European Data Protection Board clarifies rules for data sharing with third country authorities and approves EU Data Protection Seal certification

During its latest plenary, the European Data Protection Board (EDPB) published guidelines on Art.48 GDPR about data transfers to third country authorities and  approved a new European Data Protection Seal.

Αs stated in a press release from the EDPB, in a highly interconnected world, organisations receive requests from public authorities in other countries to share personal data. The sharing of data can, for instance, be of help to collect evidence in the case of crime, to check financial transactions or approve new medications.

When a European organisation receives a request for a transfer of data from a ‘third country’ (i.e. non-European countries) authority, it must comply with the General Data Protection Regulation (GDPR). In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to such requests. In this way, the guidelines help organisations to make a decision on whether they can lawfully transfer personal data to third country authorities when asked to do so.

Judgements or decisions from third countries authorities cannot automatically be recognised or enforced in Europe. If an organisation replies to a request for personal data from a third country authority, this data flow constitutes a transfer and the GDPR applies. An international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.

The guidelines are subject to public consultation until 27 January 2025.

Approval of EU Data Protection Seal

During the plenary meeting, the Board also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors. In September 2023, the Board already adopted an opinion on the approval of the Brand Compliance national certification criteria, making them officially recognised certification criteria in the Netherlands for data processing by organisations. The approval of the new opinion means that these criteria will now be applicable across Europe and as a European Data Protection Seal.

GDPR certification helps organisations demonstrate their compliance with data protection law. This transparency helps people trust the product, service, process or system for which organisations process their personal data. (source:edpb.europa.eu/photo freepik.com)

Comments

Post a Comment

Popular posts from this blog

Annual Report on the execution of the European Court's judgments and decisions

Image
The Secretary General of the Council of Europe, Alain Berset, has called for further efforts to implement judgments from the European Court of Human Rights. Commenting on the  annual report for 2024  on the execution of the Court’s rulings, published today, the Secretary General said: “ This report shows what a concrete, positive impact judgments from the European Court of Human Rights have on the daily lives of the people of Europe. While a lot has been achieved, more needs to be done. The efficient execution of the Court's judgments is essential for the rule of law and democratic accountability in Europe .” The annual report from the Council of Europe’s Committee of Ministers shows that 992 cases were transferred from the European Court of Human Rights to Committee, which supervises their implementation by member states, in 2024. Of those 992 new cases, 194 were “leading” cases – often requiring action to be taken by states to prevent the same violations happ...
Read more

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Fully-funded PhD position in AI, Law and Public Power

Image
Erasmus University Rotterdam School of Law, department Law & Markets, is looking for a fulltime PhD researcher in AI, Law and Public Power (4,5 years with 20% teaching tasks). PhD AI, Law and Public Power Are you curious about how artificial intelligence is changing state actor powers? Do you want to conduct critical and in-depth legal research at the intersection of technology, law and power? And would you like to combine that with academic teaching? Then this PhD position at Erasmus School of Law is for you. Within the Law & Markets team, you will spend 4.5 years researching the legal regulation of AI in the public sector. How do we protect fundamental rights when algorithms help decide on who receives public benefits, how to perform enforcement or how to enact environmental policy? What is the role of the state, and where is the limit of government power in a data-driven society? You will have plenty of space to choose your own research angle and work in a multidisci...
Read more

Dismissal of a public-sector employee for having “Liked” Facebook posts: Violation of her right to freedom of expression

Image
Ιn Chamber's judgment in the case of Melike v. Turkey (application no. 35786/19) the European Court of Human Rights held, unanimously, that there had been a violation of Article 10 (freedom of expression) of the European Convention on Human Rights.  The case concerned the dismissal of Ms Melike, a contractual employee at the Ministry of National Education, for having clicked “Like” on various Facebook articles (posted on the social networking site by a third party).  The authorities considered that the posts in question were likely to disturb the peace and tranquillity of the workplace, on the grounds that they alleged that teachers had committed rapes, contained accusations against political leaders and related to political parties.  The Court noted that the content in question consisted of virulent political criticism of allegedly repressive practices by the authorities, calls and encouragement to demonstrate in protest against those practices, expressions of indignatio...
Read more

Following the tragic death of lawyer Ebru Timtik, the CCBE calls on the EU and Turkish authorities to take urgent measures to prevent the death of lawyer Aytaç Ünsal

Image
The Council of Bars and Law Societies of Europe (CCBE) is deeply shocked by the death of Turkish lawyer Ebru Timtik on 27 August after a 238 days hunger strike. Lawyers Ebru Timtik and Aytaç Ünsal, respectively sentenced to 13 and 6 months and 11 years and 6 months in prison, decided to go on an unlimited hunger strike to denounce their unfair trial as well as the unfair trial of several dozens of Turkish lawyers. ( Read more here ) Since 2017, several Turkish lawyers belonging to the Progressive Lawyers Association and the People's Law Office, among which Ebru Timtik and Aytaç Ünsal, have been victims of judicial harassment. These lawyers who have fought for Justice and the Rule of Law have defended, among others, persons considered to be opponents of the Turkish government, families of miners massacred in Soma and Ermenek, populations expelled from their homes as victims of urban transformation, families of citizens killed under torture in police stations and prisons as well as...
Read more

Harassment During Job Interviews Under Cyprus Law

Image
By Giorgos Kazoleas, LL.M., Lawyer, Managing Partner at Legal Experts Cyprus Harassment or bullying during a job interview can now legally be considered workplace harassment. This is explicitly provided for in recent Cypriot legislation regarding workplace harassment, which widens the scope of application to include candidates for employment. The Legal Framework in Cyprus: Law 42(I)/2025 Law 42(I)/2025 (The Prevention and Combating of Violence and Harassment at Work Law), which came into force on April 11, 2025, explicitly extends protection against harassment and violence to the recruitment process and employment negotiations before a contract is signed. According to the interpretation of terms in Article 2 of the Law, the definition of an "employee" includes, among others, a person: "Whose employment relationship has not yet begun, in cases where the violation of the provisions of this Law has been committed during the recruitment process or at another stage of...
Read more

The Delivery Delay Clause in Residential Construction Contracts: Consumer Protection in Cyprus and Europe

Image
By Giorgos Kazoleas, LL.M., Lawyer, Managing Partner at Legal Experts Cyprus The purchase or construction of a new residence is one of the most significant financial and personal decisions a consumer can make. Residential construction contracts or agreements for the sale of property under construction are a crucial and defining element of the entire process, as certain terms they may contain can be detrimental to the buyer. One of the most critical aspects is the contractual delivery time of the project and the provision for delay, through the so-called delivery delay clause. The Delivery Delay Clause: Its Role and Legal Nature The delivery delay clause (also known as a penalty clause in the event of default) is a term usually included in the contract that specifies a predetermined compensation amount that the contractor or seller must pay to the buyer for every day, week, or month of delay beyond the agreed delivery date. The purpose of the clause is twofold: -Compensatory: ...
Read more