International Transfer Subgroup (ITS)

Heiko Roth made this access to documents request to European Data Protection Board

Automatic anti-spam measures are in place for this older request. Please let us know if a further response is expected or if you are having trouble responding.

Response to this request is long overdue. By law, under all circumstances, European Data Protection Board should have responded by now (details). You can complain by requesting an internal review.

Dear European Data Protection Board,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

1 Context of my request:

The "Data Protection Conference" in Germany has published an overview of the participation of German supervisory authorities in subgroups of the EDPB as of 12/2018:

https://datenschutzkonferenz-online.de/m.... Erwähnt wird dort u.a. eine "International Transfer Subgroup (ITS)".

2 My Requests

2.1 Current overview of all subgroups of the EDPB with a breakdown of which authorities of which EU member state are represented in which subgroup.

2.2 Minutes, opinions, statements and other documents that have been used by the members of the ITS since 16.07.2020 in the context of the work of the ITS.

2.3 Indication of the relationship of the subgroups to the EDPB (e.g. advisory role only).

Yours faithfully,
HR

European Data Protection Board

Thank you for your message and for your interest in data protection. We
will look into your request and get back to you within due time.
The EDPB Secretariat

Dear European Data Protection Board,

according to European Law EU institutions have the obligation to answer within 15 working days on such requests. In exceptional cases, for example when asking for a large number documents, an extension of 15 further working days can be applied to your request. Please provide me with brief feedback on the current status of my request and approximately when I can expect to hear back.

Yours faithfully,
HR

European Data Protection Board

Dear Mr. Roth,

 

We are contacting you regarding your below request.

 

As regards the second part of your request, as far as we understand, you
are requesting access to any document used in the context of the work of
the ITS expert subgroup since 16.07.2020.

 

Following a preliminary assessment based on your request, the EDPB would
incur a disproportionate workload in order to carry out the preliminary
research required to identify the documents potentially related to your
request, based on the information you have provided in your message below.
In this regard, we would like to draw your attention to the EU case law
enabling the institution to not proceed the preliminary research when the
request is not precise ([1]F-121/07, Strack v Commission), or on the
possibility to refuse to identify the documents falling under the scope of
a request if the identification would lead to a disproportionate workload
([2]T-653/16, Malta v Commission).

 

In order to be able to proceed with analysing your request, we would
therefore ask you to provide us with more information, which would allow
us to identify the documents in scope of your request. While you are not
required to provide any reasoning for your request, it may be helpful if
you could provide us with any information on your interest in obtaining
the documents, insofar as this would help us to determine the documents in
scope of your request.

 

Finally, with regard to the third part of your request, "Indication of the
relationship of the subgroups to the EDPB", this appears to be a request
for information, and not a request for access to documents in accordance
with Regulation 1049/2001. For information regarding expert subgroups in
the context of the EDPB, we refer you to Articles 25 – 28 of the [3]EDPB's
rules of procedure.

 

We thank you in advance for your cooperation and remain available in case
of any questions.

 

Best regards

 

EDPB Secretariat

 

show quoted sections

European Data Protection Board

Dear Mr. Roth,

 

We are contacting you following our email below, dated 28 February, and to
which we do not seem to have received a reply.

 

In order to be able to proceed with analysing your request, we would
therefore ask you to provide us with more information regarding the second
point of your request ("Minutes, opinions, statements and other documents
that have been used by the members of the ITS since 16.07.2020 in the
context of the work of the ITS"), which would allow us to identify the
documents in scope of your request. While you are not required to provide
any reasoning for your request, it may be helpful if you could provide us
with any information on your interest in obtaining the documents, insofar
as this would help us to determine the documents in scope of your request.

 

We thank you in advance for your cooperation and remain available in case
of any questions.

 

Best regards

 

EDPB Secretariat

 

 

From: European Data Protection Board <[EDPB request email]>
Sent: 28 February 2022 17:03
To: [FOI #10668 email]
Cc: European Data Protection Board <[EDPB request email]>
Subject: Your access to documents request - International Transfer
Subgroup (ITS) - request for clarifications

 

Dear Mr. Roth,

 

We are contacting you regarding your below request.

 

As regards the second part of your request, as far as we understand, you
are requesting access to any document used in the context of the work of
the ITS expert subgroup since 16.07.2020.

 

Following a preliminary assessment based on your request, the EDPB would
incur a disproportionate workload in order to carry out the preliminary
research required to identify the documents potentially related to your
request, based on the information you have provided in your message below.
In this regard, we would like to draw your attention to the EU case law
enabling the institution to not proceed the preliminary research when the
request is not precise ([1]F-121/07, Strack v Commission), or on the
possibility to refuse to identify the documents falling under the scope of
a request if the identification would lead to a disproportionate workload
([2]T-653/16, Malta v Commission).

 

In order to be able to proceed with analysing your request, we would
therefore ask you to provide us with more information, which would allow
us to identify the documents in scope of your request. While you are not
required to provide any reasoning for your request, it may be helpful if
you could provide us with any information on your interest in obtaining
the documents, insofar as this would help us to determine the documents in
scope of your request.

 

Finally, with regard to the third part of your request, "Indication of the
relationship of the subgroups to the EDPB", this appears to be a request
for information, and not a request for access to documents in accordance
with Regulation 1049/2001. For information regarding expert subgroups in
the context of the EDPB, we refer you to Articles 25 – 28 of the [3]EDPB's
rules of procedure.

 

We thank you in advance for your cooperation and remain available in case
of any questions.

 

Best regards

 

EDPB Secretariat

 

show quoted sections

Dear European Data Protection Board,

thank you for your assessment.

Re: 2.1 "Current overview of all subgroups of the EDPB with a breakdown of which authorities of which EU member state are represented in which subgroup." - I cannot see why this information should only be discoverable with disproportionate effort. An internal organization chart or distribution list should be able to answer this question.

Re: 2.2 Minutes, opinions, statements and other documents that have been used by the members of the ITS since 16.07.2020 in the context of the work of the ITS. - I want to precise this: only documents related to the interpretation of Art. 44-49 GDPR are of interest.

Yours sincerely,
HR

European Data Protection Board

Dear Sir/Madam,

Thank you for your message and for your interest in data protection. We
will look into your request and get back to you within due time.

Kind regards,

The EDPB Secretariat  

European Data Protection Board

Dear Mr. Roth,

Thank you for your reply.

As stated in our previous emails, this request for clarifications refers to the second part of your request. ("Minutes, opinions, statements and other documents that have been used by the members of the ITS").

As mentioned in our email of 28 February, as far as we understand, you are requesting access to any document used in the context of the work of the ITS expert subgroup since 16.07.2020. In the same email, we have stated that the EDPB would incur a disproportionate workload in order to carry out the preliminary research required to identify the documents potentially related to your request, based on the information you have provided in your message.

In your message below, you have stated that only documents related to the interpretation of Art. 44-49 GDPR are of interest to you. Given that these articles refer to transfers of personal data to third countries or international organisations, it is unclear to us how the scope of this request differs from our previous understanding, i.e. any document used in the context of the work of the international transfers expert subgroup.

We would therefore kindly ask you to narrow down the scope of your request (e.g. regarding the type of document and/or the time frame concerned) in order to enable the EDOB to handle this request within the deadlines foreseen in Regulation 1049/2001.

While you are not required to provide any reasoning for your request, it may be helpful if you could provide us with any information on your interest in obtaining the documents, insofar as this would help us to determine the documents in scope of your request.

We thank you in advance for your cooperation and remain available in case of any questions.

Best regards

EDPB Secretariat

show quoted sections

European Data Protection Board

Dear Mr. Roth,

 

Until now, we have not received any response to our previous messages of
27 April and 28 February 2022, requesting clarifications on the scope of
point 2.2 of your request ("Minutes, opinions, statements and other
documents that have been used by the members of the ITS since 16.07.2020
in the context of the work of the ITS - only documents related to the
interpretation of Art. 44-49 GDPR"), and asking you to narrow down the
scope of your request (e.g. regarding the type of document and/or the time
frame concerned) in order to enable the EDPB to handle this request within
the deadlines foreseen in Regulation 1049/2001.

 

Please note that the mandate of the ITS is to provide guidance on the
interpretation of Chapter V GDPR. Therefore, the reference that you
provided to Art. 44-49, which is the full list of the provisions included
under Chapter V, was not helpful to narrow down the scope of your request.

 

In order to proceed with handling your request with a fair solution, we
propose to limit this request to the minutes of ITS meetings, which
contain points on the interpretation of Art 44-49 GDPR, between 16.07.2020
and the date your request was received (29.01.2022).

 

We have noted that you have stated that you wish to receive documents
related to the work of the ITS subgroup as of 16.07.2020, which is the
date that the Schrems II judgement was delivered. In this context, would
you agree to limit the scope of this request to minutes of the ITS
meetings in which the interpretation of Art 44-49 GDPR in the context of
Schrems II was discussed?

 

We kindly ask you to provide us with your feedback on this proposal by
next Tuesday, 17 May end of business.

 

In case we do not receive a reply by then, we will register this request
and handle it as mentioned above ("minutes of ITS meetings, which contains
points on the interpretation of Art 44-49 GDPR in the context of Schrems
II, between 16.07.2020 and the date your request was received
(29.01.2022).)

 

This of course does not prevent you from making any requests for access to
documents in the future.

 

Thank you very much in advance.

 

Best regards

 

EDPB Secretariat

 

show quoted sections

Dear European Data Protection Board,

I agree to your proposal:

We have noted that you have stated that you wish to receive documents
related to the work of the ITS subgroup as of 16.07.2020, which is the
date that the Schrems II judgement was delivered. In this context, would
you agree to limit the scope of this request to minutes of the ITS
meetings in which the interpretation of Art 44-49 GDPR in the context of
Schrems II was discussed?

Best regards and thank you
HR

European Data Protection Board

Dear Mr. Roth,

 

Thank you very much for your reply.

 

We confirm registration of your access to documents request and registered
it today under reference 2022/40. Please use this reference for further
correspondence. As regards the third part of your request, this has been
treated as a request for information, and you have received a reply on
28/02/2022.

 

We are currently assessing your request and will provide you with a reply
within 15 working days (13/06/2022).

 

Please note that the EDPB specific privacy statement regarding the
processing of personal data for the purposes of handling requests for
access to documents is available on the EDPB website and can be viewed via
this link: [1]https://edpb.europa.eu/edpb-specific-pri....

 

As mentioned in our email of 28 February 2022, once we have replied to
this request, we will proceed with registering your next request in the
order it has been received, i.e. documents regarding the coordinated
enforcement framework, unless you indicate a different priority.

 

Should you have any further queries, please do not hesitate to contact us.

 

Best regards,

 

The EDPB Secretariat

 

-------------------------

 

From: European Data Protection Board <[2][EDPB request email]>
Sent: 28 February 2022 15:33
To: Heiko Roth <[3][email address]>
Cc: European Data Protection Board <[4][EDPB request email]>;
[5][email address]
Subject: RE: access to documents request - Working Documents for
Guidelines regarding Art. 48 GDPR

 

Dear Mr. Roth,

 

Thank you for your email.

 

As explained in our previous emails (most recently on 17/02), at the
moment the EDPB Secretariat does not have the resources to handle all of
your requests at the same time (also taking into account other requests
for access to documents submitted by other applicants), within the legal
deadlines foreseen in Regulation 1049/2001.

 

We have therefore informed you that your requests will be handled, one by
one, once we have responded to your three currently ongoing requests
(2022-04, 2022-06 and 2022-08). The respective deadlines for replying to
these three requests are, as already communicated to you, 28/02, 02/03 and
03/03.

 

Once the last of these three requests has been replied to, we will
register your next request in chronological order, unless you indicate a
different priority.

 

Please find below a list of your current pending requests, in
chronological order:

 

Received Request
Recommendations
02/2020 on the
European
Essential
Guarantees for
surveillance
measures. 1.
Documentation
showing why
there was no
19/01/2022 public
consultation.
2. Documents
containing
information
used to prepare
Recommendations
02/2020 (e.g.,
legal opinions,
third-party
comments, own
research).
1 All documents
(e.g.
statements,
expert
opinions, press
reports,
guidelines)
related to the
development of
the above
mentioned
29/01/2022 Guidelines on
Art. 48 GDPR.
2. An
indication of
what the
current
progress is in
the development
of the
above-mentioned
Guidelines on
Art. 48 GDPR
1. Current
overview of all
subgroups of
the EDPB with a
breakdown of
which
authorities of
which EU member
state are
represented in
which subgroup
2. Minutes,
opinions,
statements and
29/01/2022 other documents
that have been
used by the
members of the
ITS since
16.07.2020 in
the context of
the work of the
ITS. 3. 3
Indication of
the
relationship of
the subgroups
to the EDPB
(e.g. advisory
role only).
CEF. 1)
Information,
embodied in
particular in
documents such
as sample
questionnaires
or sampling
parameters,
which provide
information on
how contact and
exchange is or
will be made
with the
'public' bodies
mentioned in
the press
15/02/2022 release as part
of the
coordinated
audit on the
part of the
BfDI 2)
Information, in
particular
embodied in
documents,
which provide
information
about when
exactly the
audit mentioned
in the press
release was or
will be
started.
CEF: 1) )
information,
embodied in
particular in
documents,
indicating
which of the
European
regulators are
meant in both
PR that have
joined the
joint
coordinated
review of cloud
15/02/2022 services in the
public sector.
2) information,
embodied in
particular in
documents,
indicating How
the "75" public
bodies
mentioned in
PR2 were
selected and
which public
bodies they are
in detail (name
of the public
bodies).
Opinion 03/2022
on the draft
decision of the
French
Supervisory
Authority
regarding the
Processor
Binding
Corporate Rules
of the WEBHELP
Group - 1.
Documents
provided to the
EDPB by the
French
regulator or by
the WEBHELP
Group such that
the EDPB has
concluded, as
cited in 1
above, that the
BCRs of the
WEBHELP Group
contain
19/02/2022 "adequate
safeguards" as
defined above
(e.g.,
documents
comparable to a
'Transfer
Impact
Assessment').
2. Beyond the
documents in
2.1, such
documents that
provide
information on
how the EDPB
has arrived at
the assessment
by others that
WEBHELP Group's
BCRs contain
"appropriate
safeguards" as
defined above
(e.g., through
internal legal
opinions of the
EDPB).

 

The next request we intend to register is therefore the one you have sent
on 19/02, regarding European Essential Guarantees. In case you prefer to
have a different request handled first, please let us know this no later
than 2 March end of business.

 

Please note we will contact you separately, via the relevant ask-the-eu
email address regarding any of your requests which require clarifications.

 

We remain available in case of any questions.

 

Best regards

 

EDPB Secretariat

 

 

show quoted sections

European Data Protection Board

2 Attachments

Dear Mr. Roth,

 

We refer to your email dated 29/01/2022 in which you made a request for
access to documents, registered on 18/05/2022 under reference number
2022/40.

 

Your application is currently being handled. However, we will not be in a
position to complete the handling of your application within the time
limit of 15 working days, which expires today (13/06/2022).

 

An extended time limit is needed, as your application covers a
considerable number of documents (including a very long document) for
whose identification and assessment we need more time, due to the high
amount of cases currently being dealt with by our team.

 

Therefore, we have to extend the time limit for another 15 working days in
accordance with Article 7(3) of Regulation (EC) No 1049/2001 regarding
public access to documents. The new deadline expires on 04/07/2022.

 

We apologise for this delay and for any inconvenience this may cause.

 

Yours sincerely,

 

Ventsislav Karadjov, deputy chair of the EDPB

 

┌─────────────────────────────────────╥───────────────────────────────────────────────────────┐
│ ║European Data Protection Board │
│ ║ │
│ ║Postal address: Rue Wiertz 60, B-1047 Brussels │
│[1]cid:image001.png@01D42EFC.C1379A70║ │
│ ║Office address: Rue Montoyer 30, B-1000 Brussels │
│ ║ │
│ ║[2]cid:image003.png@01D42EFC.C1379A70 [3]edpb.europa.eu│
└─────────────────────────────────────╨───────────────────────────────────────────────────────┘

 

 

From: European Data Protection Board <[EDPB request email]>
Sent: 18 May 2022 10:39
To: Heiko Roth <[FOI #10668 email]>
Cc: European Data Protection Board <[EDPB request email]>
Subject: Case reference number (2022/40) - Request for access to documents
- acknowledgment of receipt

 

Dear Mr. Roth,

 

Thank you very much for your reply.

 

We confirm registration of your access to documents request and registered
it today under reference 2022/40. Please use this reference for further
correspondence. As regards the third part of your request, this has been
treated as a request for information, and you have received a reply on
28/02/2022.

 

We are currently assessing your request and will provide you with a reply
within 15 working days (13/06/2022).

 

Please note that the EDPB specific privacy statement regarding the
processing of personal data for the purposes of handling requests for
access to documents is available on the EDPB website and can be viewed via
this link: [4]https://edpb.europa.eu/edpb-specific-pri....

 

As mentioned in our email of 28 February 2022, once we have replied to
this request, we will proceed with registering your next request in the
order it has been received, i.e. documents regarding the coordinated
enforcement framework, unless you indicate a different priority.

 

Should you have any further queries, please do not hesitate to contact us.

 

Best regards,

 

The EDPB Secretariat

 

-------------------------

 

From: European Data Protection Board <[5][EDPB request email]>
Sent: 28 February 2022 15:33
To: Heiko Roth <[6][email address]>
Cc: European Data Protection Board <[7][EDPB request email]>;
[8][email address]
Subject: RE: access to documents request - Working Documents for
Guidelines regarding Art. 48 GDPR

 

Dear Mr. Roth,

 

Thank you for your email.

 

As explained in our previous emails (most recently on 17/02), at the
moment the EDPB Secretariat does not have the resources to handle all of
your requests at the same time (also taking into account other requests
for access to documents submitted by other applicants), within the legal
deadlines foreseen in Regulation 1049/2001.

 

We have therefore informed you that your requests will be handled, one by
one, once we have responded to your three currently ongoing requests
(2022-04, 2022-06 and 2022-08). The respective deadlines for replying to
these three requests are, as already communicated to you, 28/02, 02/03 and
03/03.

 

Once the last of these three requests has been replied to, we will
register your next request in chronological order, unless you indicate a
different priority.

 

Please find below a list of your current pending requests, in
chronological order:

 

Received Request
Recommendations
02/2020 on the
European
Essential
Guarantees for
surveillance
measures. 1.
Documentation
showing why
there was no
19/01/2022 public
consultation.
2. Documents
containing
information
used to prepare
Recommendations
02/2020 (e.g.,
legal opinions,
third-party
comments, own
research).
1 All documents
(e.g.
statements,
expert
opinions, press
reports,
guidelines)
related to the
development of
the above
mentioned
29/01/2022 Guidelines on
Art. 48 GDPR.
2. An
indication of
what the
current
progress is in
the development
of the
above-mentioned
Guidelines on
Art. 48 GDPR
1. Current
overview of all
subgroups of
the EDPB with a
breakdown of
which
authorities of
which EU member
state are
represented in
which subgroup
2. Minutes,
opinions,
statements and
29/01/2022 other documents
that have been
used by the
members of the
ITS since
16.07.2020 in
the context of
the work of the
ITS. 3. 3
Indication of
the
relationship of
the subgroups
to the EDPB
(e.g. advisory
role only).
CEF. 1)
Information,
embodied in
particular in
documents such
as sample
questionnaires
or sampling
parameters,
which provide
information on
how contact and
exchange is or
will be made
with the
'public' bodies
mentioned in
the press
15/02/2022 release as part
of the
coordinated
audit on the
part of the
BfDI 2)
Information, in
particular
embodied in
documents,
which provide
information
about when
exactly the
audit mentioned
in the press
release was or
will be
started.
CEF: 1) )
information,
embodied in
particular in
documents,
indicating
which of the
European
regulators are
meant in both
PR that have
joined the
joint
coordinated
review of cloud
15/02/2022 services in the
public sector.
2) information,
embodied in
particular in
documents,
indicating How
the "75" public
bodies
mentioned in
PR2 were
selected and
which public
bodies they are
in detail (name
of the public
bodies).
Opinion 03/2022
on the draft
decision of the
French
Supervisory
Authority
regarding the
Processor
Binding
Corporate Rules
of the WEBHELP
Group - 1.
Documents
provided to the
EDPB by the
French
regulator or by
the WEBHELP
Group such that
the EDPB has
concluded, as
cited in 1
above, that the
BCRs of the
WEBHELP Group
contain
19/02/2022 "adequate
safeguards" as
defined above
(e.g.,
documents
comparable to a
'Transfer
Impact
Assessment').
2. Beyond the
documents in
2.1, such
documents that
provide
information on
how the EDPB
has arrived at
the assessment
by others that
WEBHELP Group's
BCRs contain
"appropriate
safeguards" as
defined above
(e.g., through
internal legal
opinions of the
EDPB).

 

The next request we intend to register is therefore the one you have sent
on 19/02, regarding European Essential Guarantees. In case you prefer to
have a different request handled first, please let us know this no later
than 2 March end of business.

 

Please note we will contact you separately, via the relevant ask-the-eu
email address regarding any of your requests which require clarifications.

 

We remain available in case of any questions.

 

Best regards

 

EDPB Secretariat

 

 

show quoted sections