EDPB launches consultation on guidance on certification criteria assessment
The EDPB launched, on 14 April 2021, a public consultation on the guidance on certification criteria assessment.
For the EDPB, this guidance should be read in line with the Guidelines 1/2018 on certification and identifying certification criteria according to Articles 42 and 43 of the Regulation and Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the GDPR.
The new guidance aims to refine parts of the Guidelines 1/2018 in order to assist stakeholders involved in drafting certification criteria, and to help supervisory authorities provide consistent evaluations when approving certification criteria (for both national schemes and EU data protection seals).
It also outlines a non-exhaustive list of recommendations and states that the assessment of certification criteria will be carried out on a case-by-case basis.
Comments can be submitted via the online form by 26 May 2021.
EDPB welcomes with vigilance UK adequacy finding
The EDPB released, on 15 April 2021, its opinions on the European Commission’s draft decision that the UK ensures an adequate level of protection for personal data.
For the EDPB, the UK’s adequacy assessment is unique given that the UK was an EU Member State until recently, and the EDPB therefore acknowledges that there are many areas of convergence between the UK and EU regimes. However, a number of “challenges” still remain.
DPC launches inquiry into Facebook following publication of dataset online
The DPC announced, on 14 April 2021, that it had launched an inquiry pursuant to Section 110 of the Data Protection Act 2018 into Facebook Ireland, following the availability of a dataset online. Having considered the information provided by Facebook Ireland, the DPC considers that provisions of the GDPR may have been, or are being, infringed.
You can read the press release here.
A decision should be taken before 15 May 2021.
You can read the press release, only available in German, here.
AEPD fines Vodafone Spain €150,000 for unlawful data processing
The AEPD issued, on 13 April 2021, a decision in proceeding PS/00085/2021, fining Vodafone España, S.A.U. €150,000 for sending SMS with invoices to the claimant, despite the termination of their contractual relationship.
The claimant had previously requested the deletion of their personal data upon termination of their telephone contract. By continuing to process the individual’s personal data without a legitimate purpose, Vodafone violated Article 6(1) of the GDPR.
You can read the decision, only available in Spanish, here.