L'EDPB, l'istituzione europea che raggruppa i Garanti per uniformare l'interpretazione della privacy, ha realizzato una opinion.
Le opinion sono strumenti di interpretazione ufficiale del testo normativo.
Il testo commentato e interpretato ancora non è stato ufficialmente pubblicato, nè è definitivo.
Statement 3/2019 on an ePrivacy regulation Adopted on 13 March 2019 The European Data Protection Board has adopted the following statement;
The EDPB calls on the EU legislators to intensify efforts towards the adoption of an ePrivacy Regulation, which is necessary to complete the EU’s framework for data protection and confidentiality of communications. The EDPB wishes to reiterate the positions previously adopted by data protection authorities in the EU, including the Opinion 1/2017 of the Article 29 Working Party and the Statement adopted on 25 May 2018. The ePrivacy Regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive 2002/58/EC and must complement the GDPR by providing additional strong guarantees for all types of electronic communications. Far from being an obstacle to the development of new technologies and services, the ePrivacy Regulation is necessary to ensure a level playing field and legal certainty for market operators. The EDPB invites Member States, under the leadership of the Presidency of the Council, to ensure a high level of protection and to proceed to the finalisation of their negotiating position without further delay, so that negotiations with the European Parliament can begin as soon as possible.
For the European Data Protection Board The Chair (Andrea Jelinek)
A questo link un interessante elenco di fonti documentali da conoscere:
- Opinion on the interplay between the ePrivacy Directive and the General Data Protection Regulation
- Statement on the future ePrivacy Regulation
- Opinion on the draft DPIA list submitted by Spain
- Opinion on the draft DPIA list submitted by Iceland
- Statement on the use of personal data in the course of political campaigns
Queste le conclusioni:
Does the mere fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, limit the competences, tasks and powers of data protection authorities under the GDPR? In other words, is there a subset of data processing operations they should set aside, and if so when?
86. When the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent to scrutinize the data processing operations which are governed by national ePrivacy rules only if national law confers this competence on them, and such scrutiny must happen within the supervisory powers assigned to the authority by the national law transposing the ePrivacy Directive.
87. Data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy directive, does not limit the competence of data protection authorities under the GDPR. When exercising their competences, tasks and powers under the GDPR, should data protection authorities take into account the provisions of the ePrivacy Directive, and if so to what extent? In other words, should infringements of national ePrivacy rules be set aside when in assessing compliance with the GDPR, and if so when?
88. The authority or authorities that are appointed as competent in the meaning of the ePrivacy Directive by Member States is exclusively responsible for enforcing the national provisions transposing the ePrivacy Directive that are applicable to that specific processing operation, including in cases where the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive. Nevertheless, data protection authorities remain fully competent as regards any processing operations performed upon personal data which are not subject to one or more specifics rules contained in the ePrivacy Directive.
89. An infringement of the GDPR might also constitute an infringement of national ePrivacy rules. The data protection authority may take this factual finding as to an infringement of ePrivacy rules into consideration when applying the GDPR (e.g., when assessing compliance with the lawfulness or fairness principle under article 5(1)a GDPR). However, any enforcement decision must be justified on the basis of the GDPR, unless the data protection authority has been granted additional competences by Member State law.
90. If national law designates the data protection authority as competent authority under the ePrivacy Directive, this data protection authority has the competence to directly enforce national ePrivacy rules in addition to the GDPR (otherwise it does not). adopted 25 To what extent is the cooperation and consistency mechanisms applicable in relation to processing that triggers, at least in relation to certain processing operations, the material scope of both the GDPR and the ePrivacy Directive?
91. The cooperation and consistency mechanisms available to data protection authorities under Chapter VII of the GDPR, concern the monitoring of the application of GDPR provisions. The GDPR mechanisms do not apply to the enforcement of the national implementation of the ePrivacy Directive. The cooperation and consistency mechanism remains fully applicable, however, insofar as the processing is subject to the general provisions of the GDPR (and not to a “special rule” contained in the ePrivacy Directive). *** 92. The Board acknowledges that the interpretation above is without prejudice to the outcome of the current negotiations of the ePrivacy Regulation. The proposed Regulation addresses many important elements, including as regards the competences of data protection authorities, but also as regards a range of other very important issues. The Board reiterates its position that the adoption of an ePrivacy Regulation is important.43 For the European Data Protection Board The Chair