6th Plenary meeting
22 & 23 January 2019, Brussels
1 Adoption of the minutes and the agenda
1.1 Minutes of the 5th EDPB meeting
The minutes were adopted unanimously.
Draft agenda of the 6th EDPB meeting
The Chair of the Board informed the members that a new point on Brexit, i.e. point 2.1.A,
had been added to the agenda at the request of two members of the EDPB.
Items 2.1, 2.1.A (NEW), 3.2.1, 184.108.40.206, 220.127.116.11, 3.3.2, 3.3.3 and 3.3.4 of the agenda were
declared confidential according to Art. 33 EDPB RoP.
The Chair of the Board welcomed the new Commissioner of the DE (Fed) SA.
The Chair of the Board and the FR SA informed the members about the fine imposed by the
French SA on Google.
Observers were present during the plenary meeting except for points 2.1, 18.104.22.168 and 22.214.171.124
of the agenda.
The updated draft agenda was adopted.
2 For discussion and/or adoption - current focus of the EDPB
2.1 Privacy Shield: Report on the second annual review - Discussion and adoption -
In October 2018 the second annual joint review of the EU – U.S. Privacy Shield took place in
Brussels. At the last plenaries the joint review team reported orally and in written form about
The EDPB had agreed to provide its own separate report about the review in addition to one
from the COM, as was done after the first review last year.
The draft report consists of an executive summary, the conclusions on the commercial and
government access aspects of the Privacy Shield as well as an annex on the factual findings of
this year’s review. The factual findings were already communicated during the November
plenary meeting. The analysis of the substantial parts has been discussed, respectively, at the
last meetings of the ITS and the BTLE expert subgroups.
Members of the EDPB made comments on the draft report.
After discussions, the members of the Board unanimously adopted the report taking into
account the comments made.
It was decided that the press release will make a distinction between the essential and
additional concerns regarding the Privacy Shield, also acknowledging the recently appointed
NEW - BREXIT -
Following the discussions, it was agreed to convene a meeting of the Strategic Advisory expert
subgroup on 31 January 2019. The
was asked to draft an information note on
the transfers of data between the EU and UK in case of a hard Brexit,
This draft will be discussed
during the Strategic Advisory expert subgroup meeting.
Annual Expert SG Working Plans for 2019 - discussion and possible adoption -
The EDPB SEC explained that this item followed the application of Art. 25.6 of EDPB RoP.
The EDPB SEC has gathered all the working plans provided by the different expert subgroups
and the planning of meetings for 2019 in overview documents. The document was first
discussed with the group of coordinators and the Strategic Advisory expert subgroup.
The EDPB SEC clarified that the adoption of the working plan does not automatically provide
the mandates for the different items.
After discussions, some adjustments were integrated in the document. The members adopted
this document unanimously.
EDPB 2019/2020 work program - Discussion -
The EDPB SEC explained that according to Art. 29 RoP the EDPB has to adopt a two-year work
program. The SEC prepared a proposal based on the annual working plans and following the
discussions at the meeting of the Strategic Advisory expert subgroup.
After discussions, some adjustments were introduced to the draft document.
Members of the EDPB were invited to provide comments in written form. The EDPB SEC was
requested to provide a revised version for the next plenary that will integrate the new written
comments that will be sent by the members.
Secretariat - Data protection and Freedom of expression
2.4.1 Draft answer to In ‘t Veld - Discussion and adoption
The SEC explained that the EDPB has received two letters concerning the request for
information made by the
to the RISE Project, as a result of a complaint made by a
natural person about possible violations of said person’s personal data, following the
publication of specific information by the RISE project in the public domain.
The first letter was submitted on 12 November 2018 by MEP Sophie In ‘t Veld.
The draft reply was presented by the EDPB SEC. After discussions, the letter was adapted and
the members of the EDPB adopted the modified version of the letter by majority.
2.4.2 Draft answer to civil society privacy organisations - Discussion and adoption
A letter was submitted on 19 November 2018 by several civil society privacy organisations,
that concerned the same subject matter as point 2.4.1.
The draft reply was presented by the EDPB SEC. The members discussed the content of this
letter together with the one from MEP Sophie In ‘t Veld. After discussions, the letter was
adapted and the members of the EDPB adopted the modified version of the letter.
2.4.3 Draft mandate for guidance on the balance between data protection and freedom
of expression - request for mandate
presented the background to their request.
The request for mandate was rejected by the members of the EDPB:
Guidelines on Art. 47 LED - request for mandate
Art. 51 (1) (c) of the Law Enforcement Directive (LED) provides that the EDPB has the task to
draw up guidelines for SAs concerning the application of measures referred to in Art. 47(1)
and (3) LED.
Art. 47 LED deals with the investigative, corrective and advisory powers of national SAs
towards competent authorities, e.g. police and judicial authorities within the EU competent
for the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties.
In addition, according to Art. 51 (1) (b) LED the EDPB may examine, also on its own initiative,
any question covering the application of this Directive and issue guidelines, recommendations
and best practices in order to encourage consistent application of the LED.
The BTLE expert subgroup requested a mandate to work on Art. 47 LED and prepare draft
guidelines. The guidelines should include guidance on the interpretation, transposition as well
as the application of Art. 47 LED by SAs.
The members of the Board unanimously granted the mandate under the condition that the
guidelines should be without prejudice to national transpositions already enacted.
Questionnaire on the use of personal data by political campaigns - request for
The Chair informed participants that she participated in the first meeting of the European
cooperation network on elections on 21 January, hosted by the European Commission. The
Commission stressed the importance for all SAs to be actively involved at national level in
this network (established as part of the electoral package presented by the Commission in
In light of the upcoming European Parliament elections in May and numerous national
elections scheduled for 2019, the SAESG has discussed the possibility to develop a
questionnaire that EDPB members could send to the political parties in a coordinated manner,
in particular to get information about the manner they collect and process personal data in
the context of the electoral process during its meeting on 9 January 2019.
After discussion, there was no majority to support the mandate proposed.
Instead, the members of the Board agreed to draft a joint statement on the topic. The
will draft a proposal that will be discussed during
the next Social Media expert subgroup meeting.
3 For discussion and/or adoption - Expert subgroups and Secretariat
3.1 Compliance, eGovernment and Health Expert Subgroup and Key Provisions
3.1.1 Clinical Trials Regulation Q&A: Consultation from the COM under Art. 70 GDPR - discussion and adoption
On 8 October 2018, the European Commission (DG SANTE) submitted to the EDPB a
request for consultation under Art. 70 GDPR concerning a document on “Questions and
Answers on the interplay between the Clinical Trials Regulation (CTR)1 and the General Data
Protection Regulation (GDPR)” (hereafter the “Q&A”).
The request refers specifically to a compilation of questions that have arisen during the last
months and the respective replies providing possible harmonised views from an EU
perspective on a number of topics which have been drafted by DG SANTE. The Q&A addresses
topics such as the adequate legal basis, informed consent and its withdrawal, information of
data subjects, transfers and secondary uses, always in the context of the clinical trials
In particular, the issue of the appropriate legal basis for the processing of personal data in the
context of the Clinical Trials Regulation has raised some confusion since the entry into force
of the GDPR.
After discussions by the members of the EDPB, the letter and the opinion were amended in
order to take into account the comments made by the members.
The majority of the members of the Board adopted the new version of the opinion as well as
3.1.2 Art. 64 GDPR Opinion on Contractual Clauses for processors
28.8 GDPR - discussion and confirmation of the drafting team
On 10 December 2018, a request was issued by the
via IMI for an EDPB opinion
under Art. 64(1)d GDPR on draft contractual clauses under Art. 28(8) GDPR to frame the
relation between controller and processor(s).
The request was broadcast on 19 December 2018. Since the applicable 8-week deadline
will end on 13 February 2019 and due to the complexity of the request, the Compliance,
eGovernment and Health as well as the Key Provisions expert subgroups asked for an
extension of the deadline for an additional six weeks as foreseen in Art. 64.3 GDPR.
The EDPB approved that a drafting team composed of representatives of the Compliance,
eGovernment and Health as well as the Key Provisions expert subgroups will prepare an
opinion, in liaison with the EDPB Secretariat.
Both expert subgroups have issued a call for rapporteurs. For the moment, five SAs have
offered to participate in the drafting team
1 Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical
trials on medicinal products for human use, and repealing Directive 2001/20/EC, OJEU L 158 27/05/2014.
The members of the EDPB granted the extension of the deadline and confirmed the drafting
Technology Expert Subgroup
3.2.1 DPIA Lists -
126.96.36.199 Art. 64 GDPR Opinions on DPIA lists: LI, NO - discussion and adoption -
The rapporteur explained that Art. 35(4) GDPR requires national SAs to establish and make
public a list of the kind of processing operations which are subject to the requirement of a
data protection impact assessment. Following the previous adoption of 22 lists at the
September Plenary and 4 lists at the December Plenary, 2 new lists (LI and NO) are submitted
for adoption during this plenary. The draft opinions were prepared by the same group of
co-rapporteurs as for the September and December Plenary meeting.
Some remarks were made in the draft opinion regarding other issues on which the Plenary
had already expressed its views.
The members of the EDPB unanimously validated the assessment undertaken by the
Technology expert subgroup and adopted the 2 opinions.
188.8.131.52 Follow up of the opinions on DPIA Lists issued in September 2018 - discussion
and adoption -
Following their adoption at the September Plenary, the 22 opinions on draft decisions
regarding Art. 35.4 GDPR (DPIA lists) were communicated to the competent SAs. The SAs were
requested to notify the Chair within two weeks after reception of the final opinion, whether
they intend to maintain or amend their draft decision and submit, if any, the amended draft
All 22 SAs indicated that they amended their draft decision and provided their amended draft.
The amendments were discussed in the Technology expert subgroup. In only a few cases did
questions arise as to whether the amendments sufficed to take utmost account of the
One such case involves the wording used in DPIA lists items regarding “biometric data”: some
amended draft decisions reference “biometric data” without specifying that it relates to
“biometric data, for the purpose of uniquely identifying a natural person” as requested in the
Another point related to the need to clarify that the criteria of “biometric data, for the
purpose of uniquely identifying a natural person”, “genetic data” and “vulnerable data
subjects” had necessarily to be combined with another criterion, such as “Large scale”.
With regard to DPIA lists according to Art. 35(5) GDPR, which SAs are not obliged to issue, the
coordinator of the Technology expert subgroup asked all SAs intending to submit such a list
to the Board to indicate the timing as soon as possible.
Guidelines on certification - discussion and adoption
The rapporteur explained that the EDPB adopted the draft guidelines on certification and
identifying certification criteria during its first Plenary meeting in May. These guidelines were
published for public consultation on 30 May 2018. 15 consultation responses were received
and fully analysed by the co-rapporteurs. The drafting team specifically clarified the approval
of criteria and the related European Data Protection Seal.
The updated guidelines also include a new annex aiming to guide the SAs and the EDPB when
reviewing and assessing the certification criteria.
Members of the Board adopted the certification guidelines -
and decided to submit the annex to a public
The results of the public consultation will be analysed by the Technology expert subgroup.
EDPB answer to the Australian SA on data breach notification - discussion and
The coordinator of the Technology expert subgroup explained that the Chair has received a
written request from the office of the Australian Information Commissioner in relation to the
publication of the data breach notifications.
Australia has had a mandatory data breach scheme since February 2018 that requires
regulated entities to notify the Information Commissioner's office and the affected
individuals in the event of a serious data breach. The Commissioner's office publishes
quarterly statistical reports about notifications. The Commissioner is considering whether
additional information should be published, like the name of the notifying controller.
According to the Australian Commissioner, these obligations are similar to the data breach
notification requirements introduced by the GDPR. Therefore, she contacted the Chair of the
Board to better understand the European approach and in particular to ask if the national
supervisory authorities are publishing the name of controllers being subject to a security
The Technology expert subgroup decided to submit the draft letter to the Board for adoption.
The members of the EDPB adopted the draft letter
3.3.1 Draft answer to In ‘t Veld - Spanish election law - discussion and adoption
The EDPB SEC explained that on 23 November 2018, MEP Sophie In ‘t Veld addressed a letter
to the Chair of the EDPB regarding the recently adopted Spanish electoral law. Given the
Cambridge Analytica case and the forthcoming elections for the European Parliament, MEP
In ‘t Veld requested an urgent reply.
The EDPB SEC has prepared a draft answer following the discussions that took place during
the last Strategic Advisory expert subgroup meeting.
The members of the EDPB unanimously adopted the amended draft reply letter.
3.3.2 EDPB Budget updates - discussion
During the WP29 plenary meeting of 10 April 2018, the EDPS presented the proposed draft
budget for 2019, which was supported by the WP29 Chair and deputy chairs.
On 5 June 2018, the Chair of the EDPB, in cooperation with the EDPS, participated in the
defence of the EDPB budget in front of the EU budget authorities.
The 2019 EDPB budget has been approved by the budget authorities (EP and EU Council) by
12 December 2018 with a budget cut for translations.
The EDPS and the EDPB SEC presented the approved 2019 EDPB budget and the execution of
the 2018 EDPB budget.
A member raised questions regarding the translations, the external consultants and the total
amount of the budget.
3.3.3 Access request-pending requests - state of play
No discussions took place on this point. This item will be discussed during the next plenary
meeting (12-13 February 2019).
3.3.4 Legislative consultation of the EDPB - discussion and adoption
No discussions took place on this point. This item will be discussed during the next plenary
meeting (12-13 February 2019).
4 Miscellaneous
4.1 Quick access to DPO or other responsible staff
The DE SA explained that a recent data leak (doxing) affecting hundreds of politicians and
other high profile people in Germany (e.g. see https://www.zdnet.com/article/massive-
The collected data – partly sensitive personal information of the affected persons - was
distributed on a variety of servers throughout the internet and a Twitter account was used to
publish links needed to access the data.
One SA expressed its willingness to assist SAs that might encounter the same problem with companies
for which they act as lead authority.
The members of the EDPB decided to discuss this item during the next plenary meeting with
a view to assessing if there is a legal basis for the EDPB to act on this.
5 Annex: Attendance list
AT SA, BE SA, BG SA, CY SA, CZ SA, DE SA, DK SA, EDPS, EE SA, EL SA, ES SA, FI SA, FR SA, HR SA, HU SA,
IE SA, IT SA, IS SA, LI SA, LT SA, LU SA, LV SA, MT SA, NL SA, NO SA, PL SA, PT SA, RO SA, SE SA, SI SA, SK
SA, UK SA