The European Data Protection Board (EDSA) issues annual guidelines on the implementation and handling of the GDPR. These guidelines are binding for all member states and serve to ensure the uniform application of data protection regulations throughout the European Union.

In 2021, the EDSA has again published several guidelines on various topics.

Guideline 01/2020 – Processing of personal data in the context of connected vehicles and mobility-related applications

Click here to go to Guideline 01/2020. The Guideline 01/2020 deals with the ongoing digitalisation of vehicles and is aimed at car manufacturers and companies involved in the digitalisation of vehicles. Increasingly, sensors and networked on-board devices are being installed that can collect and record driving habits, places visited and possibly even the driver’s eye movements, pulse or biometric data. These data are unambiguously capable of identifying a natural person. The processing operations therefore require a legal basis under Article 6 of the GDPR in order not to be unlawful. The collection of data by law enforcement authorities to detect speeding or other violations is governed by Art. 10 GDPR. The technologies used shall be configured in such a way that the obligation to make data protection-friendly default settings pursuant to Art. 25 DSGVO is complied with. Prior to the processing of personal data, the data subject shall be informed in a transparent and comprehensible manner in accordance with Article 13 of the GDPR.

Guideline 09/2020 – The relevant and reasoned objection within the meaning of Regulation (EU) 2016/679

Click here to go to the Guideline 09/2020. Guideline 09/2020 sets out what the requirements are for an authoritative and reasoned objection within the meaning of EU Regulation (EU) 2016-679 in order for a supervisory authority to be able to object to the lead supervisory authority in cooperation procedures. Art. 4 No. 24 GDPR led to ambiguity as to what exactly constitutes a “relevant & reasoned” objection. A definition was necessary to guarantee consistent application by supervisory authorities. according to the EDSA, an objection is “relevant” if there is a direct link between the objection and the content of the draft decision in question. In particular, the objection must relate either to whether there is a breach of the GDPR or to whether the intended measure against the controller or processor complies with the GDPR. An objection is “well founded” if it contains clarifications and arguments as to why an amendment of the decision is proposed. It must also explain how the amendment would lead to a different conclusion as to whether there is a breach of the GDPR or whether the intended measure against the controller or processor is in compliance with the GDPR.

Guideline 08/2020 – The targeting of social media users

Click here to go to Guideline 08/2020. Guideline 08/2020 addresses the targeting services provided by the platform operator to target users of social media and is addressed to platform operators & natural or legal persons (“targetters”) who use these targeting services for advertising purposes. Targeting services enable natural or legal persons to send specific messages to social media users in order to promote commercial, political or other interests. The mechanisms used to target social media users and the underlying processing activities that enable targeting can pose significant risks. Both consent pursuant to Article 6 I lit. a DSGVO or legitimate interest pursuant to Article 6 I lit. f DSGVO play a greater role as a legal basis. Article 6 I 1 lit. b DSGVO cannot be used as a legal basis for online advertising merely because this advertising indirectly finances the provision of their services. The ECJ ruled that processing can only be based on legitimate interest if three cumulative conditions are met:

  • legitimate interest pursued by the controller or by the third party or parties to whom the data are disclosed
  • The processing of personal data is necessary to achieve the legitimate interest; and
  • no overriding of the fundamental rights and freedoms of the data subject.

The display of online betting advertisements on social media may fall within the scope of Article 22 GDPR, so that explicit consent becomes necessary. The personal data must be collected for specified, explicit and legitimate purposes pursuant to Art. 5 I lit. b DSGVO. The transparency obligations from Art. 12 – 14 of the GDPR and the right to information according to Art. 15 of the GDPR must be observed.

Guideline 02/2021 – Virtual Voice Assistants

Click here to go to Guideline 02/2021. In Guideline 02/2021, the EDSA refers to Virtual Voice Assistants (VVAs) and addresses companies that have already integrated these VVAs into products or want to integrate them. Due to the extensive integration of virtual voice assistants, they have access to intimate information that could affect individuals’ data protection & privacy rights if not operated properly. For the commissioning & consequently the lawful processing of personal data, consent according to Art. 6 DSGVO is required. Furthermore, the transparency requirements of the GDPR pursuant to Art. 5(1)(a), Art. 12 & Art. 13 of the GDPR must be complied with & the specification of a clear purpose of use is required in order to comply with the provision of Art. 5(1) of the GDPR. In order to use voice data to identify users, biometric data within the meaning of Article 4(14) of the GDPR must be processed, for which only explicit consent of the data subject can be considered. For the processing of personal data of children, Article 8(1) of the GDPR must be complied with if the legal basis for this arrangement is consent. VVA providers must also ensure that all user data, including data processed on the basis of legitimate interests of the VVA providers, can be deleted at the request of the user in accordance with Art. 17 of the GDPR.

Guideline on the notions of “controller” and “processor” in the GDPR

Click here to go to the Guideline. In the Guideline, the EDSA addresses the notions of “controller”, “joint controllers” and “processors”. These play a crucial role in the application of the General Data Protection Regulation (EU) 2016/679 (GDPR), as they determine who is responsible for compliance with the various data protection rules and how data subjects can exercise their rights in practice. The controller is defined in Art. 4 No. 7 of the GDPR, the processor in Art. 4 No. 8 of the GDPR. Decisions on non-essential means can be left to the processor. The controller must nevertheless specify certain elements in the processor agreement, such as security requirements. For example, an instruction to take all measures required under Article 32 GDPR. The provisions of Article 28 of the GDPR must be observed.

Guideline 10/2020 – Limitations of Art. 23 GDPR

Click here to go to Guideline 02/2021. Guideline 10/2020 deals with Article 23 of the GDPR, which allows member states to restrict obligations and rights under Articles 12 to 22 and Article 34 as well as Article 5 through legislation and is thus directly addressed to the member states of the EU. The protection of individuals from the processing of personal data is a fundamental right. Article 16(2) TFEU requires EU Member States to adopt provisions for the protection of individuals with regard to the processing of personal data. Article 23 of the GDPR is to be interpreted against this background.