The European Data Protection Board (EDPB) has weighed in on the ePrivacy Regulation:

  • EU legislators should intensify efforts towards the adoption of an ePrivacy Regulation, which is necessary to complete the EU’s framework for data protection and confidentiality of communications.
  • The ePrivacy Regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive 2002/58/EC and must complement the GDPR by providing additional strong guarantees for all types of electronic communications.
  • The ePrivacy Regulation is necessary to ensure a level playing field and legal certainty for market operators.

Details from the EDPB.

Data protection and political campaigns – European Data Protection Board (EDPB) issues a statement.

Key points:

  • Personal data revealing political opinions is a special category of data under the GDPR, and, in most cases, processing it will require explicit, specific, fully informed, and freely given consent.
  • Using personal data made public, like on social media, or otherwise shared by individuals, is still subject to obligations concerning transparency, purpose specification and lawfulness.
  • Companies must provide sufficient information to the individuals who are being analyzed and whose personal data are being processed, even if they are data brokers and not consumer-facing.
  • Automated profiling connected to targeted campaign messaging may, in certain circumstances, cause “similarly significant effect” requiring explicit consent of the individual.
  • In case of targeting, companies should provide adequate information explaining why the person is receiving a particular message, who is responsible for it and how the person can exercise his/her rights as a data subject.

Since May 25, 2018, 206,326(!) GDPR cases have been reported by Supervisory Authorities (SAs) from 31 European Economic Area (EEA) countries.

Of those, 94,622 were initiated by individual complaints and 64,684 due to data breach notification by the controller. 52 percent of these cases have already been closed and 1 percent challenged before national court.

The European Data Protection Board (EDPB) has issued the “First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities.” Here are some more numbers:

  • SAs from 11 EEA countries have already imposed administrative fines according to Article 58.2 (i) GDPR. The total amount of the fines imposed is €55,955,871.
  • 30 different EEA SAs have registered 281 cases with a cross-border component. Of these, 194 derived from complaints by individuals.
  • The three main topics of the cases are related to:
    • the exercise of data subjects’ rights
    • consumer rights
    • data breaches
  • 45 One-Stop-Shop procedures were initiated by SAs from 14 different EEA countries, but this number is increasing steadily
  • 444 mutual assistance requests have been triggered by SAs to other SAs from 18 different EEA countries

Read the full report.

The Romanian Presidency of the Council of the EU has proposed a compromise on issues that are in the way of the EU e-Privacy Regulation.


  • A user’s consent to cookies should NOT be required for technical storage or access necessary and proportionate for the legitimate use of a service requested by the user. This may include:
    • session cookies for tracking input when filling online form
    • authentication session cookies
    • cookies remembering items selected in shopping basket
    • cookies necessary for the provision of information society services requested by the user (eg those used by connected thermostats)
  • Consent SHOULD be required for cookies collecting information for purposes other than is necessary for the provision of the requested service.
  • To avoid cookie consent fatigue companies can implement technical measures to grant consent through transparent and user-friendly settings. E.g. granting consent to a specific provider re: one or multiple specific purposes across one or more services of that provider, or consent to the use of all or certain types of cookies by whitelisting one or several providers.

Read the full proposal.

Now serving complaint #6241…

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published guidelines on how it will prioritize the handling of complaints filed with it under the EU General Data Protection Regulation (GDPR).

Criteria include:

  1. How harmful is the alleged violation for the individual(s)? This depends on nature of data and nature of the violation.
  2. What is the broader social significance? For example, does the case involve processing of personal data by governments and in healthcare, trade in personal data, unreported data leaks and data leaks caused by serious shortcomings in security.
  3. To what extent will the DPA be able to act effectively, taking into consideration other complaints filed with it and its available manpower and budget?

If a complaint scores high on several criteria, there may be more reason for further investigation by the DPA. In exceptional circumstances, however, further investigation can be started with a low score on all criteria.

Read the full guidelines.

Clinical trials and the EU General Data Protection Regulation (GDPR): The European Data Protection Board (EDPB) has issued a much-awaited opinion on the legal basis for processing clinical trial data.

Key takeaways:

  • The legal basis for processing operations expressly provided by the Clinical Trial Regulation and by relevant national provisions, as related to reliability and safety purposes is “legal obligation(s) to which the controller is subject” (Art 6(1)(c)). – This specifically includes:
    • performance of safety reporting
    • archiving of the clinical trial master file
    • the medical files of subjects
    • any disclosure of clinical trial data to the national competent authorities in the course of an inspection
  •  The legal basis for processing operations purely related to research activities in the context of a clinical trial would, depending on the facts of the case, be:
    • the data subject’s explicit consent (Art 6(1)(a) + Art 9(2)(a)),
    • a task carried out in the public interest (Article 6(1)(e)),
    • the legitimate interests of the controller (Art 6(1)(f)) + Article 9(2)(i) or (j))

Read the full opinion.

Forget me yes, part two.

Austrian Data Protection Authority holds that a data controller can meet its obligations to satisfy a data subject’s erasure request under GDPR by anonymizing personal data.

Some points:

  • Erasure is not the same as destruction; the controller can select means to carry out the erasure.
  • The controller must ensure that neither the controller himself nor a third party can restore a personal reference without disproportionate effort.
  • The fact that a reconstruction of the data may become possible in future due to new technology, does not render the erasure insufficient.
  • The measures used by the company that were deemed to be sufficient for erasure were:
    • delete the contract offer
    • delete all contacts (e.g. mail address, telephone number, etc.)
    • irrevocable manual deletion of the first and last name and replacement by “John Doe” (with the same date of birth)
    • stop communication with the individual
    • merge the person to be erased with the new anonymous person to ensure that the overwriting is also technically sustainable
    • erase customer in electronic file

Details from the Austrian Data Protection Authority.

Japan is the latest country to be recognized by the European Union as providing adequate protection to data. The decision is one of mutual adequacy and creates the world’s largest area of safe data flows.

Per European commissioner Vera Jourova: “Europeans’ data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers’ market.”

Before the adoption of the decision, Japan implemented additional safeguards to guarantee that data transferred from the EU enjoy protection in line with European standards. This included:

  • a set of supplementary rules to bridge differences between the two data protection systems (specifically regarding sensitive data, the exercise of individual rights and cross border data transfers).
  • assurances from the Japanese government that the access of Japanese public authorities to personal data for criminal law enforcement and national security purposes would be limited to what is necessary and proportionate
  • a complaint handling mechanism to investigate and resolve complaints from Europeans regarding access to their data

Details from the International Association of Privacy Professionals.


A medical center contracted by an insurance company to provide examinations and studies to individuals covered by insurance may be a “data controller” under the EU General Data Protection Regulation (GDPR) says the Commission for the Protection of Personal Data of Bulgaria.

The CPPD determined that in the case before it, the medical center was a data controller and not a “data processor” because:

  1. The processing of personal data in connection with the carrying out of examinations and research cannot be carried out on behalf of the insurer (data controller) because such services are required, by law, to be carried out by an organization having the status of a “medical establishment” within the meaning of the Bulgarian Law on Medical Establishments.
  2. Special legislation in the field of healthcare provides for a number of obligations, measures, mechanisms, procedures and conditions for the protection of health information containing personal data which can not be delegated to a data processor.*

* summary based on an informal translation

View the original CPPD determination.