European Data Protection Board - Thirty-seventh Plenary session: Guidelines controller-processor, Guidelines targeting social media users, taskforce complaints CJEU Schrems II judgement, taskforce supplementary measures

4 September 2020

The Board adopted Guidelines on the concepts of controller and processor in the GDPR and Guidelines on the targeting of social media users. In addition, the EDPB created a taskforce on complaints following the CJEU Schrems II judgement and a taskforce devoted to the supplementary measures that data exporters and importers can be required to take to ensure adequate protection when transferring data in light of the CJEU Schrems II judgement.

The Board adopted Guidelines on the concepts of controller and processor in the GDPR. Since the entry into application of the GDPR, questions have been raised as to what extent the GDPR brought changes to these concepts, particularly regarding the  concept of joint controllership (as laid down in Article 26 GDPR and following several CJEU rulings), as well as the obligations for processors (in particular Article 28 GDPR) laid down in Chapter IV of the GDPR. 

In March 2019, the EDPB together with its Secretariat organised a stakeholder event, which made clear that there was a need for more practical guidance and allowed the Board to better understand the needs and concerns in the field. The new Guidelines consist of two main parts: one explaining the different concepts; the other including detailed guidance on the main consequences of these concepts for controllers, processors and joint controllers. The Guidelines include a flow chart to provide further practical guidance. The Guidelines will be subject to public consultation. 

The EDPB adopted Guidelines on the targeting of social media users. The Guidelines aim to provide practical guidance to stakeholders and contain various examples of different situations so that stakeholders can quickly identify the ‘scenario’ that is closest to the targeting practice they intend to deploy. The main aim of the Guidelines is to clarify the roles and responsibilities of the social media provider and the targeted individual. To this purpose, the Guidelines, among others, identify the potential risks for the freedoms of individual, the main actors and their roles, the application of key data protection requirements, such as lawfulness and transparency and DPIA, as well as key elements of arrangements between social media providers and the targeted individuals. In addition, the Guidelines focus on the different targeting mechanisms, the processing of special categories of data and the obligation for joint controllers to put in place an appropriate arrangement pursuant to Article 26 GDPR. The Plenary will submit the Guidelines for public consultation.

The Board has created a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgement. A total of 101 identical complaints have been lodged with EEA Data Protection Authorities against several controllers in the EEA member states regarding their use of Google / Facebook services which involve the transfer of personal data. Specifically the complainants, represented by the NGO NOYB, claim that Google/Facebook transfer personal data to the U.S. relying on the EU-U.S. Privacy Shield or Standard Contractual Clauses and that according to the recent CJEU judgment in case C-311/18 the controller is unable to ensure an adequate protection of the complainants' personal data. The taskforce will analyse the matter and ensure a close cooperation among the members of the Board. 

As a follow-up to the CJEU’s Schrems II ruling and in addition to the FAQ adopted on 23 July, the Board has created a taskforce. This taskforce will prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.

Andrea Jelinek, Chair of the EDPB: “The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility. In addition to the statement and the FAQ we put out shortly following the judgment, we will prepare recommendations to support controllers and processors regarding their duty in identifying and implementing appropriate supplementary measures of a legal, technical and organizational nature to meet the essential equivalence standard when transferring personal data to third countries. However, the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick fix solution. Each organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.”

The agenda to the thirthy-seventh plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

EDPB_Press Release_2020_14