The European Data Protection Board (EDPB) has issued its annual report for 2018. The report provides information on the EDPB’s work in the first seven months after the GDPR entered into force and outlines the EDPB’s plans for the future.
Since the coming into force of the GDPR on 25 May 2018, the European Data Protection Board (EDPB) has been tasked with ensuring consistent application of the GDPR across the EEA and promoting effective cooperation between the national supervisory authorities. The EDPB replaced the Article 29 Working Party and is composed of representatives of the national supervisory authorities, including the Danish Data Protection Agency.
The EDPB recently issued its annual report for 2018, taking stock of its work and activities in 2018. These activities e.g. included:
The report further describes a number of decisions made by the national supervisory authorities after the GDPR took effect.
In early 2019, the EDPB adopted a two-year work programme for 2019-2020, which is also mentioned in the report. The work programme describes the EDPB’s intention to adopt more guidelines as well as its focus areas, including data subjects’ rights and the controller’s legitimate interest.
The annual report of the EDPB can be read here.
The content of the above is not, and should not be a substitute for legal advice.
Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.
Access to work emails? Can a request to access data be too extensive?
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.