During its latest plenary, the European Data Protection Board (EDPB) adopted the final version of its guidelines on Article 48 GDPR about data transfers to third country authorities. The EDPB also discussed the European Commission’s request for a joint EDPB-EDPS opinion on the draft proposal on the simplification of record-keeping obligation under the GDPR. Finally, the EDPB presented two new Support Pool of Experts (SPE) projects providing training material on artificial intelligence and data protection.
Data transfers to third country authorities
Following consultation, the EDPB has adopted the final version of the guidelines on data transfers to third country authorities. In its guidelines, the EDPB covers Article 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities.
The EDPB explains that judgements or decisions from third country authorities cannot automatically be recognised or enforced in Europe. Generally, an international agreement may provide for both a legal basis and a ground for transfer. If there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.
The updated guidelines aim to provide further clarification on certain issues raised during the consultation. For example, the updated guidelines cover where the recipient of a request is a processor. In addition, they provide additional details about when a holding company in a third country receives a request from that third country authority and then requests the personal data from its subsidiary in Europe.
Simplification of record-keeping obligation under the GDPR
The Board also discussed the European Commission’s request for a joint opinion by the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify the record-keeping obligations of small and medium-sized enterprises (SMEs), small mid-caps (SMCs) and organisations with fewer than 750 employees, amounting to a targeted amendment of Art. 30(5) GDPR. The EDPB and EDPS will issue their joint opinion on this topic within eight weeks.
Upskilling and reskilling on AI and data protection
Finally, the EDPB also presented two new Support Pool of Experts (SPE) projects: Law & Compliance in AI Security and Data Protection and Fundamentals of Secure AI Systems with Personal Data. The two projects, which have been launched at the request of the Hellenic Data Protection Authority (HDPA), provide training material on AI and data protection. The main aim of these projects is to address the critical shortage of skills on AI and data protection, which is seen as a key obstacle to the use of privacy-friendly AI.
