The 49th meeting of the EDPS and the European institutions, bodies and agencies’ network of data protection officers (DPO) took place on 4 June 2021.
I am proud that we managed to organise, with the precious help of a number of DPOs from a support group, two rounds of online workshops on different topics of interest for our DPO colleagues. With these online workshops, we try to recreate the interactive and dynamic environment akin to our traditional in-person meetings pre-COVID-19.
Our first workshop focussed on the EDPS Guidelines on personal data breach notifications. DPOs shared both their practical experiences with the personal data breach process and their expectations when notifying personal data breaches to the EDPS, including the feedback provided by the EDPS following a breach notification. DPOs also identified areas in which more specific guidance and support from the EDPS is needed and we took good note of this.
The second workshop was dedicated to the use of software alternatives to large-scale providers. Two case studies were presented to kick off the discussions. The first case study addressed issues stemming from procurement procedures of a typical large-scale vendor in the context of an EU institution’s activities. The second one reviewed a successful migration to an alternative offering based on free software. DPOs exchanged their views on the feasibility and the pros and cons of software alternatives from a data protection compliance perspective.
International transfers and cloud services were the central issues discussed during the third workshop. EDPS staff presented their findings and planned actions for the future. During the follow-up discussions, DPOs shared their practical experiences of the reporting exercise on transfers of data to non-EU countries ordered by the EDPS following the “Schrems II” Judgement and, in general, with transfers of personal data to non-EU countries. They also shared their experiences of looking for possible and pragmatic solutions to the challenges faced by all EUIs in this area.
The purpose of the fourth workshop was to reinforce trust and to improve communication between the EDPS and DPOs for better cooperation. Areas for improvement were explored as well as practical solutions for a stronger and more efficient way of working together. DPOs of law enforcement agencies met in a separate virtual room to discuss the same topic but from a different angle, taking into account the specificities of their respective core businesses and their legislative framework on data protection.
The challenges and opportunities for DPOs when dealing with data protection impact assessments (DPIAs) was another unmissable hot topic of our workshops. Participants raised issues related to prior consultations addressed to the EDPS for processing operations considered high risk for individuals. The optimal level of detail required when drafting DPIAs, the support available for this drafting and the criteria to identify processing operations presenting high risk(s) to individuals’ personal data were some of the issues discussed.
I believe that the interactive setup of these workshops - organised jointly with the DPO support group - was very beneficial both for the network of DPOs and for the EDPS as it made possible many interesting exchanges and the identification of best practices. At the EDPS, we are convinced that cooperating closely with the DPO network is the way forward to be able to face many upcoming challenges in data protection efficiently and collectively. I am looking forward to celebrating the golden jubilee - the 50th anniversary meeting of the EDPS-DPO network this autumn!