The European Data Protection Board (EDPB) released its 2023 Annual Report. The report highlights key achievements, including the adoption of binding decisions and the launch of outreach projects like the EDPB Data Protection Guide for small businesses. It also showcases enforcement actions by national data protection authorities (DPAs) and emphasizes efforts to raise awareness of the GDPR. EDPB Chair Anu Talus expressed pride in the EDPB’s work, focusing on developing guidelines, enhancing cooperation among DPAs, and shaping the digital landscape to protect individuals’ rights.
***
On the same topic, the EDPB has outlined its strategy for 2024-2027, focusing on four pillars: enhancing harmonization and promoting compliance, reinforcing a common enforcement culture, safeguarding data protection in the digital landscape, and contributing to the global dialogue on data protection. Chair Anu Talus emphasizes the collaborative effort of EU DPAs in setting common priorities. Over the next four years, the EDPB will prioritize compliance promotion, enforcement cooperation, and addressing challenges posed by new digital laws and technologies. Additionally, the EDPB has adopted Rules of Procedure and public information notes to facilitate the implementation of redress mechanisms under the EU-US Data Privacy Framework (DPF), focusing on complaints regarding national security or commercial purposes for data transmitted after July 10, 2023.
***
Further to the above, the EDPB issued “Information Note on the redress mechanism for EU/EEA individuals in relation to alleged violations of U.S. law with respect to their data collected by U.S authorities competent for national security”. According to the Note, “complaints have to be sent to the national EU/EEA data protection authority competent for the individual (‘DPA’)”. “The EU/EEA national DPA will verify the identity of the individual complainants” and then “ if the complaint is found complete, the DPA will transmit it, in an encrypted format, to the Secretariat of the European Data Protection Board”. “The latter will then transmit it, in an encrypted format, to the U.S. authorities that are competent to handle the complaint, namely the Office of the Director of National Intelligence’s Civil Liberties Protection Officer (‘CLPO’)”.
***
The Finnish supervisory authority (Tietosuojavaltuutetun toimisto) considered that the controller was entitled to store the data subject’s personal data for two years after the end of the recruitment process. Since a work discrimination claim might be filed within two years, the DPA stated that if the controller deleted the personal data earlier than that, it would not be able to defend itself against possible discrimination claims.
Comments are closed.