Draft
Technology Expert Subgroup meeting
20-21 March 2019, Brussels, Rue Montoyer 30, 00x082-062
Items
Approval of the Agenda
The draft agenda was amended and approved. The Coordinator requested to add a short update on
the OECD work on Data Breach Notifications. In the DPIA item also the submission by the EDPS will be
discussed. The Secretariat asked to add an item on Confluence for the Technology ESG.
Welcome and update from the Plenary
The coordinator informed the participants that the two Art 35.4 GDPR lists submitted by Spain and
Iceland were adopted at the last EDPB Plenary. Further, the approach proposed on the Art 35.5 GDPR
lists was approved. An update on the outcome of the ePrivacy interplay matter will be given in a
separate agenda point.
Opinion on ePrivacy-GDPR interplay- Follow up
The rapporteur provided an update on the adoption of the Opinion at the EDPB Plenary. The opinion
was presented at the last EDPB Plenary on the 12 of March 2019. The document was amended by an
ad-hoc drafting team to implement the requests from the Plenary. The revised Opinion was adopted.
Further, a statement was produced at the Plenary regarding the current state on e-Privacy on the 2nd
day of the EDPB Plenary.
Data Breach Notifications
State of Play (rapporteur:
The rapporteur presented a state of play of their observations. A particular point to note was, that the
possibility of bundling notifications may require further guidance.
Discussion on the draft mandate
The group that had volunteered to work on a draft request for mandate presented the outcome of
their discussions.
1
29/03/2019
OECD work on Data Breaches
Coordinator informed the participants on the latest development on the work of the OECD regarding
Data Breach Notifications.
DPIA list of kinds of processing
Art 35.5 GDPR: state of play & timeline for submission
The rapporteur presented the timeline and the outcome of the adoption of the infonote at the March
Plenary.
Art 39 Reg 1725/2018: submission by the EDPS
The EDPS clarified the differences applicable to their DPIA lists and the procedure of consulting the
EDPB.
Certification & accreditation (
The Rapporteur proposed some amendments to the paragraph 45 of the guidelines.
These amendments, excluding the examples, have been accepted by the participants and will be
presented for adoption to the EDPB Plenary in April. The annex will need to be updated analogously
when addressing the result of the public consultation. An Infonote will be provided by the Rapporteur
and the Secretariat and submitted for the Plenary by 28 March 2019.
The lead rapporteur then presented the input received during the public consultation on the annex
on accreditation. The updated version of the annex on accreditation will be discussed at the next
Technology ESG meeting in April. The aim is to provide the amended version to the EDPB Plenary in
May. Comments shall be provided to the lead rapporteur by the 29 March 2019. The updated annex
will be send by the 14 April 2019 to the ESG.
The result of the public consultation on the Annex of the Certification guidelines will be discussed at
the May meeting of the Technology ESG.
Video Surveillance
The rapporteurs presented a discussion note focused on biometric data. Drafting options were
discussed and it was proposed to liaise with the Key Provision Expert Subgroup. Paragraph 65 will need
to be redrafted and Paragraphs 78-80 were deleted.
Paragraph 85 will be moved to an earlier part to clarify its purpose. As the group of rapporteurs have
a drafting team meeting in the days following the ESG meeting, they will provide information on a
timeline after the drafting team meeting. They will present a new version on the next Technology ESG
meeting.
2
29/03/2019
AoB, Conclusion, next steps
The coordinator has circulated an updated version of the ISO Standard table.
The EDPS provided further information on the Workshop it is organising jointly with ENISA on the 4
April 2019.
The Secretariat will provide a note to the EDPB Plenary regarding the Art 39 1725/2018 Regulation list
of the EDPS for the April EDPB Plenary.
To-do/Next steps
Next meeting on the 24-25/04. The other dates are listed hereafter.
1 Welcome
The agenda has been adopted.
Minutes of the last meeting were adopted electronically.
The Art 64.2 opinion has been adopted.
A statement on ePrivacy was also drafted at the plenary
2 ePrivacy
The subgroup will work on a new opinion once more progress has been made at
the Council.
to finalise a draft mandate for the 28th March (to be circulated to the Tech ESG
2
Data
Breach
before being uploaded on CIRCA) DPAs are invited to send comments on the OECD
Notification
questionnaire until the 31/03. Comments should be sent to the coordinator.
At the April meeting, IT will report on the EDPS-ENISA DBN workshop.
DPAs are invited to send their list through IMI via an Art 64.2 procedure before the
03/04.
EDPB
opinions
will
be
adopted
at
the
July
plenary.
4 Art 35.5 lists
If the list is not ready yet at national level, it will be possible to send the list in June
(with the aim of adopting an EDPB opinion in September).
Opinions should be prepared for the July plenary.
The updated guidelines, with an amended version of paragraph 45, will be
proposed for adoption at the April plenary.
5 Certification
The update of the accreditation annex should follow in May, and the certification
annex in June.
6 Video surveillance An updated version of the guidelines will be sent for the April TECH meeting.
7 AOB
The Manual on DBN in IMI will be discussed in the IT user ESG.
Annex: Attendance List
- SAs: AT, BE, BG, CZ, DK, DE, EE, IE, ES, FR, HR, IT, LU, HU, NL, PL, RO, SI, SK, FI, SE, UK, NO
- EDPS
- European Commission
- EDPB Secretariat
3
29/03/2019