
Changes in data protection: What does the EDPB document package contain?

On October 9, the European Data Protection Board (EDPB) adopted a package of documents consisting of:

  1. opinion on certain obligations related to the use of processors and their subcontractors,
  2. guidelines on legitimate interest,
  3. a statement on additional procedural provisions related to the enforcement of the GDPR, and the EDPB work program for 2024-2025.

New obligations: processors and subcontractors

The EDPB indicates that controllers need access to detailed information on all entities involved in order to fulfill their obligations under Article 28 of the GDPR. This means that controllers must verify that processors guarantee an adequate level of data protection, and the extent of this verification may depend on the nature of the risk.

Another aspect addressed in the Opinion is the transfer of personal data outside the EEA by a processor. In such a situation, the processor that transfers the data must prepare appropriate documentation. This should include, among other things, a risk assessment and the safeguards applied. Controllers, in turn, are required to check this documentation to ensure that the data transfer meets the requirements of the GDPR, particularly those set forth in Article 44.

The opinion also addresses other practical aspects of the rules for using processors and subprocessors. Its full content is available HERE.

Guidelines on legitimate interest – what to look out for?

A key element of the guidelines is that basing data processing on legitimate interest requires that the following requirements be met:

  1. there must be a legitimate interest that is concrete, present and legitimate, for example, related to a customer relationship or other significant bond,
  2. data processing must be necessary for the fulfillment of this interest, which means that the purpose cannot be achieved in a less intrusive way, in accordance with the principle of data minimization,
  3. the interests or fundamental rights and freedoms of data subjects must not be overridden by the legitimate interests of the controller. This analysis must take into account, among other things, the expectations of individuals, the impact of the processing, and possible safeguards.

The guidelines detail how controllers should conduct this assessment in practice, taking into account specific situations such as anti-fraud, direct marketing and information security protection. The document also explains how legitimate interest interacts with other rights of data subjects under the GDPR. Their full text is available HERE.

Additional procedural provisions and work plan

Work is underway to adopt a regulation on GDPR enforcement procedures. The EDPS has given a positive assessment of the changes, highlighting their potential to improve cooperation between data protection authorities and to improve the effectiveness of enforcement.

However, it pointed out the need to further address certain key elements, including the need for a solid legal basis and a harmonized dispute resolution procedure. The Council also recommends actions that can contribute to more effective consensus building on key issues. A statement in this regard is available HERE.

The EDPB has also developed a work plan for 2024-2025 to implement the 2024-2027 strategy, taking into account key priorities and needs.

The program includes four main pillars of action:

  1. Strengthening compliance and harmonization – the EDPB will issue clear guidelines to improve compliance and harmonization of EU data protection law.
  2. Building a culture of effective enforcement – the EDPB will strengthen supervisory cooperation and the handling of cross-border data breaches.
  3. Data protection in a digital and multi-regulatory context – the EDPB will harmonize data protection laws with other EU regulations and develop guidelines for new technologies.
  4. Global cooperation – the EDPB will promote high data protection standards and foster international cooperation.

The full work plan is available HERE.

Author: Alicja Mruczkiewicz, team leader, DKP Legal