Privacy News 19/11/2021

by | Nov 22, 2021

European Union

EDPB publishes guidelines on the interplay between the application of Article 3 and Chapter V of the GDPR

The EDPB published, on 19 November 2021, its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.

These guidelines aim to clarify the interplay between Article 3 of the GDPR and the provisions on international transfers in Chapter V in order to assist controllers and processors in the EU in identifying whether data processing constitutes a transfer to a third country or to an international organisation and, as a result, whether they have to comply with the provisions of Chapter V of the GDPR.

3 cumulative criterias are identified in the guidelines to qualify a data processing as a transfer:

  • a controller or a processor is subject to the GDPR for the given processing;
  • this controller or processor discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor;
  • the importer is in a third country or is an international organisation, irrespective of whether or not it is subject to the GDPR in respect of the given processing in accordance with Article 3.

You can read the guidelines here.

 

National Authorities

CNIL publishes guide for DPOs

The CNIL published, on 16 November 2021, a guide on the role of the DPO under the GDPR.

The guide focuses on the role of the DPO, the designation and the independance of the DPO, the exercise of the tasks of the DPO…

You can read the press release here and the guide here, both only available in French.

CNIL adopts standard on health data warehouses

The CNIL announced, on 17 November 2021, that it had adopted a new standard on the processing of data within health data warehouses.

The standard specifies the application of the GDPR to health data warehouses, providing rules and guidance as to key compliance areas including data retention, transparency, data subject rights, data security, vendor management, data transfers, and DPIAs.

You can read the press release here and the standard here, both only available in French.