The European Data Protection Board ("EDPB") held its first plenary meeting on May 25, 2018, the same day the EU General Data Protection Regulation ("GDPR") came into force.

The EDPB replaces the Article 29 Working Party, which was an advisory body made up of the various data protection authorities under the prior European Union ("EU") data protection law. The EDPB is an independent European body composed of representatives of the national supervisory authorities of each EU member state and the European Data Protection Supervisor ("EDPS"). Its mission is to ensure the consistent application of EU privacy laws and to provide relevant guidance and direction in the area.

As one of its first orders of business during its first meeting, the EDPB adopted guidelines on two separate topics under the GDPR: (1) final Guidelines 2/2018, which address derogations to transferring personal data outside of the EU under Article 49 of the GDPR ("Guidelines on Article 49 Derogations") and (2) draft Guidelines 1/2018, which address certification mechanisms and data protection seals and marks used to demonstrate compliance with the GDPR, in accordance with Articles 42 and 43 of the GDPR ("Guidelines on Certification Mechanisms").

Guidelines on Article 49 Derogations

In order to transfer personal data outside of the EU, organizations must use an approved transfer mechanism. Such mechanisms include: (i) transferring to a country that the EU deems to have adequate data protection laws under Article 45 of the GDPR, (ii) using an appropriate safeguard identified by Article 46 of the GDPR, such as the standard contractual clauses, binding corporate rules, etc., and (iii) relying on a derogation identified in Article 49 of the GDPR, which includes, inter alia, explicit consent from the data subject, contractual necessity and public interest.

The Guidelines on Article 49 Derogations are relevant in a number of context:

  • They confirm that organizations transferring personal data outside of the EU should first endeavor to rely upon one of the mechanisms described in Articles 45 and 46 of the GDPR before relying upon the derogations in Article 49 of the GDPR. The derogations provided in Article 49 of the GDPR should only be used when the standard contractual clauses, binding corporate rules or other mechanisms covered by Articles 45 and 46 cannot be put in motion.
  • The EDPB reaffirms that the consent requirements issued by its predecessor, the Article 29 Working Party are applicable when assessing the conditions of an "explicit consent" in the context of derogations. It cautions organizations on the feasibility of using consent as a long-term solution for transfers to third countries.
  • Available derogations that are not expressly limited to "occasional" or "not repetitive" transfers (e.g., when based on consent or public interest) still have to be interpreted restrictively.
  • The EDPB further provides guidelines on the "occasional" and "necessity" test. In relation to "occasional," the EDPB states, for example, that data transfers taking place within a stable business relationship should not be considered as being "occasional." On "necessity," the Guidelines on Article 49 Derogations, confirm that the necessity test, when applicable, requires an evaluation by the data exporter of a close and substantial connection between the data transfer and the actual purpose.
  • The Guidelines on Article 49 Derogations offer practical examples of the derogations and their use (including in intra-group context, in relation to HR data).

Guidelines on Certification Mechanisms

Article 42 of the GDPR encourages companies to use approved data protection certification mechanisms and data protection seals and marks to allow data subjects to quickly assess the level of data protection being provided by a company and to demonstrate a company's use of appropriate data protection safeguards.

The draft Guidelines on Certification Mechanisms are not construed as a procedural manual for certification but rather identify overarching criteria that may be relevant to all types of certification mechanisms (and provide interesting summary tables allocating the role and power of supervisory authorities in relation to the certification process).

In the draft Guidelines on Certification Mechanisms, the EDPB, among other clarifications:

  • Defines what is meant by certification (by referring to the ISO standard).
  • Explores the rationale for using certification as an accountability tool.
  • Assesses the role of supervisory authorities in developing certification mechanisms and explains the scope of what can be certified (products, services, software, etc.) and the purpose of certification. The guidelines confirm that certification might be a tool to demonstrate that appropriate technical and organizational measures are in place (as per Articles 24 and 32 of the GDPR).
  • Contemplates the idea of a European-wide data protection seal as a means to mitigate the multiplication of national logos and practices.

The Guidelines on Certification Mechanisms are open for public consultation for six weeks. Comments must be sent to EDPB@edpb.europa.eu by July 12, 2018.

Learn more about the EU General Data Protection Regulation.