Technology Expert Subgroup meeting
20-21 February 2019, Brussels, Rue Montoyer 30, 00x072-062
Welcome and Approval of the Agenda
The coordinator welcomed the participants and gave an update from the recent plenary meetings.
The work program of the EDPB has been adopted; the certification guidelines were adopted; the annex
to the guidelines will undergo a public consultation; two opinions on Art 35.4 GDPR lists were adopted.
Additionally the Letter to the Australian authority was adopted.
Additionally the dates of the remaining meetings (in the second half of 2019) were agreed upon except
for September, which is still to be decided. The meetings will take place on 23-24 Oct, 20 Nov and 17
The draft agenda was revised as following: the item “Microsoft Services follow up” was added under
Approval of the Minutes of 16 January 2019
The minutes were adopted in written procedure.
Data Protection by Design and by Default
A presentation was given by the rapporteur. The rapporteurs stated that the timeline will need to be
adjusted. The current draft was discussed and examples and comments were requested, specifically
on which of the examples focusing on the implementation of the principles should be kept.
The rapporteur will add references to EDPB and WP29 Guidelines where available and revise the part
The coordinator gave an introduction of this item in the context of the work program.
The rapporteur presented identified issues to be possibly addressed in Guidelines. The identified
issues and the scope were discussed.
A first draft request for mandate will be provided by the rapporteur by 22 February 2019. Written
comments to be submitted until 1 March 2019. Then the document will be shared with the Financial
Matters Expert Subgroup (because cryptocurrencies based on blockchain is in their workprogram)
aiming for submission of a mandate at the April plenary.
The rapporteur presented the latest version of the document, which was discussed by the participants
of the ESG. Several issues were discussed,
Comments are to be provided until 15 March 2019. A new version will be provided by 1 April 2019 for
discussion at the April Tech ESG meeting
DPIA: Article 35.4 and 35.5 lists
The two draft opinions were discussed. Comments are to be provided by 27 February and the final
version will be circulated by 1 March 2019.
Regarding the Art 35.5 GDPR lists, the Secretariat was requested to provide an infonote for the plenary
with possible timelines and which clarifies the legal basis, by 1 March 2019.
The rapporteur raised issues to be addressed more clearly in the guidelines. The discussion will be
continued at the ESG meeting in March and the rapporteur was requested to provide practical
examples at the end of February. The discussion in March could also include a discussion on a revised
annex, taking into account the results of the public consultation.
Art 64 opinion on ePrivacy-GDPR interplay
The rapporteur gave a presentation on the state of the opinion. Two options were prepared and their
impact, pros and cons were explained. The participants agreed on the methodology. They were also
invited to comment on the two options as to where additions may need to be made. The rapporteur
will incorporate the comments received and finalise the document for the plenary meeting.
The rapporteur reported from the workshops that they conducted with the local security teams on
The Secretariat presented a new version of the “how to” document on data breach cases. A new
version incorporating comments made during the meeting will be shared with the coordinator by the
10 March 2019 and an Infonote will be drafted for the April plenary meeting.
A discussion on the mandate to give further guidance was postponed. A group of volunteering SAs will
start a discussion in writing.
The rapporteur presented the latest version of the document and the comments provided were
discussed. The participants were requested to provide more examples that relate to the mandate
received 15 March 2019. A new version incorporating the discussion will be created by the rapporteurs
by 10 April 2019 for discussion at the April Tech ESG. A discussion on some issues that could not be
addressed in February will also be held at the March Tech ESG.
The EDPB Secretariat presented the work on the collaborative tool (Confluence) as it was discussed in
the IT Users Expert Subgroup. Such a tool was requested initially by the Cooperation Expert Subgroup.
The Participants were requested to provide feedback on the tool, which will be presented by the
secretariat at the march plenary.
For the March plenary
opinions on Art 35.4 GDPR lists:
o Comments until 27 February 2019
o Finalised version by 1 March 2019 to the plenary
opinion on Art 35.5 GDPR lists:
o Infonote to be submitted to plenary on timeline and procedure
opinion on the Interplay of GDPR and ePrivacy Directive:
o Comments and drafting suggestions by noon 25 February 2019
o rapporteur to share updated version and infonote by EOB 27 February 2019
o Final drafting suggestions by EOB 28 February 2019
For the next ESG meeting
Art 25 Guidelines:
o Comments and examples until 27 February 2019, consolidated version to co-
rapporteurs by 1 March 2019
o Updated version by coordinator by 11 March 2019
o Draft Infonote for mandate by 22 February 2019 to interested SAs
o Comments by 1 march
o Circulation to the FMES at the beginning of March 2019
o Draft mandate by 1 April 2019
o Comments to rapporteur by 15 March 2019.
o New version by the rapporteur by 1 April 2019
o rapporteur to provide practical examples by 28 February 2019
o Discussion in March
Data Breach Notifications:
o Comments on manual to Secretariat by 27 February 2019
o New version of manual by 10 March 2019
o The interested SAs (
) will lead a written discussion to prepare the request
o Comments on Sections 3-10 to rapporteur by 15 March 2019
o Updated version by coordinator by 10 April 2019
Annex: Attendance List
- SAs: AT, BE, BG, CZ, DE (Berlin, Federal, Thuringia, Schleswig Holstein), DK, EDPS, EE, EL, ES, FI, FR,
HR, HU, IE, IT, LU, MT, NL, PL, PT, RO, SE, SK, UK
- EEA: NO
- European Commission
- EDPB Secretariat