EDPB opinion on ePrivacy

On 13 March 2019 European Data Protection Board (EDPB) published an important opinion on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities. EDPB also published a statement on the ePrivacy Directive.

In Chapter 7 EDPB draws interesting conclusions:

* Does the mere fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, limit the competences, tasks and powers of data protection authorities under the GDPR? In other words, is there a subset of data processing operations they should set aside, and if so when?

86. When the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent to scrutinize the data processing operations which are governed by national ePrivacy rules only if national law confers this competence on them, and such scrutiny must happen within the supervisory powers assigned to the authority by the national law transposing the ePrivacy Directive.
87. Data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy directive, does not limit the competence of data protection authorities under the GDPR.

* When exercising their competences, tasks and powers under the GDPR, should data protection authorities take into account the provisions of the ePrivacy Directive, and if so to what extent? In other words, should infringements of national ePrivacy rules be set aside when in assessing compliance with the GDPR, and if so when?

88. The authority or authorities that are appointed as competent in the meaning of the ePrivacy Directive by Member States is exclusively responsible for enforcing the national provisions transposing the ePrivacy Directive that are applicable to that specific processing operation, including in cases where the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive. Nevertheless, data protection authorities remain fully competent as regards any processing operations performed upon personal data which are not subject to one or more specifics rules contained in the ePrivacy Directive.
89. An infringement of the GDPR might also constitute an infringement of national ePrivacy rules. The data protection authority may take this factual finding as to an infringement of ePrivacy rules into consideration when applying the GDPR (e.g., when assessing compliance with the lawfulness or fairness principle under article 5(1)a GDPR). However, any enforcement decision must be justified on the basis of the GDPR, unless the data protection authority has been granted additional competences by Member State law.
90. If national law designates the data protection authority as competent authority under the ePrivacy Directive, this data protection authority has the competence to directly enforce national ePrivacy rules in addition to the GDPR (otherwise it does not).

* To what extent is the cooperation and consistency mechanisms applicable in relation to processing that triggers, at least in relation to certain processing operations, the material scope of both the GDPR and the ePrivacy Directive?

91. The cooperation and consistency mechanisms available to data protection authorities under Chapter VII of the GDPR, concern the monitoring of the application of GDPR provisions. The GDPR mechanisms do not apply to the enforcement of the national implementation of the ePrivacy Directive. The cooperation and consistency mechanism remains fully applicable, however, insofar as the processing is subject to the general provisions of the GDPR (and not to a “special rule” contained in the ePrivacy Directive).


Some reactions on twitter





More information:

Over Ellen Timmer, advocaat ondernemingsrecht @Pellicaan

Verbonden aan Pellicaan Advocaten, http://www.pellicaan.nl/, kantoor Rotterdam, telefoon 088-6272287, fax 088-6272280, e-mail ellen.timmer@pellicaan.nl ||| Weblogs: algemeen: https://ellentimmer.com/ || modernisering ondernemingsrecht: http://flexbv.wordpress.com/ ||| Motto: goede bedoelingen rechtvaardigen geen slechte regels
Dit bericht werd geplaatst in English - posts in English on this blog, ICT, privacy, e-commerce en getagged met , , . Maak dit favoriet permalink.

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen.

WordPress.com logo

Je reageert onder je WordPress.com account. Log uit /  Bijwerken )


Je reageert onder je Twitter account. Log uit /  Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit /  Bijwerken )

Verbinden met %s