EDPB adopts new guidelines including on concepts of controller and processor

July 14, 2021

The European Data Protection Board has held its latest plenary session. During the session, the EDPB adopted a final version of the guidelines on the concepts of controller and processor. These guidelines aim to clarify fundamental concepts such as (joint) controller and processor. The final version reflects feedback from the EDPB’s consultation.

It also adopted guidelines on codes of conduct as a tool for data transfers. The main purpose of the guidelines is to clarify how articles 40(3) and 46(2)(e) of the GDPR apply. These provisions stipulate that once approved by a competent supervisory authority and after having been granted general validity within the EEA by the European Commission, a code of conduct may also be followed by controllers and processors not subject to the GDPR to provide appropriate safeguards to transfers of data outside of the EU. The guidelines complement the EDPB Guidelines 1/2019 on codes of conduct which establish the general framework for their adoption.

The EDPB also adopted a final version of the guidelines on virtual voice assistants. The guidelines aim to provide recommendations about how to address some of the most relevant compliance challenges for virtual voice assistants. They have been updated following public consultation.

Following the establishment of TikTok in the EU and the identification of its main establishment in Ireland for the ongoing cases related to the TikTok app, the EDPB has decided to disband its TikTok Taskforce. It had been created to coordinate potential actions from the EEA supervisory authorities and to acquire a more comprehensive  overview of TikTok’s processing and practices across the EU. At the time the Taskforce was created, there was no main establishment for TikTok in the EU and the Taskforce aimed to facilitate the exchange of information between supervisory authorities. The One-Stop-Shop procedure now applies and the Irish DPC has been designated as the lead authority. 

Finally, the EDPB discussed possible topics for its first coordinated enforcement action, following its decision to set up a Coordinated Enforcement Framework last year. The EDPB decided that the first action will concern the use of cloud-based services by public sector bodies and further work will be carried out to specify the details and the scope in the upcoming months.