Newsletter (90)

In a video address, European Data Protection Supervisor Wojciech Wiewiórowski (EDPS) announced that his conference, titled “The future of data protection: effective enforcement in the digital world”, will be held between 16 and 17 June 2022 in Brussels, Belgium.

Explaining in more detail the aim of his conference in a leaflet published on 15 November 2021, the EDPS seeks to bring together stakeholders from the digital regulatory sphere to reflect on and discuss enforcement models pertaining to data protection, competition, digital markets and services, artificial intelligence.

With his conference, the EDPS looks forward to encouraging, in particular, a constructive discussion on the different approaches to data protection enforcement. The conference also aims to facilitate the sharing of best practices in this area.

To find out more, read the EDPS’ Conference Leaflet and watch his video address, available on our website.

As part of the EU’s cybersecurity awareness month, the EDPS produced a short factsheet focusing on the different phishing methods that hackers may use to obtain your personal information.

Did you know that hackers might try to trick you into giving your personal data away by sending emails, text messages, using messaging apps, phone calls? Hackers may use these methods of communication to impersonate a governmental organisation or other legitimate entity that you may use or be in contact with on a regular basis.

The EDPS’ short factsheet, titled Stop, Think and Look, published on 28 October 2021, provides you with some of the tips and tricks to help you recognise phishing attempts so that you can protect your personal information.

Take a look at our factsheet, available on the EDPS website, to stay safe online.

The EDPS took part in the 43rd Global Privacy Assembly, hosted by the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) in Mexico, between 18 and 21 October 2021.

The Global Privacy Assembly, previously named International Conference of Data Protection and Privacy Commissioners, is an international forum with more than 130 data protection and privacy authorities.

The Supervisor, Director and EDPS colleagues participated in various online panels. Discussions ranged from the future of privacy and technology to individuals’ digital and privacy rights in a hyper-connected society. The topic of artificial intelligence, its challenges and opportunities, was also on the menu of discussions.

As the Global Privacy Assembly ended, a number of resolutions were adopted concerning:

• the Assembly’s Strategic Direction;
• data sharing for the public good;
• children’s digital rights;
• governments’ access to data; and
• the future of the Global Privacy Assembly.

To find out more about the 43rd Global Privacy Assembly, its reports and resolutions, please consult the following webpage on the EDPS website.

On 18 October 2021, the EDPS issued Formal Comments concerning Regulation (EU) 2021/953 on the Digital COVID Certificate and its technical specifications, in particular the introduction of a booster shot of the COVID-19 vaccine.

Many EU Member States have announced or have already started to administer COVID-19 vaccine doses in addition to the standard primary vaccination series, specifically to individuals who may not have responded adequately to the primary vaccination series. Additionally, EU Member States are considering ‘booster’ doses for individuals who responded adequately to the primary vaccination series. In this regard, special attention should be paid to the situation of vulnerable groups who may receive additional vaccination doses as a matter of priority.

The current Digital COVID Certificate Regulation provides for the number of vaccine doses received by an individual to be included on the Certificate itself. Therefore, conclusions may be drawn about an individual’s pre-existing health condition if the booster dose is indicated on their certificate, leading to an unnecessary or non-consensual disclosure of information related to an individual’s health.

The EDPS welcomes the European Commission’s proposed measures allowing EU Member States, if they decide to administer additional doses to specific groups of the population only, to consider issuing vaccination certificates indicating the administration of such additional dose only upon request and not automatically, since Regulation (EU) 2021/953 offers this flexibility.

By extension, the EDPS supports the fact that individuals concerned will not be required to produce a certificate indicating that they have received a booster dose when exercising their right to free movement within the EU. Such condition will remain valid until EU Member States limit the acceptance of vaccination certificates issued following the completion of the primary vaccination series for the purposes of free movement, if scientific evidence prove that protection afforded by the primary vaccination series decreases below a certain level after a certain period.

Concluding his Formal Comments, the EDPS reiterates the importance of only processing individuals’ data, in this case health data, that is necessary for the purpose envisaged.

Read Formal Comments in English, French and German.

On 13 October 2021, Head of the EDPS’ Technology and Privacy Unit, Thomas Zerdick, contributed to a lecture held at the University of Maastricht in the context of the “Advanced Master in Privacy, Cybersecurity, Data Management and Leadership” course.

During this lecture, Thomas Zerdick exchanged with students on the topic of synthetic data, a technology recently explored in an IPEN webinar. Subsequent discussions were also held on how to ensure that data protection is embedded throughout the different stages of a technology’s development to protect individuals’ privacy.

As a Head of Unit at the EDPS, Thomas Zerdick was able to give an insight into the challenges and opportunities that data protection authorities may face now and in the coming years. To this end, he also presented the EDPS’ technology monitoring and foresight efforts, such as its latest initiative, TechSonar.

As the lecture drew to a close, Thomas Zerdick reiterated that it is crucial to properly enforce data protection legislation as a fundamental building block of the EU’s digital sovereignty efforts.

The EDPS looks forward to continuing discussions with various actors in the field of data protection as part of its work.

The EDPS’ Supervision and Enforcement Unit (S&E) pursued their successful training sessions with an online training delivered to the Directorate‑General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA), on 12 October 2021.

With 65 participants attending the online training, S&E colleagues provided an overview of the data protection principles and rules that DG FISMA should apply in their day-to-day operations, such as sending out newsletters; organising events and conferences; selecting experts.

The training session also focused on the concept of consent, more precisely how DG FISMA should ensure that individuals’ consent to the processing of their personal data is specific, informed and freely given.

During the second part of the training session, S&E colleagues reiterated the importance of communicating to the EDPS if a data breach occurs and the steps to take to protect individuals’ personal data in this context.

The topic of Data Protection Impact Assessments (DPIA) was also touched on. S&E colleagues detailed the steps and purpose of a DPIA, which is to analyse and plan any measures to mitigate the risks that certain processing operations of individuals’ personal data may entail.

To keep the online training session interactive, S&E colleagues prepared online questionnaires and polls for attendees to participate in. This initiative received positive feedback.