Data Protection Weekly 43/2022

Oct 28, 2022

European Union 

EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority 

The targeted update and this public consultation concern paragraphs 29-34 and points ii. and iii. under 2.d. of the Annex (marked in yellow in the document). Such comments on the updated parts only should be sent on 2nd December 2022 at the latest using the provided form. 

This consultation is important because as it is, the GDPR does not specifically deal with the issue of designating a lead supervisory authority in cases of joint-controllerships.

The document is available here.


National Authorities


The German state of Baden-Wurttemberg highlights the legal uncertainties on President Biden’s executive order on US-EU data transfer 

Despite the positive development and issuing of the Executive Order, the state commission for data protection (Der Landesbeauftragte für den Datenschutz und Informationsfreiheit -LfDI) has identified considerable legal uncertainties. 

In its press statement, the head of LfDI Dr. Stefan Brink sees considerable legal uncertainties. These include: 

  • The very nature of an executive order which is an internal instruction to the government and subordinate authorities and is not a law that has been passed by Congress. Therefore, it would not be an effective instrument for implementing the requirements of the GDPR 
  • Compliance with a mere executive order is not enforceable, especially for EU citizens 
  • How it would relate to the Cloud Act 
  • Differences between the interpretation of the legal concept of proportionality in the U.S. and the EU 
  • The establishment of a Data Protection Review Court under the Attorney General’s Order within the DOJ is a source of conflict and will be contrary to judicial independence 
  • It is vital to recognise that the Court of Justice of the European Union (CJEU) in Schrems II had not only demanded legal remedies against state spying, but also an end to warrantless surveillance itself. 


United Kingdom: ‘Biggest cyber risk is complacency, not hackers’- UK Information Commissioner issues warning as construction company fined £ 4.4 million 

The UK Information Commission (ICO) has warned that companies are exposing themselves to cyber-attacks by ignoring critical measures like updating software and staff training. 

The warning comes as ICO issued a fine of £4.4 million to Interserve Group Ltd, a construction company, for failing to keep personal information of its staff secure, which amounted to a breach of Data protection law. 

The ICO found that the company failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.