EDPB

Forget It!: EDPB Announces Focus on Right to Erasure in 2025

By Liisa Thomas on March 11, 2025

Posted in Consumer Privacy, EU Privacy, European Data Protection Board, Rights Requests

Right of erasure (or “right to be forgotten”) has been selected by the European Data Protection Board as its priority enforcement topic for 2025. This work is being done under the “Coordinated Enforcement Framework” or “CEF.” The EDPB created the CEF in 2022 as a way to streamline and coordinate enforcement across EU data protection authorities. Past topics have included the right of access, and the role of data protection officers in organizations.Continue Reading Forget It!: EDPB Announces Focus on Right to Erasure in 2025

EU Regulators to Take Closer Look at DPO Position

By Julia Kadish on September 26, 2022

Posted in EU Privacy

The EDPB recently announced its second topic for coordinated enforcement. At a national level, data protection authorities in the EU will be looking into the position of the data protection officer. The results of these national actions are analyzed and bundled, generating deeper insights into a particular topic. Last year, the EDPB had selected the use of cloud-based services by the public sector for its first coordinated enforcement action. So, this second topic will be of more relevance to a wider set of organizations. Given that the report on the outcome of the 2022 coordinated action is expected to be adopted before the end of the year, companies can expect a report on the DPO position sometime in 2023. Continue Reading EU Regulators to Take Closer Look at DPO Position

What’s the Big Deal About Dark Patterns?

By Liisa Thomas on May 25, 2022

Posted in Dark Patterns, EU Privacy, European Data Protection Board, FTC, US Privacy

Dark patterns have been a recent regulatory focus. The FTC issued an enforcement policy late last year, and the European Data Protection Board followed suit with guidelines this spring. The…

Companies Have Until March to Comment on EDPB Data Breach Notification Guidelines

By Julia Kadish on February 1, 2021

Posted in Data Breach, EU Privacy

Many supervisory authorities across Europe have reported increasing numbers of data breach notifications since the introduction of GDPR. While most companies are now familiar with the 72-hour reporting obligation for controllers to supervisory authorities, whether such obligation has been triggered continues to present unique and complex questions in each specific security event. To help aid companies sorting through these potential legal notification obligations in the aftermath of a security event, the EDPB recently released draft guidance, which is open for comment until 2 March 2021.
Continue Reading Companies Have Until March to Comment on EDPB Data Breach Notification Guidelines

EDPB Sheds Post-Schrems II Light on Supplementary Measures for Data Transfers

By Liisa Thomas & Snehal Desai on November 17, 2020

Posted in Consumer Privacy, EU Privacy, Privacy Shield

The EDPB recently published recommendations on additional security steps to take when transferring personal data out of the EU. As outlined in our previous series of posts, the EU found this summer that the EU-US Privacy Shield was an invalid mechanism for transferring personal information from the EU to the US.
Continue Reading EDPB Sheds Post-Schrems II Light on Supplementary Measures for Data Transfers

Using Mobile Apps and Location Data to Combat COVID-19

By Julia Kadish on April 20, 2020

Posted in COVID-19

A number of private and government entities have released apps and software development kits (SDKs) relying on location tracking data to help tackle the COVID-19 pandemic. While the use of such technologies are being hotly debated, commentary continues to emerge from the EU about developing such applications in compliance with EU data protection laws.
Continue Reading Using Mobile Apps and Location Data to Combat COVID-19

EDPB Announces Scope of COVID-19 Guidance

By Julia Kadish & Liisa Thomas on April 15, 2020

Posted in COVID-19, EU Privacy, GDPR, Healthcare Privacy, Mobile Privacy

Following its 20th plenary session on April 7, the European Data Protection Board (EDPB) selected geolocation and health data to focus on in its upcoming COVID-19 guidance. This follows in response to the EDPB’s earlier broad statement on the processing of personal data in the context of COVID-19.
Continue Reading EDPB Announces Scope of COVID-19 Guidance

EDPB Seeks Comment On Online Services Guidance

By Liisa Thomas on April 23, 2019

Posted in EU Privacy, GDPR

The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being funded through advertising dollars, for example). The EDPB guidance points out that these services typically fall under the provision of GDPR that permits processing of personal information when it is “necessary to perform a contract.” In that regard, the guidance attempts to scope out processing that is necessary in the contractual realm. Information might be processed under one of the other legal basis that exists under GDPR, as the EDPB highlights throughout the guidance, including legitimate interest and consent. This guidance thus provides businesses with ideas about when processing might fall under the “necessary for a contract” basis as opposed to another legal basis.
Continue Reading EDPB Seeks Comment On Online Services Guidance

Eye On Privacy