The European Data Protection Board (EDPB) is the joint coordination body of the EU data protection authorities. The EDPB provides guidance on the application of the EU Data Protection Regulation (GDPR). With the GDPR having come into force, the EDPB thus replaces the Art. 29 Data Protection Working Party (Art. 29 Group) which was established under the EU Data Protection Directive and other previously applicable data protection laws. More information about the EDPB can be found on its website.
Confirmation/endorsement of previous working papers and positions of Art. 29 Group
The Art. 29 Group had already published a whole series of working papers with application aids and interpretation notes on the new data protection regime before the GDPR actually became applicable. Some of the statements and conclusions of the Art. 29 Group were criticized as being not very practical and hardly feasible for business operations. At its first constituent meeting on 25 May 2018, the EDPB has now confirmed many of the previous positions of Art. 29 Group. The corresponding overview of the position papers adopted from the EDPB can be found here.
What are the practical consequences of positioning the EDPB?
Many of the interpretations of the GDPR published first by the Art. 29 Group and now endorsed by the EDPB are difficult to implement for companies in practice. The are regarded as excessively strict by many data protection practitioners. The positions of the EDPB are recommendations for the practical application of the GDPR. They have no binding effect for courts. Ultimately, these are views agreed between the different EU authorities – in other words, positions of an executive body which cannot replace EU laws, member state statutes or case law. And the courts, i.e. the judiciary, are not bound by these views of the administration.
However, it is to be expected that courts may very well take the EDPB’s requirements into account when applying and interpreting the GDPR. Companies should therefore be familiar with the position papers of Art. 29 Group and the EDPB when implementing the new EU data protection and, in individual cases, give careful consideration to the legal risks involved if they deviate from the requirements of the authorities. This will be important not only with regard to possible fines under Art. 83 GDPR, but above all in the case of claims for damages under Art. 82 GDPR. Many practitioners currently suspect that so-called warning lawyers could assert claims for injunctive relief and damages under the GDPR on a massive scale in future. A German language overview of the practical aspects of such claims for damages can be found here.
Checklists, working aids and a collection of German language material on the DSGVO for practical use can be found here.