Denmark – The European Data Protection Board takes stock
The European Data Protection Board (EDPB) has issued its annual report for 2018. The report provides information on the EDPB’s work in the first seven months after the GDPR entered into force and outlines the EDPB’s plans for the future.
Since the entry into force of the GDPR on 25 May 2018, the European Data Protection Board (EDPB) has been tasked with ensuring consistent application of the GDPR across the EEA and promoting effective cooperation between the national supervisory authorities. The EDPB replaced the Article 29 Working Party and is composed of representatives of the national supervisory authorities, including the Danish Data Protection Agency.
The EDPB recently issued its annual report for 2018, taking stock of its work and activities in 2018. These activities included the following:
- Endorsement of 16 guidelines established by the former Article 29 Working Party and adoption of four additional guidelines, including guidelines on the territorial scope of the GDPR and international transfers.
- Adoption of 26 Consistency Opinions under article 64 of the GDPR regarding the national supervisory authorities’ obligation to request an opinion by the EDPB in a number of situations, including by the adoption of a list of the processing operations subject to the requirement for a data protection impact assessment.
- Consultation of stakeholders and ensuring transparency with regard to the EDPB’s work for the purpose of ensuring the widest degree of harmonisation in the application of the rules of the GDPR.
- Strengthening the cooperation between national supervisory authorities.
- The report further describes a number of decisions made by the national supervisory authorities after the GDPR took effect.
In early 2019, the EDPB adopted a two-year work programme for 2019-2020, which is also mentioned in the report. The work programme describes the EDPB’s intention to adopt more guidelines as well as its focus areas, including data subjects’ rights and the controller’s legitimate interest.