EDPL Data Protection Insider 25.11.2021

-  The Right of Access to the EPSO Exam Weighting Coefficients: JR v the European Commission - 

On 1st December, the CJEU ruled on the question of the right of an EPSO applicant to have access not only to the exam grade given to them, but also to the weighting coefficients which formed the final grade. As to the facts of the case, the applicant passed an EPSO written and oral exam, and was informed of the final grades of the two exams. In addition to the information provided in the notification of the grade, the applicant requested access also to the weighting coefficients of the different components of the oral exam, i.e. what factor each one played in forming the final grade. The Commission adopted a formal decision, refusing access to this information. The applicant decided to challenge this Decision in Court, evoking their right of access to their personal data in Article 17 Regulation 2018/1725. The Court noted that the applicant is implicitly raising a claim also under Regulation 1049/2001 on public access to documents of the EU administration, including of the Commission. The Court ruled that Regulation 2018/1725 is not applicable in casu, because the weighting coefficients do not constitute personal data. However, it ruled that access to the weighting coefficients should have been disclosed on the basis of Regulation 2001/1049, e.g. by redacting other information in the document containing these coefficients, which could be covered by obligations of secrecy. We note that the ruling is likely to contribute to the ongoing academic debate about the scope of the right of access to one’s personal data.

Read more: https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-213208%22]}

- EDPB Guidelines on the Relationship between Article 3 and Chapter V -

On 18th November, the EDPB adopted ‘Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR’. According to the EDPB, the Guidelines aim to clarify ‘[the] interplay between Article 3 [concerning territorial scope] and the provisions of the GDPR on international transfers in Chapter V in order to assist controllers and processors in the EU in identifying whether a processing constitutes a transfer to a third country or to an international organisation and, as a result, whether they have to comply with the provisions of Chapter V of the GDPR.’ In this regard, the EDPB cover the following ground: i) ‘Criteria to Qualify a Processing as a Transfer of Personal Data to a Third Country or to an International Organisation’; and ii) ‘Consequences [of this Qualification]’. Whilst the Guidelines are short, they contain much in terms of substance and should be read by anyone interested in international transfers under the GDPR. Of interest, for example, will likely be: i) the criteria elaborated by the EDPB for the identification of the existence of a ‘transfer of personal data to a third country or to an international organisation’; and ii) the differentiated functionality of Article 3 in relation to transfers outside the EU which do not constitute ‘transfer[s] of personal data to a third country or to an international organisation’ and to those which do constitute ‘transfer[s] of personal data to a third country or to an international organisation. Given the brevity of the Guidelines, further clarification and more extensive argumentation would be welcome in many places – for example concerning the EDPB’s statement, in their criteria, that a transfer may exist when a ‘controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor’. The Guidelines will be open for public consultation until end of January 2022.

Read more: https://edpb.europa.eu/system/files/2021-11/edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf

- Advocate General Delivers Opinion on Data Retention and Market Abuse -

On 18th November, Advocate General Campos Sánchez-Bordona delivered their Opinion in Joined Cases VD (C‑339/20) and SR (C‑397/20). The cases essentially revolved around the legitimacy of legislation requiring telecommunications providers to engage in general data retention schemes to allow authorities responsible for market abuse to be able to effectively investigate and prosecute those involved. Relying heavily on the CJEU’s judgment in La Quadrature du Net, and the relevant distinctions made in that case between ‘national security’ and other forms of crime in relation to the legitimacy of data retention schemes, the Advocate General suggested the Court 'should [consider the issues]…as follows: (1) Article 12(2)(a) and (d) of Directive 2003/6/EC of the European Parliament and of the Council of 28 January 2003 on insider dealing and market manipulation (market abuse), and Article 23(2)(g) and (h) of Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC, must be interpreted as meaning that they preclude national legislation which imposes on electronic communications undertakings an obligation to retain traffic data on a general and indiscriminate basis in the context of an investigation into insider dealing or market manipulation and abuse…(2) A national court cannot limit in time the effects of the incompatibility with EU law of domestic legislation which imposes on providers of electronic communications services an obligation to retain traffic data on a general and indiscriminate basis which is incompatible with Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, and which allows the administrative authority responsible for carrying out investigations into market abuse to secure the disclosure of connection data without prior review by a court or an independent administrative authority.’ The Opinion is closely related to Opinions delivered, by the same Advocate General, on the same day, in other cases: Cases C‑793/19, SpaceNet, C‑794/19, Telekom Deutschland, and C‑140/20, Commissioner of the Garda Síochána and Others.

Read more: https://curia.europa.eu/juris/document/document.jsf;jsessionid=690E46897182EDCEEA7A06F9B644D000?text=&docid=249524&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=989460

- European Commission Send Belgium a Reasoned Opinion concerning Belgian DPA Independence -

On 12th November, the European Commission sent the Belgian Government a reasoned opinion as concerns the issue of the independence of the Belgian DPA. At the core of the problem lie the allegations that some members of the DPA are not free from external influence, because they report to some governmental entity, or because they are members of the Information Security Committee, or because they have participated in COVID – 19 contact tracing projects. The reasoned opinion is a consequence of the fact that the Belgian government’s response to the Commission’s formal notice of 9th June 2021 ‘did not address the issues raised in the letter of formal notice and the members concerned have remained in their posts.’ If Belgium does not rectify the situation within two months, the Commission may refer the case to the CJEU.

Read more: https://ec.europa.eu/commission/presscorner/detail/en/inf_21_5342

- EDPB Agenda for 57th Plenary -

On 18th November, the EDPB held its 57th Plenary. Several substantive issues were discussed. The agenda included the following points which may be of interest:

‘2. Consistency mechanism and Guidelines’
‘2.1. Guidelines on the interplay between Article 3 and Chapter V’
‘2.2. Internal Guidelines on the practical implementation of amicable settlements’
‘3. Current Focus of the EDPB Members’
‘3.1. Handling of access requests concerning cooperation procedures – request for mandate’
‘3.2. 101 Taskforce’
‘4. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat’
‘4.1. Statement on Digital and Data Strategy’
‘4.2. Follow-up and next steps on the EDPB report to LIBE Committee - request for mandate’
‘4.3. Preparation of a letter on the EU AML/CFT proposal – request for mandate’
‘4.4. EDPB reply to the UN letter sent to the EDPB Chair on 15 July 2021’
‘4.5. Letter to ENISA regarding EUCS compatibility with Schrems II’

At the time of writing, only the agenda of the meeting was available. More information on the meeting may be made available on the EDPB website in the following days.

Read more: https://edpb.europa.eu/system/files/2021-11/20211118plen1.2agenda_public.pdf

- COVID Testing Provider Investigated regarding the Sale of Data -

According to inews, the Covid testing provider Cignpost Diagnostics ‘is being investigated by the UK’s data privacy watchdog over plans to sell customer’s DNA for medical research’. The media outlet reports that, according to documents seen by the Sunday Times, the provider had plans to analyse collected data or to sell data to third parties. Allegedly, the informed consent signed by customers included ‘links to another document outlining the research programme’ – although the relevant parts of the consent form have now allegedly been removed. Cignpost assert that they acted in full compliance with the law, have ‘robust systems and processes [in place] to ensure we protect…customers…[and that] protecting…data is paramount for [the] organisation’ The ICO are now investigating. Whilst there is surely a long way to go before anything is confirmed, and before any actions is taken, the progress of the case will be interesting to follow.

Read more: https://inews.co.uk/news/covid-testing-provider-investigated-watchdog-plans-sell-customers-dna-samples-medical-research-1299909

Never miss a DPI again !
In our online library you can always have a second look on all Data Protection Insider Issues already been published.
Visit online library: https://dev.lexxion.eu/en/dpi/

Recommend this newsletter. If you were forwarded this email, subscribe here https://dev.lexxion.eu/en/newsletter/

Lexxion Verlagsgesellschaft mbH
Güntzelstr. 63
10717 Berlin
Deutschland

+49-(0)30-814506-0

www.lexxion.eu

We sincerely apologize if you find this email an intrusion of your privacy or a source of inconvenience to you. If you would like to unsubscribe from the newsletter service, please click here: Manage Subscriptions:

Terms https://dev.lexxion.eu/en/terms-conditions/ | Privacy https://dev.lexxion.eu/en/data-protection/