In our last newsletter of 2021, read our TechDispatch on card-based payments; find out more about pseudonymous data; catch up on our latest EDPS-DPO meeting; and more!
In this issue
Pseudonymous data: processing personal data while mitigating risks
The first rule in data protection is: if you do not need personal data, do not collect personal data.
I believe that the second rule in data protection is: if you really need personal data, then start by pseudonymising this personal data.
Pseudonymisation is a foundational technique to mitigate data protection risks. The EU’s personal data protection legislation defines pseudonymisation as the processing of personal data in such a way that this data can no longer be attributed to a specific individual, without the use of additional information.
To explore the topic in more detail, we held an IPEN webinar on 9 December 2021, titled Pseudonymous data: processing personal data while mitigating risks. We focused on the practical use of pseudonymisation techniques to mitigate these data protection risks when processing personal data. Our aim was to provide an opportunity to increase awareness of existing guidance, explore options and challenges, and offer organisations an understanding of the tools and advice available to implement pseudonymisation effectively.
The video recordings and speakers' presentations of each session are available on the IPEN webinar webpage.
Continue to read this blogpost, published on 21 December 2021, written by the Head of the EDPS' Technology and Privacy Unit, Thomas Zerdick.
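As an added illustration of the definition above (example code written for this newsletter, not an EDPS or IPEN tool; the records, field name and key are constructed), the following Python snippet replaces a direct identifier with a keyed pseudonym and keeps the re-identification table, the "additional information", apart from the dataset:

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional) holding a direct identifier.
RECORDS = [
    {"employee_id": "EMP-0001", "dept": "IT", "sick_days": 3},
    {"employee_id": "EMP-0002", "dept": "HR", "sick_days": 0},
    {"employee_id": "EMP-0001", "dept": "IT", "sick_days": 1},
]


def pseudonym_for(identifier, key):
    """Keyed HMAC-SHA256 of the identifier, truncated to 16 hex characters.

    Without the secret key, nobody can rebuild the pseudonym from a guessed
    identifier, unlike a plain, unkeyed hash over a small ID space.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key, field="employee_id"):
    """Replace the direct identifier in each record with a pseudonym.

    Returns (pseudonymised_records, lookup_table). The key and the lookup
    table are the 'additional information' needed to re-attribute the data;
    they must be stored separately from, and with stricter access than, the
    pseudonymised dataset. The same person still maps to the same pseudonym,
    so records remain linkable for analysis (a residual risk to assess).
    """
    lookup = {}
    out = []
    for rec in records:
        p = pseudonym_for(rec[field], key)
        lookup[p] = rec[field]
        out.append({**rec, field: p})
    return out, lookup


def reidentify(pseudonym, lookup):
    """Re-attribute a pseudonym; only possible for whoever holds the table."""
    return lookup.get(pseudonym)


def is_linkable_without_key(pseudonym, guessed_identifier):
    """Check whether an unkeyed hash of a guessed ID matches the pseudonym."""
    return hashlib.sha256(guessed_identifier.encode()).hexdigest()[:16] == pseudonym


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept with the table, not the data
    pseudo, table = pseudonymise(RECORDS, key)
    for rec in pseudo:
        print(rec)
    print("re-identified:", reidentify(pseudo[0]["employee_id"], table))
```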
TechDispatch #2/2021 - Card-based Payments
In recent years, citizens have adopted many new technologies that facilitate payments; this increase has accelerated further due to the COVID-19 pandemic. Consumers and businesses are looking for a simpler, more personalised, and more economical way of conducting their day-to-day transactions. Cash payments are being replaced by cashless payments via an ever-growing landscape of emerging solutions: beyond debit cards or credit cards, contactless payments using Near Field Communication (NFC) or Quick Response (QR) technologies and cardless payments via smartphone apps are just a few examples of new card-based payment methods.
In our TechDispatch published on 21 December 2021, we explore the data protection issues and challenges of card-based payments.
EDPS-DPO meeting: protecting individuals’ data during COVID-19
On what should have been the 50th EDPS-DPO meeting with the 69 data protection officers (DPOs) of the EU institutions, bodies and agencies (EUIs), we held a second 49th EDPS-DPO meeting online, on 14 December 2021. The meeting led to fruitful discussions on how to protect individuals’ personal data in times of COVID-19.
Our Supervisor started the meeting with an overview of the most recent and important developments and achievements of the EDPS and the EDPB. The Supervisor also touched on his plans for his upcoming Conference on 16-17 June 2022; he invited all DPOs to attend this event to contribute to the discussions on the future of data protection.
The meeting continued with two workshops, one on manual contact tracing and another on access control, both organised with the invaluable help of the DPO support group. During both workshops, we reviewed the EDPS’ guidance on COVID-19 matters and the EUIs’ current practices.
This productive and successful meeting would not have been possible without the active participation of the EDPS’ Supervision & Enforcement Unit, the EDPS’ Technology & Privacy Unit, the DPO support group, and of course all of the EUIs’ DPOs.
Online talk on personal data breaches
With personal data being processed by European institutions, bodies, offices and agencies (EUIs) in their day-to-day work, the EDPS aims to frequently raise awareness of various data protection issues.
As such, the Technology and Privacy Unit of the EDPS delivered an online talk, hosted by the European School of Administration, for staff members of EUIs, on personal data breaches and data breach notifications, on 9 November 2021.
A personal data breach is a security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
According to Regulation (EU) 2018/1725, all EUIs must notify personal data breaches to the EDPS, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, the EUI in question must also inform the individuals concerned without undue delay.
While presenting the requirements related to personal data breach notifications, this online talk focused on examples of common personal data breaches notified by the EUIs to the EDPS since 2018. Examples of these data breaches include errors in postal mail or emails, errors when handling transparency and access-to-documents procedures, technical errors and the effects of external attacks.
With more than 150 participants attending the online talk, discussions focused on common mistakes related to handling and assessing personal data breaches, and the measures to put in place to both prevent and address personal data breaches.
This online talk follows previous activities of the EDPS’ Technology and Privacy Unit to raise awareness on handling and notifying personal data breaches, including the EDPS’ factsheet and video on personal data breaches, titled Personal data breaches in a Nutshell.
EDPS Prior Consultation: remote invigilation of recruitment procedures
Adapting to the outbreak of COVID-19, some of the European institutions, bodies and agencies (EUIs) have carried out some of their recruitment and selection procedures - including written and practical tests - remotely.
In light of this, an EUI consulted the EDPS on the possibility of having an external contractor, based in the EU, invigilate the remote exams that are part of the EUI’s selection and recruitment procedure. Such a process may require the external invigilator to process personal data, for example by asking candidates sitting the tests for their ID.
The EDPS therefore summarised its recommendations to the EUI in an Opinion published on 26 October 2021.
In this Opinion, the EDPS advises the EUI to:
- identify the risks for candidates’ personal data and to plan any measures to mitigate such risks;
- monitor the evolution of the COVID-19 pandemic to assess whether or not invigilating written tests, or any other aspects of the EUI’s selection procedure, remotely is necessary;
- make sure that the processing envisaged is necessary, lawful and justified, according to the conditions laid down in Article 5 of Regulation (EU) 2018/1725 - the data protection regulation for EUIs - for the task(s) at hand.
In addition, the EDPS recommends that the EUI assesses how likely it is for special categories of personal data - for example data concerning health, or data revealing racial or ethnic origin - to be disclosed during the invigilating phase of the recruitment procedure. Not only should the level of such risk be determined and mitigating measures planned by the EUI in question to protect candidates, but the processing of special categories of data should also be justified, lawful and necessary for the task(s) at hand, according to Article 10 of Regulation (EU) 2018/1725.
Following these recommendations, the EUI has three months to implement the EDPS’ advice and to provide an updated Data Protection Impact Assessment before any processing of individuals’ personal data occurs.
Keeping consumers safe
To ensure that individuals living in the EU, Iceland, Liechtenstein, Norway and Switzerland (EFTA countries) can buy products that are safe to use, market surveillance bodies of these countries share information and expertise to monitor whether non-compliant products are on the EU/EFTA market and to remove them when necessary. Collaboration between EU and EFTA countries is facilitated through an IT platform, the Information and Communication System on Market Surveillance (ICSMS).
Using this platform may involve the exchange of individuals’ personal data, for example information on the manufacturer of the product, which may lead to the identification of a person or people. As such, the EDPS issued Formal Comments concerning the functioning of the ICSMS on 22 October 2021.
Should personal data be exchanged, stored, or processed in any other way, when monitoring the safety of products, the Regulation governing the ICSMS must specify the purpose for which this personal data may be processed, the categories of personal data that may be processed and for how long, writes the EDPS in his Formal Comments.
Examining other data protection provisions included in the draft Regulation on the ICSMS, the EDPS welcomes the consistency of these provisions with the Regulation on the European Union Single Window Environment for Customs. The EU Single Window Environment for Customs’ Regulation seeks to facilitate collaboration between EU countries’ authorities involved in customs controls and trade.