Data protection of users of communications services
Dear European Data Protection Board,
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am submitting the following access to documents request.
I seek access to the documents that contain the following information regarding Directive (EU) 2018/1972 on the European Electronic Communications Code (EECC):
1. Documents such as reports, evaluations, guidelines, and meeting notes, on rules, measures and actions taken by Member States concerning the protection of personal data of users of communications services, both in general and, specifically, in the face of security breaches.
2. Copies of reports on security measures and incidents received from Member State data protection authorities.
My postal address is calle vinaroz, [ADDRESS], Spain. Please do not send hard copies, electronic responses will suffice.
Yours faithfully,
Rachel Hanna
Dear Sir/Madam,
Thank you for your message and for your interest in data protection.
We will look into your request and get back to you within due time.
Kind regards,
The EDPB secretariat
Dear Ms Rachel Hanna,
Thank you for your email.
First of all, we would like to point out that Directive 2018/1792 doesn't
entrust the EDPB with any official role or task.
As a consequence, the EDPB doesn't receive reports on security measures
and incidents from Member State data protection authorities. If you were
referring to the obligations under Article 40 of that Directive, we
understand from paragraph 2, last subparagraph, that competent authorities
have the obligation to submit reports to the European Commission and
ENISA. Therefore, we kindly invite you to address them access to documents
requests in order to get the information you are looking for.
In the light of the above, I would kindly ask you to confirm if you wish
to maintain your access to documents request. If this is the case, we
kindly invite you to rephrase it taking into account the fact that
Directive 2018/1792 doesn't entrust the EDPB with any official role or
task.
Thank you for your cooperation.
Kind regards,
The EDPB Secretariat
European Data Protection Board
Postal address: Rue Wiertz 60, B-1047 Brussels
Office address: Rue Montoyer 30, B-1000 Brussels
https://www.edpb.europa.eu/
Dear European Data Protection Board,
Thank you for your quick response. In light of your clarification, I would like to accept your invitation to reword my access to documents request.
Understanding that you do not have an official role or tasks under Directive 2018/1792, I would like to receive any documents you may hold, directed at the EU level and/or national level, concerning the implementation of data protection of users in the area of electronic communications networks and services, specifically concerning security measures and incident reporting.
Yours sincerely,
Rachel Hanna
Dear Ms Rachel Hanna,
Thank you for your email. However, the broad description given in your
request does not enable us to adequately identify the scope of your
request and, as a result, the concrete documents you are seeking access
to.
In accordance with Article 6(1) of Regulation 1049/2001, applications for
access to a document shall be made in a sufficiently precise manner to
enable the institution to identify the document(s) in scope of a request.
We therefore invite you, in accordance with Article 6(2) of Regulation
(EC) No 1049/2001 regarding public access to documents, to provide us with
more precise information on the documents you request, such as the type of
document (e.g. draft documents, meeting minutes, guidelines), references,
dates or periods during which the documents would have been drafted. There
is no obligation to tell us what the purpose of your request is, but maybe
this could help us better understand what documents you are looking for.
If you need further assistance to define more clearly the documents you
are seeking access to, please do not hesitate to let us know.
We kindly ask you to provide these clarifications so that we may identify
the documents in scope of your request. Please note that this request will
be considered closed if no reply is received within 15 working days (i.e.
by 21 December). Of course, this does not prevent you from making another
request at any stage in the future.
Thank you for your cooperation.
Kind regards,
The EDPB Secretariat
Dear European Data Protection Board,
Apologies if my request has not been sufficiently precise, allow me to clarify.
I would like to find out more about the data protection of users of electronic communications networks and services, such as those regulated under Directive 2018/1792.
Concerning narrowing the request, I would like to request guidelines only in relation to Directive 2018/1792.
To that effect, I would request access to any documents the European Data Protection Board may hold/have produced concerning:
• Guidelines on how to ensure the protection of personal data of users of electronic communications networks and services, specifically concerning security measures and incident reporting (under Directive 2018/1792).
These documents could be directed at the national or EU level.
As I do not know what documents you hold in this area, I am unable to narrow my request to specific documents.
Yours sincerely,
Rachel Hanna
Dear Ms Rachel Hanna,
Thank you for clarifying your request.
Firstly, we would like to clarify that the EDPB does not have a specific mandate for Guidelines regarding the Directive 2018/1972, which is allocated to other EU and Member State entities.
Secondly, considering your question on EDPB "Guidelines on how to ensure the protection of personal data of users of electronic communications networks and services specifically concerning security measures and incident reporting (under Directive 2018/1792(SIC))" we would kindly like to clarify that, in general, all EDPB Guidelines are aimed at assisting controllers and processors to ensure the protection of personal data, regardless of whether this concerns users of electronic communication networks and services or not.
As you are indicating specifically incident reporting, there exist two EDPB Guidelines on notifications of personal data breaches under the GDPR:
• Guidelines 01/2021 on Examples regarding Personal Data Breach Notification https://edpb.europa.eu/our-work-tools/ou...
• Guidelines 9/2022 on personal data breach notification under GDPR https://edpb.europa.eu/our-work-tools/do...
These Guidelines provide guidance on the notification obligations under the GDPR, but also indicate a non-exhaustive list of other acts requiring a notification of a breach (e.g. under Directive 2002/58/EC).
Directive 2002/58/EC provides specific protection for personal data for processing in the electronic communications sector. In this regard, the following EDPB Guidelines exist:
• Guidelines 02/2021 on virtual voice assistants https://edpb.europa.eu/our-work-tools/ou...
• Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications https://edpb.europa.eu/our-work-tools/ou...
• Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive https://edpb.europa.eu/our-work-tools/do...
Can we kindly ask you whether this satisfies your request?
Thank you very much.
The EDPB Secretariat
Dear Ms Rachel Hanna,
I am writing in reference to your request for access to documents dated
27/11/2023.
Given that, following our last email of 15 December 2023 we did not get
any feedback from your side, the EDPB Secretariat considers this request
to be closed.
Of course this does not prevent you from making a request for access to
documents in the future.
Best regards
EDPB Secretariat
Dear EDPB Secretariat,
Thank you for your response, it was very helpful.
Yours sincerely,
Rachel Hanna
Dear Sir/Madam,
Thank you for your message and for your interest in data protection. We
will look into your request and get back to you within due time.
Kind regards,
The EDPB Secretariat