] At the same time, the regulatory framework remains highly uneven and fragmented across the African continent. Many countries still offer few or no data protection safeguards. Measures restricting data flows are still widespread and hamper the development of a regional digital economy.
To harness the mutual benefits of convergent data protection rules, the Commission will engage with its African partners both bilaterally and in regional fora.[188] This builds on the work of the EU-AU Digital Economy Task Force within the context of the New Africa-Europe Digital Economy Partnership.[189] It is also in furtherance of such objectives that the scope of the Commission’s partnership instrument ‘Enhanced Data Protection and Data Flows’ has been extended to include Africa. The project will be mobilised to support African countries that intend to develop modern data protection frameworks or that wish to strengthen the capacity of their regulatory authorities, through training, knowledge sharing and exchange of best practices.

[184] See, for instance, the African Union Convention on Cyber Security and Personal Data Protection (‘Malabo Convention’) and the Standards for Data Protection for the Ibero-American States developed by the Ibero-American Data Protection Network.
[185] Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=DW5jevqD
[186] African Union Convention on Cyber Security and Personal Data Protection https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection. In addition, several of the Regional Economic Communities (RECs) have developed data protection rules, for instance, the Economic Community of West African States (ECOWAS) and the Southern African Development Community (SADC). See, respectively, http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf and http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/docs/SA4docs/data%20protection.pdf.
[188] Inter alia, through the Policy and Regulation Initiative for Digital Africa (PRIDA), see information at: https://www.africa-eu-partnership.org/en/projects/policy-and-regulation-initiative-digital-africa-prida.
Finally, while promoting convergence of data protection standards at international level, as a way to facilitate data flows and thus trade, the Commission is also determined to tackle digital protectionism, as recently highlighted in the Data Strategy.[190] To that end, it has developed specific provisions on data flows and data protection in trade agreements which it systematically tables in its bilateral – most recently with Australia, New Zealand, and the UK – and multilateral negotiations such as the current WTO e-commerce talks. These horizontal provisions rule out unjustified restrictions, such as forced data localisation requirements, while preserving the regulatory autonomy of the parties to protect the fundamental right to data protection.
Whereas dialogues on data protection and trade negotiations must follow separate tracks, they can complement each other. In fact, convergence, based on high standards and backed up by effective enforcement, provides the strongest foundation for the exchange of personal data, something that is increasingly recognised by our international partners. Given that companies more and more operate across borders and prefer to apply similar sets of rules in all their business operations worldwide, such convergence helps create an environment conducive to direct investment, facilitating trade and improving trust between commercial partners. Synergies between trade and data protection instruments should thus be further explored to ensure free and safe international data flows that are essential for the business operations, competitiveness and growth of European companies, including SMEs, in our increasingly digitalised economy.

[189] See Joint Communication of the European Commission and the High Representative for Foreign Affairs and Security Policy ‘Towards a comprehensive strategy for Africa’ (available at: https://ec.europa.eu/international-partnerships/system/files/communication-eu-africa-strategy-join-2020-4-final_en.pdf); Digital Economy Task Force, New Africa-Europe Digital Economy Partnership: Accelerating the Achievement of the Sustainable Development Goals (available at: https://www.africa-eu-partnership.org/sites/default/files/documents/finaldetfreportpdf.pdf).
[190] https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 23.
ANNEX I – Clauses for facultative specifications by national legislation

| Subject | Scope | GDPR articles |
|---|---|---|
| Specifications for legal obligations and public task | Adapting the application of provisions with regard to the processing for compliance with a legal obligation or a public task, including for specific processing situations under Chapter IX | Article 6(2) and 6(3) |
| Age limit for consent in relation to information society services | Determination of the minimum age between 13 and 16 years | Article 8(1) |
| Processing of special categories of data | Maintaining or introducing further conditions, including limitations, for the processing of genetic data, biometric data or data concerning health | Article 9(4) |
| Derogation from information requirements | Obtaining or disclosure expressly laid down by law or for professional secrecy regulated by law | Article 14(5)(c) and (d) |
| Automated individual decision-making | Authorisation for automated decision-making in derogation from the general prohibition | Article 22(2)(b) |
| Restrictions of data subject rights | Restrictions from Articles 12 to 22, Article 34 and corresponding provisions in Article 5, when necessary and proportionate to safeguard exhaustively listed important objectives | Article 23(1) |
| Consultation and authorisation requirement | Requirement for controllers to consult or obtain authorisation from the data protection authority for processing for a task in the public interest | Article 36(5) |
| Designation of a data protection officer in additional cases | Designation of a data protection officer in cases other than the ones in paragraph 1 of Article 37 | Article 37(4) |
| Limitations of transfers | Limitation of transfers of specific categories of personal data | Article 49(5) |
| Complaints and court actions of organisations in their own right | Authorisation of privacy organisations to lodge complaints and court actions independently from a mandate by data subjects | Article 80(2) |
| Access to official documents | Reconciliation of public access to official documents with the right to the protection of personal data | Article 86 |
| Processing of the national identification number | Specific conditions for the processing of the national identification number | Article 87 |
| Processing in the employment context | More specific rules for processing employees’ personal data | Article 88 |
| Derogations for processing for archiving in the public interest, research or statistical purposes | Derogations from specified data subject rights in so far as such rights are likely to render impossible or seriously impair the achievement of specific purposes | Article 89(2) and (3) |
| Reconciliation of data protection with obligations of secrecy | Specific rules on investigative powers of data protection authorities in relation to controllers or processors subject to obligations of professional secrecy | Article 90 |
ANNEX II – Overview of the resources of data protection authorities
The table below presents an overview of the resources (staff and budget) of data protection authorities per EU/EEA Member State.[191]
When comparing the figures between Member States, it is important to bear in mind that authorities may have tasks assigned to them beyond those under the GDPR, and that these may vary between Member States. The ratio of staff employed by the authorities to one million inhabitants and the ratio of the budget of the authorities to one million euro of GDP are only included to provide additional elements of comparison among Member States of similar size and should not be looked at in isolation. The absolute figures, ratios and evolution over the past years should be considered together when assessing the resources of a given authority.

Staff figures are full-time equivalents (FTE); budget figures are in EUR. Numbers keep the source’s European formatting (“.” as thousands separator, “,” as decimal separator); “NA” entries are left as in the source. Growth columns compare 2019 (actual) and 2020 (forecast) with 2016.

| EU/EEA Member State | Staff 2019 | Staff forecast 2020 | Staff growth 2016-2019 | Staff growth 2016-2020 (forecast) | Staff per million inhabitants (2019) | Budget 2019 (EUR) | Budget forecast 2020 (EUR) | Budget growth 2016-2019 | Budget growth 2016-2020 (forecast) | Budget per million EUR of GDP (2019) |
|---|---|---|---|---|---|---|---|---|---|---|
| Austria | 34 | 34 | 48% | 48% | 3,8 | 2.282.000 | 2.282.000 | 29% | 29% | 5,7 |
| Belgium | 59 | 65 | 9% | 20% | 5,2 | 8.197.400 | 8.962.200 | 1% | 10% | 17,3 |
| Bulgaria | 60 | 60 | -14% | -14% | 8,6 | 1.446.956 | 1.446.956 | 24% | 24% | 23,8 |
| Croatia | 39 | 60 | 39% | 114% | 9,6 | 1.157.300 | 1.405.000 | 57% | 91% | 21,5 |
| Cyprus | 24 | 22 | NA | NA | 27,4 | 503.855 | NA | 114% | NA | 23,0 |
| Czech Rep. | 101 | 109 | 0% | 8% | 9,5 | 6.541.288 | 6.720.533 | 10% | 13% | 29,7 |
| Denmark | 66 | 63 | 106% | 97% | 11,4 | 5.610.128 | 5.623.114 | 101% | 101% | 18,0 |
| Estonia | 16 | 18 | -11% | 0% | 12,1 | 750.331 | 750.331 | 7% | 7% | 26,8 |
| Finland | 45 | 55 | 114% | 162% | 8,2 | 3.500.000 | 4.500.000 | 94% | 150% | 14,6 |
| France | 215 | 225 | 9% | 14% | 3,2 | 18.506.734 | 20.143.889 | -2% | 7% | 7,7 |
| Germany | 888 | 1002 | 52% | 72% | 10,7 | 76.599.800 | 85.837.500 | 48% | 66% | 22,3 |
| Greece | 33 | 46 | -15% | 18% | 3,1 | 2.849.000 | 3.101.000 | 38% | 50% | 15,2 |
| Hungary | 104 | 117 | 42% | 60% | 10,6 | 3.505.152 | 4.437.576 | 102% | 155% | 24,4 |
| Iceland | 17 | 17 | 143% | 143% | 47,6 | 2.272.490 | 2.294.104 | 167% | 170% | 105,2 |
| Ireland | 140 | 176 | 169% | 238% | 28,5 | 15.200.000 | 16.900.000 | 223% | 260% | 43,8 |
| Italy | 170 | 170 | 40% | 40% | 2,8 | 29.127.273 | 30.127.273 | 46% | 51% | 16,3 |
| Latvia | 19 | 31 | -10% | 48% | 9,9 | 640.998 | 1.218.978 | 4% | 98% | 21,0 |
| Lithuania | 46 | 52 | -8% | 4% | 16,5 | 1.482.000 | 1.581.000 | 40% | 49% | 30,6 |
| Luxembourg | 43 | 48 | 126% | 153% | 70,0 | 5.442.416 | 6.691.563 | 165% | 226% | 85,7 |
| Malta | 13 | 15 | 30% | 50% | 26,3 | 480.000 | 550.000 | 41% | 62% | 36,3 |
| Netherlands | 179 | 188 | 145% | 158% | 10,4 | 18.600.000 | 18.600.000 | 130% | 130% | 22,9 |
| Norway | 49 | 58 | 2% | 21% | 9,2 | 5.708.950 | 6.580.660 | 27% | 46% | 15,9 |
| Poland | 238 | 260 | 54% | 68% | 6,3 | 7.506.345 | 9.413.381 | 66% | 108% | 14,2 |
| Portugal | 25 | 27 | -4% | 4% | 2,4 | 2.152.000 | 2.385.000 | 67% | 86% | 10,1 |
| Romania | 39 | 47 | -3% | 18% | 2,0 | 1.103.388 | 1.304.813 | 3% | 22% | 4,9 |
| Slovakia | 49 | 51 | 20% | 24% | 9,0 | 1.731.419 | 1.859.514 | 47% | 58% | 18,4 |
| Slovenia | 47 | 49 | 42% | 48% | 22,6 | 2.242.236 | 2.266.485 | 68% | 70% | 46,7 |
| Spain | 170 | 220 | 13% | 47% | 3,6 | 15.187.680 | 16.500.000 | 8% | 17% | 12,2 |
| Sweden | 87 | 87 | 81% | 81% | 8,5 | 8.800.000 | 10.300.000 | 96% | 129% | 18,5 |
| TOTAL | 2.966 | 3.372 | 42% | 62% | 6,6 | 249.127.139 | 273.782.870 | 49% | 64% | 17,4 |

Source of raw figures: contribution from the Board. Calculations from the Commission.

[191] Except for Liechtenstein.
    

    1_EN_autre_document_travail_service_part1_v9.pdf

    https://www.ft.dk/samling/20201/kommissionsforslag/kom(2020)0264/forslag/1675383/2231158.pdf

EUROPEAN COMMISSION
Brussels, 24.6.2020
SWD(2020) 115 final/2
This document corrects document SWD(2020) 115 final of 24.06.2020
Concerns the EN language version.
Footnote 3 completed.
The text shall read as follows:
COMMISSION STAFF WORKING DOCUMENT
[…]
Accompanying the document
COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation
{COM(2020) 264 final}
Contents
1 Context (p. 3)
2 Enforcement of the GDPR and functioning of the cooperation and consistency mechanisms (p. 4)
  2.1 Use of strengthened powers by data protection authorities (p. 4)
    Specific issues for the public sector (p. 5)
    Cooperation with other regulators (p. 6)
  2.2 The cooperation and consistency mechanisms (p. 6)
    One-stop-shop (p. 7)
    Mutual assistance (p. 8)
    Consistency mechanism (p. 8)
    Challenges to be addressed (p. 9)
  2.3 Advice and guidelines (p. 10)
    Awareness raising and advice by data protection authorities (p. 10)
    Guidelines of the European Data Protection Board (p. 11)
  2.4 Resources of the data protection authorities (p. 12)
3 Harmonised rules but still a degree of fragmentation and diverging approaches (p. 14)
  3.1 Implementation of the GDPR by the Member States (p. 14)
    Main issues relating to national implementation (p. 15)
    Reconciliation of the right to the protection of personal data with freedom of expression and information (p. 16)
  3.2 Facultative specification clauses and their limits (p. 17)
    Fragmentation linked to the use of facultative specification clauses (p. 17)
4 Empowering individuals to control their data (p. 19)
5 Opportunities and challenges for organisations, in particular Small and Medium size Enterprises (p. 22)
    Toolbox for businesses (p. 25)
6 The application of the GDPR to new technologies (p. 26)
7 International transfers and global cooperation (p. 28)
  7.1 Privacy: a global issue (p. 28)
  7.2 The GDPR transfer toolbox (p. 30)
    Adequacy decisions (p. 31)
    Appropriate safeguards (p. 35)
    Derogations (p. 41)
    Decisions by foreign courts or authorities: not a ground for transfers (p. 42)
  7.3 International cooperation in the area of data protection (p. 44)
    The bilateral dimension (p. 44)
    The multilateral dimension (p. 46)
Annex I: Clauses for facultative specifications by national legislation
Annex II: Overview of the resources of data protection authorities
1 CONTEXT
The General Data Protection Regulation[1] (hereafter ‘the GDPR’) is the result of eight years of preparation, drafting and inter-institutional negotiations, and entered into application on 25 May 2018 following a two-year transition period (May 2016 - May 2018). Article 97 of the GDPR requires the Commission to report on the evaluation and review of the Regulation, starting with a first report after two years of application and every four years thereafter.
The evaluation is also part of a multi-faceted approach that the Commission already followed before the GDPR entered into application and has continued to actively pursue since then. As part of this approach, the Commission engaged in ongoing bilateral dialogues with Member States on the compliance of national legislation with the GDPR, actively contributed to the work of the European Data Protection Board (hereafter ‘the Board’) by providing its experience and expertise, supported data protection authorities and maintained close contacts with a wide range of stakeholders on the practical application of the Regulation.
The evaluation builds on the stocktaking exercise that the Commission carried out on the first year of the GDPR application and that was summarised in the Communication issued in July 2019.[2] It also follows up on the Communication on the application of the GDPR issued in January 2018.[3] The Commission also adopted the Guidance on the use of personal data in the electoral context published in September 2018 and the Guidance on apps supporting the fight against the COVID-19 pandemic issued in April 2020.
Although its focus is on the two issues highlighted in Article 97(2) of the GDPR, namely international transfers and the cooperation and consistency mechanisms, this evaluation takes a broader approach in order to address issues which have been raised by various actors during the last two years.
To prepare the evaluation, the Commission took into account the contributions from:
- the Council;[4]
- the European Parliament (Committee on Civil Liberties, Justice and Home Affairs);[5]
- the Board[6] and individual data protection authorities,[7] based on a questionnaire sent by the Commission;
- the feedback from the members of the Multi-stakeholder expert Group to support the application of the GDPR,[8] also based on a questionnaire sent by the Commission;
- and ad hoc contributions received from stakeholders.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - OJ L 119, 4.5.2016, p. 1–88
[2] Communication from the Commission to the European Parliament and the Council, Data Protection as a trust-enabler in the EU and beyond – taking stock – COM(2019) 374 final, 24.7.2019
[3] Communication from the Commission to the European Parliament and the Council: Stronger protection, new opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018, COM/2018/043 final
[4] Council position and findings on the application of the General Data Protection Regulation – 14994/2/19 Rev2, 15.01.2020: https://data.consilium.europa.eu/doc/document/ST-14994-2019-REV-2/en/pdf
[5] Letter of the LIBE Committee of the European Parliament of 21 February 2020 to Commissioner Reynders, Ref.: IPOL-COM-LIBE D (2020)6525.
2 ENFORCEMENT OF THE GDPR AND FUNCTIONING OF THE COOPERATION AND CONSISTENCY MECHANISMS
The GDPR set up an innovative governance system and created the foundation of a truly European data protection culture that aims to ensure not only a harmonised interpretation, but also a harmonised application and enforcement of data protection rules. Its pillars are the independent national data protection authorities and the newly established Board.
As the data protection authorities are key to the functioning of the whole EU data protection system, the Commission is attentively monitoring their effective independence, including as regards adequate financial, human and technical resources.
It is still too early to fully assess the functioning of the cooperation and consistency mechanisms, given the short experience gathered so far.[9] In addition, data protection authorities have not yet used the full array of tools provided for by the GDPR to strengthen their cooperation further.
2.1 Use of strengthened powers by data protection authorities
The GDPR establishes independent data protection authorities and provides them with harmonised and strengthened enforcement powers. Since the GDPR applies, those authorities have been using a wide range of corrective powers provided for in the GDPR, such as administrative fines (22 EU/EEA authorities),[10] warnings and reprimands (23), orders to comply with data subjects’ requests (26), orders to bring processing operations into compliance with the GDPR (27), and orders to rectify, erase or restrict processing (17). Around half of the data protection authorities (13) have imposed temporary or definitive limitations on processing, including bans. This demonstrates a conscious use of all corrective measures provided for in the GDPR; the data protection authorities did not shy away from imposing administrative fines in addition to or instead of other corrective measures, depending on the circumstances of individual cases.

[6] Contribution of the Board to the evaluation of the GDPR under Article 97, adopted on 18 February 2020: https://edpb.europa.eu/our-work-tools/our-documents/other/contribution-edpb-evaluation-gdpr-under-article-97_en
[7] https://edpb.europa.eu/individual-replies-data-protection-supervisory-authorities_en
[8] The Multi-stakeholder expert group on the GDPR set up by the Commission involves civil society and business representatives, academics and practitioners: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3537 The report of the Multi-stakeholder Group is available at: https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupMeeting&meetingId=21356
[9] This fact is also highlighted in particular by the Council in its position and findings on the application of the GDPR and by the Board in its contribution to the evaluation.
[10] The figures in parenthesis indicate the number of EU/EEA data protection authorities that made use of the listed power between May 2018 and the end of November 2019. See contribution from the Board on pages 32-33.
    Administrative fines:
    Between 25 May 2018 and 30 November 2019, 22 EU/EEA data protection
    authorities issued approximately 785 fines. Only a few authorities have not yet
    imposed any administrative fines, although proceedings that are currently ongoing
might lead to such fines. Most of the fines related to infringements of: the
principle of lawfulness; valid consent; the protection of sensitive data; the obligation of
transparency; the rights of data subjects; and data breaches.
Examples of fines imposed by data protection authorities include [11]:
- EUR 200 000 for non-compliance with the right to object to direct marketing in
Greece;
    - EUR 220 000 on a data broker company in Poland for failure to inform individuals
    that their data was being processed;
    - EUR 250 000 imposed on the Spanish football league LaLiga, for lack of
    transparency in the design of its smartphone application;
- EUR 14.5 million for infringement of data protection principles, in particular
    unlawful storage, by a German real estate company;
    - EUR 18 million for unlawful processing of special categories of data at a large
    scale by Austrian postal services;
    - EUR 50 million on Google in France, because of the conditions for obtaining
    consent from users.
    The success of the GDPR should not be measured by the number of fines issued, since
    the GDPR provides for a broader palette of corrective powers. Depending on the
    circumstances, for example, the deterrent effect of a ban on processing or the
    suspension of data flows can be much stronger.
    Specific issues for the public sector
    The GDPR allows Member States to determine whether and to what extent
    administrative fines may be imposed on public authorities and bodies. Where Member
    States make use of this possibility, this does not deprive the data protection authorities
of using all the other corrective powers vis-à-vis public authorities and bodies [12].
    Another specific issue is the supervision of courts: although the GDPR also applies to
    the activities of courts, these are exempted from supervision by data protection
    authorities when acting in their judicial capacity. However, the Charter and the TFEU
    oblige Member States to entrust an independent body within their judicial systems
with the supervision of such processing operations [13].

[11] Several of the decisions imposing fines are still subject to judicial review.
[12] Article 83(7) GDPR.
[13] Article 8(3) of the Charter; Article 16(2) TFEU; recital 20 of the GDPR.
    Cooperation with other regulators
    As announced in its Communication of July 2019, the Commission supports
    interaction with other regulators, in full respect of the respective competencies.
    Promising areas of cooperation include consumer protection and competition. The
    Board indicated its willingness to engage with other regulators in particular in relation
to concentration in digital markets [14]. The Commission recognised the importance of
privacy and data protection as a qualitative parameter for competition [15]. Members of
    the Board participated in joint workshops with the Consumer Protection Cooperation
    Network on cooperation on better enforcement of the EU consumer and data
    protection legislation. This approach will be pursued to foster common understanding
    and develop practical ways to address concrete problems experienced by consumers
    in particular in the digital economy.
    In order to ensure a consistent approach to privacy and data protection, and pending
    the adoption of the ePrivacy Regulation, close cooperation with the authorities
competent for enforcing the ePrivacy Directive [16], the lex specialis in the area of
electronic communications, is indispensable. Closer cooperation with the authorities
competent under the NIS Directive [17], and the NIS Cooperation Group, would be to
the mutual benefit of those authorities and the data protection authorities.
    2.2 The cooperation and consistency mechanisms
    The GDPR created the cooperation mechanism (one-stop-shop system for operators,
    joint operations and mutual assistance between data protection authorities) and the
    consistency mechanism in order to foster a uniform application of the data protection
    rules, through a consistent interpretation and the resolution of possible disagreement
    between authorities by the Board.
    The Board, gathering all data protection authorities, has been established as an EU
body with legal personality and is fully operational, supported by a secretariat [18]. It is
crucial for the functioning of the two mechanisms mentioned above. By the end of
2019, the Board had adopted 67 documents, including 10 new guidelines [19] and 43
opinions [20][21].

[14] Cf. the statement of the Board on the data protection impacts of economic concentration, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_economic_concentration_en.pdf.
[15] See Case COMP M.8124 Microsoft/LinkedIn.
[16] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37-47.
[17] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, p. 1-30.
[18] See details on the secretariat activities in the contribution from the Board, pages 24-26.
[19] In addition to the 10 guidelines adopted by the Article 29 Working Party in the run-up to the GDPR's entry into application and endorsed by the Board. Moreover, the Board adopted 4 additional guidelines between January and end May 2020, and updated an existing one.
[20] 42 of these opinions were adopted under Article 64 of the GDPR and one was adopted under Article 70(1)(s) of the GDPR and concerned the adequacy decision with respect to Japan.
[21] See contribution from the Board, pages 18-23 for a complete overview of the Board's activities.
    The important role of the Board emerged where there was a need to rapidly provide
    for consistent interpretation of the GDPR and to find immediately applicable solutions
    at EU level. For example in the context of the COVID-19 outbreak, in March 2020
    the Board adopted a statement on the processing of personal data, which deals inter
    alia with the lawfulness of processing and the use of mobile location data in that
context [22], and in April 2020 it adopted guidelines on the processing of data
concerning health for the purpose of scientific research in the context of the
COVID-19 outbreak [23] and guidelines on the use of location data and contact tracing
tools in the context of the COVID-19 outbreak [24]. The Board also made a significant
contribution to the design of the EU approach to tracing apps by the Commission and the
    Member States.
    Day-to-day cooperation between data protection authorities, whether they act in their
    own capacity or as members of the Board, is based on exchanges of information and
    notifications of cases opened by the authorities. In order to facilitate communication
    between authorities, the Commission gave significant support by providing them with
an information exchange system [25]. Most authorities consider it adapted to the needs
of the cooperation and consistency mechanisms, even though it could be further
fine-tuned, for example by making it more user-friendly.
    Although it is still early days, a number of achievements and challenges can already
    be identified and are presented below. They show that, so far, data protection
    authorities have made an effective use of the cooperation tools, with a preference for
    more flexible solutions.
    One-stop-shop
As a general rule, in cross-border cases, a Member State's data protection authority
can be involved either (i) as lead authority, when the main establishment of the
operator is located in that Member State, or (ii) as a concerned authority, when the
operator has an establishment on the territory of that Member State, when individuals
in that Member State are substantially affected, or when a complaint has been lodged
with it.
    Such close cooperation has become daily practice: since the date of application of the
    GDPR, data protection authorities in all Member States have at some point been
    identified either as lead authorities or as concerned authorities in cross-border cases,
    although to a different extent.
    From May 2018 until end 2019, the data protection authority in Ireland acted as lead
    authority in the highest number of cross-border cases (127), followed by Germany
(92), Luxembourg (87), France (64) and the Netherlands (45). This ranking notably
reflects the specific situation of Ireland and Luxembourg, which host several big
multinational tech companies.
[22] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
[23] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en
[24] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf
[25] Internal Market Information System ('IMI').
    The ranking is different as regards involvement as concerned data protection
    authorities with the authorities in Germany being involved in the highest number of
cases (435), followed by Spain (337), Denmark (327), France (332) and Italy (306) [26].
    Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted
    through the one-stop-shop procedure, out of which 79 resulted in final decisions. At
    the date of the publication of this report, several important decisions with a cross-
    border dimension and subject to the one-stop-shop mechanism are pending. Among
these decisions, some involve multinational big tech companies [27]. They are expected
    to provide clarification and to contribute to an increased harmonisation in the
    interpretation of the GDPR.
    Mutual assistance
    Data protection authorities have made a wide use of the mutual assistance tool.
By the end of 2019, there had been 115 mutual assistance [28] procedures, in particular
for carrying out investigations, most of them initiated by the data protection authorities of
Spain (26), Germany (20), Denmark (13), Poland (12) and the Czech Republic (10). On
the other hand, Ireland (19), France (11), Austria (10), Germany (10) and
Luxembourg (9) had received the most requests [29].
    The vast majority of authorities find mutual assistance a very useful tool for
    cooperation and have not encountered any particular obstacle to applying the mutual
    assistance procedure. The voluntary mutual assistance exchange, which does not have
    a legal deadline or strict duty to answer, has been used more frequently, in 2 427
    procedures. The data protection authority of Ireland sent and received the highest
    number of mutual assistance requests (527 sent and 359 received), followed by
    German authorities (260 sent/356 received).
On the other hand, joint operations [30], which would make it possible for data
    protection authorities of several Member States to be involved already at the level of
    the investigations of cross-border cases, have not been conducted yet. Reflection is
    on-going within the Board on the practical implementation of this tool and how to
    promote its use.
    Consistency mechanism
So far only the first leg of the consistency mechanism has been used, namely the
adoption of Board opinions [31]. No dispute resolution at Board level [32] or urgency
procedure [33] has been triggered yet.

[26] See contribution from the Board, page 8.
[27] For instance, on 22 May 2020, the Irish data protection authority submitted a draft decision to other concerned authorities, in accordance with Article 60 of the Regulation, concerning an investigation into Twitter International Company regarding data breach notification. On the same day, the Irish data protection authority also announced that a draft decision on WhatsApp Ireland Limited for submission under Article 60 was in preparation, concerning transparency, including in relation to what information is shared with Facebook.
[28] Article 61 GDPR.
[29] See contribution from the Board, pages 12-14.
[30] Article 62 GDPR.
[31] Based on Article 64 GDPR.
    Between 25 May 2018 and 31 December 2019, the Board issued 36 opinions in the
context of the adoption of measures by one of its members [34]. Most of them (31)
    concerned the adoption of national lists of processing operations requiring a data
    protection impact assessment. Two opinions concerned Binding Corporate Rules, two
    others concerned draft accreditation requirements for a code of conduct monitoring
body, and one concerned Standard Contractual Clauses [35].
Furthermore, the Board adopted, on request, six opinions [36]. Three of these opinions
    concerned national lists identifying processing which does not require a data
    protection impact assessment. The others concerned respectively an administrative
    arrangement for the transfer of personal data between EEA and non-EEA financial
    supervisory authorities, the interplay between the ePrivacy Directive and the GDPR
    and the competence of a supervisory authority in case of a change in circumstances
relating to the main or single establishment [37].
    Challenges to be addressed
Although the data protection authorities have been very actively working together in
the Board and already make intensive use of the mutual assistance cooperation tool,
building a truly common data protection culture is still an ongoing process.
    In particular, the handling of cross-border cases calls for a more efficient and
    harmonised approach and the effective use of all cooperation tools provided in the
    GDPR. There is a very broad consensus on this point since it was raised in different
    ways by the European Parliament, the Council, the European Data Protection
    Supervisor, stakeholders (within the Multi-stakeholder Group and beyond) and by the
    data protection authorities.
The main issues to be tackled in this context include differences in:
- national administrative procedures, concerning in particular: complaint handling
procedures, the admissibility criteria for complaints, the duration of proceedings
due to different timeframes or the absence of any deadlines, the moment in the
procedure when the right to be heard is granted, and the information and involvement
of complainants during the procedure;
- interpretations of concepts relating to the cooperation mechanism, such as relevant
information, the notion of "without delay", "complaint", the document which is
defined as the "draft decision" of the lead data protection authority, and amicable
settlement (in particular the procedure leading to amicable settlement and the legal
form of the settlement); and
- the approach to when to start the cooperation procedure, involve the concerned
data protection authorities and communicate information to them.
Complainants also lack clarity on how their cases are handled in cross-border
situations, as was stressed by several members of the Multi-stakeholder Group.
Moreover, businesses mention that in certain instances national data protection
authorities did not refer cases to the lead data protection authority, but handled them
as local cases.

[32] Article 65 GDPR.
[33] Article 66 GDPR.
[34] Under Article 64(1) GDPR.
[35] Article 28(8) GDPR.
[36] Under Article 64(2) GDPR.
[37] See contribution from the Board, page 15.
    The Commission welcomes the Board’s announcement that it has started a reflection
    on how to address these concerns. In particular, the Board indicated that it will clarify
    the procedural steps involved in the cooperation between the lead data protection
    authority and the concerned data protection authorities, analyse national
    administrative procedural laws, work towards a common interpretation of key
    concepts, and strengthen communication and cooperation (including joint operations).
    The Board’s reflection and analysis should lead to devising more efficient working
arrangements in cross-border cases [38], including by building on the expertise of its
    members and by strengthening the involvement of its secretariat. In addition, it should
    be noted that the Board’s responsibility in ensuring a consistent interpretation of the
    GDPR cannot be discharged by simply finding the lowest common denominator.
    Finally, as an EU body the Board must also apply EU administrative law and ensure
    transparency in the decision making process.
    2.3 Advice and guidelines
    Awareness raising and advice by data protection authorities
    Several data protection authorities created new tools, such as help lines for individuals
and businesses, and toolkits for businesses [39]. Many operators welcome the
    pragmatism shown by these authorities in assisting with the application of the GDPR.
    In particular, several of them have actively and closely collaborated and
    communicated with data protection officers, including through data protection
    officers’ associations. Many authorities also issued guidelines covering the data
    protection officers’ role and obligations to support data protection officers during
    their daily activities and held seminars specifically designed for them. However, this
    is not the case for all data protection authorities.
    Feedback received from stakeholders also points to a number of issues as regards
    guidance and advice:
- the lack of a consistent approach and guidance between national data protection
authorities on certain issues (e.g. on cookies [40], the application of legitimate
interest, data breach notifications or data protection impact assessments) or
even between data protection authorities within the same Member State (e.g. in
Germany on the notions of controller and processor);
- the inconsistency of guidelines adopted at national level with those adopted by the
Board;
- the absence of public consultations on certain guidelines adopted at national level;
- different levels of engagement with stakeholders among data protection
authorities;
- delays in receiving responses to information requests;
- difficulties in obtaining practical and valuable advice from data protection
authorities;
- the need to increase the level of sectoral expertise in some data protection
authorities (e.g. in the health and pharma sector).
Several of these issues are also linked to the lack of resources in several data
protection authorities (see below).

[38] As also pointed out in the Council position and findings.
[39] See below under point 7.
[40] Pending the adoption of the ePrivacy Regulation, close cooperation with the competent authorities responsible for the enforcement of the ePrivacy Directive in the Member States is necessary. In accordance with that Directive, in some Member States the authorities competent for enforcing Article 5(3) of the ePrivacy Directive (which sets out the conditions under which "cookies" may be set and accessed on a user's terminal equipment) are not the same as the GDPR supervisory authorities.
Divergent practices as regards the notification of data breaches [41]
    While the Council highlights the burden caused by such notifications, there are
    significant discrepancies on notifications between Member States: whereas from May
    2018 to end November 2019, in most Member States the total number of data breach
    notifications was below 2 000, and in 7 Member States between 2 000 and 10 000, the
    Dutch and German data protection authorities reported respectively 37 400 and
45 600 notifications [42].
    This may point to a lack of consistent interpretation and implementation, despite the
    existence of EU-level guidelines on data breach notifications.
    Guidelines of the European Data Protection Board
    To date, the Board adopted more than 20 guidelines covering key aspects of the
GDPR [43]. The guidelines are an essential tool for the consistent application of the
    GDPR and have, therefore, been to a large extent welcomed by stakeholders.
    Stakeholders have appreciated the systematic (6 to 8 weeks) public consultation.
    However, they ask for more dialogue with the Board. In this context, the practice of
    organising workshops on targeted topics prior to drafting guidelines should be
    continued and amplified to ensure the transparency, inclusiveness, and relevance of
    the Board’s work. Stakeholders also request that the interpretation of the most
    contentious issues should be addressed in the guidelines, since these are subject to
    public consultation, and not within opinions under Article 64(2) of the GDPR. Some
    stakeholders also call for more practical guidelines, detailing the application of
concepts and provisions of the GDPR [44]. Members of the Multi-stakeholder Group
    stress the need for more concrete examples to reduce the room for diverging
    interpretations between data protection authorities as much as possible. At the same
time, the requests to clarify how to apply the GDPR and to provide legal certainty
should not lead to additional requirements or diminish the advantages of the
risk-based approach and the accountability principle.

[41] Article 33 GDPR.
[42] See contribution from the Board, page 35.
[43] The work on guidelines already started before the entry into application of the GDPR on 25 May 2018 in the context of the Article 29 Working Party. See the full list of guidelines at https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
[44] This has also been highlighted by the European Parliament and by the Council.
    The topics on which stakeholders would like additional guidelines from the Board
    include: the scope of data subjects’ rights (including in the employment context);
    updates to the opinion on processing based on legitimate interest; the notions of
    controller, joint controller and processor and the necessary arrangements between the
parties [45]; the application of the GDPR to new technologies (such as blockchain and
    artificial intelligence); processing in the context of scientific research (including in
    relation to international collaboration); the processing of children’s data;
    pseudonymisation and anonymisation; and the processing of health data.
    The Board has already indicated that it will issue guidelines on many of these topics
    and the work already started on several of them (e.g. on the application of legitimate
    interest as a legal basis for processing).
    Stakeholders ask the Board to update and revise existing guidelines where
appropriate, taking into account the experience gathered since their publication and
    taking the opportunity to go into more detail where needed.
    2.4 Resources of the data protection authorities
    Providing each data protection authority with the necessary human, technical and
    financial resources, premises and infrastructure is a prerequisite for the effective
    performance of their tasks and exercise of their powers, and therefore an essential
condition for their independence [46].
Most data protection authorities benefited from an increase in staff and resources
since the GDPR entered into force in 2016 [47]. However, many of them still report that
they do not have sufficient resources [48].
    Number of staff working for national data protection authorities
    The total number of staff working in EEA data protection authorities considered
    together has increased by 42% between 2016 and 2019 (by 62% if one considers the
    2020 forecast).
    The number of staff has increased in most authorities during this period, with the
    biggest increase (as a percentage) registered for authorities in Ireland (+169%), the
    Netherlands (+145%), Iceland (+143%), Luxembourg (+126%) and Finland (+114%).
    On the other hand, the number of staff decreased in several data protection authorities,
    with the sharpest decreases observed in Greece (-15%), Bulgaria (-14%), Estonia (-
    11%), Latvia (-10%) and Lithuania (-8%). In some authorities, the decrease in staff is
    also due to the departure of data protection experts to the private sector offering more
    attractive conditions.
[45] Guidelines from the Board on controllers and processors are currently in preparation.
[46] See Article 52(4) GDPR.
[47] The Regulation entered into force in May 2016 and into application in May 2018, following a 2-year transition period.
[48] See contribution from the Board, pages 26-30.
    In general, the forecast for 2020 provides for an increase of staff compared to 2019,
    except for authorities in Austria, Bulgaria, Italy, Sweden and Iceland (where staff
    numbers are expected to remain stable), Cyprus and Denmark (where staff numbers
    are expected to decrease).
The German data protection authorities [49] together have the highest number of staff
    (888 in 2019/1002 in 2020 forecast), followed by the data protection authorities in
    Poland (238/260), France (215/225), Spain (170/220), the Netherlands (179/188),
    Italy (170/170) and Ireland (140/176).
    The data protection authorities with the lowest staff numbers are those in Cyprus
    (24/22), Latvia (19/31), Iceland (17/17), Estonia (16/18) and Malta (13/15).
    Budget of national data protection authorities
    The total budget of EEA data protection authorities considered together has increased
    by 49% between 2016 and 2019 (by 64% if one considers the 2020 forecast).
    The budget of most authorities increased during this period, with the biggest increase
    (as a percentage) registered for authorities in Ireland (+223%), Iceland (+167%),
Luxembourg (+165%), the Netherlands (+130%) and Cyprus (+114%). On the other
    hand, some authorities saw only a small budget increase, with the smallest increases
    registered for data protection authorities in Estonia (7%), Latvia (4%), Romania (3%)
    and Belgium (1%), while the authority in France experienced a decrease (-2%).
    In general, the forecast for 2020 provides for an increase in budget compared to 2019,
    except for the authorities in Austria, Bulgaria, Estonia and the Netherlands (whose
    budgets are expected to remain stable).
    The data protection authorities with the highest budget are those of Germany (EUR
76.6 million in 2019/EUR 85.8 million in the 2020 forecast), Italy (29.1/30.1), the
    Netherlands (18.6/18.6), France (18.5/20.1) and Ireland (15.2/16.9).
    The authorities with the lowest budget are those of Croatia (EUR 1.2 million in
    2019/EUR 1.4 million in the 2020 forecast), Romania (1.1/1.3), Latvia (0.6/1.2),
    Cyprus (0.5/0.5) and Malta (0.5/0.6).
    The table in Annex II provides an overview of the human and budgetary resources of
    national data protection authorities.
    Besides impacting their capacity to enforce rules at national level, the lack of
    resources also limits data protection authorities’ capacity to participate in and
    contribute to the cooperation and consistency mechanisms, and to the work carried
    out within the Board. As highlighted by the Board, the success of the one-stop-shop
    mechanism depends on the time and effort that data protection authorities can
    dedicate to the handling of and cooperation on individual cross-border cases. The
    resource issue is compounded by the authorities’ increased role in the supervision of
large-scale IT systems that are currently being developed. Furthermore, the data
protection authorities in Ireland and Luxembourg have specific resource needs given
their role as lead authorities for the enforcement of the GDPR vis-à-vis big tech
companies, which are located mostly in these Member States.

[49] There are 18 authorities in Germany, of which one is a federal authority and 17 are regional authorities (including two in Bavaria).
    While the Council points to the impact of the cooperation mechanism and its
deadlines on the work of data protection authorities [50], the GDPR obliges Member
States to provide their national data protection authorities with adequate human,
financial and technical resources [51].
    The secretariat of the Board, which is provided by the European Data Protection
Supervisor [52], is currently composed of 20 people, including legal, IT and
communication experts. It is to be assessed whether this figure needs to evolve in the
future in light of the effective fulfilment of its function of analytical, administrative
and logistical support to the Board and its subgroups, including through the
management of the information exchange system.
3 HARMONISED RULES BUT STILL A DEGREE OF FRAGMENTATION AND DIVERGING APPROACHES
    The GDPR provides for a consistent approach to data protection rules throughout the
    EU, replacing the different national regimes that existed under the 1995 Data
    Protection Directive.
    3.1 Implementation of the GDPR by the Member States
    The GDPR has been directly applicable in all Member States since 25 May 2018. It
    obliged Member States to legislate, in particular to set up national data protection
    authorities and the general conditions for their members, in order to ensure that each
    authority acts with complete independence in performing its tasks and exercising its
    powers in accordance with the GDPR. Legal obligations and public tasks can
    constitute a legal ground for the processing of personal data only if they are laid down
    in (Union or) national law. In addition, Member States must lay down rules on
    penalties in particular for infringements not subject to administrative fines and must
    reconcile the right to the protection of personal data with the right to freedom of
    expression and information. National law can also provide for a legal basis for the
    exemption from the general prohibition for processing special categories of personal
    data, for example for reasons of substantial public interest in the area of public health,
    including protection against serious cross-border threats to health. Furthermore,
    Member States must ensure the accreditation of certification bodies.
    The Commission is monitoring the implementation of the GDPR in national
legislation. At the time of writing this report, all Member States except Slovenia have
adopted new data protection legislation or adapted their law in this area. The
Commission therefore requested Slovenia to provide clarification on the progress
made to date and urged it to finalise that process [53].

[50] Article 60 GDPR.
[51] Article 52(4) GDPR.
[52] Article 75 GDPR.
    In addition, the compliance of national legislation with data protection rules as
    regards the Schengen acquis is also assessed in the context of the Schengen
    Evaluation Mechanism coordinated by the Commission. The Commission and
    Member States jointly evaluate how countries implement and apply the Schengen
    acquis in a number of areas; for data protection this concerns large-scale IT systems
like the Schengen Information System and the Visa Information System and includes
    the role of data protection authorities in supervising the processing of personal data
    within those systems.
Work on adapting sectoral laws is still ongoing at national level. Following the
GDPR’s incorporation into the European Economic Area Agreement, its application
was extended to Norway, Iceland and Liechtenstein. These countries have also adopted
    their national data protection laws.
    The Commission will make use of all the tools at its disposal, including infringement
    procedures, to ensure that Member States comply with the GDPR.
    Main issues relating to national implementation
    The main issues identified to date as part of the ongoing assessment of national
    legislation and bilateral exchanges with Member States include:
- Restrictions to the GDPR’s application: some Member States, for example,
completely exclude the activities of the national parliament;
- Differences in the applicability of national specification laws. Some Member
States link the applicability of their national law to the place where the goods or
services are offered, others to the place of establishment of the controller or
processor. This runs contrary to the objective of harmonisation pursued by the
GDPR;
- National laws that raise questions on the proportionality of the interference with
the right to data protection. For example, the Commission launched an
infringement procedure against a Member State that had enacted legislation
requiring judges to disclose specific information about their non-professional
activities, which is incompatible with the right to respect for private life and the
right to the protection of personal data;[54]
- The absence of an independent body for the supervision of data processing by
courts acting in their judicial capacity.[55]
- Legislation in areas fully regulated by the GDPR beyond the margin for
specifications or restrictions. This is, in particular, the case where national
provisions determine conditions for processing based on legitimate interest, by
providing for the balancing of the respective interests of the controller and of the
individuals concerned, while the GDPR obliges each and every controller to
undertake such balancing individually and avail itself of that legal basis.
- Specifications and additional requirements beyond processing for compliance with
a legal obligation or performance of a public task (e.g. for video surveillance in
the private sector or for direct marketing); and for concepts used in the GDPR
(e.g. ‘large scale’ or ‘erasure’).
[53] It has to be noted that the national data protection authority in Slovenia is set up based on the
current national data protection law and supervises the application of the GDPR in that Member
State.
[54] This infringement procedure concerns the Polish law on the judiciary of 20 December 2019, which
affects the independence of the judges and concerns, inter alia, the disclosure of the engagement of
judges in non-professional activities:
https://ec.europa.eu/commission/presscorner/detail/en/ip_20_772.
[55] See Article 8(3) of the Charter; Article 16 TFEU; recital 20 of the GDPR.
    Some of these issues may be clarified by the Court of Justice in cases that are still
pending.[56]
    Reconciliation of the right to the protection of personal data with freedom of
    expression and information
    A specific issue concerns the implementation of the obligation for Member States to
    reconcile by law the right to the protection of personal data with freedom of
expression and information.[57] This issue is very complex, since an assessment of the
    balancing between these fundamental rights must also take into account provisions
    and safeguards in press and media laws.
    The assessment of Member State legislation shows different approaches to the
    reconciliation of the right to the protection of personal data with freedom of
    expression and information:
- Some Member States lay down the principle of precedence of freedom of
expression or exempt in principle the application of entire chapters mentioned in
Article 85(2) GDPR if processing for journalistic purposes and for academic,
artistic and literary expression is at stake. To a certain extent, media laws provide
for some safeguards as regards data subject rights.
- Some Member States lay down the precedence of the protection of personal data
and exempt the application of data protection rules only in specific situations,
such as where a person with public status is concerned.
- Other Member States provide for a certain balancing by the legislator and/or a
case-by-case assessment as regards derogations from certain provisions of the
GDPR.
    The Commission will continue its assessment of national legislation on the basis of
    the requirements of the Charter. The reconciliation must be provided for by law,
    respect the essence of those fundamental rights, and be proportional and necessary
    (Article 52(1) of the Charter). Data protection rules should not affect the exercise of
    freedom of expression and information especially by creating a chilling effect or by
    being interpreted as a way to put pressure on journalists to disclose their sources.
[56] For example, the exemption of a parliamentary committee from the application of the GDPR is
subject to a pending court case for a preliminary ruling (C-272/19).
[57] Article 85 GDPR.
    3.2 Facultative specification clauses and their limits
    The GDPR gives Member States the possibility to further specify its application in a
    limited number of areas. This margin for national legislation is to be distinguished
    from the obligation to implement certain other provisions of the GDPR as mentioned
    above. The clauses for facultative specifications are listed in Annex I.
    The margins for Member State law are subject to the conditions and limits set by the
GDPR and do not allow for a parallel national data protection regime.[58] Member
    States are obliged to amend or repeal the national data protection laws, including
    sectoral legislation with data protection aspects.
    Furthermore, related Member State legislation must not include provisions which
    might create confusion regarding the direct application of the GDPR. Therefore,
    where the GDPR provides for specifications or restrictions of its rules by Member
    State law, Member States may incorporate elements of the GDPR in their national
    law, to the extent necessary to ensure coherence and to render the national provisions
comprehensible to the persons to whom they apply.[59]
    Stakeholders consider that Member States should reduce or refrain from using
    facultative specification clauses since they do not contribute to harmonisation. The
    national divergences in both the implementation of the laws and their interpretation by
    data protection authorities considerably increase the cost of legal compliance across
    the EU.
    Fragmentation linked to the use of facultative specification clauses
- Age limit for children’s consent to information society services
    A number of Member States have made use of the possibility to provide for a lower
    age than 16 years for consent in relation to information society services (Article 8(1)
    GDPR). Whereas nine Member States apply the 16 years’ age limit, eight Member
States opted for 13 years, six for 14 years and three for 15 years.[60]
    Consequently, a company providing information society services to minors across the
    EU has to distinguish between the ages of potential users, depending in which
    Member State they reside. This is contrary to the key objective of the GDPR to
    provide for an equal level of protection to individuals and of business opportunities in
    all Member States.
    Such differences lead to situations where the Member State in which the controller is
    established provides for another age limit than the Member States where the data
    subjects are residing.
[58] The widely used term of “opening clauses” to mean specification clauses is misleading since it
might give the impression that Member States have margins of manoeuvre beyond the provisions of
the Regulation.
[59] Recital 8 of the GDPR.
[60] 13 years for Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal and Sweden; 14 years for
Austria, Bulgaria, Cyprus, Spain, Italy and Lithuania; 15 years for Czech Republic, Greece and
France; 16 years for Germany, Hungary, Croatia, Ireland, Luxembourg, the Netherlands, Poland,
Romania and Slovakia.
- Health and research
    When implementing derogations from the general prohibition for processing special
categories of personal data,[61] Member State legislation follows different approaches
    as regards the level of specification and safeguards, including for health and research
    purposes. Most Member States introduced or maintained further conditions for the
    processing of genetic data, biometric data or data concerning health. This is also true
for derogations related to data subject rights for research purposes,[62] both as regards
    the extent of the derogations and the related safeguards.
    The Board’s future guidelines on the use of personal data in the field of scientific
    research will contribute to a harmonised approach in this area. The Commission will
    provide input to the Board, in particular as regards health research, including in the
    form of concrete questions and analysis of concrete scenarios that it received from the
    research community. It would be helpful if these guidelines could be adopted before
    the launch of Horizon Europe Framework Programme in view of harmonising data
    protection practices and facilitating data sharing for research advancements.
    Guidelines from the Board on the processing of personal data in the area of health
    could also be useful.
    The GDPR provides a robust framework for national legislation in the area of public
    health and explicitly includes cross-border health threats and the monitoring of
epidemics and their spread,[63] which was relevant in the context of the fight against the
    COVID-19 pandemic.
    At EU level, on 8 April 2020 the Commission adopted a Recommendation for a
    toolbox for the use of technology and data in this context, including mobile
applications and the use of anonymised mobility data,[64] and on 16 April 2020 a
guidance on apps supporting the fight against the pandemic in relation to data
protection.[65] The Board published a statement on data processing in this context on 19
March 2020,[66] followed on 21 April 2020 by guidelines on data processing for
research purposes and on the use of localisation data and contact tracing tools in this
context.[67] These recommendations and guidelines clarify how the principles and rules
    on the protection of personal data apply in the context of the fight against the
    pandemic.
- Extensive restrictions of data subjects’ rights
Most national data protection laws that restrict data subjects’ rights do not specify the
    objectives of general public interest safeguarded by these restrictions and/or do not
    sufficiently meet the conditions and safeguards required by Article 23(2) of the
GDPR.[68] Several Member States leave no room for the proportionality test or extend
the restrictions even beyond the scope of Article 23(1) of the GDPR. For example,
some national laws deny the right of access for reasons of disproportionate effort on
the side of the controller, for personal data which are stored on the basis of a retention
obligation or related to the performance of public tasks, without limiting such
restriction to objectives of general public interest.
[61] Article 9 GDPR.
[62] Article 89(2) GDPR.
[63] See Article 9(2)(i) GDPR and recital 46.
[64] https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf
[65] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020XC0417(08)&from=EN
[66] https://edpb.europa.eu/news/news/2020/statement-processing-personal-data-context-covid-19-outbreak_en
[67] https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
- Additional requirements for companies
Although the requirement of a mandatory data protection officer is based on the risk-
based approach,[69] one Member State[70] extended it to a quantitative criterion, obliging
companies in which 20 employees or more are permanently involved in the automated
processing of personal data to designate a data protection officer, independently of the
risks connected with the processing activities.[71] This has led to additional burdens.
    4 EMPOWERING INDIVIDUALS TO CONTROL THEIR DATA
    The GDPR makes fundamental rights effective, in particular the right to the protection
    of personal data, but also the other fundamental rights recognised by the Charter,
    including the respect for private and family life, freedom of expression and
    information, non-discrimination, freedom of thought, conscience and religion,
    freedom to conduct a business and the right to an effective remedy. These rights must
be balanced against each other in accordance with the principle of proportionality.[72]
    The GDPR provides individuals with enforceable rights, such as the right of access,
    rectification, erasure, objection, portability and enhanced transparency. It also gives
    individuals the right to lodge a complaint with a data protection authority, including
    through representative actions, and to judicial redress.
    Individuals are increasingly aware of their rights, as shown in the results of the July
2019 Eurobarometer[73] and the survey carried out by the Fundamental Rights
Agency.[74]
    According to the Fundamental Rights Survey carried out by the Fundamental Rights
    Agency:
     69% of the population aged 16+ in the EU have heard about the GDPR;
     71% of respondents in the EU have heard about their national data protection
    authority; this figure ranges from 90% in the Czech Republic to 44% in Belgium;
    68
    For instance because they simply repeat the wording of Article 23(1) GDPR.
    69
    Article 37(1) GDPR.
    70
    Germany.
    71
    Making use of the specification clause in Article 37(4) GDPR.
    72
    Cf. recital 4 of the GDPR.
    73
    https://ec.europa.eu/commission/presscorner/detail/en/IP_19_2956
    74
    European Union Agency for Fundamental Rights (FRA) (2020): Fundamental Rights Survey 2019.
    Data protection and technology: https://fra.europa.eu/en/publication/2020/fundamental-rights-
    survey-data-protection
    20
     60% of respondents in the EU are aware of a law that allows them to access their
    personal data as held by public administration; however, this percentage decreases
    to 51% for private companies;
     more than one in five respondents (23%) in the EU do not want to share personal
    data (such as one’s address, citizenship or date of birth) with public
    administration, and 41% do not want to share these data with private companies.
    Individuals are increasingly using their right to lodge complaints with data protection
authorities, either individually or by representative actions.[75] Only a few Member
States have allowed non-governmental organisations to launch actions without a
mandate, in line with the possibility provided by the GDPR. The proposed Directive
on representative actions for the protection of the collective interests of consumers[76] is
    expected, once adopted, to strengthen the framework for representative actions also in
    the field of data protection.
    Complaints
    The total number of complaints between May 2018 and end of November 2019 as
reported by the Board is around 275 000.[77] However, this figure should be considered
with much caution given that the definition of a complaint is not identical among
authorities. The absolute number of complaints received by data protection
authorities[78] is very different between Member States. The highest numbers of
    complaints were registered in Germany (67 000), the Netherlands (37 000), Spain and
    France (18 000 each), Italy (14 000), Poland and Ireland (12 000 each). Two-thirds of
    authorities reported the number of complaints as ranging between 8 000 and 600. The
    lowest numbers of complaints were registered in Estonia and Belgium (around 500
    each), Malta and Iceland (fewer than 200 each).
    The number of complaints is not necessarily correlated to the size of the population or
    GDP, with for instance close to twice as many complaints in Germany compared to
    the Netherlands, and four times as many compared to Spain and France.
    Feedback from the Multi-stakeholder Group shows that organisations have put in
    place a variety of measures to facilitate the exercise of data subjects’ rights, including
    implementing processes that ensure individual review of requests and a reply from the
    controller, the use of several channels (mail, dedicated email address, website, etc.),
    updated internal procedures and policies on the timely internal handling of requests,
    and staff training. Some companies have put in place digital portals accessible
    through the company’s website (or the company’s intranet for employees) to facilitate
    the exercise of rights by data subjects.
    However, further progress is needed on the following points:
- Not all data controllers comply with their obligation to facilitate the exercise of
data subjects’ rights.[79] They need to ensure that data subjects have an effective
point of contact to whom they can explain their problems. This can be the data
protection officer, whose contact details have to be provided pro-actively to the
data subject.[80] The contact modalities must not be limited to e-mails, but must also
enable the data subject to address the controller through other means.
[75] Article 80 GDPR.
[76] COM/2018/0184 final - 2018/089 (COD).
[77] Both under Articles 77 and 80 GDPR.
[78] See contribution from the Board, pages 31-32.
[79] Article 12(2) GDPR.
- Individuals still face difficulties when requesting access to their data, for instance
from platforms, data brokers and adtech companies.
- The right to data portability is not used to its full potential. The European Strategy
for Data (hereafter Data Strategy),[81] adopted by the Commission on 19 February
2020, emphasised the need to facilitate all possible uses of this right (e.g. by
mandating technical interfaces and machine-readable formats allowing portability
of data in (near-to) real-time). Operators note that there are sometimes difficulties
in providing the data in a structured, commonly used machine-readable format
(due to the lack of standard). Only organisations in particular sectors, such as
banking, telecommunications, water and heating meters, report having
implemented the necessary interfaces.[82] New technological tools have been
developed to facilitate the exercise by individuals of their rights under the GDPR,
not limited to data portability (e.g. personal data spaces and personal information
management services).
- Rights of children: Several members of the Multi-stakeholder Group stress the
need to provide information to children and the fact that many organisations
ignore that children may be concerned by their data processing. The Council
stressed that particular attention could be paid to the protection of children when
drafting codes of conduct. The protection of children is also a focus of data
protection authorities.[83]
- Right to information: some companies have a very legalistic approach, taking data
protection notices as a legal exercise, with information being quite complex,
difficult to understand or incomplete, whereas the GDPR requires that any
information should be concise and use clear and plain language.[84] It seems that
some companies do not follow the Board’s recommendations, for example as
regards listing the names of the entities with whom they share data.
- Several Member States extensively restricted data subjects’ rights through
national law, and some even beyond the margins of Article 23 of the GDPR.
- The exercise of the rights of individuals is sometimes hampered by the practices
of a few major digital players that make it difficult for individuals to choose the
settings that most protect their privacy (in violation of the requirement of data
protection by design and default[85]).[86]
[80] Article 13(1)(b) and Article 14(1)(b) GDPR.
[81] https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf
[82] See report from the Multi-stakeholder Group.
[83] See the results of a public consultation on children’s data protection rights carried out by the Irish
data protection authority: https://www.dataprotection.ie/sites/default/files/uploads/2019-09/Whose%20Rights%20Are%20They%20Anyway_Trends%20and%20Hightlights%20from%20Stream%201.pdf.
The French data protection authority also launched a public consultation in April
2020: https://www.cnil.fr/fr/la-cnil-lance-une-consultation-publique-sur-les-droits-des-mineurs-dans-lenvironnement-numerique
[84] Article 12(1) GDPR.
[85] Article 25 GDPR.
    The Board’s guidelines on data subjects’ rights are eagerly awaited by stakeholders.
    5 OPPORTUNITIES AND CHALLENGES FOR ORGANISATIONS, IN PARTICULAR
    SMALL AND MEDIUM SIZE ENTERPRISES
    Opportunities for organisations
The GDPR fosters competition and innovation. Together with the Free Flow of Non-
Personal Data Regulation,[87] it ensures the free flow of data within the EU and creates
    a level playing field with companies not established in the EU. By creating a
    harmonised framework for the protection of personal data, the GDPR ensures that all
    actors in the internal market are bound by the same rules and benefit from the same
opportunities, regardless of where they are established and where the processing
takes place. The technological neutrality of the GDPR provides the data protection
framework for new technological developments. The principles of data protection by
design and by default incentivise innovative solutions, which include data protection
    considerations from the outset and may reduce the cost of compliance with data
    protection rules.
    In addition, privacy becomes an important competitive parameter that individuals
    increasingly take into consideration when choosing their services. Those who are
    more informed and sensitive to data protection considerations look for products and
    services that ensure effective protection of personal data. The implementation of the
    right to data portability has the potential to lower the barriers to entry for businesses
    offering innovative, data-protection-friendly services. The effects of a potentially
    broader use of this right on the market in different sectors should be monitored.
    Compliance with the data protection rules and their transparent application will create
trust in the use of people’s personal data and thus new opportunities for
    businesses.
    Like all regulation, data protection rules have inherent compliance costs for
    companies. However, these costs are outweighed by the opportunities and advantages
    of strengthened trust in digital innovation and the societal benefits resulting from
    respecting a fundamental right. By ensuring a level playing field and equipping data
    protection authorities with what they need to enforce the rules effectively, the GDPR
    prevents non-compliant companies from free-riding on the trust built by those who
    follow the rules.
    Specific challenges for Small and Medium size Enterprises (SMEs)
[86] See report by the Norwegian Consumer Council, Deceived by Design, which highlighted the “dark
patterns”, default settings and other features and techniques used by companies to nudge users
towards intrusive options:
https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design/
See also the research published in December 2019 by the Transatlantic Consumer Dialogue and the
Heinrich-Böll-Stiftung Brussels European Union analysing the practices of three major global
platforms:
https://eu.boell.org/en/2019/12/11/privacy-eu-and-us-consumer-experiences-across-three-global-platforms
[87] Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018
on a framework for the free flow of non-personal data in the European Union - OJ L 303,
28.11.2018, p. 59–68.
    There is a general perception by stakeholders, but also by the European Parliament,
    the Council and data protection authorities that applying the GDPR is especially
    challenging for micro, small and medium size enterprises, and to small voluntary and
    charitable organisations.
    According to the risk-based approach, it would not be appropriate to provide
    derogations based on the size of the operators, as their size is not in itself an
    indication of the risks the processing of personal data that it undertakes can create for
    individuals. The risk-based approach pairs flexibility with effective protection. It
    takes into account the needs of SMEs that do not have processing of data as their core
    business, and calibrates their obligations in particular based on the likelihood and
severity of the risks related to the specific processing they carry out.[88]
    Small and low-risk processing should not be treated in the same way as high risk and
    frequent processing – independently of the size of the company that undertakes it.
    Therefore, as the Board concluded, “in any case, the risk-based approach promoted by
    the legislator in the text should be maintained, as risks for data subjects do not depend
on the size of controllers”.[89] The data protection authorities should fully take on board
    this principle when enforcing the GDPR, preferably within a common European
    approach in order not to create barriers to the Single Market.
    The data protection authorities developed several tools and stressed their intention to
    further improve them. Some authorities have launched awareness campaigns and will
    even hold free “GDPR classes” for SMEs.
    Examples of guidance and tools provided by data protection authorities specifically to
    SMEs
- publication of information addressed to SMEs;
- seminars for data protection officers and events for SMEs that do not need to
designate a data protection officer;
- interactive guides to assist SMEs;
- hotlines for consultations;
- templates for processing contracts and records on processing activities.
    A description of activities carried out by data protection authorities is presented in the
Board’s contribution.[90]
    Several of the actions that specifically support SMEs received EU funding. The
    Commission provided financial support through three waves of grants, for a total of
    EUR 5 million, with the two most recent ones specifically aimed at supporting
    national data protection authorities in their efforts to reach out to individuals and
    SMEs. As a result, in 2018, EUR 2 million were allocated to nine data protection
    authorities for activities in 2018-2019 (Belgium, Bulgaria, Denmark, Hungary,
Lithuania, Latvia, the Netherlands, Slovenia, and Iceland),[91] and in 2019 EUR 1
million was allocated to four data protection authorities for activities in 2020
(Belgium, Malta, Slovenia and Croatia in partnership with Ireland).[92] An additional
EUR 1 million will be allocated in 2020.
[88] Article 24(1) GDPR.
[89] See contribution from the Board, p. 35.
[90] See contribution from the Board, pages 35-45.
    Despite these initiatives, SMEs and start-ups often report that they struggle with the
implementation of the accountability principle set forth under the GDPR.[93] They
    notably report that they do not always get enough guidance and practical advice from
    the national data protection authorities, or that the time it takes to get guidance and
    advice is too long. There have also been cases where authorities were reluctant to
    engage in legal issues. When confronted with such situations, SMEs often turn to
    external advisors and lawyers to deal with the implementation of the accountability
    principle and the risk-based approach (including transparency requirements, records
    of processing and data breach notifications). This may also create further costs for
    them.
    One specific issue is the recording of processing activities, which is considered by
    SMEs and small associations as a cumbersome administrative burden. The exemption
    from that obligation in Article 30(5) GDPR is indeed very narrow. However, the
    related efforts for complying with that obligation should not be over-estimated. Where
    the core business of SMEs does not involve the processing of personal data, such
    records may be simple and not burdensome. The same applies for voluntary and other
    associations. Such simplified records would be facilitated by records templates, as is
    already the practice of some data protection authorities. In any case, everyone who
    processes personal data should have an overview on their data processing as a basic
    requirement of the accountability principle.
    The development of practical tools at EU level by the Board, such as harmonised
    forms for data breaches and simplified records of processing activities, may help
SMEs and small associations[94] whose main activities do not focus on the processing
    of personal data to meet their obligations.
    Various industry associations have made efforts to raise awareness and inform their
    members, for instance through conferences and seminars, providing businesses with
    information on available guidance, or developing a privacy assistance service for
    members. They also report an increasing number of seminars, meetings and events
    organised by think tanks and SME associations on matters related to the GDPR.
    In order to enhance the free movement of all data within the EU and to establish a
    coherent application of the GDPR and the Free Flow of Non-Personal Data
    Regulation, the Commission also issued a practical guidance on rules governing the
processing of mixed datasets, composed of both personal and non-personal data, and
targeting especially SMEs.[95]
[91] https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/rec-rdat-trai-ag-2017
[92] https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules/eu-funding-supporting-implementation-gdpr_en
[93] See report from the Multi-stakeholder Group.
[94] See contribution from the Council.
    Toolbox for businesses
    The GDPR provides for tools that help demonstrate compliance, such as codes of
    conduct, certification mechanisms, and standard contractual clauses.
    Codes of conduct
    The Board has issued guidelines [96] to support and facilitate “code owners” in drafting,
    amending or extending codes, and to provide practical guidance and interpretative
    assistance. These guidelines also clarify the procedures for the submission, approval
    and publication of codes at both national and EU level by setting out the minimum
    criteria required.
    Stakeholders consider codes of conduct as very useful tools. Although many codes are
    implemented at national level, a number of EU-wide codes of conduct are currently in
    preparation (for instance on mobile health apps, health research in genomics, cloud
    computing, direct marketing, insurance, processing by prevention and counselling
    services for children) [97]. Operators believe that EU-wide codes of conduct should be
    promoted more prominently as they foster the consistent application of the GDPR
    across all Member States.
    However, codes of conduct also require time and investment from operators both for
    their development and for the setting up of the required independent monitoring
    bodies. Representatives from SMEs stress the importance and usefulness of codes of
    conduct tailored to their situation and not entailing disproportionate costs.
    Consequently, business associations in a number of sectors implemented other kinds
    of self-regulatory tools such as codes of good practice or guidance. While such tools
    may provide useful information, they do not have the approval of data protection
    authorities and cannot serve as a tool to help demonstrate compliance with the GDPR.
    The Council stresses that codes of conduct must pay particular attention to the
    processing of children’s data and health data. The Commission is supporting code(s)
    of conduct that would harmonise the approach in health and research and facilitate
    the cross-border processing of personal data [98]. The Board is in the process of
    approving draft accreditation requirements for codes of conduct monitoring bodies put
    forward by a number of data protection authorities [99]. Once transnational or EU codes
    of conduct are ready to be submitted to data protection authorities for approval, they
    will undergo consultation of the Board. Having transnational codes of conduct rapidly
    in place is especially important for areas involving the processing of significant
    amounts of data (e.g. cloud computing) or sensitive data (e.g. health/research).
    [95] Communication from the Commission to the European Parliament and the Council - Guidance on
    the Regulation on a framework for the free flow of non-personal data in the European Union,
    COM/2019/250 final.
    [96] https://edpb.europa.eu/our-work-tools/our-documents/wytyczne/guidelines-12019-codes-conduct-and-monitoring-bodies-under_en.
    [97] See report from the Multi-stakeholder Group.
    [98] See actions announced in the European Strategy for Data, page 30.
    [99] Under Article 41(3) GDPR. See EDPB opinions at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en
    Certification
    Certification can be a useful instrument to demonstrate compliance with specific
    requirements of the GDPR. It can increase legal certainty for businesses and promote
    the GDPR globally.
    As pointed out in the study on certification published in April 2019 [100], the objective
    should be to facilitate the uptake of relevant schemes. The development of
    certification schemes in the EU will be supported by the guidelines issued by the
    Board on certification criteria [101] and on the accreditation of certification bodies [102].
    Security and data protection by design are key elements to be considered in
    certification schemes under the GDPR and would benefit from a common and
    ambitious approach throughout the EU. The Commission will continue to support the
    current contacts between the European Union Agency for Cybersecurity (ENISA), the
    data protection authorities and the Board.
    As regards cybersecurity, following the adoption of the Cybersecurity Act the
    Commission requested that ENISA prepare two certification schemes including one
    scheme for cloud services [103]. Further schemes addressing the cybersecurity of
    services and products for consumers are under consideration. While these certification
    schemes established under the Cybersecurity Act do not explicitly address data
    protection and privacy, they contribute to increasing consumers’ trust in digital
    services and products. Such schemes may provide evidence of adherence to the
    principles of security by design as well as the implementation of appropriate technical
    and organisational measures related to the security of processing of personal data.
    Standard contractual clauses
    The Commission is working on standard contractual clauses between controllers and
    processors [104], also in light of the modernisation of the standard contractual clauses for
    international transfers (see Section 7.2). A Union act, adopted by the Commission,
    will have EU-wide binding effect which will ensure full harmonisation and legal
    certainty.
    6 THE APPLICATION OF THE GDPR TO NEW TECHNOLOGIES
    A technology neutral framework open to new technologies
    The GDPR is technology-neutral, trust-enabling, and based on principles [105]. These
    principles, including lawful and transparent processing, purpose limitation and data
    minimisation, provide for a solid basis for the protection of personal data, irrespective
    of the processing operations and techniques applied.
    [100] https://ec.europa.eu/info/study-data-protection-certification-mechanisms_en
    [101] https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-12018-certification-and-identifying-certification_en.
    [102] https://edpb.europa.eu/our-work-tools/our-documents/retningslinjer/guidelines-42018-accreditation-certification-bodies_en.
    Several supervisory authorities have already submitted their accreditation requirements to the
    EDPB, both for code of conduct monitoring bodies and for certification bodies. See the overview
    at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
    [103] https://ec.europa.eu/digital-single-market/en/news/towards-more-secure-and-trusted-cloud-europe
    [104] Article 28(7) GDPR.
    [105] As recalled by the Council, the European Parliament and the Board in their contributions to the
    evaluation.
    Members of the Multi-stakeholder Group report that overall the GDPR has a positive
    impact on the development of new technologies and provides a good basis for
    innovation. The GDPR is seen as an essential and flexible tool for ensuring the
    development of new technologies in accordance with fundamental rights. The
    implementation of its core principles is particularly crucial for data-intensive
    processing. The GDPR’s risk-based and technology-neutral approach provides a level
    of data protection that is adequate to address the risk of processing, including by
    emerging technologies.
    In particular, stakeholders mention that the GDPR’s principles of purpose limitation
    and further compatible processing, data minimisation, storage limitation,
    transparency, accountability and the conditions under which automated decision
    making processes [106] can be legally deployed to a large extent address the concerns
    related to the use of artificial intelligence.
    The future-proof and risk-based approach of the GDPR will also be applied in the
    possible future framework for artificial intelligence and when implementing the Data
    Strategy. The Data Strategy aims at fostering data availability and at the creation of
    common European data spaces supported by federated cloud infrastructure services.
    As regards personal data, the GDPR provides the main legal framework, within which
    effective solutions can be devised on a case-by-case basis depending on the nature
    and content of each data space.
    The GDPR has increased awareness about the protection of personal data both within
    and outside the EU and has prompted companies to adapt their practices to take into
    account data protection principles when innovating. However, civil society
    organisations note that, although the GDPR’s impact on the development of new
    technologies appears positive, the practices of major digital players have not yet
    fundamentally changed towards more privacy-friendly processing. Strong and
    effective enforcement of the GDPR vis-à-vis large digital platforms and integrated
    companies, including in areas such as online advertising and micro-targeting, is an
    essential element for protecting individuals.
    The Commission is analysing the broader issues related to the market behaviours of
    large digital players in the context of the Digital Services Act package [107]. As regards
    research in the field of social media, the Commission recalls that the GDPR cannot be
    used as an excuse by social media platforms to limit researchers’ and fact-checkers’
    access to non-personal data such as statistics on which targeted ads have been sent to
    which categories of people, the criteria for designing this targeting, information on
    fake accounts, etc.
    The GDPR’s technologically-neutral and future-proof approach was put to the test
    during the COVID-19 pandemic and has proven to be successful. Its principles-based
    rules supported the development of tools to combat and monitor the spread of the
    virus.
    [106] However, stakeholders observe that not all automated decision-making processes in an artificial
    intelligence context fall under Article 22 GDPR.
    [107] https://ec.europa.eu/commission/presscorner/detail/en/ip_20_962
    Challenges to be addressed
    The development and application of new technologies do not put these principles into
    question. The challenges lie in clarifying how to apply the proven principles to the use
    of specific technologies such as artificial intelligence, blockchain, Internet of Things,
    facial recognition or quantum computing.
    In this context, the European Parliament and the Council stressed the need for
    continuous monitoring to clarify how the GDPR applies to new technologies and big
    tech companies. In addition, stakeholders warn that the assessment of whether the
    GDPR remains fit for purpose also requires constant monitoring.
    Industry stakeholders stress that innovation requires that the GDPR is applied in a
    principle-based way, in line with its design, rather than in a rigid and formal manner.
    They are of the view that the Board’s guidelines on how to apply the GDPR principles,
    concepts and rules to new technologies such as artificial intelligence, blockchain or
    Internet of Things, taking into account the risk-based approach, would help provide
    clarifications and more legal certainty. Such soft law tools are well suited to
    accompany the GDPR’s application to new technologies since they provide for
    more legal certainty and can be reviewed in line with technological developments.
    Some stakeholders also suggest that sectoral guidance on how to apply the GDPR to
    new technologies could be helpful.
    The Board stated that it will continue to consider the impact of emerging technologies
    on the protection of personal data.
    Stakeholders also underline the importance for regulators to get a thorough
    understanding of how technology is being used and to engage in a dialogue with
    industry on the development of emerging technologies. They consider that a
    ‘regulatory sandbox’ approach – as a means to obtain guidance on the application of
    the rules – could be an interesting option to test new technologies and help businesses
    apply the data protection by design and by default principle in new technologies.
    In terms of further policy action, stakeholders recommend that any future policy
    proposals on artificial intelligence should build on the existing legal frameworks and
    be aligned with the GDPR. Potential specific issues should be carefully assessed,
    based on relevant evidence, before new prescriptive rules are proposed.
    The Commission White Paper on Artificial Intelligence puts forward a number of
    policy options on which stakeholders’ views were sought until 14 June 2020. As
    regards facial recognition, a technology that may significantly impact individuals’
    rights, the White Paper recalled the current legislative framework and opened a public
    debate on the specific circumstances, if any, which might justify the use of artificial
    intelligence for facial recognition and other remote biometric identification purposes
    in public places, and on common safeguards.
    7 INTERNATIONAL TRANSFERS AND GLOBAL COOPERATION
    7.1 Privacy: a global issue
    The demand for the protection of personal data knows no borders, as individuals
    around the world increasingly cherish and value the privacy and security of their data.
    At the same time, the importance of data flows for individuals, governments,
    companies and, more generally, society at large is an inescapable fact in our
    interconnected world. They constitute an integral part of trade, cooperation between
    public authorities and social interactions. In that respect, the current COVID-19
    pandemic also highlights how critical the transfer and exchange of personal data are
    for many essential activities, including ensuring the continuity of government and
    business operations – by enabling teleworking and other solutions that heavily rely on
    information and communication technologies – developing cooperation in scientific
    research on diagnostics, treatments and vaccines, and fighting new forms of
    cybercrime such as online fraud schemes offering counterfeit medicines claiming to
    prevent or cure COVID-19.
    Against this background, and more than ever before, protecting privacy and
    facilitating data flows have to go hand in hand. The EU, with its data protection
    regime combining openness to international transfers with a high level of protection
    for individuals, is very well placed to promote safe and trusted data flows. The GDPR
    has already emerged as a reference point at international level and acted as a catalyst
    for many countries around the world to consider introducing modern privacy rules.
    This is a truly global trend running, to mention just a few examples, from Chile to
    South Korea, from Brazil to Japan, from Kenya to India, from Tunisia to Indonesia,
    and from California to Taiwan. These developments are remarkable not only from a
    quantitative but also from a qualitative point of view: many of the privacy laws
    recently adopted, or in the process of being adopted, are based on a core set of
    common safeguards, rights and enforcement mechanisms that are shared by the EU.
    In a world that is too often characterised by different, if not divergent, regulatory
    approaches, this trend towards global convergence is a very positive development that
    brings new opportunities for increasing the protection of individuals in Europe while,
    at the same time, facilitating data flows and lowering transaction costs for business
    operators.
    To seize these opportunities and implement the strategy set out in its 2017
    Communication on “Exchanging and Protecting Personal Data in a Globalised
    World” [108], the Commission has significantly stepped up its work on the international
    dimension of privacy, making full use of the available transfer ‘toolbox’, as explained
    below. This included actively engaging with key partners with a view to reaching an
    “adequacy finding” and yielded important results, such as the creation of the world’s
    largest area of free and safe data flows between the EU and Japan.
    Besides its adequacy work, the Commission has worked closely with data protection
    authorities within the Board, as well as with other stakeholders, to harness the full
    potential of the GDPR’s flexible rules for international transfers. This concerns the
    modernisation of instruments such as standard contractual clauses, the development of
    certification schemes, codes of conduct or administrative arrangements for data
    exchanges between public authorities, as well as the clarification of key concepts
    relating to, for example, the territorial scope of EU data protection rules or the use of
    so-called “derogations” to transfer personal data.
    [108] Communication from the Commission to the European Parliament and the Council ‘Exchanging
    and Protecting Personal Data in a Globalised World’, 10.1.2017 (COM(2017) 7 final).
    Finally, the Commission intensified its dialogue in a number of bilateral, regional and
    multilateral fora to foster a global culture of respect for privacy and develop elements
    of convergence between different privacy systems. In its efforts, the Commission
    could count on the active support of the European External Action Service and the
    network of EU delegations in third countries and missions to international
    organisations. This also ensured coherence and greater complementarity between
    different aspects of the external dimension of EU policies – from trade to the new
    Africa-EU Partnership.
    7.2 The GDPR transfer toolbox
    As more and more private and public operators rely on international data flows as part
    of their routine operations, there is an increasing need for flexible instruments that can
    be adapted to different sectors, business models and transfer situations. Reflecting
    these needs, the GDPR offers a modernised toolbox that facilitates the transfer of
    personal data from the EU to a third country or international organisation, while
    ensuring that the data continues to benefit from a high level of protection. This
    continuity of protection is important, given that in today’s world data moves easily
    across borders and the protections guaranteed by the GDPR would be incomplete if
    they were limited to processing inside the EU.
    With Chapter V of the GDPR, the legislator confirmed the architecture of the transfer
    rules that already existed under Directive 95/46: data transfers may take place where
    the Commission has made an adequacy finding with respect to a third country or
    international organisation or, in the absence thereof, where the controller or processor
    in the EU (“data exporter”) has provided appropriate safeguards, for instance through
    a contract with the recipient (“data importer”). In addition, statutory grounds for
    transfers (so-called derogations) remain available for specific situations for which the
    legislator has decided that the balance of interests allows a data transfer under certain
    conditions. At the same time, the reform has clarified and simplified the existing
    rules, for instance by stipulating in detail the conditions for an adequacy finding or
    binding corporate rules, by limiting authorisation requirements to very few, specific
    cases and completely abolishing notification requirements. Moreover, new transfer
    tools like codes of conduct or certification schemes have been introduced and the
    possibilities for using existing instruments (e.g. standard contractual clauses) have
    been expanded.
    Today’s digital economy allows foreign operators to (remotely but) directly
    participate in the EU internal market and to compete for European customers and their
    personal data. Where they specifically target Europeans through the offering of goods
    or services, or monitoring of their behaviour, they should comply with EU law in the
    same way as EU operators. This is reflected in Article 3 of the GDPR, which extends
    the direct applicability of EU data protection rules to certain processing operations of
    controllers and processors outside the EU. This guarantees the necessary safeguards,
    and moreover a level playing field for all companies operating in the EU market.
    Its broad reach is one of the reasons why the effects of the GDPR have also been felt
    in other parts of the world. The detailed guidance issued by the Board on the GDPR
    territorial scope, following a comprehensive public consultation, is therefore
    important to help foreign operators determine whether and which processing activities
    are directly subject to its safeguards, including by providing concrete examples [109].
    The extension of the scope of application of EU data protection law, however, in and
    of itself is not sufficient to guarantee its respect in practice. As also highlighted by the
    Council [110], it is crucial to ensure compliance by, and effective enforcement against,
    foreign operators. The appointment of a representative in the EU (Article 27(1), (2) of
    the GDPR), who can be addressed by individuals and supervisory authorities in
    addition to or instead of the responsible company acting from abroad [111], should play a
    key role in this regard. This approach, which is also increasingly taken in other
    contexts [112], should be pursued more vigorously to send a clear message that the lack
    of an establishment in the EU does not relieve foreign operators of their responsibility
    under the GDPR. Where these operators fail to meet their obligation to appoint a
    representative [113], supervisory authorities should make use of the full enforcement
    toolbox in Article 58 of the GDPR (e.g. public warnings, temporary or definitive bans
    on processing in the EU, enforcement against joint controllers established in the EU).
    Finally, it is very important that the Board finalises its work on further clarifying the
    relationship between Article 3 on the direct application of the GDPR and the rules on
    international transfers in Chapter V [114].
    Adequacy decisions
    The input received from stakeholders confirms that adequacy decisions continue to be
    an essential tool for EU operators to safely transfer personal data to third countries [115].
    Such decisions provide the most comprehensive, straightforward and cost-effective
    solution for data transfers as these are assimilated to intra-EU transmissions, thus
    ensuring the safe and free flow of personal data without further conditions or need for
    authorisation. Adequacy decisions therefore open up commercial channels for EU
    operators and facilitate cooperation between public authorities, while providing
    privileged access to the EU single market. Building on the practice under the 1995
    Directive, the GDPR explicitly allows for an adequacy determination to be made with
    respect to a particular territory of a third country or to a specific sector or industry
    within a third country (so-called ‘partial’ adequacy).
    [109] EDPB, Guidelines 2/2018 on the territorial scope of the GDPR, 12.11.2019. The Guidelines address
    several of the points raised during the public consultation, for instance the interpretation of the
    targeting and monitoring criteria.
    [110] See Council position and findings, paras 34, 35 and 38.
    [111] See Article 27(4) and Recital 80 GDPR (“The designated representative should be subject to
    enforcement proceedings in the event of non-compliance by the controller or processor”).
    [112] Proposal for a Directive of the European Parliament and of the Council laying down harmonised
    rules on the appointment of legal representatives for the purpose of gathering evidence in criminal
    proceedings (COM/2018/226 final), Article 3; Proposal for a Regulation of the European
    Parliament and of the Council on preventing the dissemination of terrorist content online
    (COM(2018) 640 final), Article 16(2), (3).
    [113] According to one submission to the public consultation, one of the main points to address “is
    effective enforcement and real consequences for those who chose to ignore this requirement […] It
    should be borne in mind in particular that this also places businesses established in the Union at a
    competitive disadvantage to those noncompliant businesses established outside the Union trading
    into the Union.” See EU Business Partners, submission of 29 April 2020.
    [114] Several submissions to the public consultation have raised this point, for instance as regards the
    transmission of personal data to recipients outside the EU but covered by the GDPR.
    [115] Council position and findings, paragraph 17; Contribution from the Board, pp. 5-6. Several
    submissions to the public consultation, including from a number of business associations (like the
    French Association of Large Companies, Digital Europe, the Global Data Alliance/BSA, the
    Computer & Communication Industry Association (CCIA) or the US Chamber of Commerce) have
    called for stepping-up the work on adequacy findings, especially with important trading partners.
    The GDPR builds upon the experience of the past years and the clarifications
    provided by the Court of Justice by setting out a detailed catalogue of elements that
    the Commission must take into account in its assessment. The adequacy standard
    requires a level of protection that is comparable (or ‘essentially equivalent’) to that
    ensured within the EU [116]. This involves a comprehensive assessment of the third
    country’s system as a whole, including the substance of privacy protections, their
    effective implementation and enforcement, as well as the rules on access to personal
    data by public authorities, in particular for law enforcement and national security
    purposes [117].
    This is also reflected in the guidance adopted by the former Article 29 Working Party
    (and endorsed by the Board), in particular the so-called ‘adequacy referential’, which
    further clarifies the elements that the Commission must take into account when
    carrying out an adequacy assessment, including by providing an overview of
    ‘essential guarantees’ for access to personal data by public authorities [118]. The latter
    builds in particular on the case law of the European Court of Human Rights. While
    the standard of ‘essential equivalence’ does not involve a point-to-point replication
    (‘photocopy’) of EU rules, given that the means of ensuring a comparable level of
    protection may vary between different privacy systems, often reflecting different legal
    traditions, it nevertheless requires a strong level of protection.
    This standard is justified by the fact that an adequacy decision essentially extends to a
    third country the benefits of the single market in terms of the free flow of data.
    However, it also means that sometimes there will be relevant differences between the
    level of protection ensured in the third country in question compared to the GDPR
    that need to be bridged, for instance through the negotiation of additional safeguards.
    Such safeguards should be viewed positively as they further strengthen the protections
    available to individuals in the EU. At the same time, the Commission agrees with the
    Board on the importance of continuously monitoring their application in practice,
    including effective enforcement by the third country data protection authority [119].
    The GDPR clarifies that adequacy decisions are ‘living instruments’ that should be
    continuously monitored and periodically reviewed [120]. In line with these requirements,
    the Commission has regular exchanges with the relevant authorities to pro-actively
    follow up on new developments. For example, since the adoption of the decision on
    the EU-U.S. Privacy Shield in 2016 [121], the Commission, together with representatives
    from the Board, carried out three annual reviews to evaluate all aspects of the
    functioning of the framework [122]. These reviews relied on information obtained
    through exchanges with the U.S. authorities as well as input from other stakeholders,
    such as EU data protection authorities, civil society and trade associations. They have
    made it possible to improve the practical functioning of various elements of the
    framework. In a wider perspective, the annual reviews contributed to establishing a
    broader dialogue with the U.S. administration on privacy in general, and the
    limitations and safeguards with respect to national security in particular.
    As part of its first evaluation of the GDPR, the Commission is also required to review
    the adequacy decisions adopted under the 1995 Directive [123]. The Commission
    services have engaged in an intense dialogue with each of the 11 concerned countries
    and territories to assess how their personal data protection systems have evolved since
    the adequacy decision was adopted and whether they meet the standard set by the
    GDPR. The need to ensure the continuity of such decisions, as they are a key tool for
    trade and international cooperation, is one of the factors that has prompted several of
    these countries and territories to modernise and strengthen their privacy laws. These
    are certainly welcome developments. Additional safeguards are being discussed with
    some of these countries and territories to address relevant differences in protection.
    However, given that the Court of Justice in a judgment to be delivered on 16 July may
    provide clarifications that could be relevant for certain elements of the adequacy
    standard, the Commission will report separately on the evaluation of the mentioned 11
    adequacy decisions after the Court of Justice has handed down its judgment in that
    case [124].
    [116] Judgment of the Court of Justice of the EU of 6 October 2015 in Case C-362/14, Maximillian
    Schrems v Data Protection Commissioner (‘Schrems’), points 73, 74 and 96. See also Recital 104 of
    the GDPR, which refers to the standard of essential equivalence.
    [117] Article 45(2) and Recital 104 GDPR. See also Schrems, points 75, 91-91.
    [118] Adequacy Referential, WP 254 rev. 01, 6 February 2018 (available at:
    https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108).
    [119] Contribution from the Board, pp. 5-6.
    [120] Article 45(4) and (5) GDPR require the Commission to monitor developments in third countries on
    an ongoing basis and to regularly – at least every four years – review an adequacy finding. They
    also give the Commission the power to repeal, amend or suspend an adequacy decision if it finds
    that the country or international organisation concerned no longer ensures an adequate level of
    protection. Article 97(2)(a) GDPR furthermore requires the Commission to submit an evaluation
    report to the European Parliament and the Council by 2020. See also the judgment of the Court of
    Justice of the EU of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection
    Commissioner, point 76.
    121
    Commission implementing decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive
    95/46/EC of the European Parliament and of the Council on the adequacy of the protection
    provided by the EU-U.S. Privacy Shield. This adequacy decision is a specific case that, in the
    absence of general data protection legislation in the U.S., relies on commitments made by
    participating companies (that are enforceable under U.S. law) to apply the data protection standards
    set out by this arrangement. Moreover, the Privacy Shield builds on the specific representations and
    assurances made by the U.S. government as regards access for national security purposes that
    underpin the adequacy finding
    122
    Reviews took place in 2017 (Report from the Commission to the European Parliament and the
    Council on the first annual review of the functioning of the EU-U.S. Privacy Shield, COM(2017)
    611 final), 2018 (Report from the Commission to the European Parliament and the Council on the
    second annual review of the functioning of the EU-U.S. Privacy Shield, COM(2018) 860 final) and
    2019 (Report from the Commission to the Parliament and the Council on the third annual review of
    the functioning of the EU-U.S. Privacy Shield, COM(2019) 495 final).
    123
    These existing adequacy decisions concern countries that are closely integrated with the European
    Union and its Member States (Switzerland, Andorra, Faroe Islands, Guernsey, Jersey, Isle of Man),
    important trading partners (e.g. Argentina, Canada, Israel), and countries that played a pioneering
    role in developing data protection laws in their region (New Zealand, Uruguay)
    124
    Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems
    (“Schrems II”), concerns a reference for a preliminary ruling on the so-called standard contractual
    clauses. However, certain elements of the adequacy standard may also be further clarified by the
    34
    Implementing the strategy laid down in its 2017 Communication on “Exchanging and
    Protecting Personal Data in a Globalised World”, the Commission also engaged in
    new adequacy dialogues125
    . This work already yielded significant results involving
    key partners of the EU. In January 2019, the Commission adopted its adequacy
    decision for Japan, which is based on a high degree of convergence, including through
    specific safeguards such as in the area of onward transfers and through the creation of
    a mechanism to investigate and resolve individuals’ complaints concerning
    government access to personal data for law enforcement and national security
    purposes.
    As the first adequacy finding adopted under the GDPR, the framework agreed with
    Japan provides a useful precedent for future decisions126
    . This includes the fact that it
    was reciprocated on the Japanese side with an “adequacy” finding for the EU.
    Together, these mutual adequacy findings create the largest area of safe and free
    personal data flows in the world, thereby complementing the EU-Japan Economic
    Partnership Agreement. In fact, the arrangement supports around EUR 124 billion of
    trade in goods and EUR 42.5 billion of trade in services every year.
    The adequacy process is also at an advanced stage with South Korea. One important
    outcome thereof is South Korea’s recent legislative reform that led to the
    establishment of an independent data protection authority equipped with strong
    enforcement powers. This illustrates how an adequacy dialogue can contribute to
    increased convergence between the EU’s data protection rules and those of a foreign
    country.
    The Commission fully agrees with the call from stakeholders to intensify the dialogue
    with selected third countries in view of possible new adequacy findings127
    . It is
    actively exploring this possibility with other important partners in Asia, Latin
    America and the Neighbourhood, building on the current trend towards upward global
    convergence in data protection standards. For example, comprehensive privacy
    legislation has been adopted or is at an advanced stage of the legislative process in
    Latin America (Brazil, Chile), and promising developments are taking place in Asia
    (e.g. India, Indonesia, Malaysia, Sri Lanka, Taiwan and Thailand), Africa (e.g.
    Ethiopia, Kenya) as well as in the European Eastern and Southern neighbourhood
    Court. The hearing in this case took place on 9 July 2019 and the judgment has been announced for
    16 July 2020.
    125
    See supra fn 109. The Commission explained that the following criteria will be taken into account
    when assessing with which third countries a dialogue on adequacy should be pursued: (i) the extent
    of the EU's (actual or potential) commercial relations with the third country, including the existence
    of a free trade agreement or ongoing negotiations; (ii) the extent of personal data flows from the
    EU, reflecting geographical and/or cultural ties; (iii) the country’s pioneering role in the field of
    privacy and data protection that could serve as a model for other countries in its region; and (iv) the
    overall political relationship with the country, in particular as regards the promotion of common
    values and shared objectives at international level.
    126
    European Parliament, Resolution of 13 December 2018 on the adequacy of the protection of
    personal data afforded by Japan (2018/2979(RSP)), point 27; Contribution from the Board, pp. 5-6.
    127
    See e.g. European Parliament, Resolution of 12 December 2017 on ‘Towards a digital trade
    strategy’ (2017/2065(INI)), points 8, 9; Council position and findings on the application of the
    General Data Protection Regulation (GDPR), 19.12.2019 (14994/1/19), paragraph 17; Contribution
    from the Board, p. 5.
    35
    (e.g. Georgia, Tunisia). Where possible, the Commission will work towards achieving
    comprehensive adequacy decisions covering both the private and public sector128
    .
    Moreover, the GDPR also introduced the possibility for the Commission to adopt
    adequacy findings for international organisations. At a time when some international
    organisations are modernising their data protection regimes by putting in place
    comprehensive rules, as well as mechanisms that provide independent oversight and
    redress, this avenue could be explored for the first time.
Adequacy also plays an important role in the context of the relationship with the
United Kingdom following Brexit, provided that the applicable conditions are met. It
constitutes an enabling factor for trade, including digital trade, and an essential
prerequisite for a close and ambitious cooperation in the area of law enforcement and
security.[129] Moreover, given the significance of data flows with the UK and its
proximity to the EU market, a high degree of convergence between data protection
rules on both sides of the Channel is an important element for ensuring a level
playing field. In line with the Political Declaration on the Future Relationship
between the EU and the UK, the Commission is currently carrying out an adequacy
assessment under both the GDPR and the Law Enforcement Directive.[130]
Considering the autonomous and unilateral nature of an adequacy assessment, these
talks follow a separate track from the negotiations on an agreement on the future
relationship between the EU and the UK.
Finally, the Commission welcomes that other countries are putting in place data
transfer mechanisms similar to an adequacy finding. In doing so, they often recognise
the EU, and countries for which the Commission has adopted an adequacy decision, as
safe destinations for transfers.[131] The growing number of countries benefitting from
EU adequacy decisions, on the one hand, and this form of recognition by other
countries, on the other hand, has the potential of creating a network of countries
where data can flow freely and safely. The Commission considers this a welcome
development that will further increase the benefits of an adequacy decision for third
countries and contribute to global convergence. This type of synergy can also
usefully contribute to the development of frameworks for the safe and free flow of
data, such as in the context of the ‘data free flow with trust’ initiative (see below).

[128] As also requested by the Council, see Council position and findings on the application of the
General Data Protection Regulation (GDPR), 19.12.2019 (14994/1/19), paragraphs 17 and 40.
However, this requires that the conditions for an adequacy finding concerning data transfers to
public authorities are met, including as regards independent oversight.
[129] See the negotiating directives annexed to the Council Decision authorising the opening of
negotiations with the United Kingdom of Great Britain and Northern Ireland for a new partnership
agreement (ST 5870/20 ADD 1 REV 3), paragraphs 13 and 118.
[130] See revised text of the political declaration setting out the framework for the future relationship
between the European Union and the United Kingdom as agreed at negotiators’ level on 17 October
2019, paragraphs 8-10 (available at https://ec.europa.eu/commission/sites/beta-political/files/revised_political_declaration.pdf).
[131] For example, by Argentina, Colombia, Israel, Switzerland or Uruguay.

Appropriate safeguards
The GDPR provides for a number of other transfer instruments beyond the
comprehensive solution of an adequacy finding. The flexibility of this “toolbox” is
demonstrated by Article 46 GDPR, which regulates data transfers based on
“appropriate safeguards”, including enforceable data subject rights and effective legal
remedies. To guarantee appropriate safeguards, different instruments are available in
order to cater to the transfer needs of both commercial operators and public bodies.
• Standard contractual clauses (SCCs)
    The first group of these instruments concerns contractual tools, which can be either
    tailor-made, ad hoc data protection clauses agreed between an EU data exporter and a
    data importer outside the EU authorised by the competent data protection authority
(Article 46(3)(a) GDPR) or model clauses pre-approved by the Commission (Article
46(2)(c), (d) GDPR[132]). The most important of these instruments are so-called
    standard contractual clauses (SCCs), i.e. model data protection clauses which the data
    exporter and the data importer can incorporate into their contractual arrangements
    (e.g. a service contract requiring the transfer of personal data) on a voluntary basis
    and that set out the requirements related to appropriate safeguards.
SCCs represent by far the most widely used data transfer mechanism.[133] Thousands of
    EU companies rely on SCCs in order to provide a wide range of services to their
    clients, suppliers, partners and employees, including services essential to the
    functioning of the economy. Their broad use indicates that they are very helpful to
    businesses in their compliance efforts and of particular benefit to companies that do
    not have the resources to negotiate individual contracts with each of their commercial
    partners. Through their standardisation and pre-approval, SCCs provide companies
    with an easy-to-implement tool to meet data protection requirements in a transfer
    context.
The existing sets of SCCs[134] were adopted and approved on the basis of the 1995
Directive. These SCCs remain in force until amended, replaced or repealed, if
necessary, by a Commission decision (Article 46(5) of the GDPR). The GDPR
expands the possibilities to use SCCs both within the EU and for international
transfers. The Commission is working together with stakeholders to make use of these
possibilities and to update existing clauses.[135] In order to ensure that the future design
of SCCs is fit for purpose, the Commission has been collecting feedback on
stakeholders’ experiences with SCCs, through the ‘Multi-stakeholder Group on the
GDPR’ and a dedicated workshop held in September 2019, but also via multiple
contacts with companies using SCCs as well as civil society organisations. The Board
is also updating a number of guidelines that could be relevant for the review of SCCs,
for instance on the concepts of controller and processor.

[132] Standard contractual clauses (SCCs) for international transfers always require Commission
approval, but may be prepared either by the Commission itself or by a national DPA. All existing
SCCs fall into the first category.
[133] According to the IAPP-EY Annual Privacy Governance Report 2019, “the most popular of these
[transfer] tools – year over year – are overwhelmingly standard contractual contracts: 88% of
respondents in this year’s survey reported SCCs as their top method for extraterritorial data
transfers, followed by compliance with the EU-U.S. Privacy Shield arrangement (60%). For
respondents transferring data from the EU to the U.K. (52%), 91% report they intend to use SCCs
for data-transfer compliance after Brexit”.
[134] There are currently three sets of standard contractual clauses adopted by the Commission for the
transfer of personal data to third countries: two for transfers from an EEA-controller to a non-EEA
controller and one for transfers from an EEA-controller to a non-EEA-processor. They were
amended in 2016, further to the judgment of the Court of Justice in the Schrems I case (C-362/14),
to remove any restrictions on the competent supervisory authorities to exercise their powers to
oversee data transfers. See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
[135] See also Contribution from the Board, pp. 6-7. Likewise, the Council has called on the Commission
“to review and revise [the SCCs] in the near future to take into account the needs of controllers and
processors”. See Council position and findings.

    Building on the feedback received, the Commission services are currently working on
    revising the SCCs. In that context, a number of areas for improvement have been
    identified, in particular with regard to the following aspects:
    1. Updating the SCCs in light of new requirements introduced by the GDPR, such
    as those concerning the controller-processor relationship under Article 28 GDPR
    (in particular the processor obligations), the transparency obligations of the data
    importer (in terms of the necessary information to be provided to the data
    subject), etc.
2. Addressing a number of transfer scenarios that are not covered by the current
SCCs, such as the transfer of data from an EU processor to a non-EU (sub)
processor, but also for instance situations where the controller is located outside
the EU.[136]
    3. Better reflecting the realities of processing operations in the modern digital
    economy, where such operations often involve multiple data importers and
    exporters, long and often complex processing chains, evolving business
    relationships, etc. In order to cater for such situations, solutions being explored
    include, for example, the possibility to enable the signing of SCCs by multiple
    parties or accession of new parties throughout the lifetime of the contract.
    In addressing these points, the Commission is also considering ways to make the
    current ‘architecture’ of the SCCs more user friendly, for example by replacing
    multiple sets of SCCs by a single comprehensive document. The challenge is to strike
    a good balance between the need for clarity and a certain degree of standardisation, on
    the one hand, and the necessary flexibility that will allow the clauses to be used by a
    number of operators with different requirements, in different contexts and for
    different types of transfers, on the other hand.
Another important aspect to consider is the possible need, in light of current litigation
before the Court of Justice,[137] to further clarify the safeguards as regards access by
foreign public authorities to data transferred based on SCCs, in particular for national
security purposes. This may include requiring the data importer or the data exporter,
or both, to take action, and to clarify the role of data protection authorities in that
context. Although the revision of the SCCs is well-advanced, it will be necessary to
wait for the judgment of the Court to reflect any possible additional requirement in the
revised clauses, before a draft decision on a new set of SCCs can be submitted to the
Board for its opinion and then proposed for adoption through the “comitology
procedure”.[138]

[136] Several submissions to the public consultation have commented on this last scenario, often raising
concerns that requiring EU processors to ensure appropriate safeguards in their relationship with
non-EU controllers would place them at a competitive disadvantage vis-à-vis foreign processors
offering similar services.
[137] See Schrems II case.

    In parallel, the Commission is in contact with international partners that are
developing similar tools.[139]
    This dialogue, allowing for an exchange of experiences
    and best practices, could significantly contribute to further developing convergence
    ‘on the ground’, and in this way facilitate compliance with cross-border transfer rules
    for companies operating across different regions of the world.
• Binding corporate rules (BCRs)
Another important instrument is the so-called binding corporate rules (BCRs). These
are legally binding policies and arrangements that apply to the members of a
corporate group, including their employees (Articles 46(2)(b) and 47 of the GDPR). The
use of BCRs allows personal data to move freely among the various group members
worldwide – dispensing with the need to have contractual arrangements between each
and every corporate entity – while ensuring that the same high level of protection of
personal data is complied with throughout the group. They offer a particularly good
solution for complex and large corporate groups and for close cooperation of
enterprises exchanging data across multiple jurisdictions. Unlike under the 1995
Directive, BCRs can under the GDPR also be used by a group of enterprises engaged in a
joint economic activity but not forming part of the same corporate group.
Procedurally, BCRs have to be approved by the competent data protection authorities,
based on a non-binding opinion by the Board.[140] To guide this process, the Board has
reviewed the BCR ‘referentials’ (setting out substantive standards) for controllers[141]
and processors[142] in light of the GDPR, and continues to update these documents on
the basis of the practical experience gained by supervisory authorities. It has also
adopted various guidance documents to help applicants, and streamline the
application and approval process for BCRs.[143] According to the Board, more than 40
BCRs are currently in the pipeline for approval, half of which are expected to be
approved by the end of 2020.[144] It is important that data protection authorities
continue working on further streamlining the approval process, as the length of such
procedures is often mentioned by stakeholders as a practical obstacle to the broader
use of BCRs.

[138] In accordance with Article 46(2)(c) GDPR, standard contractual clauses have to be adopted through
the examination procedure laid down under Article 5 of Regulation (EU) No 182/2011 of the
European Parliament and of the Council of 16 February 2011 laying down the rules and general
principles concerning mechanisms for control by Member States of the Commission’s exercise of
implementing powers - OJ L 55, 28.2.2011, p. 13–18. This involves in particular a positive decision
from a committee composed of representatives of the Member States.
[139] This includes, for instance, the work currently being carried out by the ASEAN Member States to
develop ‘ASEAN model contractual clauses’. See ASEAN, Key Approaches for ASEAN Cross
Border Data Flows Mechanism (available at: https://asean.org/storage/2012/05/Key-Approaches-for-ASEAN-Cross-Border-Data-Flows-Mechanism.pdf).
[140] For an overview of the EDPB opinions rendered so far, see https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
[141] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109.
[142] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110.
[143] These documents were adopted (by the former Article 29 Working Party) following the entry into
force of the GDPR, but before the end of the transition period. See WP263
(https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623056); WP264
(https://edpb.europa.eu/sites/edpb/files/files/file2/wp264_art29_wp_bcr-c_application_form.pdf);
WP265 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623848).
[144] Contribution from the Board, p. 7.

    Finally, regarding specifically BCRs approved by the UK data protection authority –
the Information Commissioner’s Office – companies will be able to continue to use
    them as a valid transfer mechanism under the GDPR after the end of the transition
    period under the EU-UK Withdrawal Agreement, but only if they are amended so that
    any connection to the UK legal order is replaced with appropriate references to
    corporate entities and competent authorities within the EU. The approval of any new
    BCRs should be sought from one of the supervisory authorities in the EU.
• Certification mechanisms and codes of conduct
    In addition to modernising and broadening the application of the already existing
    transfer tools, the GDPR has also introduced new instruments, thereby expanding the
    possibilities for international transfers. This includes the use, under certain conditions,
    of approved codes of conduct and certification mechanisms (such as privacy seals or
    marks) for ensuring appropriate safeguards. These are bottom-up tools that allow for
    tailor-made solutions – as a general accountability mechanism (see Articles 40 to 42
    of the GDPR) and, specifically, for international data transfers – reflecting, for
    instance, the specific features and needs of a given sector or industry, or of particular
    data flows. By calibrating the obligations with the risks, Codes of Conduct can also be
    a very useful and cost-effective way for small and medium-sized businesses to meet
    their GDPR obligations.
    As regards certification mechanisms, although the Board adopted guidelines to foster
    their use within the EU, its work on developing criteria to approve certification
    mechanisms as international transfer tools is still ongoing. The same is true for codes
    of conduct, regarding which the Board is currently working on guidelines for using
    them as a tool for transfers.
    Given the importance of providing operators with a broad range of transfer
    instruments that are adapted to their needs, and the potential that in particular
    certification mechanisms hold for facilitating data transfers while ensuring a high
    level of data protection, the Commission urges the Board to finalise as soon as
    possible its guidance in this regard. This concerns both substantive (criteria) and
    procedural aspects (approval, monitoring, etc.). Stakeholders have expressed a lot of
    interest in these transfer mechanisms and should be able to make full use of the
    GDPR’s toolkit. The Board’s guidelines would also contribute to promoting the EU
    model for data protection globally and foster convergence as other privacy systems
    are using similar instruments.
Valuable lessons can be drawn from existing standardisation efforts in the area of
privacy, both at European and international level. One interesting example is the
recently released international standard ISO 27701,[145] which aims to help businesses
meet privacy requirements and manage risks related to the processing of personal data
through ‘privacy information management systems’. Although certification under the
standard as such does not fulfil the requirements of Articles 42 and 43 of the GDPR,
applying Privacy Information Management Systems can contribute to accountability,
including in the context of international data transfers.

[145] The list of specific requirements making up this ISO standard is available at:
https://www.iso.org/standard/71670.html.

• International agreements and administrative arrangements
    The GDPR also makes it possible to ensure appropriate safeguards for data transfers
    between public authorities or bodies on the basis of international agreements (Article
    46(2)(a)) or administrative arrangements (Article 46(3)(b)). While both instruments
    have to guarantee the same outcome in terms of safeguards, including enforceable
    data subject rights and effective legal remedies, they differ as to their legal nature and
    adoption procedure.
    Unlike international agreements, which create binding obligations under international
    law, administrative arrangements (e.g. in the form of a Memorandum of
    Understanding) are typically non-binding and therefore require prior authorisation by
    the competent data protection authority (see also Recital 108 of the GDPR). One early
    example concerns the administrative arrangement for the transfer of personal data
    between EEA and non-EEA financial supervisors cooperating under the umbrella of
    the International Organisation of Securities Commission (IOSCO), on which the
    Board gave its Opinion146
    in early 2019. Since then, the Board has further developed
    its interpretation of the ‘minimum safeguards’ that international (cooperation)
    agreements and administrative arrangements between public authorities or bodies
    (including international organisations) need to ensure to comply with the requirements
    of Article 46 GDPR. On 18 January 2020 it adopted draft guidelines147
    , thereby
    addressing the Member States’ request for further clarification and guidance as to
    what may be considered appropriate safeguards for transfers between public
    authorities148
    . The Board strongly recommends that public authorities use these
    guidelines as a reference point for their negotiations with third parties149
    .
    The guidelines demonstrate the flexibility in the design of such instruments, including
    on important aspects such as oversight150
    and redress151
    . This should allow public
    146
    EDPB, Opinion 4/2019 on the draft Administrative Arrangement for the transfer of personal data
    between European Economic Area (EEA) Financial Supervisory Authorities and non-EEA
    Financial Supervisory Authorities, 12.2.2019.
    147
    EDPB, Guidelines 2/2020 on articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for transfers of
    personal data between EEA and non-EEA public authorities and bodies (draft available at:
    https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-22020-articles-
    46-2-and-46-3-b_en ). According to the EDPB, “[t]he competent [supervisory authority] will base
    its examination on the general recommendations set out in these guidelines, but might also ask for
    more guarantees depending on the specific case.” The EDPB submitted these draft guidelines to a
    public consultation that ended on 18 May 2020.
    148
    Council position and findings, paragraph 20.
    149
    At the same time, the EDPB clarifies that public authorities remain “free to rely on other relevant
    tools providing for appropriate safeguards in accordance with Article 46 GDPR.” Regarding the
    choice of instrument, the EDPB underlines that “[i]t should be carefully assessed whether or not to
    make use of non-legally binding administrative arrangements to provide safeguards in the public
    sector, in view of the purpose of the processing and the nature of the data at hand. If data protection
    rights and redress for EEA individuals are not provided for in the domestic law of the third country,
    preference should be given to concluding a legally binding agreement. Irrespective of the type of
    instrument adopted, the measures in place have to be effective to ensure the appropriate
    implementation, enforcement and supervision” (paragraph 67).
    150
    This may include, for instance, combining internal checks (with a commitment to inform the other
    party of any instance of non-compliance with independent oversight through external or at least
    41
    authorities to overcome the difficulties in, for instance, ensuring enforceable data
    subject rights through non-binding arrangements. An important element of such
    arrangements is their continuous monitoring by the competent data protection
    authority – supported by information and record-keeping requirements – and the
    suspension of data flows if appropriate safeguards can no longer be ensured in
    practice.
    Derogations
    Finally, the GDPR clarifies the use of so-called ‘derogations’. These are specific
    grounds for data transfers (e.g. explicit consent152
    , performance of a contract or
    important reasons of public interest) recognised in law, and on which entities can rely
    in the absence of other transfer tools and under certain conditions.
    To clarify the use of such statutory grounds, the Board has issued specific guidance153
    and has interpreted Article 49 in a number of cases with respect to specific transfer
    scenarios154
    . Due to their exceptional character, the Board considers that derogations
    have to be interpreted restrictively, on a case-by-case basis. Despite their strict
    interpretation, these grounds cover a broad range of transfer scenarios. This includes
    in particular data transfers by both public authorities and private entities necessary for
    ‘important reasons of public interest’, for example between competition, financial, tax
    or customs authorities, services competent for social security matters or for public
    health (such as in the case of contact tracing for contagious diseases or in order to
    eliminate doping in sport)155
    . Another area is that of cross-border cooperation for
    criminal law enforcement purposes, in particular as regards serious crime156
    .
    through functionally autonomous mechanisms, as well as the possibility for the transferring public
    body to suspend or terminate the transfer.
[151] This may include, for instance, quasi-judicial, binding mechanisms (e.g. arbitration) or alternative dispute resolution mechanisms, combined with the possibility for the transferring public authority to suspend or terminate the transfer of personal data if the parties do not succeed in resolving a dispute amicably, plus a commitment from the receiving public body to return or delete the personal data. When opting for alternative redress mechanisms in binding and enforceable instruments because there is no possibility to ensure effective judicial redress, the EDPB recommends seeking the advice of the competent supervisory authority before concluding these instruments.

[152] This is a change from Directive 95/46, which merely required ‘unambiguous’ consent. In addition, the general requirements for consent pursuant to Article 4(11) GDPR apply.

[153] EDPB, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, 25.5.2018 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf).

[154] This includes, for instance, international transfers of health data for research purposes in the context of the COVID-19 outbreak. See EDPB, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, 21.4.2020 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf).

[155] See Recital 112.
[156] See Brief of the European Commission on behalf of the European Union as Amicus Curiae in Support of Neither Party in the Case US v. Microsoft, p. 15: “In general, Union as well as Member State law recognize the importance of the fight against serious crime—and thus criminal law enforcement and international cooperation in that respect—as an objective of general interest. […] Article 83 of the TFEU identifies several areas of crime that are particularly serious and have cross-border dimensions, such as illicit drug trafficking.” (available at: https://www.supremecourt.gov/DocketPDF/17/17-2/23655/20171213123137791_17-2%20ac%20European%20Commission%20for%20filing.pdf).

The Board has clarified that, although the relevant public interest must be recognised in EU or Member State law, this can also be established on the basis of an international agreement: “an international agreement or convention which recognises a certain objective and provides for international cooperation to foster that objective can be an indicator when assessing the existence of a public interest pursuant to Article 49(1)(d), as long as the EU or the Member States are a party to that agreement or convention”[157].

Decisions by foreign courts or authorities: not a ground for transfers

In addition to positively setting out the grounds for data transfers, Chapter V of the GDPR also clarifies, in its Article 48, that orders from courts and decisions of administrative authorities outside of the EU do not in themselves provide such grounds, unless they are recognised or made enforceable on the basis of an international agreement (e.g. a Mutual Legal Assistance Treaty). Any disclosure by the requested entity in the EU to the foreign court or authority in response to such an order or decision constitutes an international data transfer that needs to be based on one of the transfer instruments mentioned above.[158]

The GDPR does not constitute a “blocking statute” and will, under certain conditions, permit a transfer in response to an appropriate law enforcement request from a third country. The important point is that it is EU law that should determine whether this is the case and on the basis of which safeguards such transfers can take place.

The Commission explained the functioning of Article 48 GDPR, including the possible reliance on the public interest derogation, in the context of a production order (warrant) by a foreign criminal law enforcement authority in the Microsoft case before the U.S. Supreme Court.[159] In its submission, the Commission stressed the EU’s interest in ensuring that law enforcement cooperation takes place “within a legal framework that avoids conflicts of law, and is based on […] respect for each others’ fundamental interests in both privacy and law enforcement”[160]. In particular, “from the perspective of public international law, when a public authority requires a company established in its own jurisdiction to produce electronic data stored on a server in a foreign jurisdiction, the principles of territoriality and comity under public international law are engaged”[161].

[157] EDPB, Derogation Guidelines (supra fn. 153), p. 10. The EDPB further clarified that, while data transfers based on the public interest derogation must not be “large scale” or “systematic”, but “need to be restricted to specific situations and […] meet the strict necessity test”, there is no requirement for them to be “occasional”.

[158] This is made clear by the wording of Article 48 GDPR (“without prejudice to other grounds for transfer pursuant to this Chapter”) and the accompanying Recital 115 (“[t]ransfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject”). It is also recognised by the EDPB, see Derogation Guidelines (supra fn. 153), p. 5. As for all processing operations, the other safeguards under the Regulation must also be complied with (e.g. that data is transferred for a specific purpose, is relevant, limited to what is necessary for the purpose of the request, etc.).

[159] Microsoft submission (supra fn. 156). As the Commission explained, the GDPR thus makes MLATs the “preferred option” for transfers as such treaties “provide for collection of evidence by consent, and embody a carefully negotiated balance between the interests of different states that is designed to mitigate jurisdictional conflicts that can otherwise arise.” See also EDPB, Derogation Guidelines (supra fn. 153), p. 5 (“In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement”).

[160] Microsoft submission (supra fn. 156), p. 4.
This is also reflected in the Commission’s proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters[162], which contains a specific ‘comity clause’ that makes it possible to raise an objection against a production order if compliance would conflict with the laws of a third country prohibiting disclosure, in particular on the ground that this is necessary to protect the fundamental rights of the individuals concerned[163].

Ensuring comity is important, given that law enforcement – like crime and in particular cybercrime – is increasingly cross-border and thus often raises jurisdictional questions and creates potential conflicts of law[164]. Not surprisingly, the best way of addressing these issues is through international agreements that provide for the necessary limitations and safeguards for cross-border access to personal data, including by ensuring a high level of data protection on the side of the requesting authority.
The Commission, acting on behalf of the EU, is currently engaged in multilateral negotiations for a Second Additional Protocol to the Council of Europe Cybercrime (‘Budapest’) Convention, which aims to enhance existing rules to obtain cross-border access to electronic evidence in criminal investigations while ensuring appropriate data protection safeguards as part of the Protocol[165]. Similarly, bilateral negotiations have started on an agreement between the EU and the United States on cross-border access to electronic evidence for judicial cooperation in criminal matters[166]. The Commission counts on the support of the European Parliament and the Council, and the guidance of the EDPB, throughout these negotiations.

[161] Microsoft submission (supra fn. 156), p. 6.

[162] European Commission, Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, 17.4.2018 (COM(2018) 225 final). The Council adopted its general approach on the proposed Regulation on 7.12.2018 (available at: https://www.consilium.europa.eu/en/press/press-releases/2018/12/07/regulation-on-cross-border-access-to-eevidence-council-agrees-its-position/#). See also EDPS, Opinion 7/19 on proposals regarding European Production and Preservation Orders for electronic evidence in criminal matters (available at: https://edps.europa.eu/data-protection/ourwork/publications/opinions/electronic-evidence-criminal-matters_en).

[163] The Explanatory Memorandum, p. 21, makes clear that, in addition to ensuring comity with respect to the sovereign interests of third countries, protecting the individual concerned and avoiding conflicts of law for service providers, one important motivation for the comity clause is reciprocity, i.e. to ensure respect for EU rules, including on the protection of personal data (Article 48 GDPR). See also Statement of the Article 29 Working Party of 29 November 2017, Data protection and privacy aspects of cross-border access to electronic evidence (WP29 Statement), p. 9.

[164] See WP29 Statement (supra fn. 163), p. 6.

[165] See Recommendation for a Council Decision authorising the participation in negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No. 185), 5.2.2019 (COM(2019) 71 final). See also EDPS, Opinion 3/2019 regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention, 2.4.2019 (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_budapest_convention_en.pdf); EDPB, Contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), 13.11.2019 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpbcontributionbudapestconvention_en.pdf).
More generally, it is important to ensure that when companies active in the European market are called upon, on the basis of a legitimate request, to share data for law enforcement purposes, they can do so without facing conflicts of law and in full respect of EU fundamental rights. To improve such transfers, the Commission is committed to developing appropriate legal frameworks with its international partners to avoid conflicts of law and support effective forms of cooperation, notably by providing for the necessary data protection safeguards, and thereby contribute to a more effective fight against crime.
    7.3 International cooperation in the area of data protection
    Fostering convergence between different privacy systems also means learning from
    each other, through the exchange of knowledge, experience and best practices. Such
    exchanges are essential to address new challenges that are increasingly global in
    nature and scope. This is why the Commission has intensified its dialogue on data
    protection and data flows with a broad range of actors and in different fora, at
    bilateral, regional and multilateral level.
    The bilateral dimension
    Following the adoption of the GDPR, there has been an increasing interest in the EU’s
    experience in the design, negotiation and implementation of modern privacy rules.
    Dialogue with countries going through similar processes has taken several forms.
The Commission services have made submissions to a number of public consultations organised by foreign governments considering legislation in the area of privacy, for example by the US[167], India[168], Malaysia and Ethiopia. In some third countries, the Commission’s services had the privilege to testify before the competent parliamentary bodies, for example in Brazil[169], Chile[170], Ecuador, and Tunisia[171].
[166] See Recommendation for a Council Decision authorising the opening of negotiations in view of an agreement between the EU and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, 5.2.2019 (COM(2019) 70 final). See also EDPS, Opinion 2/2019 on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_on_eu_us_agreement_on_e-evidence_en.pdf).

[167] See DG Justice and Consumers submission of 9 November 2018 in response to a request for public comments on a proposed approach to consumer privacy [Docket No. 180821780-8780-01] by the US National Telecommunications and Information Administration (available at: https://ec.europa.eu/info/sites/info/files/european_commission_submission_on_a_proposed_approach_to_consumer_privacy.pdf).

[168] See DG Justice and Consumers submission of 19 November 2018 on the draft Personal Data Protection Bill of India 2018 to the Ministry of Electronics and Information Technology (available at: https://eeas.europa.eu/delegations/india/53963/submission-draft-personal-data-protection-bill-india-2018-directorate-general-justice_en).
[169] See plenary meeting of 17 April 2018 of the Brazilian Senate (https://www25.senado.leg.br/web/atividade/sessao-plenaria/-/pauta/23384), meeting of 10 April 2019 of the Joint Committee on MP 869/2018 of the Brazilian Congress (https://www12.senado.leg.br/ecidadania/visualizacaoaudiencia?id=15392), and meeting of 26 November 2019 of the Special Committee of the Brazilian Chamber of Deputies (https://www.camara.leg.br/noticias/616579-comissao-discutira-protecao-de-dados-no-ambito-das-constituicoes-de-outros-paises/).

[170] See meetings of 29 May 2018 (https://senado.cl/appsenado/index.php?mo=comisiones&ac=asistencia_sesion&idcomision=186&idsesion=12513&idpunto=15909&sesion=29/05/2018&listado=1) and 24 April 2019 (https://www.senado.cl/appsenado/index.php?mo=comisiones&ac=sesiones_celebradas&idcomision=186&tipo=3&legi=485&ano=2019&desde=0&hasta=0&idsesion=13603&idpunto=17283&listado=2) of the Constitutional, Legislative and Justice Affairs Committee of the Chilean Senate.

[171] See meeting of 2 November 2018 of the Rights, Freedoms and External Relations Committee of the Tunisian Assembly of the Representatives of the People (https://www.facebook.com/1515094915436499/posts/2264094487203201/).

Moreover, within the context of ongoing reforms of data protection laws, dedicated meetings took place with government representatives or parliamentary delegations from many regions of the world (e.g. Georgia, Kenya, Taiwan, Thailand, Morocco). This included the organisation of seminars and study visits, for example with representatives of the Indonesian government and a delegation of staffers from the US Congress. This provided opportunities to clarify important concepts of the GDPR, improve mutual understanding of privacy matters and illustrate the benefits of convergence for ensuring a high level of protection of individual rights, trade and cooperation. In some cases, it also allowed cautioning against certain misconceptions of data protection that can lead to the introduction of protectionist measures such as forced localisation requirements.

Since the adoption of the GDPR, the Commission has also engaged with several international organisations, including in light of the importance of data exchanges with those organisations in a number of policy areas. In particular, a specific dialogue has been established with the United Nations, with a view to facilitating discussions with all involved stakeholders to ensure smooth data transfers and develop further convergence between the respective data protection regimes. As part of this dialogue, the Commission will work closely with the EDPB to further clarify how EU public and private operators can comply with their GDPR obligations when exchanging data with international organisations such as the UN.

The Commission stands ready to continue sharing the lessons learned from its reform process with interested countries and international organisations, in the same way it learned from other systems when developing its proposal for new EU data protection rules. This type of dialogue is mutually beneficial for the EU and its partners as it makes it possible to obtain a better understanding of the fast evolving privacy landscape and to exchange views on emerging legal and technological solutions.

It is in this spirit that the Commission is setting up a “Data Protection Academy” to foster exchanges between European and third country regulators and, in this way, improve cooperation ‘on the ground’.

In addition, there is a need to develop appropriate legal instruments for closer forms of cooperation and mutual assistance, including by allowing the necessary exchange of information in the context of investigations. The Commission will therefore make use of the powers granted in this area by Article 50 of the GDPR and, in particular, seek authorisation to open negotiations for the conclusion of enforcement cooperation agreements with relevant third countries. In this context, it will also take into account the Board’s views as to which countries should be prioritised in light of the volume of data transfers, the role and powers of the privacy enforcer in the third country and the need for enforcement cooperation to address cases of common interest.
    The multilateral dimension
    Beyond bilateral exchanges, the Commission is also actively participating in a number
    of multilateral fora to promote shared values and build convergence at regional and
    global level.
The increasingly universal membership of the Council of Europe’s ‘Convention 108’, the only legally binding multilateral instrument in the area of personal data protection, is a clear sign of this trend towards (upward) convergence[172]. The Convention, which is also open to non-members of the Council of Europe, has already been ratified by 55 countries, including a number of African and Latin American States[173]. The Commission significantly contributed to the successful outcome of the negotiations on the modernisation of the Convention[174], and ensured that it reflected the same principles as those enshrined in the EU data protection rules. Most EU Member States have now signed the Amending Protocol, although the signatures of Denmark, Malta and Romania are still outstanding. Only four Member States (Bulgaria, Croatia, Lithuania and Poland) have so far ratified the Amending Protocol. The Commission urges the three remaining Member States to sign the modernised Convention, and all Member States to swiftly proceed to ratification, to allow for its entry into force in the near future[175]. Beyond that, it will continue to proactively encourage accession by third countries.
Data flows and protection have recently also been addressed within the G20 and G7. In 2019, global leaders for the first time endorsed the idea that data protection contributes to trust in the digital economy and facilitates data flows. With the Commission’s active support[176], leaders endorsed the concept of “data free flow with trust” (DFFT), originally proposed by Japan, in the G20 Osaka Declaration[177] as well as at the G7 summit in Biarritz[178]. This approach is also reflected in the Commission’s 2020 Communication on “A European strategy for data”[179], which highlights its intention to continue promoting data sharing with trusted partners while fighting against abuses such as disproportionate access of (foreign) public authorities to data. In doing so, the EU will also be able to rely on a number of tools in different policy areas that increasingly take into account the impact on privacy: for example, the first-ever EU framework for the screening of foreign investment, which will become fully applicable in October 2020, gives the EU and its Member States the possibility to screen investment transactions that have effects on “access to sensitive information, including personal data, or the ability to control such information” if they affect security or public order[180].

[172] Importantly, the modernised Convention is not just a treaty setting out strong data protection safeguards, but also creates a network of supervisory authorities with tools for enforcement cooperation and, with the Convention Committee, a forum for discussions, exchange of best practices and development of international standards.

[173] See full list of members: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures. Countries from Africa include Cabo Verde, Mauritius, Morocco, Senegal and Tunisia, from Latin America Argentina, Mexico and Uruguay. Burkina Faso has been invited to join the Convention.

[174] See the text of the modernised Convention: https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf.

[175] According to its Decision on the Amending Protocol of 18 May 2018, the Committee of Ministers “urged member States and other Parties to the Convention to take without delay the necessary measures to allow the entry into force of the Protocol within three years from its opening for signature and to initiate immediately, but in any case no later than one year after the date on which the Protocol has been opened for signature, the process under their national law leading to ratification...” It also “instructed its Deputies to examine bi-annually, and for the first time one year after the date of opening for signature of the Protocol, the overall progress made towards ratification on the basis of the information to be provided to the Secretary General by each of the member States and other Parties to the Convention at the latest one month ahead of such an examination.” See https://search.coe.int/cm/pages/result_details.aspx?objectid=09000016808a3c9f.
The Commission is working with like-minded countries in several other multilateral fora to actively promote its values and standards. One important forum is the OECD’s recently created Working Party on Data Governance and Privacy (DGP), which is pursuing a number of important initiatives related to data protection, data sharing, and data transfers. This includes the evaluation of the 2013 OECD Privacy Guidelines. Moreover, the Commission actively contributed to the OECD Council Recommendation on Artificial Intelligence[181] and ensured that the EU human-centric approach, meaning that AI applications must comply with fundamental rights and in particular data protection, was reflected in the final text. Importantly, the AI Recommendation – which has subsequently been incorporated into the G20 AI Principles annexed to the G20 Osaka Leaders’ Declaration[182] – stipulates the principles of transparency and explainability with a view “to enable those adversely affected by an AI system to challenge its outcome based on plain and easy-to-understand information on the factors and the logic that served as the basis for the prediction, recommendation or decision”, thereby closely mirroring the principles of the GDPR as regards automated decision-making[183].
[176] In the margin of the April 2019 EU-Japan Summit, President Juncker expressed support for Japan’s ‘data free flow with trust’ initiative and the launching of the ‘Osaka Track’ and committed the Commission to “play an active role in both initiatives”.

[177] See text of the G20 Osaka Leaders’ Declaration: https://www.consilium.europa.eu/media/40124/final_g20_osaka_leaders_declaration.pdf

[178] See text of the G7 Biarritz Strategy for an open, free and secure digital transformation: https://www.elysee.fr/admin/upload/default/0001/05/62a9221e66987d4e0d6ffcb058f3d2c649fc6d9d.pdf

[179] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European strategy for data, 19.2.2020 (COM(2020) 66 final) (https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf), pp. 23-24.

[180] Art. 4(1)(d) Regulation (EU) 2019/452 of the European Parliament and of the Council of 19.03.2019 establishing a framework for the screening of foreign direct investment into the Union (OJ L 79I, 21.03.2019).

[181] https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449

[182] G20 Ministerial Statement on Trade and Digital Economy: https://g20trade-digital.go.jp/dl/Ministerial_Statement_on_Trade_and_Digital_Economy.pdf

[183] See Articles 13(2)(f), 14(2)(g), 22 GDPR.
The Commission is also stepping up its dialogue with regional organisations and networks that are increasingly playing a central role in shaping common data protection standards[184], promoting the exchange of best practices, and fostering cooperation between enforcers. This concerns, in particular, the Association of Southeast Asian Nations (ASEAN) – including in the context of its ongoing work on data transfer tools –, the African Union, the Asia Pacific Privacy Authorities (APPA) forum and the Ibero-American Data Protection Network, all of which have launched important initiatives in this area and provide fora for fruitful dialogue between privacy regulators and other stakeholders.

Africa is a telling example of the complementarity between the national, regional and global dimensions of privacy. Digital technologies are quickly and deeply transforming the African continent. This has the potential to accelerate the achievement of the Sustainable Development Goals by boosting economic growth, alleviating poverty and improving people’s lives. Having in place a modern data protection framework that attracts investment and fosters the development of competitive business while contributing to respect for human rights, democracy and the rule of law is a key element of this transformation. The harmonisation of data protection rules across Africa would enable digital market integration, while convergence with global standards would facilitate data exchanges with the EU. These different dimensions of data protection are interlinked and mutually reinforcing.

There is now a growing interest in data protection in many African countries, and the number of African countries that have adopted or are in the process of adopting modern data protection rules, or have ratified Convention 108[185] or the Malabo Convention[186], continues to increase[187]. At the same time, the regulatory framework remains highly uneven and fragmented across the African continent. Many countries still offer few or no data protection safeguards. Measures restricting data flows are still widespread and hamper the development of a regional digital economy.
To harness the mutual benefits of convergent data protection rules, the Commission will engage with its African partners both bilaterally and in regional fora[188]. This builds on the work of the EU-AU Digital Economy Task Force within the context of the New Africa-Europe Digital Economy Partnership[189]. It is also in furtherance of such objectives that the scope of the Commission’s partnership instrument ‘Enhanced Data Protection and Data Flows’ has been extended to include Africa. The project will be mobilised to support African countries that intend to develop modern data protection frameworks or that wish to strengthen the capacity of their regulatory authorities, through training, knowledge sharing and exchange of best practices.

[184] See, for instance, the African Union Convention on Cyber Security and Personal Data Protection (‘Malabo Convention’) and the Standards for Data Protection for the Ibero-American States developed by the Ibero-American Data Protection Network.

[185] Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=DW5jevqD

[186] African Union Convention on Cyber Security and Personal Data Protection, https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection. In addition, several of the Regional Economic Communities (RECs) have developed data protection rules, for instance, the Economic Community of West African States (ECOWAS) and the Southern African Development Community (SADC). See, respectively, http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf and http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/docs/SA4docs/data%20protection.pdf.

[188] Inter alia, through the Policy and Regulation Initiative for Digital Africa (PRIDA), see information at: https://www.africa-eu-partnership.org/en/projects/policy-and-regulation-initiative-digital-africa-prida.
Finally, while promoting convergence of data protection standards at international level, as a way to facilitate data flows and thus trade, the Commission is also determined to tackle digital protectionism, as recently highlighted in the Data Strategy.[190] To that end, it has developed specific provisions on data flows and data protection in trade agreements, which it systematically tables in its bilateral – most recently with Australia, New Zealand, and the UK – and multilateral negotiations such as the current WTO e-commerce talks. These horizontal provisions rule out unjustified restrictions, such as forced data localisation requirements, while preserving the regulatory autonomy of the parties to protect the fundamental right to data protection.

Whereas dialogues on data protection and trade negotiations must follow separate tracks, they can complement each other. In fact, convergence, based on high standards and backed up by effective enforcement, provides the strongest foundation for the exchange of personal data, something that is increasingly recognised by our international partners. Given that companies more and more operate across borders and prefer to apply similar sets of rules in all their business operations worldwide, such convergence helps create an environment conducive to direct investment, facilitating trade and improving trust between commercial partners. Synergies between trade and data protection instruments should thus be further explored to ensure free and safe international data flows that are essential for the business operations, competitiveness and growth of European companies, including SMEs, in our increasingly digitalised economy.
    [189] See Joint Communication of the European Commission and the High Representative for Foreign
    Affairs and Security Policy ‘Towards a comprehensive strategy for Africa’ (available at:
    https://ec.europa.eu/international-partnerships/system/files/communication-eu-africa-strategy-join-2020-4-final_en.pdf);
    Digital Economy Task Force, New Africa-Europe Digital Economy Partnership: Accelerating the
    Achievement of the Sustainable Development Goals (available at:
    https://www.africa-eu-partnership.org/sites/default/files/documents/finaldetfreportpdf.pdf).
    [190] https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 23.
    ANNEX I – Clauses for facultative specifications by national legislation
    Subject | Scope | GDPR articles
    Specifications for legal obligations and public task | Adapting the application of provisions with regard to the processing for compliance with a legal obligation or a public task, including for specific processing situations under Chapter IX | Article 6(2) and 6(3)
    Age limit for consent in relation to information society services | Determination of the minimum age between 13 and 16 years | Article 8(1)
    Processing of special categories of data | Maintaining or introducing further conditions, including limitations, for the processing of genetic data, biometric data or data concerning health | Article 9(4)
    Derogation from information requirements | Obtaining or disclosure expressly laid down by law or for professional secrecy regulated by law | Article 14(5)(c) and (d)
    Automated individual decision-making | Authorisation for automated decision-making in derogation from the general prohibition | Article 22(2)(b)
    Restrictions of data subject rights | Restrictions from Articles 12 to 22, Article 34 and corresponding provisions in Article 5, when necessary and proportionate to safeguard exhaustively listed important objectives | Article 23(1)
    Consultation and authorisation requirement | Requirement for controllers to consult or obtain authorisation from the data protection authority for processing for a task in the public interest | Article 36(5)
    Designation of a data protection officer in additional cases | Designation of a data protection officer in cases other than the ones in paragraph 1 of Article 37 | Article 37(4)
    Limitations of transfers | Limitation of transfers of specific categories of personal data | Article 49(5)
    Complaints and court actions of organisations in their own right | Authorisation of privacy organisations to lodge complaints and court actions independently from a mandate by data subjects | Article 80(2)
    Access to official documents | Reconciliation of public access to official documents with the right to the protection of personal data | Article 86
    Processing of the national identification number | Specific conditions for the processing of the national identification number | Article 87
    Processing in the employment context | More specific rules for processing employees’ personal data | Article 88
    Derogations for processing for archiving in the public interest, research or statistical purposes | Derogations from specified data subject rights in so far as such rights are likely to render impossible or seriously impair the achievement of specific purposes | Article 89(2) and (3)
    Reconciliation of data protection with obligations of secrecy | Specific rules on investigative powers of data protection authorities in relation to controllers or processors subject to obligations of professional secrecy | Article 90
    ANNEX II – Overview of the resources of data protection authorities
    The table below presents an overview of the resources (staff and budget) of data
    protection authorities per EU/EEA Member State.[191]
    When comparing the figures between Member States, it is important to bear in mind
    that authorities may have tasks assigned to them beyond those under the GDPR, and
    that these may vary between Member States. The ratio of staff employed by the
    authorities to one million inhabitants and the ratio of the budget of the authorities to
    one million euro of GDP are only included to provide additional elements of
    comparison among Member States of similar size and should not be looked at in
    isolation. The absolute figures, ratios and evolution over the past years should be
    considered together when assessing the resources of a given authority.
    Staff figures are full-time equivalents (FTE), budget figures are in EUR; the figures use a decimal comma and a point as thousands separator.
    EU/EEA Member State | Staff 2019 (FTE) | Staff forecast 2020 (FTE) | Staff % growth 2016-2019 | Staff % growth 2016-2020 (forecast) | Staff per million inhabitants (2019) | Budget 2019 (EUR) | Budget forecast 2020 (EUR) | Budget % growth 2016-2019 | Budget % growth 2016-2020 (forecast) | Budget per million EUR of GDP (2019)
    Austria | 34 | 34 | 48% | 48% | 3,8 | 2.282.000 | 2.282.000 | 29% | 29% | 5,7
    Belgium | 59 | 65 | 9% | 20% | 5,2 | 8.197.400 | 8.962.200 | 1% | 10% | 17,3
    Bulgaria | 60 | 60 | -14% | -14% | 8,6 | 1.446.956 | 1.446.956 | 24% | 24% | 23,8
    Croatia | 39 | 60 | 39% | 114% | 9,6 | 1.157.300 | 1.405.000 | 57% | 91% | 21,5
    Cyprus | 24 | 22 | NA | NA | 27,4 | 503.855 | NA | 114% | NA | 23,0
    Czech Rep. | 101 | 109 | 0% | 8% | 9,5 | 6.541.288 | 6.720.533 | 10% | 13% | 29,7
    Denmark | 66 | 63 | 106% | 97% | 11,4 | 5.610.128 | 5.623.114 | 101% | 101% | 18,0
    Estonia | 16 | 18 | -11% | 0% | 12,1 | 750.331 | 750.331 | 7% | 7% | 26,8
    Finland | 45 | 55 | 114% | 162% | 8,2 | 3.500.000 | 4.500.000 | 94% | 150% | 14,6
    France | 215 | 225 | 9% | 14% | 3,2 | 18.506.734 | 20.143.889 | -2% | 7% | 7,7
    Germany | 888 | 1002 | 52% | 72% | 10,7 | 76.599.800 | 85.837.500 | 48% | 66% | 22,3
    Greece | 33 | 46 | -15% | 18% | 3,1 | 2.849.000 | 3.101.000 | 38% | 50% | 15,2
    Hungary | 104 | 117 | 42% | 60% | 10,6 | 3.505.152 | 4.437.576 | 102% | 155% | 24,4
    Iceland | 17 | 17 | 143% | 143% | 47,6 | 2.272.490 | 2.294.104 | 167% | 170% | 105,2
    Ireland | 140 | 176 | 169% | 238% | 28,5 | 15.200.000 | 16.900.000 | 223% | 260% | 43,8
    Italy | 170 | 170 | 40% | 40% | 2,8 | 29.127.273 | 30.127.273 | 46% | 51% | 16,3
    Latvia | 19 | 31 | -10% | 48% | 9,9 | 640.998 | 1.218.978 | 4% | 98% | 21,0
    Lithuania | 46 | 52 | -8% | 4% | 16,5 | 1.482.000 | 1.581.000 | 40% | 49% | 30,6
    Luxembourg | 43 | 48 | 126% | 153% | 70,0 | 5.442.416 | 6.691.563 | 165% | 226% | 85,7
    Malta | 13 | 15 | 30% | 50% | 26,3 | 480.000 | 550.000 | 41% | 62% | 36,3
    Netherlands | 179 | 188 | 145% | 158% | 10,4 | 18.600.000 | 18.600.000 | 130% | 130% | 22,9
    Norway | 49 | 58 | 2% | 21% | 9,2 | 5.708.950 | 6.580.660 | 27% | 46% | 15,9
    Poland | 238 | 260 | 54% | 68% | 6,3 | 7.506.345 | 9.413.381 | 66% | 108% | 14,2
    Portugal | 25 | 27 | -4% | 4% | 2,4 | 2.152.000 | 2.385.000 | 67% | 86% | 10,1
    Romania | 39 | 47 | -3% | 18% | 2,0 | 1.103.388 | 1.304.813 | 3% | 22% | 4,9
    Slovakia | 49 | 51 | 20% | 24% | 9,0 | 1.731.419 | 1.859.514 | 47% | 58% | 18,4
    Slovenia | 47 | 49 | 42% | 48% | 22,6 | 2.242.236 | 2.266.485 | 68% | 70% | 46,7
    Spain | 170 | 220 | 13% | 47% | 3,6 | 15.187.680 | 16.500.000 | 8% | 17% | 12,2
    Sweden | 87 | 87 | 81% | 81% | 8,5 | 8.800.000 | 10.300.000 | 96% | 129% | 18,5
    TOTAL | 2.966 | 3.372 | 42% | 62% | 6,6 | 249.127.139 | 273.782.870 | 49% | 64% | 17,4
    Source of raw figures: contribution from the Board. Calculations from the Commission.
    [191] Except for Liechtenstein.
    

    1_DA_autre_document_travail_service_part1_v2.pdf

    https://www.ft.dk/samling/20201/kommissionsforslag/kom(2020)0264/forslag/1675383/2242053.pdf

    EUROPEAN COMMISSION
    Brussels, 24.6.2020
    SWD(2020) 115 final
    COMMISSION STAFF WORKING DOCUMENT
    […]
    Accompanying the document
    COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND
    THE COUNCIL
    Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital
    transition - two years of application of the General Data Protection Regulation
    {COM(2020) 264 final}
    European Affairs Committee 2020
    KOM (2020) 0264
    Public
    Contents
    1 Context ... 3
    2 Enforcement of the GDPR and functioning of the cooperation and consistency mechanisms ... 4
    2.1 Use of strengthened powers by data protection authorities ... 4
    Specific issues for the public sector ... 5
    Cooperation with other regulators ... 5
    2.2 The cooperation and consistency mechanisms ... 6
    One-stop-shop ... 6
    Mutual assistance ... 7
    Consistency mechanism ... 8
    Challenges ... 8
    2.3 Advice and guidance ... 9
    Awareness-raising activities and advice of data protection authorities ... 9
    Guidelines of the European Data Protection Board ... 10
    2.4 Resources of data protection authorities ... 11
    3 Harmonised rules but still a degree of fragmentation and diverging approaches ... 12
    3.1 Implementation of the GDPR by Member States ... 12
    Main issues in relation to national implementation ... 13
    Reconciling the right to the protection of personal data with freedom of expression and information ... 14
    3.2 Facultative specification clauses and their limits ... 15
    Fragmentation in the use of facultative specification clauses ... 15
    4 Empowering individuals to control their data ... 17
    5 Opportunities and challenges for organisations, in particular small and medium-sized enterprises ... 19
    Toolbox for businesses ... 21
    6 The application of the GDPR to new technologies ... 23
    7 International transfers and global cooperation ... 25
    7.1 Privacy: a global issue ... 25
    7.2 The GDPR transfer toolbox ... 26
    Adequacy decisions ... 27
    Appropriate safeguards ... 31
    Derogations ... 36
    Decisions of foreign courts or authorities: not a ground for transfers ... 37
    7.3 International cooperation in the field of data protection ... 39
    The bilateral dimension ... 39
    The multilateral dimension ... 40
    Annex I: Clauses for facultative specifications by national legislation
    Annex II: Overview of the resources of data protection authorities
    1 CONTEXT
    The General Data Protection Regulation[1] (hereinafter "the GDPR") is the result of eight years of
    preparation, drafting and inter-institutional negotiations, and it entered into force on 25 May 2018 after a
    two-year transition period (May 2016 to May 2018). Under Article 97 of the GDPR, the Commission reports
    on the evaluation and review of the Regulation, for the first time after two years of application and every
    four years thereafter.
    The evaluation is also part of a multifaceted approach which the Commission already followed before the
    GDPR entered into force and has continued to pursue actively since then. As part of this approach, the
    Commission held ongoing bilateral dialogues with the Member States on the compliance of national
    legislation with the GDPR, contributed actively to the work of the European Data Protection Board
    (hereinafter "the Board") by making its experience and expertise available, supported the data protection
    authorities and maintained close contact with a wide range of stakeholders on the practical application of
    the Regulation.
    The evaluation builds on the stock-taking which the Commission carried out in the first year of the GDPR's
    application and which was summarised in the Communication issued in July 2019[2]. It also follows up on
    the Communication on the application of the GDPR published in January 2018[3]. The Commission also
    adopted the guidance on the use of personal data in the electoral context, published in September 2018, and
    the guidance on apps supporting the fight against the COVID-19 pandemic, published in April 2020.
    Although its focus is on the two issues highlighted in Article 97(2) of the GDPR, namely international
    transfers and the cooperation and consistency mechanisms, this evaluation takes a broader approach in order
    to address issues raised by various actors over the past two years.
    To prepare the evaluation, the Commission took into account the contributions of:
    - the Council[4]
    - the European Parliament (Committee on Civil Liberties, Justice and Home Affairs)[5]
    - the Board[6] and the individual data protection authorities[7], based on a questionnaire from the
    Commission
    - feedback from the members of the multi-stakeholder expert group supporting the application of the
    GDPR[8], also based on a questionnaire from the Commission
    [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
    persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive
    95/46/EC (OJ L 119, 4.5.2016, p. 1).
    [2] Communication from the Commission to the European Parliament and the Council, Data protection rules as a
    trust-enabler in the EU and beyond – taking stock (COM(2019) 374 final of 24.7.2019).
    [3] Communication from the Commission to the European Parliament and the Council: Stronger protection, new
    opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May
    2018 (COM/2018/043 final).
    [4] Council position and findings on the application of the General Data Protection Regulation (GDPR) (14994/2/19 Rev2 of
    15.1.2020): https://data.consilium.europa.eu/doc/document/ST-14994-2019-REV-2/en/pdf
    [5] Letter of the European Parliament's LIBE Committee of 21.2.2020 to Commissioner Reynders, ref.: IPOL-COM-LIBE D
    (2020) 6525.
    [6] Contribution of the Board to the evaluation of the GDPR under Article 97, adopted on 18.2.2020:
    https://edpb.europa.eu/our-work-tools/our-documents/other/contribution-edpb-evaluation-gdpr-under-article-97_en
    [7] https://edpb.europa.eu/individual-replies-data-protection-supervisory-authorities_en
    [8] The multi-stakeholder expert group on the GDPR set up by the Commission brings together civil society and business
    representatives, academics and practitioners:
    https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3537
    The report of the multi-stakeholder group is available at:
    - and ad hoc contributions from stakeholders.
    2 ENFORCEMENT OF THE GDPR AND FUNCTIONING OF THE COOPERATION AND
    CONSISTENCY MECHANISMS
    The GDPR introduced an innovative governance system and laid the foundations for a genuine European
    data protection culture, aimed at ensuring not only a harmonised interpretation but also a harmonised
    application and enforcement of the data protection rules. Its pillars are the independent national data
    protection authorities and the newly established Board.
    Since the data protection authorities are essential to the functioning of the whole EU data protection system,
    the Commission closely monitors their effective independence, including as regards adequate financial,
    human and technical resources.
    It is still too early to fully assess the functioning of the cooperation and consistency mechanisms, given the
    short period in which to gather experience[9]. Moreover, the data protection authorities have not yet made use
    of the full range of tools that the GDPR has made available to further strengthen their cooperation.
    2.1 Use of strengthened powers by data protection authorities
    The GDPR establishes independent data protection authorities and confers on them harmonised and
    strengthened enforcement powers. Since the GDPR became applicable, these authorities have made use of a
    wide range of corrective powers under the GDPR, such as administrative fines (22 EU/EEA authorities)[10],
    warnings and reprimands (23), orders to comply with data subjects' requests (26), orders to bring processing
    operations into compliance with the GDPR (27), and orders for rectification, erasure or restriction of
    processing (17). About half of the data protection authorities (13) have imposed temporary or definitive
    limitations on processing, including bans. This is evidence of a deliberate use of all the corrective measures
    provided for in the GDPR. Data protection authorities did not refrain from imposing administrative fines in
    addition to, or instead of, other corrective measures, depending on the circumstances of each case.
    Administrative fines:
    Between 25 May 2018 and 30 November 2019, 22 data protection authorities in the EU/EEA issued around
    785 fines. Only a few authorities have not yet imposed administrative fines, although ongoing proceedings
    may lead to such fines. Most fines concerned infringements of: the principle of lawfulness, valid consent,
    the protection of sensitive data, the transparency obligation, data subjects' rights and personal data breaches.
    Examples of fines imposed by data protection authorities include[11]:
    - EUR 200 000 for failure to respect the right to object to direct marketing in Greece
    https://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupMeeting&meetingId=21356
    [9] This is highlighted in particular by the Council in its position and findings on the application of the GDPR and by the
    Board in its contribution to the evaluation.
    [10] The figures in brackets indicate the number of EU/EEA data protection authorities that made use of the power in question
    between May 2018 and the end of November 2019. See the Board's contribution, pp. 32-33.
    [11] A number of fining decisions are still under judicial review.
    - EUR 220 000 for a data brokering company in Poland which had not informed customers that their data
    were being processed
    - EUR 250 000 for the Spanish football league La Liga for lack of transparency in the design of its
    smartphone application
    - EUR 14.5 million for a German real estate company's infringement of the data protection principles, in
    particular unlawful storage
    - EUR 18 million for the Austrian postal service for unlawful processing of special categories of data on a
    large scale
    - EUR 50 million for Google in France for the conditions for obtaining user consent.
    The success of the GDPR should not be measured by the number of fines issued, as the GDPR provides for
    a wider range of corrective powers. Depending on the circumstances, the deterrent effect of a ban on
    processing or a suspension of data transfers may be much stronger.
    Specific issues for the public sector
    The GDPR allows Member States to decide whether and to what extent administrative fines may be imposed
    on public authorities and bodies. Where Member States make use of this option, it does not deprive the data
    protection authorities of the possibility to apply all the other corrective powers to public authorities and
    bodies[12].
    Another specific issue is the supervision of courts: although the GDPR also applies to the activities of courts,
    these are exempt from supervision by data protection authorities when acting in their judicial capacity. The
    Charter and the TFEU nevertheless oblige Member States to entrust the supervision of such processing
    operations to an independent body[13].
    Cooperation with other regulators
    As stated in the Communication of July 2019, the Commission supports interaction with other regulators, in
    full respect of their respective competences. Promising areas of cooperation include consumer protection
    and competition. The Board expressed its willingness to cooperate with other supervisory authorities, in
    particular in relation to concentration in digital markets[14]. The Commission recognised the importance of
    privacy and data protection as a quality parameter of competition[15]. Members of the Board took part in joint
    workshops with the Consumer Protection Cooperation Network on cooperation for better enforcement of
    EU consumer and data protection law. This approach will be used to promote a common understanding and
    develop practical ways of resolving concrete problems experienced by consumers, in particular in the digital
    economy.
    To ensure a consistent approach to the protection of privacy and the protection of personal data, and until
    the ePrivacy Regulation is adopted, close cooperation with the authorities competent to enforce the ePrivacy
    Directive[16], which is lex specialis in relation to electronic communications, is indispensable. Closer
    cooperation with the competent authorities under
    [12] Article 83(7) of the GDPR.
    [13] Article 8(3) of the Charter, Article 16(2) TFEU, recital 20 of the GDPR.
    [14] See the Board's statement on the effects of economic concentration,
    https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_economic_concentration_en.pdf.
    [15] See Case COMP M. 8124, Microsoft/LinkedIn.
    [16] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of
    personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic
    communications) (OJ L 201, 31.7.2002, p. 37).
    the NIS Directive[17] and the NIS Cooperation Group will be of mutual benefit to those authorities and the
    data protection authorities.
    2.2 The cooperation and consistency mechanisms
    The GDPR established the cooperation mechanism (one-stop-shop system for operators, joint operations and
    mutual assistance between data protection authorities) and the consistency mechanism with the aim of
    promoting a uniform application of the data protection rules through a consistent interpretation and the
    resolution of any disagreements between authorities.
    The Board, which brings together all the data protection authorities, was set up as an EU body with legal
    personality and is fully operational with the support of a secretariat[18]. It is crucial to the functioning of the
    two mechanisms mentioned above. By the end of 2019, the Board had adopted 67 documents, including 10
    new guidelines[19] and 43 opinions[20][21].
    The important role played by the Board emerged where there was a need to quickly ensure a uniform
    interpretation of the GDPR and to find solutions that could apply immediately at EU level. In the context of
    the COVID-19 outbreak, for example, the Board adopted in March 2020 a statement on the processing of
    personal data addressing, among other things, the lawfulness of processing and the use of mobile location
    data in that context[22], and in April 2020 it adopted guidelines on the processing of health data for scientific
    research in the context of the COVID-19 outbreak[23] as well as guidelines on the use of location data and
    contact tracing tools in the context of the COVID-19 outbreak[24]. The Board also made a significant
    contribution to the design of the EU approach to the Commission's and the Member States' tracing apps.
    The day-to-day cooperation between data protection authorities, whether acting on their own behalf or as
    members of the Board, is based on the exchange of information and notifications of cases initiated by the
    authorities. To facilitate communication between the authorities, the Commission provided significant
    support by giving them an information exchange system[25]. Most authorities consider it to be suited to the
    cooperation and consistency mechanisms, although it could be fine-tuned further, for example by making it
    more user-friendly.
    Although it is still early days, a number of achievements and challenges can already be identified, as
    presented below. They show that the data protection authorities have so far made effective use of the
    cooperation tools, with a preference for more flexible solutions.
    One-stop-shop
    [17] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high
    common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
    [18] See further details on the activities of the secretariat in the Board's contribution, pp. 24-26.
    [19] In addition to the 10 guidelines adopted by the Article 29 Working Party in the run-up to the entry into force of the
    GDPR and endorsed by the Board. Moreover, the Board adopted a further 4 guidelines between January and May 2020 and
    updated one existing guideline.
    [20] 42 of these opinions were adopted under Article 64 of the GDPR and one was adopted under Article 70(1)(s) of the GDPR
    and concerned the adequacy decision on Japan.
    [21] See the Board's contribution, pp. 18-23, for a full overview of the Board's activities.
    [22] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.
    [23] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en.
    [24] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_da.pdf.
    [25] The Internal Market Information System (IMI).
    In cross-border cases, a Member State's data protection authority may generally be involved either (i) as lead
    authority, where the operator's main establishment is located in that Member State, or (ii) as concerned
    authority, where the operator has an establishment on the territory of that Member State, where individuals
    in that Member State are substantially affected, or where a complaint has been lodged with it.
    Such close cooperation has become daily practice: since the date of application of the GDPR, data
    protection authorities in all Member States have at some point been identified either as lead authorities or as
    concerned authorities in cross-border cases, albeit to varying degrees.
    From May 2018 to the end of 2019, the data protection authority of Ireland acted as lead authority in the
    highest number of cross-border cases (127), followed by Germany (92), Luxembourg (87), France (64) and
    the Netherlands (45). This order reflects in particular the specific situation of Ireland and Luxembourg,
    which host several large multinational technology companies.
    The order is different as regards concerned authorities, where the authorities in Germany are involved in the
    highest number of cases (435), followed by Spain (337), Denmark (327), France (332) and Italy (306)[26].
    Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the one-stop-shop
    procedure, 79 of which led to final decisions. As of the date of publication of this report, a decision is
    pending in several important cases with a cross-border dimension which fall under the one-stop-shop
    mechanism. Some of these decisions involve large multinational technology companies[27]. They are
    expected to bring clarity and contribute to a more coordinated interpretation of the GDPR.
    Mutual assistance
    Data protection authorities have made extensive use of the mutual assistance tool.
    By the end of 2019 there had been 115 mutual assistance procedures[28], in particular for carrying out
    investigations, most of them initiated by the data protection authorities in Spain (26), Germany (20),
    Denmark (13), Poland (12) and Czechia (10). Conversely, Ireland (19), France (11), Austria (10), Germany
    (10) and Luxembourg (9) had received the most requests[29].
    The vast majority of authorities consider mutual assistance to be a very useful cooperation tool and have not
    encountered significant obstacles to using the mutual assistance procedure. The voluntary exchange of
    mutual assistance, for which there is no legal deadline or strict obligation to reply, has been used more
    frequently, namely in 2 427 procedures. The Irish data protection authority sent and received the highest
    number of mutual assistance requests (527 sent and 359 received), followed by the German authorities
    (260 sent/356 received).
    Conversely, no joint operations[30] have yet been carried out, which would allow the data protection
    authorities of several Member States to be involved already in the investigation of cross-border cases.
    Reflections are ongoing in the Board on the practical implementation of this tool and on how its use can be
    promoted.
[26] See the EDPB contribution, p. 8.
[27] For example, on 22.5.2020 the Irish data protection authority forwarded a draft decision to the other authorities concerned in accordance with Article 60 of the Regulation regarding an investigation into Twitter International Company in connection with a data breach notification. On the same day, the Irish data protection authority also announced that a draft decision on WhatsApp Ireland Limited under Article 60 was being prepared in relation to transparency, including transparency about what information is shared with Facebook.
[28] Article 61 GDPR.
[29] See the EDPB contribution, pp. 12-14.
[30] Article 62 GDPR.
Consistency mechanism
So far, only the first part of the consistency mechanism has been used, namely the adoption of EDPB opinions.[31] Conversely, there have not yet been any cases of dispute resolution in the EDPB,[32] nor has the urgency procedure been used.[33]
In the period from 25 May 2018 to 31 December 2019, the EDPB issued 36 opinions in connection with the adoption of measures by one of its members.[34] Most of these (31) concerned the adoption of national lists of activities requiring a data protection impact assessment. Two opinions concerned binding corporate rules, two others concerned draft accreditation requirements for a code of conduct monitoring body, and one concerned standard contractual clauses.[35]
The Board also adopted six opinions on request.[36] Three of these opinions concerned national lists determining processing operations that do not require a data protection impact assessment. The others concerned, respectively, an administrative arrangement for the transfer of personal data between financial supervisory authorities within the EEA and financial supervisory authorities outside the EEA, the interplay between the ePrivacy Directive and the GDPR, and the competence of a supervisory authority in the event of a change in circumstances relating to the main or single establishment.[37]
Challenges
Although data protection authorities have cooperated very actively in the EDPB and already make intensive use of the mutual assistance cooperation tool, building a genuine common culture is still an ongoing process.
In particular, handling cross-border cases requires a more efficient and harmonised approach and effective use of all the cooperation tools provided for in the GDPR. There is broad agreement on this point, as it was raised in various ways by the European Parliament, the Council, the European Data Protection Supervisor, stakeholders (within and outside the Multi-stakeholder Group) and the data protection authorities.
The main issues to be addressed in this regard are differences in:
• national administrative procedures, in particular concerning: complaint-handling procedures, admissibility criteria for complaints, the duration of procedures due to differing timeframes or the absence of deadlines, the point in the procedure at which the right to be heard is granted, and the information about and involvement of complainants in the procedure;
• interpretations of concepts relating to the cooperation mechanism, e.g. relevant information, the concepts of 'without delay' and 'complaint', the document defined as the 'draft decision' by the lead data protection authority, and amicable settlement (in particular the procedure leading to an amicable settlement and the legal form of the settlement); and
• the way in which the cooperation procedure is to be launched, the data protection authorities concerned involved, and information communicated to them. Complainants also lack clarity on how their cases are handled in cross-border situations, as several members of the Multi-stakeholder Group have stressed. Moreover, companies report that in some cases national data protection authorities did not refer cases to the lead data protection authority but handled them as local cases.
[31] Based on Article 64 GDPR.
[32] Article 65 GDPR.
[33] Article 66 GDPR.
[34] Under Article 64(1) GDPR.
[35] Article 28(8) GDPR.
[36] Under Article 64(2) GDPR.
[37] See the EDPB contribution, p. 15.
The Commission welcomes the fact that the EDPB has announced that it has started reflecting on how to address these issues. In particular, the EDPB stated that it will clarify the procedural steps taken in the cooperation between the lead data protection authority and the data protection authorities concerned, analyse national administrative procedural rules, work towards a common interpretation of key concepts, and strengthen communication and cooperation (including joint operations). The EDPB's reflections and analyses should lead to more efficient working arrangements in cross-border cases,[38] including by building on the expertise of its members and by strengthening the involvement of its secretariat. It should also be noted that the EDPB's responsibility for ensuring a consistent interpretation of the GDPR cannot be fulfilled by simply finding the lowest common denominator.
Finally, as an EU body, the EDPB must also apply EU administrative law and ensure transparency in its decision-making process.
2.3 Advice and guidance
Awareness-raising activities and advice by data protection authorities
Several data protection authorities have created new tools, including help for individuals and businesses, and toolkits for businesses.[39] Many operators welcome the pragmatism these authorities have shown in assisting with the application of the GDPR. In particular, several of them have communicated actively and worked closely with data protection officers, including through associations of data protection officers. Many authorities have also issued guidelines on the role and obligations of data protection officers, with the aim of supporting them in their daily activities, and have held seminars specifically aimed at them. However, this does not apply to all data protection authorities.
Similarly, feedback from stakeholders points to a number of problem areas around guidance and advice:
• the lack of a consistent approach and guidance between national data protection authorities on certain matters (e.g. on cookies,[40] the use of legitimate interests, data breach notifications or data protection impact assessments) or even between data protection authorities within the same Member State (e.g. in Germany on the concepts of controller and processor);
• inconsistency between guidelines adopted at national level and those adopted by the EDPB;
• the lack of public consultations on certain guidelines adopted at national level;
• varying levels of stakeholder involvement among data protection authorities;
• delays in receiving replies to requests for information;
• difficulties in obtaining practical and valuable advice from data protection authorities;
• the need to increase sector-specific expertise in some data protection authorities (e.g. in the health sector and the pharmaceutical industry).
[38] As pointed out in the Council position and conclusions.
[39] See below under point 7.
[40] Until the ePrivacy Regulation is adopted, close cooperation with the competent authorities responsible for enforcing the ePrivacy Directive in the Member States is important. Under that Directive, the authorities competent to enforce Article 5(3) of the ePrivacy Directive (which lays down the conditions for the use of and access to 'cookies' on a user's terminal equipment) are, in some Member States, not the same as the supervisory authorities under the GDPR.
Several of these issues are also linked to the lack of resources at several data protection authorities (see below).
Divergent practices regarding data breach notification[41]
While the Council highlights the burden associated with such notifications, there are significant differences in the number of notifications between Member States: whereas in the period from May 2018 to the end of November 2019 most Member States had fewer than 2 000 notifications in total, and 7 Member States between 2 000 and 10 000, the Dutch and German data protection authorities reported 37 400 and 45 600 notifications respectively over the same period.[42]
This may indicate a lack of consistent interpretation and implementation, despite the existence of EU-level guidelines on data breach notifications.
Guidelines of the European Data Protection Board
So far, the EDPB has adopted more than 20 guidelines covering key aspects of the GDPR.[43] The guidelines are an important tool for ensuring consistent application of the GDPR and have therefore largely been welcomed by stakeholders. Stakeholders have appreciated the systematic public consultation (6-8 weeks). However, they call for more dialogue with the EDPB. In this respect, the practice of organising workshops on targeted topics before guidelines are drafted should be continued and strengthened to ensure transparency, inclusiveness and relevance in the EDPB's work. Stakeholders also ask that the interpretation of the most contentious issues be addressed in guidelines, since these are subject to public consultation, and not in opinions under Article 64(2) GDPR. Some stakeholders also call for more practical guidelines describing the application of GDPR concepts and provisions.[44] Members of the Multi-stakeholder Group stress the need for more concrete examples, which should as far as possible reduce the risk of divergent interpretations between data protection authorities. At the same time, requests to clarify how the GDPR is to be applied and to provide legal certainty should not lead to additional requirements or reduce the benefits of the risk-based approach and the accountability principle.
The topics on which stakeholders would like further guidance from the EDPB include: the scope of data subjects' rights (including in the employment context); updating the opinion on processing based on legitimate interests; the concepts of controller, joint controller and processor, and the necessary arrangements between the parties;[45] the application of the GDPR to new technologies (such as blockchain and artificial intelligence); processing in the context of scientific research (including in the context of international cooperation); processing of children's personal data; pseudonymisation and anonymisation; and processing of health data.
The EDPB has already indicated that it will issue guidelines on many of these topics, and work has already started on several of them (e.g. on the use of legitimate interest as a legal basis for processing).
Stakeholders ask the EDPB to update and, where appropriate, revise existing guidelines in light of the experience gained since their publication, and taking into account the possibility of going into more detail where necessary.
[41] Article 33 GDPR.
[42] See the EDPB contribution, p. 35.
[43] Work on guidelines already started before the GDPR took effect on 25 May 2018, within the framework of the Article 29 Working Party. See the full list of guidelines at https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en.
[44] This was also pointed out by the European Parliament and the Council.
[45] The EDPB is in the process of drafting guidelines on controllers and processors.
2.4 Resources of data protection authorities
It is a prerequisite for the effective performance of their tasks and the exercise of their powers that each data protection authority has the necessary human, technical and financial resources, premises and infrastructure, and this is therefore an essential condition for their independence.[46]
Most data protection authorities have benefited from increased staff and resources since the GDPR entered into force in 2016.[47] However, many of them still report that they do not have sufficient resources.[48]
Number of staff working for national data protection authorities
The total number of staff of data protection authorities in the EEA increased overall by 42% between 2016 and 2019 (by 62% if the forecast for 2020 is included).
The number of staff of most authorities increased over this period, with the largest increases (in percentage terms) recorded for the authorities in Ireland (+169%), the Netherlands (+145%), Iceland (+143%), Luxembourg (+126%) and Finland (+114%). Conversely, the number of staff fell at several data protection authorities, with the most marked decreases in Greece (-15%), Bulgaria (-14%), Estonia (-11%), Latvia (-10%) and Lithuania (-8%). At some authorities, the decrease in staff numbers is also due to data protection experts leaving for employment in the private sector, which can offer more attractive conditions.
Overall, the forecast for 2020 estimates an increase in staff numbers compared with 2019, with the exception of the authorities in Austria, Bulgaria, Italy, Sweden and Iceland (where staff numbers are expected to remain stable), and Cyprus and Denmark (where staff numbers are expected to fall).
The German data protection authorities[49] together have the largest number of staff (888 in 2019/estimated 1 002 in 2020), followed by the data protection authorities in Poland (238/260), France (215/225), Spain (170/220), the Netherlands (179/188), Italy (170/170) and Ireland (140/176).
The data protection authorities with the lowest number of staff are those in Cyprus (24/22), Latvia (19/31), Iceland (17/17), Estonia (16/18) and Malta (13/15).
Budget of national data protection authorities
The total budget of data protection authorities in the EEA increased overall by 49% between 2016 and 2019 (by 64% if the forecast for 2020 is included).
The budget of most authorities increased over this period, with the largest increases (in percentage terms) recorded for the authorities in Ireland (+223%), Iceland (+167%), Luxembourg (+165%), the Netherlands (+130%) and Cyprus (+114%). Conversely, some authorities saw only a small increase in their budget, with the smallest increases recorded for the data protection authorities in Estonia (7%), Latvia (4%), Romania (3%) and Belgium (1%), while the authority in France saw a decrease (-2%).
Overall, the forecast for 2020 estimates an increase in budget compared with 2019, except for the authorities in Austria, Bulgaria, Estonia and the Netherlands (whose budgets are expected to remain stable).
[46] See Article 52(4) GDPR.
[47] The Regulation entered into force in May 2016 and became applicable in May 2018 after a two-year transition period.
[48] See the EDPB contribution, pp. 26-30.
[49] There are 18 authorities in Germany, one of which is a federal authority and 17 are regional authorities (including two in Bavaria).
The data protection authorities with the largest budget are those of Germany (EUR 76.6 million in 2019/estimated EUR 85.8 million in the 2020 forecast), Italy (29.1/30.1), the Netherlands (18.6/18.6), France (18.5/20.1) and Ireland (15.2/16.9).
The authorities with the lowest budget are those of Croatia (EUR 1.2 million in 2019/estimated EUR 1.4 million in the 2020 forecast), Romania (1.1/1.3), Latvia (0.6/1.2), Cyprus (0.5/0.5) and Malta (0.5/0.6).
The table in Annex II gives an overview of the human and budgetary resources of the national data protection authorities.
In addition to affecting their ability to enforce the rules at national level, the lack of resources also limits data protection authorities' capacity to participate in and contribute to the cooperation and consistency mechanism and to the work carried out in the EDPB. As the EDPB has highlighted, the success of the one-stop-shop mechanism depends on the time and effort that data protection authorities can devote to handling and cooperating on individual cross-border cases. The resource problem is further compounded by the authorities' increased role in supervising the large IT systems currently under development. The data protection authorities in Ireland and Luxembourg also have specific resource needs in light of their role as lead authorities in enforcing the GDPR vis-à-vis large technology companies, which are primarily located in these Member States.
While the Council points to the impact of the cooperation mechanism and its deadlines on the work of data protection authorities,[50] Member States are obliged under the GDPR to provide their national data protection authorities with sufficient human, financial and technical resources.[51]
The EDPB secretariat, which is provided by the European Data Protection Supervisor,[52] currently consists of 20 people, including legal experts, IT experts and communication experts. It should be assessed whether this number needs to be expanded in the future so that the secretariat can effectively fulfil its function of providing analytical, administrative and logistical support to the EDPB and its subgroups, including in managing the information exchange system.
3 HARMONISED RULES, BUT STILL A CERTAIN DEGREE OF FRAGMENTATION AND DIVERGENT APPROACHES
The GDPR provides for a consistent approach to data protection rules across the EU, replacing the different national regimes that existed under the 1995 Data Protection Directive.
3.1 Implementation of the GDPR by Member States
The GDPR has been directly applicable in all Member States since 25 May 2018. It required Member States to legislate, in particular to establish national data protection authorities and lay down general conditions for their members, in order to ensure that each authority acts with complete independence when performing its tasks and exercising its powers in accordance with the GDPR. Legal obligations and public tasks can only constitute the legal basis for the processing of personal data if they are laid down in (EU or) national law.
[50] Article 60 GDPR.
[51] Article 52(4) GDPR.
[52] Article 75 GDPR.
In addition, Member States must lay down rules on penalties, in particular for infringements that are not subject to administrative fines, and they must reconcile the right to the protection of personal data with the right to freedom of expression and information. National law may also provide a legal basis for derogations from the general prohibition on processing special categories of personal data, e.g. for reasons of substantial public interest in the area of public health, including protection against serious cross-border threats to health. Member States must also ensure the accreditation of certification bodies.
The Commission monitors the implementation of the GDPR in national law. At the time of drafting this report, all Member States except Slovenia had adopted new data protection legislation or adapted their legislation in this area. The Commission therefore asked Slovenia to provide further details on the progress made so far and urged it to complete this process.[53]
In addition, the compliance of national legislation with the data protection rules relating to the Schengen acquis is also assessed in the context of the Schengen evaluation mechanism coordinated by the Commission. The Commission and the Member States jointly evaluate how countries implement and apply the Schengen acquis in a number of areas. As regards data protection, this concerns large IT systems such as the Schengen Information System and the Visa Information System, and includes the role of data protection authorities in monitoring the processing of personal data within these systems.
Work on adapting sectoral legislation is still ongoing at national level. Following the incorporation of the GDPR into the Agreement on the European Economic Area, its application was extended to Norway, Iceland and Liechtenstein. These countries have also adopted national data protection laws.
The Commission will use all the tools at its disposal, including infringement proceedings, to ensure that Member States comply with the GDPR.
Main issues relating to national implementation
The main issues identified so far as part of the ongoing assessment of national legislation and the bilateral exchanges with Member States include:
• Limitations on the application of the GDPR: for example, some Member States completely exclude the activities of the national parliament.
• Differences in the applicability of national specifying laws. Some Member States link the applicability of their national law to the place where goods or services are offered, others to the place of establishment of the controller or processor. This runs counter to the harmonisation objective pursued by the GDPR.
• National laws that raise doubts about the proportionality of the interference with the right to data protection. For example, the Commission launched infringement proceedings against a Member State that had adopted legislation requiring judges to publish specific information about their non-professional activities, which is incompatible with the right to respect for private life and the right to the protection of personal data.[54]
[53] It should be noted that the national data protection authority in Slovenia is established on the basis of the current national data protection legislation and supervises the application of the GDPR in that Member State.
[54] These infringement proceedings concern the Polish law on the judiciary of 20 December 2019, which interferes with the independence of judges and which concerns, among other things, the disclosure of information about judges' involvement in non-professional activities: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_772.
• The lack of an independent body to supervise the processing of data by courts acting in their judicial capacity.[55]
• Legislation in areas fully regulated by the GDPR that goes beyond the margin of manoeuvre for specifications or restrictions. This is the case in particular where national provisions lay down conditions for processing based on legitimate interests by prescribing how the balancing between the respective interests of the controller and the persons concerned is to be carried out, whereas the GDPR obliges each controller to carry out such a balancing individually and to rely on this legal basis.
• Specifications and additional requirements beyond processing for compliance with a legal obligation or the performance of a public task (e.g. video surveillance in the private sector or direct marketing) and for concepts used in the GDPR (e.g. 'large scale' or 'erasure').
Some of these issues may be clarified by the Court of Justice in cases that are still pending.[56]
Reconciling the right to the protection of personal data with freedom of expression and information
A specific issue concerns the implementation of Member States' obligation to reconcile by law the right to the protection of personal data with freedom of expression and information.[57] This issue is very complex, since assessing the balance between these fundamental rights must also take into account the provisions and safeguards in press and media legislation.
The assessment of Member States' legislation shows different approaches to reconciling the right to the protection of personal data with freedom of expression and information:
• Some Member States lay down the principle of the primacy of freedom of expression or, for processing of personal data carried out solely for journalistic purposes or for the purposes of academic, artistic or literary expression, exempt entire chapters referred to in Article 85(2) GDPR. To some extent, media laws provide for certain safeguards as regards the rights of the data subject.
• Some Member States have laid down that the protection of personal data takes precedence, and allow the data protection rules to be disapplied only in specific situations, e.g. where a person with public status is concerned.
• Other Member States leave it to the legislator to carry out a balancing to some extent and/or allow a case-by-case assessment as regards derogations from certain provisions of the GDPR.
The Commission will continue its assessment of national legislation on the basis of the requirements of the Charter. The reconciliation must be laid down in legislation, must respect the essence of these fundamental rights, and must be proportionate and necessary (Article 52(1) of the Charter). Data protection rules should not affect the exercise of freedom of expression and information, in particular by creating a chilling effect or by being interpreted as a means of putting pressure on journalists to reveal their sources.
[55] See Article 8(3) of the Charter, Article 16 TFEU and recital 20 of the GDPR.
[56] For example, the exemption of a parliamentary committee from the application of the GDPR is the subject of a pending case (C-272/19).
[57] Article 85 GDPR.
3.2 Optional specification clauses and their limits
The GDPR allows Member States to further specify its application in a limited number of areas. This margin of manoeuvre for national legislation differs from the obligation to implement certain other provisions of the GDPR as mentioned above. The optional specification clauses are listed in Annex I.
The margins of manoeuvre for Member States' legislation are subject to the conditions and limits laid down in the GDPR and do not allow for a parallel national data protection regime.[58] Member States are obliged to amend or repeal national data protection legislation, including sectoral legislation with data protection aspects.
Moreover, a Member State's related legislation must not contain provisions that could create confusion about the direct applicability of the GDPR. Where the GDPR provides for specifications or restrictions of its rules by Member State law, Member States may, to the extent necessary for coherence and to make the national provisions comprehensible to the persons to whom they apply, incorporate elements of the GDPR into their national law.[59]
Some stakeholders consider that Member States should limit or refrain from using optional specification clauses, as they do not contribute to harmonisation. National differences in both the implementation of the laws and their interpretation by data protection authorities significantly increase the cost of compliance across the EU.
Fragmentation in the use of optional specification clauses
• Age limit for children's consent to information society services
A number of Member States have made use of the possibility to set an age limit lower than 16 for consent in relation to information society services (Article 8(1) GDPR). Nine Member States apply the age limit of 16, while eight Member States have opted for 13, six for 14 and three for 15.[60]
As a result, a company providing information society services to minors across the EU has to distinguish between the ages of potential users depending on the Member State in which they reside. This runs counter to the general objective of the GDPR of ensuring uniform protection of individuals and business opportunities in all Member States.
Such differences lead to situations where the Member State in which the controller is established sets a different age limit from the Member State in which the data subjects reside.
• Health and research
In implementing derogations from the general prohibition on processing special categories of personal data,[61] Member States' legislation follows different approaches as regards the level of specifications and safeguards, including for health and research purposes. Most Member States have introduced or maintained additional conditions for the processing of genetic data,
[58] The widely used term 'opening clauses' for specification clauses is misleading, as it could give the impression that Member States have margins of manoeuvre beyond the provisions of the Regulation.
[59] Recital 8 of the GDPR.
[60] 13 for Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal and Sweden; 14 for Austria, Bulgaria, Cyprus, Spain, Italy and Lithuania; 15 for Czechia, Greece and France; 16 for Germany, Hungary, Croatia, Ireland, Luxembourg, the Netherlands, Poland, Romania and Slovakia.
[61] Article 9 GDPR.
    16
    biometriske data eller sundhedsdata. Det gælder også for undtagelser i forbindelse med de registreredes
    rettigheder til forskningsmæssige formål62
    , både med hensyn til omfanget af undtagelserne og de dertil
    knyttede garantier.
    Databeskyttelsesrådets kommende retningslinjer for anvendelse af personoplysninger inden for
    videnskabelig forskning vil bidrage til en harmoniseret fremgangsmåde på dette område. Kommissionen vil
    komme med input til Databeskyttelsesrådet, navnlig for så vidt angår sundhedsforskning, herunder i form af
    konkrete spørgsmål og analyse af konkrete scenarier, som den har modtaget fra forskersamfundet. Det ville
    være nyttigt, om disse retningslinjer kunne vedtages inden lanceringen af Horisont Europa-
    rammeprogrammet med henblik på at harmonisere databeskyttelsespraksis og lette udvekslingen af data
    vedrørende forskningsresultater. Retningslinjer fra Databeskyttelsesrådet om behandling af
    personoplysninger på sundhedsområdet kunne også være nyttige.
    Persondataforordningen udgør en solid ramme for national lovgivning på folkesundhedsområdet og omfatter
    udtrykkeligt grænseoverskridende sundhedstrusler og overvågning af epidemier og deres spredning63
    ,
    hvilket var relevant i forbindelse med bekæmpelsen af covid-19-pandemien.
    På EU-plan vedtog Kommissionen den 8. april 2020 en henstilling om en fælles værktøjskasse med henblik
    på at udnytte teknik og data i denne forbindelse, herunder mobilapplikationer og anvendelse af
    anonymiserede mobilitetsdata64
    , og den 16. april 2020 en vejledning om apps til støtte for bekæmpelse af
    pandemien i forbindelse med databeskyttelse65
    . I denne forbindelse offentliggjorde Databeskyttelsesrådet
    den 19. marts 2020 en erklæring om databehandling66
    , efterfulgt den 21. april 2020 af retningslinjer om
    databehandling til forskningsformål og brug af lokaliseringsdata og kontaktopsporingsredskaber i
    forbindelse hermed67
    . Disse henstillinger og retningslinjer præciserer, hvordan principperne og reglerne for
    beskyttelse af personoplysninger finder anvendelse i forbindelse med bekæmpelsen af pandemien.
     Omfattende begrænsninger i registreredes rettigheder
    De fleste nationale databeskyttelseslove, der begrænser den registreredes rettigheder, specificerer ikke de
    mål af almen offentlig interesse, der er sikret ved disse begrænsninger, og/eller opfylder ikke i tilstrækkelig
    grad de betingelser og garantier, der kræves i persondataforordningens artikel 23, stk. 268
    . Flere
    medlemsstater giver ikke mulighed for en proportionalitetstest eller udvider restriktionerne selv ud over
    anvendelsesområdet for persondataforordningens artikel 23, stk. 1. For eksempel giver visse nationale love
    under henvisning til, at det vil kræve en uforholdsmæssig stor indsats fra den dataansvarliges side, ikke ret
    til adgang til personoplysninger, der lagres på grundlag af en opbevaringspligt eller i forbindelse med
    udførelsen af offentlige opgaver, uden at der sker en afgræsning af en sådan begrænsning til formål af
    generel samfundsinteresse.
     Yderligere krav til selskaber
    Selv om kravet om en obligatorisk databeskyttelsesansvarlig er baseret på en risikobaseret tilgang69
    , har én
    medlemsstat70
    udvidet den til et kvantitativt kriterium, der forpligter virksomheder, hvor mindst 20
    medarbejdere er fast beskæftiget med automatiseret behandling af personoplysninger, til at udpege en
    62
    Persondataforordningens artikel 89, stk. 2.
    63
    Se persondataforordningens artikel 9, stk. 2, litra i), og betragtning 46.
    64
    https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf.
    65
    https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020XC0417 (08) & from = EN.
    66
    https://edpb.europa.eu/news/news/2020/statement-processing-personal-data-context-covid-19-outbreak_en.
    67
    https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en.
    68
    F.eks. fordi de blot gentager ordlyden af persondataforordningens artikel 23, stk. 1.
    69
    Persondataforordningens artikel 37, stk. 1.
    70
    Tyskland.
    17
    databeskyttelsesansvarlig. uafhængigt af de risici, der er forbundet med behandlingsaktiviteterne71
    . Dette har
    medført yderligere byrder.
    4 SÆTTE ENKELTPERSONER I STAND TIL AT KONTROLLERE DERES DATA
    Persondataforordningen bringer de grundlæggende rettigheder i anvendelse, navnlig retten til beskyttelse af
    personoplysninger, men også de andre grundlæggende rettigheder, der er anerkendt i chartret, herunder
    respekten for privatliv og familieliv, ytrings- og informationsfriheden, ikke-forskelsbehandling, retten til at
    tænke frit, samvittigheds- og religionsfriheden, friheden til at oprette og drive egen virksomhed og adgangen
    til effektive retsmidler. Disse rettigheder skal vejes op mod hinanden i overensstemmelse med
    proportionalitetsprincippet72
    .
    Persondataforordningen giver borgerne rettigheder, der kan håndhæves, såsom retten til indsigt, berigtigelse,
    sletning, indsigelse, portabilitet og øget gennemsigtighed. Det giver også enkeltpersoner ret til at indgive
    klage til en databeskyttelsesmyndighed, herunder gennem sager til varetagelse af forbrugerinteresser, og til
    domstolsprøvelse.
    Borgerne er i stigende grad opmærksomme på deres rettigheder, som det fremgår af resultaterne af
    Eurobarometerundersøgelsen fra juli 201973
    og undersøgelsen fra Agenturet for Grundlæggende
    Rettigheder74
    .
    Ifølge undersøgelsen om grundlæggende rettigheder foretaget af Agenturet for Grundlæggende Rettigheder:
     69 % af befolkningen på 16 år og derover i EU har hørt om persondataforordningen
     71 % af respondenterne i EU har hørt om deres nationale databeskyttelsesmyndighed; dette tal varierer
    fra 90 % i Tjekkiet til 44 % i Belgien
     60 % af respondenterne i EU har kendskab til en lov, der gør det muligt for dem at få adgang til
    personoplysninger, som den offentlige forvaltning har om dem; denne procentsats falder dog til 51 % for
    private virksomheder
     mere end én ud af fem respondenter (23 %) i EU ønsker ikke at dele personoplysninger (f.eks. en
    persons adresse, statsborgerskab eller fødselsdato) med en offentlig administration, og 41 % ønsker ikke
    at dele disse data med private virksomheder.
    Borgerne benytter sig i stigende grad af deres ret til at indgive klager til databeskyttelsesmyndigheder, enten
    individuelt eller gennem sager til varetagelse af forbrugerinteresser75
    . Kun nogle få medlemsstater har gjort
    det muligt for ikke-statslige organisationer at iværksætte foranstaltninger uden mandat i overensstemmelse
    med den mulighed, der er fastsat i persondataforordningen. Forslaget til direktiv om adgang til indbringelse
    af sager til varetagelse af forbrugernes kollektive interesser76
    vil, når det er vedtaget, styrke rammerne for
    sager til varetagelse af forbrugerinteresser, også på databeskyttelsesområdet.
    Klager
    Det samlede antal klager mellem maj 2018 og udgangen af november 2019 som indberettet af
    Databeskyttelsesrådet er ca. 275 00077
    . Dette tal bør dog tages med et gran salt, idet en klage ikke defineres
    71
    Gøre brug af specifikationsbestemmelsen i persondataforordningens artikel 37, stk. 4.
    72
    Jf. betragtning 4 i persondataforordningen.
    73
    https://ec.europa.eu/commission/presscorner/detail/da/IP_19_2956
    74
    Den Europæiske Unions Agentur for Grundlæggende Rettigheder (2020): Undersøgelse af grundlæggende rettigheder 2019.
    Databeskyttelse og teknologi: https://fra.europa.eu/en/publication/2020/fundamental-rights-survey-data-protection
    75
    Persondataforordningens artikel 80.
    76
    COM/2018/0184 final - 2018/089 (COD)
    77
    Både i henhold til persondataforordningens artikel 77 og 80.
    18
    på samme måde af forskellige myndigheder. Det absolutte antal klager, som databeskyttelsesmyndigheder78
    modtager, er meget forskelligt fra medlemsstat til medlemsstat. Det største antal klager blev registreret i
    Tyskland (67 000), Nederlandene (37 000), Spanien og Frankrig (18 000 hver), Italien (14 000), Polen og
    Irland (med hver 12 000). To tredjedele af myndighederne rapporterede om mellem 8 000 og 600 klager.
    Det laveste antal klager blev registreret i Estland og Belgien (med hver ca. 500), Malta og Island (med hver
    under 200).
    Antallet af klager modsvarer ikke nødvendigvis befolkningens størrelse eller BNP. F.eks. er der i Tyskland
    tæt på dobbelt så mange klager end i Nederlandene, og fire gange så mange klager som i Spanien og
    Frankrig.
    Feedback fra flerpartsgruppen viser, at organisationer har iværksat en række foranstaltninger for at lette
    udøvelsen af de registreredes rettigheder, herunder gennemførelsesprocesser, der sikrer individuel
    behandling af anmodninger og svar fra den dataansvarlige, brug af flere kanaler (post, dedikeret e-
    mailadresse, websted osv.), ajourførte interne procedurer og politikker for rettidig intern behandling af
    anmodninger samt uddannelse af medarbejdere. Nogle virksomheder har indført digitale portaler, som kan
    tilgås via virksomhedens websted (eller selskabets intranet for medarbejdere) for at gøre det lettere for de
    registrerede at udøve deres rettigheder.
    Der er dog behov for yderligere fremskridt på følgende punkter:
     Ikke alle dataansvarlige overholder deres forpligtelse til at lette udøvelsen af de registreredes
    rettigheder79
    . De skal sikre, at de registrerede har et effektivt kontaktpunkt, hvor de kan forklare om
    deres problemer. Dette kan være den databeskyttelsesansvarlige, hvis kontaktoplysninger skal gives
    proaktivt til den registrerede80
    . Kontaktmåderne må ikke være begrænset til e-mail, men skal også give
    den registrerede mulighed for at henvende sig til den dataansvarlige med andre midler.
     Enkeltpersoner støder fortsat på problemer, når de anmoder om adgang til deres data, f.eks. fra
    platforme, dataformidlere og AdTech-virksomheder.
     Retten til dataportabilitet udnyttes ikke fuldt ud. I den europæiske strategi for data (i det følgende
    benævnt "datastrategien")81
    , som Kommissionen vedtog den 19. februar 2020, blev det understreget, at
    der er behov for at lette alle mulige anvendelser af denne ret (f.eks. ved at give mandat til tekniske
    grænseflader og maskinlæsbare formater, der tillader dataportabilitet i (nær) realtid). Erhvervsdrivende
    bemærker, at der undertiden er problemer med at levere dataene i et struktureret, almindeligt anvendt
    maskinlæsbart format (grundet manglende standarder). Det er kun organisationer i bestemte sektorer,
    f.eks. inden for bankvirksomhed, telekommunikation, vand- og varmemålere, der beretter, at de har
    oprettet de nødvendige grænseflader82
    . Der er udviklet nye teknologiske værktøjer, der skal gøre det
    lettere for personer at udøve deres rettigheder i henhold til persondataforordningen, der ikke er
    begrænset til dataportabilitet (f.eks. personlige dataområder og tjenester til forvaltning af personlige
    oplysninger).
     Børns rettigheder: Flere medlemmer af flerpartsgruppen understreger behovet for at give oplysninger til
    børn og det forhold, at mange organisationer ignorerer, at børn kan blive bekymret over behandlingen af
    deres personoplysninger. Rådet understregede, at man kunne være særlig opmærksom på beskyttelsen af
    78
    Se Databeskyttelsesrådets bidrag, s. 31-32
    79
    Persondataforordningens artikel 12, stk. 2.
    80
    Persondataforordningens artikel 13, stk. 1, litra b), og artikel 14, stk. 1, litra b).
    81
    https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf.
    82
    Se flerpartsgruppens rapport.
    19
    børn ved udarbejdelsen af adfærdskodekser. Beskyttelse af børn er også et fokusområde for
    databeskyttelsesmyndigheder83
    .
     Ret til information: nogle virksomheder har en meget legalistisk tilgang, idet de anser
    databeskyttelsesmeddelelser for at være en juridisk øvelse med oplysninger, der er ret komplekse,
    vanskelige at forstå eller ufuldstændige, hvorimod enhver information ifølge persondataforordningen
    skal være kortfattet, lettilgængelig og letforståelig84
    . Nogle virksomheder følger tilsyneladende ikke
    Databeskyttelsesrådets anbefalinger, f.eks. med hensyn til navnene på de enheder, som de deler data
    med.
     Flere medlemsstater har begrænset de registreredes rettigheder væsentligt gennem national ret, og nogle
    endda uden for den manøvremargen, der er fastsat i persondataforordningens artikel 23.
     Udøvelsen af enkeltpersoners rettigheder hindres af og til af nogle få store digitale aktørers praksis, som
    gør det vanskeligt for enkeltpersoner at vælge de indstillinger, der bedst beskytter deres privatliv (i strid
    med kravet om databeskyttelse gennem design og databeskyttelse gennem standardindstillinger85
    )86
    .
    Interessenterne venter utålmodigt på Databeskyttelsesrådets retningslinjer for registreredes rettigheder.
    5 MULIGHEDER OG UDFORDRINGER FOR ORGANISATIONER, NAVNLIG SMÅ OG MELLEMSTORE
    VIRKSOMHEDER
    Muligheder for organisationer
    Persondataforordningen fremmer konkurrence og innovation. Sammen med forordningen om fri udveksling
    af andre data end personoplysninger87
    sikrer den fri udveksling af data inden for EU og skaber lige
    konkurrencevilkår for virksomheder, der ikke er etableret i EU. Ved at skabe en harmoniseret ramme for
    beskyttelse af personoplysninger sikrer persondataforordningen, at alle aktører på det indre marked er
    bundet af de samme regler og nyder samme muligheder, uanset om de er etableret, og hvor
    databehandlingen finder sted. Persondataforordningens teknologiske neutralitet skaber
    databeskyttelsesrammen for ny teknologisk udvikling. Principperne om databeskyttelse gennem design og
    databeskyttelse gennem standardindstillinger tilskynder til innovative løsninger, som fra starten omfatter
    databeskyttelseshensyn og kan reducere omkostningerne ved overholdelse af databeskyttelsesreglerne.
    Desuden bliver privatlivets fred en vigtig konkurrenceparameter, som personer i stigende grad tager med i
    deres overvejelser, når de skal vælge deres tjenester. Personer, der er mere informerede og opmærksomme
    på overvejelser om databeskyttelse, søger efter produkter og tjenesteydelser, der sikrer en effektiv
    beskyttelse af personoplysninger. Gennemførelsen af retten til dataportabilitet kan sikre virksomheder, der
    tilbyder innovative, databeskyttelsesvenlige tjenester, lettere adgang. Virkningerne af en potentielt bredere
    83
    Se resultaterne af en offentlig høring om børns databeskyttelsesrettigheder, der blev gennemført af den irske
    databeskyttelsesmyndighed: https://www.dataprotection.ie/sites/default/files/uploads/2019-
    09/Whose%20Rights%20Are%20They%20Anyway_Trends%20and%20Hightlights%20from%20Stream%201.pdf. Ligeledes
    iværksatte den franske databeskyttelsesmyndighed en offentlig høring i april 2020: https://www.cnil.fr/fr/la-cnil-lance-une-
    consultation-publique-sur-les-droits-des-mineurs-dans-lenvironnement-numerique.
    84
    Persondataforordningens artikel 12, stk. 1.
    85
    Persondataforordningens artikel 25.
    86
    Se rapport fra det norske forbrugerråd, Deceived by Design, som satte fokus på de "mørke mønstre", standardindstillinger og
    andre funktioner og teknikker, som virksomheder gør brug af for at puffe brugere i retning af indgribende løsninger:
    https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design/
    Se også den forskning, der blev offentliggjort i december 2019 af Transatlantic Consumer Dialogue og Heinrich-Böll-Stiftung
    Brussels European Union, der analyserer praksis på tre store globale platforme:
    https://eu.boell.org/en/2019/12/11/privacy-eu-and-us-consumer-experiences-across-three-global-platforms.
    87
    Europa-Parlamentets og Rådets forordning (EU) 2018/1807 af 14. november 2018 om en ramme for fri udveksling af andre
    data end personoplysninger i Den Europæiske Union (EUT L 303 af 28.11.2018, s. 59).
    20
    anvendelse af denne ret på markedet i forskellige sektorer bør overvåges. Overholdelse af
    databeskyttelsesreglerne og gennemskuelig anvendelse heraf vil skabe tillid til brugen af folks
    personoplysninger og dermed nye muligheder for virksomhederne.
    I lighed med enhver anden regulering medfører databeskyttelsesreglerne overholdelsesomkostninger for
    virksomhederne. Disse omkostninger opvejes imidlertid af de muligheder og fordele, der ligger i at styrke
    tilliden til digital innovation og de samfundsmæssige fordele ved at respektere en grundlæggende rettighed.
    Ved at sikre lige vilkår og udstyre databeskyttelsesmyndighederne med det, de har brug for til at håndhæve
    reglerne effektivt, forhindrer persondataforordningen, at virksomheder, der ikke overholder reglerne, kan
    snylte på den tillid, der opbygges af dem, der følger reglerne.
    Særlige udfordringer for små og mellemstore virksomheder (SMV'er)
    Det er en almindelig opfattelse blandt interessenter, som også deles af Europa-Parlamentet, Rådet og
    databeskyttelsesmyndigheder, at anvendelsen af persondataforordningen skaber særlige udfordringer for
    mikrovirksomheder og små og mellemstore virksomheder, og for små frivillige og velgørende
    organisationer.
    Ifølge den risikobaserede tilgang ville det ikke være hensigtsmæssigt at give mulighed for undtagelser
    baseret på operatørernes størrelse, da deres størrelse ikke i sig selv er en indikator for, hvilke risici deres
    databehandling kan medføre for personer. Den risikobaserede tilgang parrer fleksibilitet med effektiv
    beskyttelse. Den tager hensyn til behovene hos SMV'er, hvis hovedaktivitet ikke er behandling af
    personoplysninger, og justerer deres forpligtelser især med afsæt i sandsynligheden for og alvoren af de
    risici, der er forbundet med den specifikke databehandling, de udfører88
    .
    Databehandling, der indebærer en lille eller lav risiko, bør ikke behandles på samme måde som
    databehandling, der indebærer en høj risiko eller sker hyppigt – uafhængigt af størrelsen af den virksomhed,
    der udfører den. Derfor konkluderede udvalget, at "den risikobaserede tilgang, som lovgiveren har fremmet i
    teksten, under alle omstændigheder bør bibeholdes, da risiciene for de registrerede ikke afhænger af de
    dataansvarliges størrelse"89
    . Databeskyttelsesmyndighederne bør fuldt ud tage dette princip til sig, når de
    håndhæver persondataforordningen, helst med en fælles europæisk tilgang for ikke at skabe hindringer for
    det indre marked
    Databeskyttelsesmyndighederne har udviklet flere værktøjer og har understreget, at de har til hensigt at
    forbedre dem yderligere. Nogle myndigheder har iværksat oplysningskampagner og vil endda afholde gratis
    "persondataforordningen-klasser" for SMV'er.
    Eksempler på vejledning og værktøjer, som databeskyttelsesmyndigheder stiller til rådighed specifikt til
    SMV'er
     offentliggørelse af oplysninger til SMV'er
     seminarer for databeskyttelsesansvarlige og arrangementer for SMV'er, der ikke behøver at udpege en
    databeskyttelsesansvarlig
     interaktive vejledninger til støtte for SMV'er
     hotlines til konsultationer
     modeller for behandlingskontrakter og fortegnelser over behandlingsaktiviteter.
    Databeskyttelsesrådets bidrag indeholder en beskrivelse af de aktiviteter, der udføres af
    databeskyttelsesmyndigheder90
    .
    88
    Persondataforordningens artikel 24, stk. 1.
    89
    Se Databeskyttelsesrådets bidrag, s. 35.
    90
    Se Databeskyttelsesrådets bidrag, s. 35-45.
    21
    Flere af de aktioner, der specifikt støtter SMV'er, har modtaget EU-støtte. Kommissionen ydede finansiel
    støtte i form af tilskud ad tre omgange på i alt 5 mio. EUR, hvor de seneste to specifikt havde til formål at
    hjælpe de nationale tilsynsmyndigheder i deres bestræbelser på at nå ud til personer og SMV'er. Som følge
    heraf blev der i 2018 tildelt 2 mio. EUR til ni databeskyttelsesmyndigheder til aktiviteter i 2018-2019
    (Belgien, Bulgarien, Danmark, Ungarn, Litauen, Letland, Nederlandene, Slovenien og Island)91
    , og i 2019
    blev der tildelt 1 mio. EUR til fire databeskyttelsesmyndigheder til aktiviteter i 2020 (Belgien, Malta,
    Slovenien og Kroatien i partnerskab med Irland)92. Der vil i 2020 blive tildelt yderligere 1 mio. EUR.
    Trods disse initiativer rapporterer SMV'er og nystartede virksomheder ofte om, at de kæmper med
    gennemførelsen af princippet om ansvarlighed, der er fastsat i persondataforordningen93
    . De gør især
    opmærksom på, at de ikke altid får tilstrækkelig vejledning og praktisk rådgivning fra de nationale
    databeskyttelsesmyndigheder, eller at den tid, det tager at få vejledning og råd, er for lang. Der har også
    været tilfælde, hvor myndighederne har været tilbageholdende med at gå ind i juridiske problemstillinger.
    Når SMV'er står over for sådanne situationer, henvender de sig ofte til eksterne rådgivere og advokater for at
    få dem til at tage sig af gennemførelsen af ansvarlighedsprincippet og den risikobaserede tilgang (herunder
    krav om gennemsigtighed, fortegnelser over databehandling og anmeldelser af brud på datasikkerheden).
    Dette kan også medføre yderligere omkostninger for dem.
    Et specifikt problem er registreringen af behandlingsaktiviteter, som SMV'er og små sammenslutninger
    betragter som en tung administrativ byrde. Undtagelsen fra denne forpligtelse i persondataforordningens
    artikel 30, stk. 5, er ganske vist meget snæver. De bestræbelser, der er gjort for at overholde denne
    forpligtelse, bør dog ikke overvurderes. Hvis SMV'ers hovedaktivitet ikke involverer behandling af
    personoplysninger, kan sådanne fortegnelser være enkle og ikke byrdefulde. Det samme gælder for frivillige
    og andre foreninger. Det ville blive lettere at udarbejde sådanne forenklede fortegnelser ved hjælp af
    modeller for registreringer, således som det allerede er praksis hos nogle databeskyttelsesmyndigheder. Et
    grundlæggende krav i forbindelse med ansvarlighedsprincippet er, at alle, der behandler personoplysninger,
    under alle omstændigheder bør have et overblik over deres databehandling.
    Udviklingen af praktiske redskaber på EU-niveau, såsom harmoniserede formularer til brug ved brud på
    datasikkerheden og forenklede fortegnelser over behandlingsaktiviteter, kan hjælpe SMV'er og små
    foreninger94
    , hvis hovedaktivitet ikke fokuserer på behandling af personoplysninger, til at opfylde deres
    forpligtelser.
    Forskellige erhvervssammenslutninger har gjort en indsats for at øge bevidstheden og informere deres
    medlemmer, f.eks. gennem konferencer og seminarer, der giver virksomheder oplysninger om de
    tilgængelige retningslinjer, eller ved at udvikle en tjeneste for medlemmerne for hjælp til beskyttelse af
    privatlivets fred. De melder også om et stigende antal seminarer, møder og arrangementer tilrettelagt af
    tænketanke og sammenslutninger af SMV'er om forhold, der vedrører persondataforordningen.
    For at forbedre den frie bevægelighed for alle data i EU og sikre en konsekvent anvendelse af
    persondataforordningen og forordningen om fri udveksling af andre data end personoplysninger udsendte
    Kommissionen også en praktisk vejledning om regler for behandling af blandede datasæt, der består af både
    personoplysninger og andre data end personoplysninger; Den er især rettet mod SMV'er95
    .
    Værktøjskasse for virksomheder
    91
    https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/rec-rdat-trai- ag-2017.
    92
    https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules/eu-funding-supporting-implementation-
    gdpr_en.
    93
    Se rapporten fra flerpartsgruppen.
    94
    Se Rådets bidrag.
    95
    Meddelelse fra Kommissionen til Europa-Parlamentet og Rådet – Vejledning vedrørende forordningen om en ramme for fri
    udveksling af andre data end personoplysninger i Den Europæiske Union (COM/2019/250 final).
    22
    Persondataforordningen stiller værktøjer til rådighed, som kan hjælpe til med at påvise, at reglerne
    overholdes, f.eks. adfærdskodekser, certificeringsmekanismer og standardkontraktbestemmelser.
     Adfærdskodekser
    Databeskyttelsesrådet har udstedt retningslinjer96
    , der skal give støtte til og gøre det nemmere for
    "kodeksindehavere" at udarbejde, ændre eller udvide kodekser, og yde praktisk vejledning og hjælp til
    fortolkning. Disse retningslinjer præciserer også procedurerne for indgivelse, godkendelse og
    offentliggørelse af regler på både nationalt plan og EU-plan ved at fastsætte de minimumskrav, der skal
    opfyldes.
    Interessenterne mener, at adfærdskodekser er meget nyttige værktøjer. Selv om mange kodekser
    gennemføres på nationalt plan, er en række EU-adfærdskodekser i øjeblikket under udarbejdelse (f.eks.
    vedrørende mobile sundhedsapps, sundhedsforskning i genomik, cloud computing, direkte markedsføring,
    forsikring, behandling gennem forebyggelse og rådgivningstjenester for børn)97
    . Erhvervsdrivende mener, at
    EU-dækkende adfærdskodekser bør indtage en mere fremtrædende plads, da de fremmer en ensartet
    anvendelse af persondataforordningen i alle medlemsstaterne.
    Men adfærdskodekser kræver også tid og investeringer fra operatørerne, både i forbindelse med udviklingen
    af disse og med oprettelsen af de nødvendige uafhængige kontrolorganer. Repræsentanter for SMV'er
    understreger betydningen og nytten af adfærdskodekser, som er skræddersyet til deres situation, og som ikke
    medfører uforholdsmæssigt store omkostninger.
    I konsekvens heraf har erhvervssammenslutninger i en række sektorer gennemført andre former for
    selvreguleringsværktøjer, såsom kodekser for god praksis eller vejledning. Selv om sådanne værktøjer kan
    give nyttige oplysninger, er de ikke godkendt af databeskyttelsesmyndigheder og kan ikke tjene som et
    redskab til at påvise overensstemmelse med persondataforordningen.
    Rådet understreger, at adfærdskodekser skal lægge særlig vægt på behandlingen af børns data og
    sundhedsdata. Kommissionen støtter adfærdskodekser, der vil harmonisere strategien inden for sundhed og
    forskning og lette den grænseoverskridende behandling af personoplysninger98
    . Databeskyttelsesrådet er i
    færd med at godkende et udkast til akkrediteringskrav til organer for tilsyn med adfærdskodekser, således
    som en række databeskyttelsesmyndigheder har talt for99
    . Når tværnationale adfærdskodekser eller EU-
    adfærdskodekser er klar til at blive forelagt for databeskyttelsesmyndigheder til godkendelse, skal de sendes
    til høring i Databeskyttelsesrådet. En hurtig indførelse af tværnationale adfærdskodekser er særlig vigtig for
    områder, der omfatter behandling af betydelige datamængder (f.eks. cloud computing) eller følsomme data
    (f.eks. sundhed/forskning).
     Certificering
    Certificering kan være et nyttigt instrument til at påvise overholdelse af specifikke krav i
    persondataforordningen. Det kan øge retssikkerheden for virksomheder og fremme persondataforordningen
    globalt.
    Som påpeget i undersøgelsen om certificering, der blev offentliggjort i april 2019100
    , bør målet være at
    fremme indførelsen af relevante ordninger. Udviklingen af certificeringsordninger i EU vil blive understøttet
    96
    https://edpb.europa.eu/our-work-tools/our-documents/wytyczne/guidelines-12019-codes-conduct-and-monitoring-bodies-
    under_en.
    97
    Se flerpartsgruppens rapport.
    98
    Se de foranstaltninger, der er bebudet i den europæiske strategi for data, s. 30.
    99
    I henhold til persondataforordningens artikel 41, stk. 3. Se Det Europæiske Databeskyttelsesråds udtalelser på:
    https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
    100
    https://ec.europa.eu/info/study-data-protection-certification-mechanisms_en.
    23
    af de retningslinjer, som Databeskyttelsesrådet har udstedt om certificeringskriterier101
    og om akkreditering
    af certificeringsorganer102
    .
    Sikkerhed og databeskyttelse gennem design er vigtige elementer, som skal tages i betragtning i henhold til
    persondataforordningen, og til hvilke der med fordel kunne anlægges en fælles og ambitiøs tilgang i hele
    EU. Kommissionen vil fortsat støtte de nuværende kontakter mellem Den Europæiske Unions Agentur for
    Cybersikkerhed (ENISA), databeskyttelsesmyndighederne og Databeskyttelsesrådet.
    Med hensyn til cybersikkerhed anmodede Kommissionen efter vedtagelsen af forordningen om
    cybersikkerhed om, at ENISA udarbejder to certificeringsordninger, herunder en ordning for
    cloudtjenester103
    . Yderligere ordninger, der vedrører cybersikkerhed af tjenester og produkter for
    forbrugerne, er under overvejelse. Selv om disse certificeringsordninger, der er oprettet i henhold til
    forordningen om cybersikkerhed, ikke udtrykkeligt omhandler databeskyttelse og privatlivets fred, bidrager
    de til at øge forbrugernes tillid til digitale tjenester og produkter. Sådanne ordninger kan dokumentere, at
    principperne om sikkerhed gennem design er overholdt, og at der er gennemført passende tekniske og
    organisatoriske foranstaltninger vedrørende sikkerheden i forbindelse med behandling af personoplysninger.
     Standardkontraktbestemmelser
    Kommissionen arbejder i øjeblikket på standardkontraktbestemmelser mellem dataansvarlige og
    databehandlere,104
    , også i lyset af moderniseringen af standardkontraktbestemmelserne for internationale
    overførsler (se afsnit 7.2). En EU-retsakt vedtaget af Kommissionen vil have bindende virkning for hele EU,
    hvilket vil sikre fuld harmonisering og retssikkerhed.
    6 ANVENDELSEN AF PERSONDATAFORORDNINGEN PÅ NYE TEKNOLOGIER
    En teknologineutral ramme åben for nye teknologier
    Persondataforordningen er teknologineutral, tillidsfremmende og baseret på principper105
    . Disse principper,
    herunder lovlig og gennemskuelig databehandling, formålsbegrænsning og dataminimering, udgør et solidt
    grundlag for beskyttelse af personoplysninger, uanset hvilken behandlingsaktivitet og hvilke teknikker der
    anvendes.
    Medlemmer af flerpartsgruppen rapporterer, at persondataforordningen generelt har en positiv indvirkning
    på udviklingen af nye teknologier og udgør et godt grundlag for innovation. Persondataforordningen
    betragtes som et væsentligt og fleksibelt redskab til at sikre udviklingen af nye teknologier i
    overensstemmelse med de grundlæggende rettigheder. Gennemførelsen af dens hovedprincipper er særlig
    vigtig i forbindelse med dataintensiv behandling. Persondataforordningens risikobaserede og
    teknologineutrale tilgang sikrer et databeskyttelsesniveau, der er tilstrækkeligt til at håndtere risikoen ved
    databehandling, herunder gennem nye teknologier.
Stakeholders note in particular that the GDPR's principles of purpose limitation and further compatible processing, data minimisation, storage limitation, transparency and accountability, together with the conditions under which automated decision-making[106] may lawfully be used, largely address the concerns associated with the use of artificial intelligence.

[101] https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-12018-certification-and-identifying-certification_en.
[102] https://edpb.europa.eu/our-work-tools/our-documents/retningslinjer/guidelines-42018-accreditation-certification-bodies_da. Several supervisory authorities have already submitted their accreditation requirements to the European Data Protection Board, both for monitoring bodies for codes of conduct and for certification bodies. See the overview at: https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en.
[103] https://ec.europa.eu/digital-single-market/en/news/towards-more-secure-and-trusted-cloud-europe
[104] Article 28(7) GDPR.
[105] As stated by the Council, the European Parliament and the European Data Protection Board in their contributions to the evaluation.
The future-proof and risk-based approach of the GDPR will also be applied in the possible future framework for artificial intelligence and in the implementation of the Data Strategy. The Data Strategy aims to foster the availability of data and to create common European data spaces supported by core cloud infrastructure services. As regards personal data, the GDPR provides the main legal basis within which effective solutions can be developed case by case, depending on the nature and content of each data space.
The GDPR has raised awareness of the protection of personal data both inside and outside the EU and has led companies to adapt their practices to take data protection principles into account when innovating. Civil society organisations note, however, that although the GDPR appears to have a positive effect on the development of new technologies, the practices of the large digital players have not yet fundamentally changed towards more privacy-friendly processing. Rigorous and effective enforcement of the GDPR against large digital platforms and integrated companies, including in areas such as online advertising and micro-targeting, is an essential element of protecting individuals.
The Commission is analysing the broader issues relating to the market behaviour of the large digital players in the context of the Digital Services Act package[107]. As regards social media research, the Commission recalls that the GDPR cannot be used by social media platforms as an excuse to restrict the access of researchers and fact-checkers to data other than personal data, for example the statistics used as the basis for targeting advertisements at certain categories of persons, the criteria used to design such targeting, information on fake accounts, etc.
The technology-neutral and future-proof approach of the GDPR was put to the test during the COVID-19 pandemic and has proved successful. Its principle-based rules supported the development of tools to combat and monitor the spread of the virus.
Challenges
The development and use of new technologies do not call these principles into question. The challenges lie in clarifying how the established principles apply to the use of specific technologies such as artificial intelligence, blockchain, the Internet of Things, facial recognition or quantum computing.
In this context, the European Parliament and the Council stressed the need for continuous monitoring to clarify how the GDPR applies to new technologies and to large technology companies. Stakeholders also caution that assessing whether the GDPR remains fit for purpose likewise requires constant monitoring.
Industry stakeholders stress that innovation requires the GDPR to be applied in a principle-based manner, in line with its design, rather than in a rigid and formalistic way. They consider that guidance from the European Data Protection Board on applying the principles, concepts and rules of the GDPR to new technologies such as artificial intelligence, blockchain or the Internet of Things, taking the risk-based approach into account, would help to provide clarity and greater legal certainty. Such 'soft law' instruments are well suited to keeping pace with how the GDPR is applied to new technologies, as they provide greater legal certainty and can be revised as technology evolves. Some stakeholders also suggest that sector-specific guidance on how the GDPR applies to new technologies could be useful.
[106] Some stakeholders note, however, that not all automated decision-making in the context of artificial intelligence falls under Article 22 GDPR.
[107] https://ec.europa.eu/commission/presscorner/detail/da/ip_20_962.
The European Data Protection Board has stated that it will continue to take into account the impact of new technologies on the protection of personal data.
Some stakeholders also stress that it is important for regulators to gain a thorough understanding of how technology is used and to engage in dialogue with industry on the development of new technologies. They consider that an approach in which the Regulation is used as a 'regulatory sandbox', that is, as a way of obtaining guidance on the application of the rules, could be an interesting option for testing new technologies and helping companies to apply the principles of data protection by design and data protection by default in new technologies.
As regards further policy initiatives, stakeholders recommend that any future policy proposal on artificial intelligence should build on the existing legal frameworks and be aligned with the GDPR. Potential specific issues should be carefully assessed on the basis of relevant evidence before new proposals for concrete rules are made.
The Commission's White Paper on Artificial Intelligence proposes a number of policy options on which stakeholders were invited to comment until 14 June 2020. As regards facial recognition, a technology that can significantly affect individuals' rights, the White Paper recalled the existing legal framework and launched a public debate on whether there may be specific circumstances that could justify the use of artificial intelligence for remote biometric identification in public places, and on common safeguards.
7 INTERNATIONAL TRANSFERS AND GLOBAL COOPERATION
7.1 Privacy: a global issue
The need to protect personal data knows no borders, as individuals around the world increasingly value and cherish the privacy and security of their data.
At the same time, the importance of data flows for individuals, governments, companies and, more generally, society as a whole is an inescapable fact in our interconnected world. They are an integral part of trade, of cooperation between public authorities and of social interactions. In this respect, the current COVID-19 pandemic also highlights how critical the transfer and exchange of personal data are to many essential activities, including ensuring the continuity of public and business activities by enabling teleworking and other solutions that rely heavily on information and communication technologies, developing cooperation on scientific research into diagnostics, treatments and vaccines, and combating new forms of cybercrime, including online scams offering fake medicines that claim to prevent or cure COVID-19.
Against this background, protecting privacy and facilitating data flows must, more than ever, go hand in hand. With its data protection regime, which combines openness to international transfers with a high level of protection for individuals, the EU is well placed to promote secure data flows. The GDPR has already become a central reference point at international level and has prompted many countries around the world to consider introducing modern privacy rules.
This is a truly universal trend, to mention just a few examples, from Chile to South Korea, from Brazil to Japan, from Kenya to India, from Tunisia to Indonesia and from California to Taiwan. This development is remarkable not only in quantitative but also in qualitative terms: many of the privacy provisions recently adopted or in the process of being adopted are based on a set of common safeguards, rights and enforcement mechanisms shared with the EU. In a world all too often characterised by different, even diverging, regulatory approaches, this trend towards global convergence is a very positive development that offers new opportunities for better protecting individuals in Europe while facilitating data flows and reducing transaction costs for operators.
To seize these opportunities and implement the strategy set out in the 2017 Communication on 'Exchanging and Protecting Personal Data in a Globalised World'[108], the Commission has significantly stepped up its work on the international dimension of privacy, making full use of the available 'toolbox' described below. This included active engagement with key partners with a view to reaching an 'adequacy decision', and important results were achieved, such as the creation of the world's largest area of free and safe data flows between the EU and Japan.
In addition to its adequacy work, the Commission has worked closely with the data protection authorities in the European Data Protection Board and with other stakeholders to harness the full potential of the GDPR for international transfers. This concerns the modernisation of instruments such as standard contractual clauses, the development of certification schemes, codes of conduct or administrative arrangements for data exchange between public authorities, and the clarification of key concepts such as the territorial scope of EU data protection rules or the use of so-called 'derogations' for the transfer of personal data.
Finally, the Commission has intensified its dialogue in a number of bilateral, regional and multilateral fora to promote a global culture of respect for privacy and to develop elements that ensure convergence between different privacy systems. In these efforts, the Commission has been able to rely on the active support of the European External Action Service and the network of EU Delegations in third countries and missions to international organisations. This has also made it possible to ensure greater coherence and complementarity between the various aspects of the external dimension of EU policies, from trade to the new EU-Africa partnership.
7.2 The transfer toolbox of the GDPR
As more and more private and public operators rely on international data transfers as part of their routine operations, there is a growing need for flexible instruments that can be adapted to different sectors, business models and transfer situations. To reflect these needs, the GDPR provides a modernised toolbox to facilitate the transfer of personal data from the EU to a third country or international organisation while ensuring that the data continue to benefit from a high level of protection. This continuity of protection is important given that it is easy today to move data across borders, and the protection guaranteed by the GDPR would be incomplete if it were limited to processing within the EU.
With Chapter V of the GDPR, the legislator confirmed the architecture of the transfer rules that already existed under Directive 95/46: data transfers may take place if the Commission has adopted an adequacy decision in respect of a third country or international organisation or, failing that, if the controller or processor in the EU (the 'data exporter') has provided appropriate safeguards, for example through a contract with the recipient (the 'data importer'). In addition, the legal grounds for transfers (so-called 'derogations') remain available in specific situations where the legislator has decided that the balancing of interests allows data to be transferred under certain conditions. At the same time, the reform clarified and simplified the existing rules, for example by specifying the conditions for an adequacy decision or for binding corporate rules, by limiting authorisation requirements to very few specific cases and by completely removing notification requirements. Moreover, new transfer tools such as codes of conduct or certification schemes have been introduced, and the possibilities for using existing instruments (e.g. standard contractual clauses) have been expanded.

[108] Communication from the Commission to the European Parliament and the Council on 'Exchanging and Protecting Personal Data in a Globalised World' (COM(2017) 7 final of 10.1.2017).
Today's digital economy allows foreign operators to participate (remotely but) directly in the EU internal market and to compete for European customers and their personal data. Where they specifically target Europeans by offering goods or services or by monitoring their behaviour, they should comply with EU law in the same way as EU operators. This is reflected in Article 3 GDPR, which extends the direct application of EU data protection rules to certain processing activities of controllers or processors outside the EU. This ensures the necessary safeguards and, in addition, a level playing field for all companies operating on the EU market.
Its broad reach is one of the reasons why the effects of the GDPR have also been felt in other parts of the world. The detailed guidance issued by the European Data Protection Board following an extensive public consultation is therefore important in helping foreign operators to determine whether, and which, processing activities are directly subject to its safeguards, including by providing concrete examples[109].
However, extending the scope of EU data protection law is not in itself sufficient to ensure compliance in practice. As the Council has also stressed[110], it is crucial to ensure that foreign operators comply with the rules and are subject to effective enforcement. The designation of a representative in the EU (Article 27(1) and (2) GDPR), whom individuals and supervisory authorities can address in addition to, or instead of, the responsible company operating from abroad[111], should play a central role in this respect. This approach, which is increasingly being used in other contexts as well[112], should be pursued more vigorously to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibilities under the GDPR. Where such operators fail to comply with their obligation to designate a representative[113], supervisory authorities should make use of the full enforcement toolbox in Article 58 GDPR (e.g. public warnings, temporary or definitive bans on processing in the EU, enforcement against joint controllers established in the EU).
Finally, it is very important that the European Data Protection Board completes its work on further clarifying the relationship between Article 3 on the direct application of the GDPR and the rules on international transfers in Chapter V[114].
Adequacy decisions
Input from stakeholders confirms that adequacy decisions remain an important tool for EU operators to transfer personal data safely to third countries[115]. Such decisions provide the most comprehensive, simple and cost-effective solution for data transfers, as they are assimilated to intra-EU transfers, ensuring safe and free flows of personal data without further conditions or the need for authorisation. Adequacy decisions therefore open commercial channels for EU operators and facilitate cooperation between public authorities, while granting privileged access to the EU internal market. Building on practice under the 1995 Directive, the GDPR expressly allows an adequacy decision to be adopted in respect of a specific territory within a third country or a specific sector or industry in a third country (so-called 'partial' adequacy).

[109] European Data Protection Board, Guidelines 2/2018 on the territorial scope of the GDPR, 12.11.2019. The guidelines address several of the points raised during the public consultation, for example the interpretation of the targeting and monitoring criteria.
[110] See the Council position and findings, paragraphs 34, 35 and 38.
[111] See Article 27(4) and Recital 80 GDPR ('The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor').
[112] Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (COM(2018) 226 final), Article 3. Proposal for a Regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online (COM(2018) 640 final), Article 16(2) and (3).
[113] According to one submission to the public consultation, one of the key points to be addressed is 'effective enforcement and real consequences for those who have chosen to ignore this requirement [...]. It should in particular be taken into account that this also puts companies established in the Union at a competitive disadvantage compared with non-compliant companies established outside the EU and trading in the Union.' See EU Business Partners, submission of 29 April 2020.
[114] Several submissions to the public consultation raised this issue, for example as regards the disclosure of personal data to recipients outside the EU that are nevertheless subject to the GDPR.
The GDPR builds on the experience of recent years and on the clarifications provided by the Court of Justice by setting out a detailed catalogue of elements that the Commission must take into account in its assessment. The adequacy standard requires a level of protection comparable to (or 'essentially equivalent' to) that guaranteed in the EU[116]. This entails a comprehensive assessment of the third country's system as a whole, including the substance of privacy protection, its effective implementation and enforcement, and the rules on access to personal data by public authorities, in particular for law enforcement and national security purposes[117].
This is also reflected in the guidance adopted by the former Article 29 Working Party (and endorsed by the European Data Protection Board), in particular the 'Adequacy Referential', which further clarifies the elements the Commission must take into account when carrying out an adequacy assessment, including by providing an overview of the 'essential guarantees' for access to personal data by public authorities[118]. The latter draws in particular on the case law of the European Court of Human Rights. While the 'essential equivalence' standard does not require a point-by-point replication ('photocopy') of EU rules, because the means of ensuring a comparable level of protection may vary between privacy systems that often reflect different legal traditions, it nonetheless requires a high level of protection.
This standard is justified by the fact that an adequacy decision essentially extends the benefits of the internal market to a third country as regards the free flow of data. However, it also means that there will sometimes be relevant differences between the level of protection guaranteed in the third country concerned and the GDPR that need to be bridged, for example by negotiating additional safeguards. Such safeguards should be viewed positively, as they further strengthen the protection available to individuals in the EU. At the same time, the Commission agrees with the European Data Protection Board on the importance of continuously monitoring their application in practice, including effective enforcement by the third country's data protection authority[119].
The GDPR clarifies that adequacy decisions are 'living instruments' that should be continuously monitored and reviewed periodically[120]. In line with these requirements, the Commission holds regular discussions with the relevant authorities to follow up proactively on new developments. Since the adoption of the EU-U.S. Privacy Shield decision in 2016[121], the Commission, together with representatives of the European Data Protection Board, has carried out three annual reviews to evaluate all aspects of the functioning of the framework[122]. These reviews are based on information gathered through exchanges with the US authorities as well as input from other stakeholders, such as EU data protection authorities, civil society and trade associations. They have made it possible to improve the practical operation of various elements of the framework. More broadly, the annual reviews helped to establish a wider dialogue with the US authorities on privacy protection in general and on the limitations and safeguards applicable in the area of national security in particular.
As part of its first evaluation of the GDPR, the Commission must also review the adequacy decisions adopted under the 1995 Directive[123]. The Commission services have engaged in an intensive dialogue with each of the 11 countries and territories concerned to assess how their personal data protection systems have evolved since the adequacy decision was adopted and whether they meet the standard set by the GDPR. The need to ensure the continuity of such decisions, given that they are an important tool for trade and international cooperation, is one of the factors that has led several of these countries and territories to modernise and strengthen their privacy legislation. This is clearly a positive development. Additional safeguards are being discussed with some of these countries and territories to address relevant differences in protection.
However, since the Court of Justice may provide further guidance in a judgment expected on 16 July in a case that may be relevant to certain elements of the adequacy standard, the Commission will report separately on the evaluation of the 11 adequacy decisions in question once the Court has delivered its judgment in that case[124].
The Commission also implemented the strategy set out in the 2017 Communication on 'Exchanging and Protecting Personal Data in a Globalised World'[125].

[115] Council position and findings, paragraph 17; European Data Protection Board contribution, pp. 5-6. Several submissions to the public consultation, including from a number of business associations (e.g. the French association of large companies, Digital Europe, the Global Data Alliance/BSA, the Computer & Communication Industry Association (CCIA) and the American Chamber of Commerce), called for efforts on adequacy decisions to be stepped up, especially with important trading partners.
[116] Judgment of the Court of Justice of 6.10.2015, Case C-362/14, Maximillian Schrems v Data Protection Commissioner (hereinafter 'Schrems'), paragraphs 73, 74 and 96. See also Recital 104 GDPR, which refers to the standard of essential equivalence.
[117] Article 45(2) and Recital 104 GDPR. See also Schrems, paragraphs 75, 91-91.
[118] Adequacy Referential, WP 254 rev. 01, 6.2.2018 (available at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108).
[119] See the European Data Protection Board contribution, pp. 5-6.
[120] Under Article 45(4) and (5) GDPR, the Commission monitors developments in third countries on an ongoing basis and reviews adequacy decisions regularly, at least every four years. Those provisions also empower the Commission to repeal, amend or suspend an adequacy decision if it finds that the country or international organisation concerned no longer ensures an adequate level of protection. In addition, under Article 97(2)(a) GDPR, the Commission must submit an evaluation report to the European Parliament and the Council by 2020. See also the judgment of the Court of Justice of 6.10.2015, Case C-362/14, Maximillian Schrems v Data Protection Commissioner, paragraph 76.
[121] Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield. This adequacy decision is a specific case which, in the absence of general data protection legislation in the United States, relies on commitments by participating companies (enforceable under US law) to apply the data protection standards set out in that arrangement. In addition, the Privacy Shield rests on the specific representations and assurances given by the US government regarding access for national security purposes, which underpin the adequacy finding.
[122] The reviews took place in 2017 (Report from the Commission to the European Parliament and the Council on the first annual review of the functioning of the EU-U.S. Privacy Shield (COM(2017) 611 final)), 2018 (Report from the Commission to the European Parliament and the Council on the second annual review of the functioning of the EU-U.S. Privacy Shield (COM(2018) 860 final)) and 2019 (Report from the Commission to the European Parliament and the Council on the third annual review of the functioning of the EU-U.S. Privacy Shield (COM(2019) 495 final)).
[123] These existing adequacy decisions concern countries closely integrated with the European Union and its Member States (Switzerland, Andorra, the Faroe Islands, Guernsey, Jersey, the Isle of Man), important trading partners (e.g. Argentina, Canada and Israel) and countries that have played a pioneering role in developing data protection laws in their region (New Zealand, Uruguay).
[124] Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems ('Schrems II'), concerns a request for a preliminary ruling on the so-called standard contractual clauses. Certain elements of the adequacy standard may, however, also be clarified further by the Court. The hearing in this case took place on 9.7.2019, and the judgment was published on 16.7.2020.
This work has already delivered significant results involving important partners of the EU. In January 2019, the Commission adopted its adequacy decision for Japan, which is based on a high degree of convergence, including through specific safeguards, for example as regards onward transfers, and through the establishment of a mechanism to investigate and resolve complaints from individuals regarding government access to personal data for law enforcement and national security purposes.
As the first adequacy decision adopted under the GDPR, the framework agreed with Japan sets a useful precedent for future decisions[126]. This includes the fact that it was reciprocated by Japan with an adequacy decision for the EU. Together, these mutual adequacy decisions create the largest area of safe and free data flows in the world and complement the EU-Japan Economic Partnership Agreement. Each year, the arrangement supports trade in goods worth around EUR 124 billion and trade in services worth EUR 42.5 billion.
The adequacy process has also advanced considerably with South Korea. An important outcome has been South Korea's recent legislative reform, which led to the establishment of an independent data protection authority equipped with comprehensive enforcement powers. This illustrates how an adequacy dialogue can contribute to greater convergence between the data protection rules of the EU and those of a third country.
The Commission fully agrees with stakeholders' call to intensify the dialogue with selected third countries with a view to possible new adequacy decisions[127]. It has actively begun exploring this possibility with other important partners, building on the current trend towards upward global convergence in data protection standards. For example, comprehensive privacy legislation has been adopted or is well advanced in the legislative process in Latin America (Brazil, Chile), and developments look promising in Asia (e.g. India, Indonesia, Malaysia, Sri Lanka, Taiwan and Thailand), Africa (e.g. Ethiopia and Kenya) and the Eastern and Southern Neighbourhood (e.g. Georgia and Tunisia). Wherever possible, the Commission will work towards comprehensive adequacy decisions covering both the private and the public sector[128].
In addition, the possibility for the Commission to adopt adequacy decisions for international organisations was also introduced in the GDPR. Now that some international organisations are modernising their data protection regimes by introducing comprehensive rules together with mechanisms ensuring independent oversight and redress, this possibility could be explored for the first time.

[125] See footnote 108 above. The Commission explained that the following criteria would be taken into account when assessing which countries a dialogue on adequacy should be opened with: (i) the extent of the EU's (actual or potential) trade relations with the third country, including the existence of a free trade agreement or ongoing negotiations; (ii) the extent of personal data flows from the EU, reflecting geographical and/or cultural ties; (iii) the third country's pioneering role in the field of privacy and data protection, which could serve as a model for other countries in the region; and (iv) the overall political relationship with the third country, in particular with regard to promoting common values and shared objectives at international level.
[126] European Parliament resolution of 13 December 2018 on the adequacy of the protection of personal data afforded by Japan (2018/2979(RSP)), paragraph 27; European Data Protection Board contribution, pp. 5-6.
[127] See, for example, European Parliament resolution of 12 December 2017 on a digital trade strategy (2017/2065(INI)), paragraphs 8 and 9; Council position and findings on the application of the General Data Protection Regulation (GDPR), 19.12.2019 (14994/1/19), paragraph 17; European Data Protection Board contribution, p. 5.
    128
    Jf. også Rådets anmodning herom, se Rådets holdning og resultater vedrørende anvendelse af den generelle forordning om
    databeskyttelse (GDPR), 19.12.2019 (14994/1/19), punkt 17 og 40. Dette kræver dog, at betingelserne for en afgørelse om
    tilstrækkeligheden af beskyttelsesniveauet vedrørende dataoverførsler til offentlige myndigheder er opfyldt, herunder med
    hensyn til et uafhængigt tilsyn.
    31
Adequacy also plays an important role in the context of the relationship with the United Kingdom after Brexit, provided that the applicable conditions are met. It is a factor facilitating trade, including digital trade, and an essential precondition for close and ambitious cooperation on law enforcement and security[129]. Moreover, given the importance of data transfers to the United Kingdom and its proximity to the EU market, a high degree of convergence between the data protection rules on both sides of the Channel is an important element in ensuring a level playing field. In line with the Political Declaration on the future relationship between the EU and the United Kingdom, the Commission is currently carrying out an adequacy assessment under both the GDPR and the Law Enforcement Directive[130]. Given the autonomous and unilateral nature of an adequacy assessment, these talks follow a separate track from the negotiations on an agreement on the future relationship between the EU and the United Kingdom.
Finally, the Commission has noted with satisfaction that other countries are introducing data transfer mechanisms resembling an adequacy decision. In that context, they often recognise the EU and the countries for which the Commission has adopted an adequacy decision as safe destinations for transfers[131]. The growing number of countries benefiting from the EU's adequacy decisions on the one hand, and this form of recognition by other countries on the other, has the potential to create a network of countries in which data can flow freely and safely. The Commission considers this a welcome development that will further increase the benefits of an adequacy decision for third countries and contribute to global convergence. Synergies of this kind can also usefully contribute to the development of frameworks for the safe and free exchange of data, for example in the context of the 'Data Free Flow with Trust' initiative (see below).
Appropriate safeguards
The GDPR provides for a number of other transfer instruments beyond the comprehensive solution of an adequacy decision. The flexibility of this 'toolbox' is reflected in Article 46 of the GDPR, which regulates data transfers based on 'appropriate safeguards', including enforceable rights and effective remedies. To ensure appropriate safeguards, various instruments are available to meet the transfer needs of both commercial operators and public bodies.
• Standard contractual clauses
The first group of these instruments concerns contractual tools, which may be either tailor-made, ad hoc data protection clauses agreed between a data exporter in the EU and a data importer outside the EU and approved by the competent data protection authority (Article 46(3)(a) GDPR), or standard clauses approved by the Commission (Article 46(2)(c), (d) GDPR)[132]. The most important of these instruments are the so-called standard contractual clauses, i.e. model data protection clauses that the data exporter and the data importer can incorporate, on a voluntary basis, into their contractual arrangements (for example a service contract that requires the transfer of personal data) and that set out the requirements associated with appropriate safeguards.

[129] See the negotiating directives in the annex to the Council Decision authorising the opening of negotiations with the United Kingdom of Great Britain and Northern Ireland for a new partnership agreement (ST 5870/20 ADD 1 REV 3), paragraphs 13 and 118.
[130] See the revised Political Declaration setting out the framework for the future relationship between the European Union and the United Kingdom, as agreed at negotiators' level on 17 October 2019, paragraphs 8-10 (available at https://ec.europa.eu/commission/sites/beta-political/files/revised_political_declaration.pdf).
[131] E.g. from Argentina, Colombia, Israel, Switzerland or Uruguay.
[132] Standard contractual clauses for international transfers always require the Commission's approval, but may be drawn up by the Commission itself or by a national data protection authority. All existing standard contractual clauses fall under the first category.
Standard contractual clauses are by far the most widely used data transfer mechanism[133]. Thousands of companies in the EU rely on standard contractual clauses to provide a wide range of services to their customers, suppliers, partners and employees, including services that are essential for the functioning of the economy. Their broad use suggests that they are very useful to companies in their efforts to ensure compliance, and that they are particularly beneficial to companies that do not have the resources to negotiate individual contracts with each of their trading partners. Through standardisation and prior approval, standard contractual clauses give companies access to an easy-to-implement tool for meeting the data protection requirements associated with a transfer.
The existing standard contractual clauses[134] were adopted and approved on the basis of the 1995 Directive. These standard contractual clauses remain in force until they are amended, replaced or repealed, where necessary by a Commission decision (Article 46(5) GDPR).
The GDPR broadens the possibilities for using standard contractual clauses both within the EU and in the context of international transfers. The Commission is working with stakeholders to make use of these possibilities and to update the existing clauses[135]. To ensure that the future design of standard contractual clauses is fit for purpose, the Commission has gathered feedback on stakeholders' experience with standard contractual clauses through the multi-stakeholder group on the GDPR and a dedicated workshop held in September 2019, but also via several contacts with companies that use standard contractual clauses and with civil society organisations. The European Data Protection Board is likewise updating a number of guidelines that could be relevant for the revision of the standard contractual clauses, for example with regard to the concepts of controller and processor.
On the basis of the feedback received, the Commission services are currently working on revising the standard contractual clauses. In that context, a number of areas have been identified where improvements are needed, in particular as regards the following aspects:
1. Updating the standard contractual clauses in light of the new requirements introduced by the GDPR, for example concerning the relationship between controller and processor under Article 28 GDPR (in particular the processor's obligations), the data importer's transparency obligations (as regards the information to be provided to the data subject), etc.
2. Addressing a number of transfer scenarios that are not covered by the current standard contractual clauses, for example the transfer of data from a processor in the EU to a (sub-)processor outside the EU, but also situations where the controller is located outside the EU[136].

[133] According to the IAPP-EY Annual Privacy Governance Report 2019, the most popular of these tools [for transfers], year after year, are overwhelmingly standard contractual clauses: 88% of respondents in this year's survey reported that standard contractual clauses were the top method for extraterritorial data transfers, followed by compliance with the EU-U.S. Privacy Shield (60%). As regards data transferred from the EU to the United Kingdom (52%), 91% of respondents intend to use standard contractual clauses for data transfers after
[134] There are currently three sets of standard contractual clauses adopted by the Commission for the transfer of personal data to third countries: two for transfers from a controller in the EEA to a controller outside the EEA, and one for transfers from a controller in the EEA to a processor outside the EEA. They were amended in 2016 following the judgment of the Court of Justice in Schrems I (C-362/14), which removed any restriction on the powers of the competent supervisory authorities to supervise data transfers. See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
[135] See also the EDPB contribution, pp. 6-7. Similarly, the Council has called on the Commission to review and revise [the standard contractual clauses] in the near future to take account of the needs of controllers and processors. See Council position and findings.
3. Taking better account of the realities of data processing in the modern digital economy, where such operations often involve multiple data importers and exporters, long and often complex processing chains, new business relationships, etc. To cater for such situations, the solutions currently being explored include, for example, the possibility for several parties to sign the standard contractual clauses, or for new parties to accede during the lifetime of the contract.
In addressing these points, the Commission is also considering how the current 'architecture' could be made more user-friendly, for example by replacing several sets of standard contractual clauses with a single comprehensive document. The challenge is to strike the right balance between, on the one hand, the need for clarity and a certain degree of standardisation and, on the other, the necessary flexibility that allows operators with different requirements to use the clauses in different contexts and for different types of transfers.
Another important aspect to be taken into account is that, in light of the pending proceedings before the Court of Justice[137], there may be a need to further clarify the safeguards regarding access by foreign public authorities to data transferred on the basis of standard contractual clauses, in particular for national security purposes. This could include requirements for the data importer or the data exporter, or both, to take measures, and a clarification of the role of the data protection authorities in that respect. Although the revision of the standard contractual clauses is well advanced, it will be necessary to await the Court's judgment in order to take account of any additional requirements in the revised clauses before a draft decision on a new set of standard contractual clauses can be submitted to the European Data Protection Board for an opinion and then proposed for adoption through the 'comitology procedure'[138].
In parallel, the Commission is in contact with international partners that are developing similar tools[139]. This dialogue, which makes it possible to exchange experience and best practices, can contribute significantly to the development of further convergence in practice and thereby facilitate compliance with the rules on cross-border transfers for companies operating across different regions of the world.
• Binding corporate rules
Another important instrument is the so-called binding corporate rules. These are legally binding policies and arrangements that apply to the members of a corporate group, including its employees (Article 46(2)(b) and Article 47 GDPR). The use of binding corporate rules allows the free movement of personal data between the various members of the group worldwide, avoiding the need to conclude contractual arrangements between each individual legal entity, while ensuring that the same high level of protection of personal data is observed throughout the group. They are a particularly good solution for complex and large corporate groups and for close cooperation between companies exchanging data across several jurisdictions. Unlike under the 1995 Directive, binding corporate rules may be used by a group of enterprises engaged in a joint economic activity that are not part of the same corporate group.

[136] Several submissions to the public consultation comment on this last scenario, often expressing concern that a requirement for processors in the EU to ensure appropriate safeguards in their relationship with controllers outside the EU would put them at a competitive disadvantage compared with foreign processors offering similar services.
[137] See the Schrems II case.
[138] In accordance with Article 46(2)(c) GDPR, standard contractual clauses must be adopted under the examination procedure of Article 5 of Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13). This implies in particular a positive decision from a committee composed of representatives of the Member States.
[139] This includes, for example, the work currently being carried out by the ASEAN Member States to develop 'ASEAN standard contractual clauses'. See ASEAN, Key Approaches for ASEAN Cross Border Data Flows Mechanism (available at: https://asean.org/storage/2012/05/Key-Approaches-for-ASEAN-Cross-Border-Data-Flows-Mechanism.pdf).
Procedurally, binding corporate rules must be approved by the competent data protection authorities on the basis of a non-binding opinion of the European Data Protection Board[140]. To steer this process, the Board has reviewed the reference documents for binding corporate rules (setting out the substantive standards) for controllers[141] and for processors[142] in light of the GDPR, and is updating these documents on an ongoing basis in view of the supervisory authorities' practical experience. It has also adopted various guidance documents to help applicants and to streamline the application and approval process for binding corporate rules[143]. According to the Board, more than 40 binding corporate rules are currently on their way to approval, half of which are expected to be approved by the end of 2020[144]. It is important that the data protection authorities continue their work to further streamline the approval process, as the length of such procedures is often cited by stakeholders as a practical obstacle to a wider use of binding corporate rules.
As regards binding corporate rules approved by the UK data protection authority, the Information Commissioner's Office, companies will be able to continue to use them as a valid transfer mechanism under the GDPR after the end of the transition period under the EU-UK Withdrawal Agreement, but only if they are amended so that any link to the UK legal order is replaced by appropriate references to legal entities and competent authorities in the EU. Approval of new binding corporate rules should be sought from one of the supervisory authorities in the EU.
• Certification mechanisms and codes of conduct
In addition to modernising and broadening the use of the already existing transfer tools, the GDPR has also introduced new instruments, thereby expanding the possibilities for international transfers. This includes, under certain conditions, the use of approved codes of conduct and certification mechanisms (e.g. data security seals) to provide appropriate safeguards. These are bottom-up tools that allow for tailor-made solutions, both as a general accountability mechanism (see Articles 40-42 GDPR) and specifically for international transfers of data, reflecting for example the specific characteristics and needs of a given sector or industry, or of a given transfer of data. Codes of conduct can also be a very useful and cost-effective way for small and medium-sized enterprises to meet their obligations under the GDPR.
The European Data Protection Board has adopted guidelines to promote the use of certification mechanisms in the EU, while continuing its work on developing criteria for their approval as international transfer tools. The same applies to codes of conduct, for which the Board is currently working on guidelines on their use as a transfer tool.
Given the importance of providing operators with a wide range of transfer tools adapted to their needs, and the potential of certification mechanisms in particular to facilitate data transfers while ensuring a high level of data protection, the Commission strongly encourages the European Data Protection Board to finalise its guidance on this matter as soon as possible. This concerns both substantive aspects (criteria) and procedural aspects (approval, monitoring, etc.). Stakeholders have expressed great interest in these transfer mechanisms and should be able to make full use of the GDPR. The Board's guidelines will also help to promote the EU model of data protection globally and foster convergence, since other privacy systems use similar instruments.

[140] See https://edpb.europa.eu/our-work-tools/consistency-findings/opinions_en for an overview of the opinions issued by the European Data Protection Board to date.
[141] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614109.
[142] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614110.
[143] These documents were adopted (by the former Article 29 Working Party) after the entry into force of the GDPR but before the end of the transition period. See WP263 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623056); WP264 (https://edpb.europa.eu/sites/edpb/files/files/file2/wp264_art29_wp_bcr-c_application_form.pdf); WP265 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623848).
[144] EDPB contribution, p. 7.
Useful lessons can be drawn from existing standardisation efforts in the field of privacy, at both European and international level. An interesting example is the recently published international standard ISO 27701[145], which aims to help companies meet privacy requirements and manage risks related to the processing of personal data by means of privacy information management systems. Although certification under the standard does not meet the requirements of Articles 42 and 43 GDPR, the use of information management systems can contribute to accountability, including in the context of international data transfers.
• International agreements and administrative arrangements
The GDPR also makes it possible to provide appropriate safeguards for data transfers between public authorities or bodies on the basis of international agreements (Article 46(2)(a)) or administrative arrangements (Article 46(3)(b)). Although both instruments must achieve the same result in terms of safeguards, including the availability of enforceable rights for data subjects and effective remedies, they differ in their legal nature and in the adoption procedure.
Unlike international agreements, which create binding obligations under international law, administrative arrangements (e.g. in the form of a memorandum of understanding) are typically non-binding and therefore require prior authorisation from the competent data protection authority (see also recital 108 GDPR). An early example is the administrative arrangement for the transfer of personal data between supervisory authorities in the EEA and supervisory authorities outside the EEA cooperating within the framework of the International Organization of Securities Commissions (IOSCO), on which the European Data Protection Board issued an opinion[146] at the beginning of 2019. Since then, the Board has further developed its interpretation of the 'minimum safeguards' that international (cooperation) agreements and administrative arrangements between public authorities or bodies (including international organisations) must provide in order to meet the requirements of Article 46 GDPR. On 18 January 2020, it adopted draft guidelines[147] addressing the Member States' request for further clarification and guidance on what may be considered appropriate safeguards for transfers between public authorities[148]. The Board strongly recommends that public authorities use these guidelines as a reference point for their negotiations with third parties[149].
The guidelines demonstrate how flexible the design of such instruments can be, including on important aspects such as oversight[150] and redress[151]. This should allow public authorities to overcome the difficulties of, for example, ensuring that data subjects' rights are enforceable by means of non-binding arrangements. An important element of such arrangements is continued monitoring by the competent data protection authority, supported by information and record-keeping requirements, and the suspension of data transfers if appropriate safeguards can no longer be ensured in practice.
Derogations
Finally, the GDPR clarifies that so-called 'derogations' apply. These are specific grounds for the transfer of data (e.g. explicit consent[152], the performance of a contract or important reasons of public interest) that are recognised by law and on which entities may rely, under certain conditions, where no other transfer tools are available.
To clarify the use of such legal grounds, the European Data Protection Board has issued specific guidelines[153] and has interpreted Article 49 in a number of cases concerning specific transfer scenarios[154]. Because of their exceptional nature, the Board considers that the derogations must be interpreted restrictively in each individual case. Despite a strict interpretation, these grounds cover a wide range of transfer scenarios. This includes in particular transfers of data by both public authorities and private entities for 'important reasons of public interest', for example between competition authorities, tax or customs administrations, financial supervisory authorities or social security authorities, or for public health purposes (e.g. in the case of contact tracing for infectious diseases, or in order to reduce and/or eliminate doping in sport)[155]. Another area is cross-border cooperation for the purposes of criminal law enforcement, in particular as regards serious crime[156].

[145] The list of specific requirements contained in this ISO standard is available at: https://www.iso.org/standard/71670.html.
[146] European Data Protection Board, Opinion 4/2019 on the draft administrative arrangement for the transfer of personal data between European Economic Area (EEA) financial supervisory authorities and non-EEA financial supervisory authorities, 12.2.2019.
[147] European Data Protection Board, Guidelines 2/2020 on Articles 46(2)(a) and 46(3)(b) of Regulation (EU) 2016/679 for transfers of personal data between EEA public authorities and non-EEA public authorities and bodies (draft available at: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-22020-articles-46-2-and-46-3-b_en). According to the European Data Protection Board, the competent supervisory authority will base its examination on the general recommendations in these guidelines, but may also request further safeguards depending on the specific case. The Board submitted these draft guidelines to a public consultation, which ended on 18 May 2020.
[148] Council position and findings, paragraph 20.
[149] As regards the choice of instrument, the European Data Protection Board also stresses that public authorities remain free to rely on other relevant tools providing appropriate safeguards in accordance with Article 46 GDPR. As regards the choice of instrument, the Board stresses that it should be carefully assessed whether administrative arrangements that are not legally binding should be used to provide safeguards in the public sector, in view of the purpose of the processing and the nature of the data at hand. If data protection rights and redress for individuals in the EEA are not enshrined in the third country's national law, the conclusion of a legally binding agreement should be promoted. Whatever the type of instrument, the measures in place must be effective in ensuring appropriate implementation, enforcement and oversight (paragraph 67).
[150] This may include, for example, a combination of internal oversight (with an obligation to inform the other party of instances of non-compliance) and independent oversight through external or at least functionally independent mechanisms, as well as the possibility for the transferring public body to suspend or terminate the transfer.
[151] This may include, for example, quasi-judicial, binding mechanisms (e.g. arbitration) or alternative dispute resolution mechanisms, combined with the possibility for the transferring public authority to suspend or terminate the transfer of personal data if the parties fail to settle a dispute amicably, plus a commitment by the receiving public body to return or delete the personal data. When choosing alternative redress mechanisms that are binding and enforceable because effective judicial review cannot be ensured, the European Data Protection Board recommends that the competent supervisory authority be consulted before such instruments are concluded.
[152] This is a change compared with Directive 95/46, which only required 'unambiguous' consent. In addition, the general requirements for consent under Article 4(11) GDPR apply.
[153] European Data Protection Board, Guidelines 2/2018 on derogations of Article 49 under Regulation (EU) 2016/679, 25.5.2018 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf).
[154] This includes, for example, international transfers of health data for research purposes in the context of the COVID-19 outbreak. See European Data Protection Board, Guidelines 03/2020 on the processing of health data for the purpose of scientific research in the context of the COVID-19 outbreak, 21.4.2020 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf).
[155] See recital 112.
[156] See the amicus curiae brief of the European Commission on behalf of the European Union in support of neither party in United States v. Microsoft, p. 15: In general, EU law as well as the law of the Member States recognise the importance of combating serious crime, and hence criminal law enforcement and international cooperation in that field, as an objective of general interest. [...] Article 83 TFEU identifies several areas of crime that are particularly serious and have a cross-border dimension, such as illicit drug trafficking (available at: https://www.supremecourt.gov/DocketPDF/17/17-2/23655/20171213123137791_17-2%20ac%20European%20Commission%20for%20filing.pdf).
The Board has clarified that, although the relevant public interest must be recognised in Union law or in the national law of a Member State, this can also be established on the basis that "an international agreement or convention which recognises a certain objective and provides for international cooperation to foster that objective can be an indicator when assessing the existence of a public interest pursuant to Article 49(1)(d), as long as the EU or the Member States are a party to that agreement or convention".[157]
Decisions of foreign courts or authorities: not a ground for transfers
In addition to the positive determination of the grounds for transferring data, Chapter V of the GDPR also specifies, in Article 48, that judgments of courts or decisions of administrative authorities outside the EU are not in themselves legitimate grounds for transfers unless they are recognised or enforceable on the basis of an international agreement (e.g. a mutual legal assistance treaty). Any disclosure by the requested entity to the foreign court or authority in response to such a judgment or decision constitutes an international transfer of data that must be based on one of the transfer instruments mentioned above.[158]
The GDPR does not constitute a "blocking statute" and will, under certain conditions, allow a transfer in response to an appropriate law enforcement request from a third country. What matters is that it should be EU law that determines whether this is the case and on the basis of which safeguards such transfers may take place.
The Commission explained how Article 48 GDPR operates, including the possible use of the public interest derogation in the context of a production order (warrant) issued by a foreign law enforcement authority, in the Microsoft case before the US Supreme Court.[159] In its brief, the Commission stressed the EU's interest in ensuring that law enforcement cooperation takes place "within a legal framework that avoids conflicts of law and is based on [...] respect for each other's fundamental interests, both as regards privacy and law enforcement".[160] "[W]here a public authority requires a company established in its own jurisdiction to produce electronic data stored on a server in a foreign jurisdiction, it is in particular the principle of territoriality and the principle of comity under international law that apply".[161]
[157] European Data Protection Board, Guidelines on derogations (footnote 153 above), p. 10. The Board further clarified that, although data transfers based on the public interest derogation must not take place "on a large scale" or "systematically" but must be "limited to specific situations and [...] meet the strict necessity test", there is no requirement that they be "occasional".
[158] This is clear from the wording of Article 48 GDPR ("without prejudice to other grounds for transfer pursuant to this Chapter") and the accompanying recital 115 ("[T]ransfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. That may be the case, inter alia, where the disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject"). It is also recognised by the Board, see Guidelines on derogations (footnote 153 above, p. 5). As with any processing, the other safeguards of the Regulation must also be complied with (e.g. that data are transferred for a specific purpose, are relevant, are limited to what is necessary to respond to the request, etc.).
[159] Microsoft brief (footnote 156 above). As the Commission explained, the GDPR means that mutual legal assistance treaties are "preferred" as the basis for transfers, since such treaties "allow for the gathering of evidence on a consensual basis and reflect a carefully negotiated balance between the interests of the different states, intended to address the conflicts of jurisdiction that would otherwise arise". See also the European Data Protection Board Guidelines on derogations (footnote 153 above), p. 5 ("In situations where there is an international agreement, such as a mutual legal assistance treaty, EU companies should generally refuse direct requests and refer the requesting third-country authority to an existing mutual legal assistance treaty or agreement").
[160] Microsoft brief (footnote 156 above), p. 4.
[161] Microsoft brief (footnote 156 above), p. 6.
This is also reflected in the Commission's proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters,[162] which contains a specific comity clause making it possible to object to a production order where the law of a third country prohibits disclosure, in particular on the ground that this is necessary to protect the fundamental rights of the persons concerned.[163]
Ensuring comity is important given that law enforcement, like crime itself and cybercrime in particular, is increasingly cross-border and therefore often raises questions of jurisdiction and creates potential conflicts of law.[164] Unsurprisingly, the best way to address these issues is through international agreements that lay down the necessary limitations and safeguards for cross-border access to personal data, including by ensuring a high level of data protection on the side of the requesting authority.
The Commission, acting on behalf of the EU, is currently participating in multilateral negotiations on a Second Additional Protocol to the Council of Europe Convention on Cybercrime (the "Budapest Convention"), which aims to strengthen the existing rules for obtaining cross-border access to electronic evidence in criminal investigations while ensuring appropriate data protection safeguards as part of the Protocol.[165] Likewise, bilateral negotiations have been opened on an agreement between the EU and the United States on cross-border access to electronic evidence for judicial cooperation in criminal matters.[166] The Commission counts on the support of the European Parliament and the Council, and on the guidance of the European Data Protection Board, during these negotiations.
More generally, it is important to ensure that, where companies active on the European market are called upon, on the basis of a legitimate request, to share data for law enforcement purposes, they can do so without facing conflicts of law and in full respect of EU fundamental rights. To improve such transfers, the Commission is committed to developing appropriate legal frameworks with its international partners in order to avoid conflicts of law and support effective forms of cooperation, in particular by providing the necessary data protection safeguards, thereby contributing to a more effective fight against crime.
[162] European Commission, Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters (COM(2018) 225 final of 17.4.2018). The Council adopted its general approach on the proposed Regulation on 7.12.2018 (available at: https://www.consilium.europa.eu/en/press/press-releases/2018/12/07/regulation-on-cross-border-access-to-eevidence-council-agrees-its-position/#). See also EDPS, Opinion 7/19 on proposals regarding European Production and Preservation Orders for electronic evidence in criminal matters (available at: https://edps.europa.eu/data-protection/ourwork/publications/opinions/electronic-evidence-criminal-matters_en).
[163] The explanatory memorandum, p. 21, clarifies that, in addition to ensuring comity with regard to the sovereign interests of third countries, thereby protecting the person concerned and avoiding conflicts of law for service providers, reciprocity, i.e. ensuring respect for EU rules, including the protection of personal data (Article 48 GDPR), is an important motivation for the comity clause. See also the Statement of the Article 29 Working Party of 29.11.2017 on data protection and privacy aspects of cross-border access to electronic evidence (the WP29 Statement) (available at: file:///C:/Users/ralfs/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/TempState/Downloads/20171207_e-Evidence_Statement_FINALpdf%20(1).pdf), p. 9.
[164] See the Article 29 Working Party Statement (footnote 163 above), p. 6.
[165] See Recommendation for a Council Decision authorising participation in negotiations on a Second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No 185), 5.2.2019 (COM(2019) 71 final). See also EDPS, Opinion 3/2019 on participation in the negotiations in view of a Second Additional Protocol to the Budapest Convention on Cybercrime, 2.4.2019 (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_budapest_convention_en.pdf); European Data Protection Board, Contribution to the consultation on a draft Second Additional Protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), 13.11.2019 (available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpbcontributionbudapestconvention_en.pdf).
[166] See Recommendation for a Council Decision authorising the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters (COM(2019) 70 final of 5.2.2019). See also EDPS, Opinion 2/2019 on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence (available at: https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_on_eu_us_agreement_on_e-evidence_en.pdf).
7.3 International cooperation in the field of data protection
Promoting convergence between different privacy systems also means learning from each other through the exchange of knowledge, experience and best practices. Such exchanges are essential to address the new challenges, which are increasingly global in nature and scope. The Commission has therefore intensified its dialogue on data protection and data flows with a wide range of actors and in various fora at bilateral, regional and multilateral level.
The bilateral dimension
Since the adoption of the GDPR, there has been growing interest in the EU's experience in designing, negotiating and implementing modern privacy rules. The dialogue with countries going through similar processes has taken different forms.
The Commission services have made submissions to a number of public consultations organised by foreign governments considering privacy legislation, e.g. by the United States,[167] India,[168] Malaysia and Ethiopia. In some third countries, the Commission services had the honour of being invited to testify before the competent parliamentary bodies, e.g. in Brazil,[169] Chile,[170] Ecuador and Tunisia.[171]
Finally, in the context of ongoing data protection law reforms, dedicated meetings were held with government representatives or parliamentary delegations from many regions of the world (e.g. Georgia, Kenya, Taiwan, Thailand and Morocco). This included organising seminars and study visits, e.g. with representatives of the Indonesian government and a delegation of US Congressional staff. These provided an opportunity to clarify key concepts of the GDPR, improve mutual understanding of privacy matters and illustrate the benefits of convergence in ensuring a high level of protection of individual rights, trade and cooperation. In some cases, they also made it possible to caution against certain misconceptions about data protection that can lead to the introduction of protectionist measures such as mandatory localisation requirements.
[167] See the submission of DG Justice and Consumers of 9.11.2018 in response to a request for public comments on a proposed approach to consumer privacy [Docket No 180821780-8780-01] by the US National Telecommunications and Information Administration (available at: https://ec.europa.eu/info/sites/info/files/european_commission_submission_on_a_proposed_approach_to_consumer_privacy.pdf).
[168] See the submission of DG Justice and Consumers of 19.11.2018 on the draft Personal Data Protection Bill of India 2018 to the Ministry of Electronics and Information Technology (available at: https://eeas.europa.eu/delegations/india/53963/submission-draft-personal-data-protection-bill-india-2018-directorate-general-justice_en).
[169] See the plenary session of 17.4.2018 of the Brazilian Senate (https://www25.senado.leg.br/web/atividade/sessao-plenaria/-/pauta/23384), the hearing of 10.4.2019 of the Joint Committee on MP 869/2018 of the Brazilian Congress (https://www12.senado.leg.br/ecidadania/visualizacaoaudiencia?id=15392), and the hearing of 26.11.2019 of the special committee of the Brazilian Chamber of Deputies (https://www.camara.leg.br/noticias/616579-comissao-discutira-protecao-de-dados-no-ambito-das-constituicoes-de-outros-paises/).
[170] See the hearings of 29.5.2018 (https://senado.cl/appsenado/index.php?mo=comisiones&ac=asistencia_sesion&idcomision=186&idsesion=12513&idpunto=15909&sesion=29/05/2018&listado=1) and of 24.4.2019 (https://www.senado.cl/appsenado/index.php?mo=comisiones&ac=sesiones_celebradas&idcomision=186&tipo=3&legi=485&ano=2019&desde=0&hasta=0&idsesion=13603&idpunto=17283&listado=2) of the Committee on Constitutional, Legislative and Judicial Affairs of the Chilean Senate.
[171] See the hearing of 2.11.2018 of the Committee on Rights, Freedoms and External Relations of the Tunisian Assembly of the Representatives of the People (https://www.facebook.com/1515094915436499/posts/2264094487203201/).
Since the adoption of the GDPR, the Commission has also been in contact with several international organisations, not least in light of the importance of data exchanges with these organisations in a number of policy areas. In particular, a specific dialogue has been established with the United Nations to facilitate discussions with all stakeholders concerned in order to ensure smooth data flows and develop further convergence between the respective data protection regimes. As part of this dialogue, the Commission will work closely with the Board to further clarify how public and private operators in the EU can comply with their data protection obligations when exchanging data with international organisations such as the UN.
The Commission stands ready to continue sharing the experience of its reform process with interested countries and international organisations, just as it learned from other systems when drafting its proposal for new EU data protection rules. This type of dialogue is of mutual benefit to the EU and its partners, as it allows for a better understanding of the current state of play on privacy protection and for an exchange of views on new legal and technological solutions.
It is also in this spirit that the Commission is setting up a "Data Protection Academy" to foster exchanges between supervisory authorities in Europe and in third countries, and thereby improve cooperation in practice.
In addition, appropriate legal instruments need to be developed for closer cooperation and mutual assistance, including by allowing the necessary exchanges of information in the context of investigations. The Commission will therefore make use of the powers conferred on it in this area by Article 50 GDPR and, in particular, request authorisation to open negotiations for the conclusion of enforcement cooperation agreements with relevant third countries. In this context, it will also take into account the views of the Board as to which countries should be prioritised, in light of the volume of data flows, the role and powers of the privacy enforcement authority in the third country, and the need for enforcement cooperation in cases of common interest.
The multilateral dimension
In addition to bilateral exchanges, the Commission is also actively participating in a number of multilateral fora to promote shared values and build convergence at regional and global level.
The increasingly universal membership of Council of Europe Convention 108, the only legally binding multilateral instrument for the protection of personal data, is a clear sign of this trend towards (growing) convergence.[172] The Convention, which is also open to non-members of the Council of Europe, has already been ratified by 55 countries, including a number of African and Latin American states.[173] The Commission contributed substantially to the successful outcome of the negotiations on the modernisation of the Convention[174] and ensured that it reflects the same principles as those enshrined in the EU's data protection rules. Most EU Member States have now signed the amending protocol, although signatures are still missing from Denmark, Malta and Romania. Only four Member States (Bulgaria, Croatia, Lithuania and Poland) have ratified the amending protocol. The Commission calls on the three remaining Member States to sign the modernised Convention, and on all Member States to ratify it quickly, so that it can enter into force in the near future.[175] In addition, it will continue to proactively encourage third countries to accede.
[172] Importantly, the modernised Convention is not only a treaty laying down strong data protection safeguards, but also creates a network of supervisory authorities equipped with tools for enforcing the rules and, with the Convention Committee, a forum for discussion, exchange of best practices and development of international standards.
[173] See the full list of members: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures. African countries include Cape Verde, Mauritius, Morocco, Senegal and Tunisia; from Latin America, Argentina, Mexico and Uruguay. Burkina Faso has been invited to accede to the Convention.
[174] See the text of the modernised Convention: https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf.
Data flows and data protection have also recently been addressed in the G20 and G7. In 2019, for the first time, world leaders recognised the importance of data protection for building trust in the digital economy and facilitating data flows. With the Commission's active support,[176] the leaders endorsed the concept of "Data Free Flow with Trust" (DFFT), originally proposed by Japanese Prime Minister Abe, in the declaration of the G20 summit in Osaka[177] and at the G7 summit in Biarritz.[178] This approach is also reflected in the Commission's 2020 Communication on a European strategy for data,[179] in which it stresses its intention to continue promoting data exchanges with trusted partners while combating abuses, such as disproportionate access to data by (foreign) public authorities.
In this context, the EU will also be able to draw on a number of tools in different policy areas that increasingly take privacy implications into account: for example, the EU's first framework for the screening of foreign investments, which will apply fully from October 2020, allows the EU and its Member States to screen investment transactions that have an impact on "access to sensitive information, including personal data, or the ability to control such information" if they affect security or public order.[180]
The Commission works with like-minded countries in several other multilateral fora to actively promote its values and standards. An important forum is the OECD's recently established Working Party on Data Governance and Privacy (DGP), which has launched a number of important initiatives on data protection, data sharing and data transfers. These include the evaluation of the 2013 OECD Privacy Guidelines. In addition, the Commission contributed actively to the OECD Council Recommendation on Artificial Intelligence[181] and ensured that the EU's human-centric approach, i.e. that AI applications must comply with fundamental rights and in particular data protection, was reflected in the final text. Equally importantly, the AI Recommendation, which was subsequently incorporated into the G20 AI Principles annexed to the G20 Osaka Leaders' Declaration,[182] lays down the principles of transparency and explainability in order to enable those adversely affected by an AI system to challenge its outcome on the basis of clear and easily understandable information on the factors and the logic that formed the basis of the prediction, recommendation or decision, thereby closely mirroring the principles of the GDPR on automated decision-making.[183]
[175] In its decision on the amending protocol of 18.5.2018, the Committee of Ministers encouraged Member States and other Parties to the Convention to take without delay the necessary measures to allow the Protocol's entry into force within three years of its opening for signature, and to initiate the ratification process under their national law promptly, and in any event no later than one year after the date on which the Protocol was opened for signature. It also asked members to examine, every six months and for the first time one year after the date of the opening of the Protocol for signature, the progress towards ratification, on the basis of the information to be provided to the Secretary General by each of the Member States and other Parties to the Convention no later than one month before that examination. See https://search.coe.int/cm/pages/result_details.aspx?objectid=09000016808a3c9f.
[176] At the EU-Japan summit in April 2019, Commission President Jean-Claude Juncker expressed his support for Japan's "Data Free Flow with Trust" initiative and the launch of the "Osaka Track", and committed the Commission to playing an active role in both initiatives.
[177] See the text of the G20 Osaka Leaders' Declaration: https://www.consilium.europa.eu/media/40124/final_g20_osaka_leaders_declaration.pdf.
[178] See the text of the G7 Biarritz Leaders' strategy for an open, free and secure digital transformation: https://www.elysee.fr/admin/upload/default/0001/05/62a9221e66987d4e0d6ffcb058f3d2c649fc6d9d.pdf.
[179] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European strategy for data (COM(2020) 66 final of 19.2.2020) (https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_da.pdf), pp. 23-24.
[180] Article 4(1)(d) of Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79 I of 21.3.2019).
[181] https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449.
[182] G20 Ministerial Statement on Trade and Digital Economy: https://g20trade-digital.go.jp/dl/Ministerial_Statement_on_Trade_and_Digital_Economy.pdf.
Finally, the Commission is stepping up its dialogue with regional organisations and networks, which increasingly play a central role in shaping common data protection standards,[184] promoting the exchange of best practices and fostering cooperation between enforcement authorities. This applies in particular to the Association of Southeast Asian Nations (ASEAN), including in the context of the ongoing work on data transfer tools, the African Union, the Asia Pacific Privacy Authorities (APPA) forum and the Ibero-American Data Protection Network, all of which have launched important initiatives in this area and provide fora for a fruitful dialogue between privacy supervisory authorities and other stakeholders.
Africa is a good example illustrating the complementarity between the national, regional and global dimensions of privacy. Digital technologies are rapidly and profoundly transforming the African continent. This can accelerate the achievement of the Sustainable Development Goals by promoting economic growth, fighting poverty and improving people's lives. A modern data protection framework that attracts investment and fosters the development of a competitive business sector, while contributing to respect for human rights, democracy and the rule of law, is a key element of this transformation. The harmonisation of data protection rules in Africa will make it possible to integrate digital markets, while convergence with global standards will facilitate data exchanges with the EU. These different aspects of data protection are interlinked and mutually reinforcing.
There is now growing interest in data protection in many African countries, and the number of African countries that have adopted or are in the process of adopting modern data protection rules, or have ratified Convention 108[185] or the Malabo Convention,[186] continues to rise.[187] At the same time, the legal framework remains very uneven and fragmented across the African continent. Many countries still have few or no data protection safeguards. Measures restricting data flows are still widespread and hamper the development of a regional digital economy.
To reap the mutual benefits of convergent data protection rules, the Commission will work with its African partners both bilaterally and in regional fora.[188] It builds on the work carried out by the EU-AU Digital Economy Task Force within the framework of the New Africa-Europe Digital Economy Partnership.[189] It is also to promote such objectives that the scope of the Commission's Partnership Instrument project "Enhanced Data Protection and Data Flows" is being extended to cover Africa. The project will be mobilised to support African countries that intend to develop modern data protection frameworks or that wish to strengthen the capacity of their supervisory authorities through training, knowledge sharing and exchange of best practices.
[183] See Articles 13(2)(f), 14(2)(g) and 22 GDPR.
[184] See, for example, the African Union Convention on Cyber Security and Personal Data Protection (the "Malabo Convention") and the Standards for Data Protection for the Ibero-American States, developed by the Ibero-American Data Protection Network.
[185] Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=DW5jevqD.
[186] African Union Convention on Cyber Security and Personal Data Protection https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection. In addition, several of the Regional Economic Communities (RECs) have developed data protection rules, e.g. the Economic Community of West African States (ECOWAS) and the Southern African Development Community (SADC). See, respectively, http://www.tit.comm.ecowas.int/wp-content/uploads/2015/11/SIGNED-Data-Protection-Act.pdf and http://www.itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/docs/SA4docs/data%20protection.pdf.
[187]
[188] Including through the Policy and Regulation Initiative for Digital Africa (PRIDA), see information at: https://www.africa-eu-partnership.org/en/projects/policy-and-regulation-initiative-digital-africa-prida.
    Endelig er Kommissionen også fast besluttet på at bekæmpe digital protektionisme,
    som det for nylig blev fremhævet i datastrategien, samtidig med at konvergensen
    mellem databeskyttelsesstandarder på internationalt plan fremmes som et middel til at
    lette overførsel af oplysninger og dermed samhandelen190
    . Med henblik herpå har den
    udviklet specifikke bestemmelser om overførsel af oplysninger og databeskyttelse i
    handelsaftaler, som den systematisk stiller forslag om i sine bilaterale (senest med
    Australien, New Zealand og Det Forenede Kongerige) og multilaterale forhandlinger,
    som f.eks. de nuværende WTO-forhandlinger om e-handel. Disse horisontale
    bestemmelser udelukker rent protektionistiske foranstaltninger, såsom tvungne
    datalokaliseringskrav, samtidig med at parternes reguleringsmæssige autonomi
    bevares for at beskytte den grundlæggende ret til databeskyttelse.
    Dialogerne om databeskyttelse og handelsforhandlinger skal følge forskellige spor,
    men de kan samtidig godt supplere hinanden. Konvergens, baseret på høje standarder
    og en effektiv håndhævelse, udgør faktisk det stærkeste grundlag for udveksling af
    personoplysninger, hvilket i stigende grad anerkendes af vores internationale partnere.
    Eftersom virksomheder i stigende grad opererer på tværs af grænserne og foretrækker
    at anvende lignende regelsæt i alle deres forretningsaktiviteter i hele verden, bidrager
    en sådan konvergens til at skabe et miljø, der fremmer direkte investeringer,
    samhandel og øger tilliden mellem handelspartnere. Synergier mellem samhandel og
    instrumenter for databeskyttelse bør således udforskes nærmere for at sikre fri og
    sikker overførsel af oplysninger, hvilket er afgørende for forretningsaktiviteter,
    konkurrencedygtighed og vækst for europæiske virksomheder, herunder SMV'er, i
    vores stadig mere digitaliserede økonomi.
189
See the Joint Communication of the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy "Towards a comprehensive Strategy with Africa" (available at: https://ec.europa.eu/international-partnerships/system/files/communication-eu-africa-strategy-join-2020-4-final_en.pdf); Digital Economy Task Force, New Africa-Europe Digital Economy Partnership: Accelerating the Achievement of the Sustainable Development Goals (available at: https://www.africa-eu-partnership.org/sites/default/files/documents/finaldetfreportpdf.pdf).
190
https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 23.
Annex I – Provisions on optional specifications in national law

Subject | Scope | GDPR articles
Specifications regarding legal obligations and public tasks | Adapting the application of provisions with respect to processing for compliance with a legal obligation or a public task, including in the specific processing situations under Chapter IX | Article 6(2) and Article 6(3)
Age of consent in relation to information society services | Setting the minimum age between 13 and 16 years | Article 8(1)
Processing of special categories of data | Maintaining or introducing further conditions, including limitations, for the processing of genetic data, biometric data or health data | Article 9(4)
Derogation from information requirements | Obtaining or disclosing data where this is expressly laid down by law or for the purposes of statutory professional secrecy | Article 14(5)(c) and (d)
Automated individual decision-making | Authorising automated decision-making as an exception to the general prohibition | Article 22(2)(b)
Restrictions of data subjects' rights | Restrictions under Articles 12 and 22, Article 34 and the corresponding provisions of Article 5, where necessary and proportionate to safeguard exhaustively listed important objectives | Article 23(1)
Consultation and authorisation requirements | Requirement that controllers consult, or obtain authorisation from, the data protection authority for processing carried out for a task in the public interest | Article 36(5)
Designation of a data protection officer in additional cases | Designation of a data protection officer in cases other than those referred to in Article 37(1) | Article 37(4)
Restrictions on transfers | Restricting transfers of specific categories of personal data | Article 49(5)
Complaints and legal actions by organisations on their own behalf | Empowering privacy organisations to lodge complaints and bring legal actions independently of a mandate from data subjects | Article 80(2)
Access to official documents | Reconciling public access to official documents with the right to the protection of personal data | Article 86
Processing of the national identification number | Specific conditions for the processing of the national identification number | Article 87
Processing in the employment context | More specific rules for the processing of employees' personal data | Article 88
Derogations for processing for archiving purposes in the public interest, for research purposes or for statistical purposes | Derogations from the specified data subjects' rights, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes | Article 89(2) and (3)
Reconciling data protection with obligations of professional secrecy | Specific rules on the investigative powers of data protection authorities in relation to controllers or processors subject to an obligation of professional secrecy | Article 90
Annex II – Overview of the resources of the data protection authorities

The table below provides an overview of the resources (staff and budget) of the data protection authorities per EU/EEA country.¹⁹¹
When comparing the figures between Member States, it is important to bear in mind that the authorities may have tasks assigned to them in addition to the requirements of the GDPR, and that these may vary from one Member State to another. The ratio of staff employed by the authorities per million inhabitants and the authorities' budget per million EUR of GDP are included only to provide additional elements for comparison between Member States of similar size and should not be viewed in isolation. The absolute figures, the ratios and the development over recent years should be viewed together when assessing a given authority's resources.
STAFF (full-time equivalents) and BUDGET (EUR)

EU/EEA Member State | Staff 2019 | Staff forecast 2020 | Staff % growth 2016-2019 | Staff % growth 2016-2020 (forecast) | Staff per million inhabitants (2019) | Budget 2019 | Budget forecast 2020 | Budget % growth 2016-2019 | Budget % growth 2016-2020 (forecast) | Budget per million EUR of GDP (2019)
Austria | 34 | 34 | 48 % | 48 % | 3.8 | 2 282 000 | 2 282 000 | 29 % | 29 % | 5.7
Belgium | 59 | 65 | 9 % | 20 % | 5.2 | 8 197 400 | 8 962 200 | 1 % | 10 % | 17.3
Bulgaria | 60 | 60 | -14 % | -14 % | 8.6 | 1 446 956 | 1 446 956 | 24 % | 24 % | 23.8
Croatia | 39 | 60 | 39 % | 114 % | 9.6 | 1 157 300 | 1 405 000 | 57 % | 91 % | 21.5
Cyprus | 24 | 22 | not available | not available | 27.4 | 503 855 | not available | 114 % | not available | 23.0
Czechia | 101 | 109 | 0 % | 8 % | 9.5 | 6 541 288 | 6 720 533 | 10 % | 13 % | 29.7
Denmark | 66 | 63 | 106 % | 97 % | 11.4 | 5 610 128 | 5 623 114 | 101 % | 101 % | 18.0
Estonia | 16 | 18 | -11 % | 0 % | 12.1 | 750 331 | 750 331 | 7 % | 7 % | 26.8
Finland | 45 | 55 | 114 % | 162 % | 8.2 | 3 500 000 | 4 500 000 | 94 % | 150 % | 14.6
France | 215 | 225 | 9 % | 14 % | 3.2 | 18 506 734 | 20 143 889 | -2 % | 7 % | 7.7
Germany | 888 | 1002 | 52 % | 72 % | 10.7 | 76 599 800 | 85 837 500 | 48 % | 66 % | 22.3
Greece | 33 | 46 | -15 % | 18 % | 3.1 | 2 849 000 | 3 101 000 | 38 % | 50 % | 15.2
Hungary | 104 | 117 | 42 % | 60 % | 10.6 | 3 505 152 | 4 437 576 | 102 % | 155 % | 24.4
Iceland | 17 | 17 | 143 % | 143 % | 47.6 | 2 272 490 | 2 294 104 | 167 % | 170 % | 105.2
Ireland | 140 | 176 | 169 % | 238 % | 28.5 | 15 200 000 | 16 900 000 | 223 % | 260 % | 43.8
Italy | 170 | 170 | 40 % | 40 % | 2.8 | 29 127 273 | 30 127 273 | 46 % | 51 % | 16.3
Latvia | 19 | 31 | -10 % | 48 % | 9.9 | 640 998 | 1 218 978 | 4 % | 98 % | 21.0
Lithuania | 46 | 52 | -8 % | 4 % | 16.5 | 1 482 000 | 1 581 000 | 40 % | 49 % | 30.6
Luxembourg | 43 | 48 | 126 % | 153 % | 70.0 | 5 442 416 | 6 691 563 | 165 % | 226 % | 85.7
Malta | 13 | 15 | 30 % | 50 % | 26.3 | 480 000 | 550 000 | 41 % | 62 % | 36.3
Netherlands | 179 | 188 | 145 % | 158 % | 10.4 | 18 600 000 | 18 600 000 | 130 % | 130 % | 22.9
Norway | 49 | 58 | 2 % | 21 % | 9.2 | 5 708 950 | 6 580 660 | 27 % | 46 % | 15.9
Poland | 238 | 260 | 54 % | 68 % | 6.3 | 7 506 345 | 9 413 381 | 66 % | 108 % | 14.2
Portugal | 25 | 27 | -4 % | 4 % | 2.4 | 2 152 000 | 2 385 000 | 67 % | 86 % | 10.1
Romania | 39 | 47 | -3 % | 18 % | 2.0 | 1 103 388 | 1 304 813 | 3 % | 22 % | 4.9
Slovakia | 49 | 51 | 20 % | 24 % | 9.0 | 1 731 419 | 1 859 514 | 47 % | 58 % | 18.4
Slovenia | 47 | 49 | 42 % | 48 % | 22.6 | 2 242 236 | 2 266 485 | 68 % | 70 % | 46.7
Spain | 170 | 220 | 13 % | 47 % | 3.6 | 15 187 680 | 16 500 000 | 8 % | 17 % | 12.2
Sweden | 87 | 87 | 81 % | 81 % | 8.5 | 8 800 000 | 10 300 000 | 96 % | 129 % | 18.5
TOTAL | 2 966 | 3 372 | 42 % | 62 % | 6.6 | 249 127 139 | 273 782 870 | 49 % | 64 % | 17.4
Source of raw data: contribution of the European Data Protection Board. Calculations made by the Commission.
191
Except Liechtenstein.