EDPB holds 49th plenary session

May 19, 2021

The European Data Protection Board has held its 49th plenary session. It has adopted two opinions under Article 24 of the GDPR about the first draft decisions on transnational Codes of Conduct presented to the EDPB by the Belgian and French supervisory authorities. In particular, the Belgian authority’s draft decision concerns the EU CLOUD Code of conduct, addressed to cloud service providers. The French authority’s draft decision concerns the CISPE Code of conduct, which is also addressed to cloud infrastructure service providers. The Codes aim to provide practical guidance and define specific requirements (see Article 28 GDPR) for processors in the EU subject to these Codes. They are not to be used in the context of international transfers of personal data. The EDPB is of the opinion that both draft codes comply with the GDPR and fulfil the requirements set out in Articles 40 and 41 GDPR. According to the GDPR, adherence to approved codes of conduct may be used as an element to demonstrate legal compliance.

The EDPB also adopted a statement on the Data Governance Act (DGA) in light of developments in the legislative process. The statement is a follow-up to the joint EDPB-EDPS opinion on the DGA and reinforces its main points. The EDPB reiterates that, without robust data protection safeguards, there is a risk that the trust in the digital economy would not be sustainable. The statement further highlights the need to ensure consistency of the DGA with EU data protection law and calls on the co-legislators to carefully consider certain aspects, such as the relationship between the DGA and the GDPR, and the importance of ensuring that the new definitions and concepts are not incompatible with the GDPR. 

Finally, the EDPB adopted recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. The recommendations cover situations in which data subjects buy a product or pay for a service via a website or an application and provide their credit card data to conclude a unique transaction. It appears that in such situations, the data subject does not reasonably expect the credit card data to be stored for longer than what is necessary to pay the goods or services. In addition, it is not evident that the storage of the credit card data to facilitate future purchases is necessary to pursue the legitimate interest of the controller or a third party. As such, consent in accordance with Article. 6(1)(a) GPDR should be considered the sole appropriate legal basis for storing credit card data after the purchase.