Where better to discuss the important issue of archiving and data protection than the Historical Archives of the European Union in Florence! This was the location of the 46th meeting of Data Protection Officers (DPOs) within the EU institutions and bodies, which took place on 6 and 7 November 2019.
The essence of data protection is of course about protecting the rights and freedoms of individuals, but this does not mean that data protection and archiving in the public interest have to be at odds. On the contrary, archives keep public administrations, governments and society at large accountable, and efficient data protection safeguards support effective records and archives management.
I had the pleasure of kicking off the meeting and giving the floor to the Head of the EDPS Supervision and Enforcement Unit, who presented the results of a survey launched when the new Regulation came into force, along with an online annotated version of Regulation 2018/1725, thanks to which the DPOs will be able to look up the EDPS’ interpretation of the Regulation, article-by-article. I am very grateful to the Supervision and Enforcement team for providing our hard-working DPOs with this great knowledge management tool.
A case study on consent and cookies followed, based on a recent landmark ruling by the Court of Justice known as Planet49. The judgment, published on 1 October 2019 (and covered in our October Newsletter), helped to provide clarification on the topic of consent, confirming that pre-ticked checkboxes authorising the use of cookies and similar technologies do not constitute valid consent under the e-Privacy Directive and the GDPR. It does not matter whether the cookies collect personal data or not, the consent rule applies to any information stored and accessed in an individual’s device.
Raising awareness about mobile applications was the priority for the EDPS IT Policy Unit. Mobile apps often provide a richer experience than traditional websites and therefore attract the ever-increasing number of users who spend the majority of their time on the internet on their mobile phones. The session covered best practices for data protection in mobile apps. The concept of Progressive Web Apps (PWA) and their potential to improve data protection compliance in practice was particularly interesting.
The first session of the afternoon was devoted to the topic of archives. The head of the Record Management Sector of the EDPS gave a presentation on archiving and data protection, which was followed by a lively discussion of a mixed audience of EU DPOs and archiving specialists. The EDPS strongly believes that archivists and DPOs should work towards the same objective: leading the EU institutions in their efforts towards accountability.
Last but not least, the EDPS Supervision and Enforcement Unit held a session on outsourcing. The presentation focused on contracts with IT service providers and practical examples of good and bad practices in a case study. As both controllers and processors are accountable, contractual terms that do not comply with the Regulation may lead to loss of control and jeopardise the rights of individuals.
I closed the meeting with a short summary on recent developments in the European Data Protection Board relevant to the DPOs and with a personal tribute to Giovanni Buttarelli, reaffirming the EDPS’ commitment to honouring and continuing his legacy.
I would like to express my gratitude to the 67 DPOs of EU institutions and bodies who took part in the meeting with the EDPS, with special thanks to the DPO team of the EDPS, Massimo Attoresi and Marco Moreschini, who help me every day, as Head of Administration and Data Controller, to comply with the requirements of Regulation 2018/1725.