Europrivacy News
Europrivacy presented in the session "Data Protection Certification for International Data Transfer" at eCommerce Week 2022

Europrivacy was presented in the session „Data Protection Certification for International Data Transfer” which took place on April 27th at 16:00 CET during eCommerce Week 2022.
This year’s edition, themed “Data and Digitalization for Development”, put a dedicated focus on data and cross-border data flows and highlighted their crucial role in economical and social development.
The panel “Data Protection Certification for International Data Transfer” recognized that the evolution of data protection regulations is directly impacting cross-border data flows and trade-related activities. Certification mechanisms have been integrated by several regulations to facilitate cross-border data transfer with data controllers and processors located in third countries. While these legal provisions come with specific requirements, new models of data protection certifications are emerging that can contribute to extending the geographic scope of such certifications.
Chaired by Dr. Sébastien Ziegler, Director of Mandat International and Chairman of the Europrivacy International Board of Experts, expert speakers Luca Bolognini, Prof. Romeo Kadir, Adrian Quesada Rodriguez, and Renato Opice Blum presented the latest developments in this domain, including the APEC Privacy Framework and the Europrivacy certification scheme.
ECCP delighted to support and attend the first edition of the Privacy Symposium

ECCP is delighted to support and attend the first edition of the Privacy Symposium.
With 78 sessions, the Privacy Symposium conference gave the floor to 245 experts in data protection, including national authorities, European institutions, and international organizations. It brought together about 500 registered participants plus 350 remote participants, in line with its ambition to support international dialogue, cooperation and knowledge sharing.
It was also an opportunity to present Europrivacy innovative approach towards assessing and certifying the compliance of data processing activities with the GDPR and complementary data protection regulations.
From health data protection to artificial intelligence and quantum computing, the conference demonstrated how important it is to bring together the legal experts, the practitioners and the research community. It highlighted the potential of joining forces to support and enhance data protection across borders and technologies.
The conference also made clear that most participants share the same fundamental values and vision across countries and regions, with a strong potential to learn from each other, and to enhance personal data protection by working together.
Hosting the conference in Venice has been highly inspiring in this human and intellectual encounter. It brought new perspectives on privacy and data protection and contributed to set the foundations of new collaboration bridges.
We look forward to attending the next edition in 2023 in Venice again!
CALL FOR PAPERS: International Conference on Data Protection, Regulatory Compliance, and Innovative Technologies
The Privacy Symposium is an international conference established to attract, present, and discuss original and innovative research results and technology developments related to personal data protection and compliance with data protection legislation. To this end, it brings together legal and technology experts together with data protection authorities to share their knowledge and to support international dialogue and cooperation. The Call for Papers intends to identify original research results and innovative approaches to address the challenges related to data protection compliance, including with regards to innovative technologies.
4 tracks
- Law and Data Protection
- Technology and compliance
- Cybersecurity and data protection
- Data protection in practice
Paper submissions and publication guidelines
The Privacy Symposium solicits submission of original papers (unpublished) for:
- Academic papers will typically adopt a more theoretical approach and will ideally inform academics as well as practitioners (up to 20 pages).
- Industry papers address relevant topics from a more practical perspective and should also help ‘ground’ academic research (up to 20 pages).
- Short papers and work-in-progress papers report and discuss ongoing activities or report new ideas or early work in progress (up to 10 pages).
Special session proposal submission
The Privacy Symposium will be hosting a series of special sessions and invites the submission of special session proposals. They should emphasize on current topics relevant to the data protection and compliance community on the latest research, studies, innovations, societal and business issues and should include a mix of regular and invited presentations. Special Sessions should complement the regular program with new and emerging topics of interest.
For more information, please visit the website of the Privacy Symposium.
Call for papers detailed information is available here.
Post-doc job opportunity - join our team!
The European Centre for Certification and Privacy (ECCP) is looking for a post-doctoral fellow with a demonstrated interest in personal data protection and privacy, cybersecurity, and emerging technologies, as well as a deep understanding of the General Data Protection Regulation (GDPR).
We will consider candidates with a PhD in law, cybersecurity, international relations, or political sciences. We are looking for an enthusiastic candidate with international experience, strong communication skills (written and spoken fluency in English, knowledge of legal terminology).
The deadline for application is May 15th 2021. For more information please visit: https://euraxess.ec.europa.eu/jobs/hos...technology
We look forward to receiving your applications!
Undeniable reputational and competitive advantage

Europrivacy Certification Scheme presented at EY Webinar series on Data Protection Certification
Advantages, issues and perspectives of Europrivacy Certification were key aspects in the Webinar series “Data Protection Certification” held by Europrivacy’s partner EY Société d'Avocats on Friday, 12th March 2021. Amongst the guest-speakers was Dr Sébastien Ziegler, Chairman of the Europrivacy International Board of Experts. Together with EY’s legal experts, and Oliver Guillo, Founder and CEO of Smart Global Governance, Dr Ziegler clarified the significance of certification in terms of GDPR and presented the scope of the Europrivacy Certification Scheme.
Europrivacy certification enables companies and organisations to reduce their legal and financial risks, by assessing and demonstrating the compliance of their data processing with The General Data Protection Regulation (GDPR). Europrivacy’s official partner EY Société d'Avocats assists its clients in preparing the certification of their data processing with Europrivacy Data Protection Certification as this attainment constitutes an undeniable reputational and competitive advantage.
The presentation was then supported by the introduction of the Smart Global platform and how it facilitates the process of obtaining certification by documenting the compliance of data processing with the GDPR through the Europrivacy criteria.
You can reply the webcast by signing up HERE.
EDPB News
Twenty-fourth Plenary session: EDPB doubles down on COVID-19 guidance in newly adopted letters
During its 24th plenary session, the European Data Protection Board (EDPB) adopted three letters, reinforcing several elements from its earlier guidance on data protection in the context of fighting the COVID-19 outbreak.
In reply to a letter from the United States Mission to the European Union, the EDPB looks into transfers of health data for research purposes, enabling international cooperation for the development of a vaccine. The US Mission enquired into the possibility of relying on a derogation of Art. 49 European General Data Protection Regulation (GDPR) to enable international flows.
The EDPB tackled this topic in detail in its recently adopted guidelines (03/2020) on the processing of health data for scientific research. In its letter, the EDPB reiterates that the GDPR allows for collaboration between EEA and non-EEA scientists in the search for vaccines and treatments against COVID-19, while simultaneously protecting fundamental data protection rights in the EEA.
When data are transferred outside of the EEA, solutions that guarantee the continuous protection of data subjects’ fundamental rights, such as adequacy decisions or appropriate safeguards (included in Article 46 GDPR) should be favoured, according to the EDPB.
However, the EDPB considers that the fight against COVID-19 has been recognised by the EU and Member States as an important public interest, as it has caused an exceptional sanitary crisis of an unprecedented nature and scale. This may require urgent action in the field of scientific research, necessitating transfers of personal data to third countries or international organisations.
In the absence of an adequacy decision or appropriate safeguards, public authorities and private entities may also rely upon derogations included in Article 49 GDPR
Andrea Jelinek, the Chair of the EDPB, said: “The global scientific community is racing against the clock to develop a COVID-19 vaccine or treatment. The EDPB confirms that the GDPR offers tools giving the best guarantees for international transfers of health data and is flexible enough to offer faster temporary solutions in the face of the urgent medical situation.”
The EDPB also adopted a response to a request from MEPs Lucia Ďuriš Nicholsonová and Eugen Jurzyca.
The EDPB replies that data protection laws already take into account data processing operations necessary to contribute to fighting an epidemic, therefore - according to the EDPB - there is no reason to lift GDPR provisions, but to observe them. In addition, the EDPB refers to the guidelines on the issues of geolocation and other tracing tools, as well as the processing of health data for research purposes in the context of the COVID-19 outbreak.
Andrea Jelinek, Chair of the EDPB, added: “The GDPR is designed to be flexible. As a result, it can enable an efficient response to support the fight against the pandemic, while at the same time protecting fundamental human rights and freedoms. When the processing of personal data is necessary in the context of COVID-19, data protection is indispensable to build trust, to create the conditions for social acceptability of any possible solution and, therefore, to guarantee the effectiveness of these measures”.
The EDPB received two letters from Sophie In 't Veld MEP, raising a series of questions regarding the latest technologies that are being developed in order to fight the spread of COVID-19.
In its reply, the EDPB refers to its recently adopted guidelines (04/2020) on the use of location data and contact tracing apps, which highlight – among other elements - that such schemes should have a voluntary nature, use the least amount of data possible, and should not trace individual movements, but rather use proximity information of users.
The agenda of the 23rd plenary is available here
Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
Twenty-third Plenary Session: adopted documents
During its 23rd Plenary Session, the European Data Protection Board (EDPB) adopted the following documents:
European Data Protection Board - Twenty-third Plenary session: EDPB adopts further COVID-19 guidance
During its 23rd plenary session, the European Data Protection Board (EDPB) adopted guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak and guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.
The guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak aim to shed light on the most urgent legal questions concerning the use of health data, such as the legal basis of processing, further processing of health data for the purpose of scientific research, the implementation of adequate safeguards and the exercise of data subject rights.
The guidelines state that the European General Data Protection Regulation (GDPR) contains several provisions for the processing of health data for the purpose of scientific research, which also apply in the context of the COVID-19 pandemic, in particular relating to consent and to the respective national legislations. The GDPR foresees the possibility to process certain special categories of personal data, such as health data, where it is necessary for scientific research purposes.
In addition, the guidelines address legal questions concerning international data transfers involving health data for research purposes related to the fight against COVID-19, in particular in the absence of an adequacy decision or other appropriate safeguards.
Andrea Jelinek, Chair of the EDPB, said: “Currently, great research efforts are being made in the fight against COVID-19. Researchers hope to produce results as quickly as possible. The GDPR does not stand in the way of scientific research, but enables the lawful processing of health data to support the purpose of finding a vaccine or treatment for COVID-19”.
The guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak aim to clarify the conditions and principles for the proportionate use of location data and contact tracing tools, for two specific purposes:
- using location data to support the response to the pandemic by modelling the spread of the virus in order to assess the overall effectiveness of confinement measures;
- using contact tracing, which aims to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, in order to break the contamination chains as early as possible.
The guidelines emphasise that both the GDPR and the ePrivacy Directive contain specific provisions allowing for the use of anonymous or personal data to support public authorities and other actors at both national and EU level in their efforts to monitor and contain the spread of COVID-19. The general principles of effectiveness, necessity, and proportionality must guide any measures adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.
The EDPB stands by and underlines the position expressed in its letter to the European Commission (14 April) that the use of contact tracing apps should be voluntary and should not rely on tracing individual movements, but rather on proximity information regarding users.
Dr. Jelinek added: “Apps can never replace nurses and doctors. While data and technology can be important tools, we need to keep in mind that they have intrinsic limitations. Apps can only complement the effectiveness of public health measures and the dedication of healthcare workers that is necessary to fight COVID-19. At any rate, people should not have to choose between an efficient response to the crisis and the protection of fundamental rights.”
In addition, the EDPB adopted a guide for contact tracing apps as an annex to the guidelines. The purpose of this guide, which is non-exhaustive, is to provide general guidance to designers and implementers of contact tracing apps, underlining that any assessment must be carried out on a case-by-case basis.
Both sets of guidelines will exceptionally not be submitted for public consultation due to the urgency of the current situation and the necessity to have the guidelines readily available.
The agenda of the 23rd plenary is available here
Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
Twenty-second plenary session of the European Data Protection Board
On April 17th, the European Data Protection Board (EDPB) held its 22nd Plenary Session. For further information, please consult the agenda:
Twenty-first plenary session of the European Data Protection Board - Letter concerning the European Commission's draft Guidance on apps supporting the fight against the COVID-19 pandemic
Following a request for consultation from the European Commission, the European Data Protection Board (EDPB) adopted a letter concerning the European Commission's draft Guidance on apps supporting the fight against the COVID-19 pandemic. This Guidance on data protection and privacy implications complements the European Commission’s Recommendation on apps for contact tracing, published on 8 April and setting out the process towards a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 crisis.
Andrea Jelinek, Chair of the EDPB, said: “The EDPB welcomes the Commission’s initiative to develop a pan-European and coordinated approach as this will help to ensure the same level of data protection for every European citizen, regardless of where he or she lives.”
In its letter, the EDPB specifically addresses the use of apps for the contact tracing and warning functionality, because this is where increased attention must be paid in order to minimise interferences with private life while still allowing data processing with the goal of preserving public health.
The EDPB considers that the development of the apps should be made in an accountable way, documenting with a data protection impact assessment all the implemented privacy by design and privacy by default mechanisms. In addition, the source code should be made publicly available for the widest possible scrutiny by the scientific community.
The EDPB strongly supports the Commission’s proposal for a voluntary adoption of such apps, a choice that should be made by individuals as a token of collective responsibility.
Finally, the EDPB underlined the need for the Board and its Members, in charge of advising and ensuring the correct application of the European General Data Protection Regulation (GDPR) and the E-Privacy Directive, to be fully involved in the whole process of elaboration and implementation of these measures. The EDPB recalls that it intends to publish Guidelines in the upcoming days on geolocation and tracing tools in the context of the COVID-19 out-break.
The EDPB’s letter is available here: https://edpb.europa.eu/letters_en
The agenda of the 21th plenary session is available here: https://edpb.europa.eu/our-work-tools/agenda/2020_en#agenda_490
Twentieth plenary session of the European Data Protection Board - scope of upcoming guidance on data processing in the fight against COVID-19
During its 20th plenary session on April 7th, the European Data Protection Board (EDPB) assigned concrete mandates to its expert subgroups to develop guidance on several aspects of data processing in the fight against COVID-19. This follows the decision made on April 3rd during the EDPB's 19th plenary session.
- geolocation and other tracing tools in the context of the COVID-19 outbreak – a mandate was given to the technology expert subgroup for leading this work;
- processing of health data for research purposes in the context of the COVID-19 outbreak – a mandate was given to the compliance, e-government and health expert subgroup for leading this work.
Considering the high priority of these 2 topics, the EDPB decided to postpone the guidance work on teleworking tools and practices in the context of the COVID-19 outbreak, for the time being.
Andrea Jelinek, Chair of the EDPB, said: “The EDPB will move swiftly to issue guidance on these topics within the shortest possible notice to help make sure that technology is used in a responsible way to support and hopefully win the battle against the corona pandemic. I strongly believe data protection and public health go hand in hand."
The agenda of the 20th plenary session is available here
Twentieth Plenary Session: adopted documents
During its April Plenary Session, the European Data Protection Board (EDPB) adopted the following documents:
European Data Protection Board to issue guidance on data processing in the fight against COVID-19
The European Data Protection Board (EDPB) is speeding up its guidance work in response to the COVID-19 crisis. Its monthly plenary meetings are being replaced by weekly remote meetings with the Members of the Board.
Andrea Jelinek, Chair of the EDPB, said: "The Board will prioritise providing guidance on the following issues: use of location data and anonymisation of data; processing of health data for scientific and research purposes and the processing of data by technologies used to enable remote working. The EDPB will adopt a horizontal approach and plans to issue general guidance with regard to the appropriate legal bases and applicable legal principles."
The agenda of today's remote meeting is available here
Fine imposed for preventing the Supervisory Authority from performing an inspection
The President of the Personal Data Protection Office imposed a fine of PLN 20 000 on Vis Consulting Sp. z o.o. in liquidation with the seat in Katowice, a company from telemarketing industry, for making it impossible to conduct inspection. Additionally, the company’s owner is subject to criminal liability for this.
The President of the Personal Data Protection Office (UODO) decided to conduct inspection activities at the penalised company, in connection with the findings made in the course of another inspection performed at the company conducting telemarketing activities. It was established that the company has a cooperation contract with regard to outsourcing of telemarketing services with Vis Consulting Sp. z o.o. Therefore, the supervisory authority found it necessary to conduct inspection activities at the entity which actually operated the telephone calls and processed the data.
Unfortunately, the UODO’s inspectors, after prior notification on the planned inspection, did not find anyone at the address indicated in the National Court Register (KRS). On the spot, there was only a company which leased office space to Vis Consulting Sp. z o.o. (so called virtual office).
The inspectors managed, however, to contact Vis Consulting by telephone, and its proxy informed that the inspection would not take place.
Therefore, the President of the UODO concluded that the company in no way wished to cooperate with the personal data protection authority. On two consecutive days of the planned inspection activities, the company made it impossible to carry out the inspection twice. Furthermore, on the date on which the inspectors attempted to conduct inspection at Vis Consulting Sp. z o.o., its authorities decided to liquidate that entity.
In the opinion of the President of the Office, this company does not comply with the obligations relating to the processing of personal data and, at least intentionally, avoids to be subject of inspection by the supervisory authority. Thus the company infringed the provisions of Article 31 of the European General Data Protection Regulation (GDPR) with regard to Article 58(1)(e) and (f) of the GDPR referring to cooperation with the supervisory authority and enabling it access to all personal data and any information.
Hence, the President of the UODO concluded that the conditions for imposing a fine on the company were satisfied. In determining the amount of the fine, the supervisory authority did not identify any attenuating circumstances affecting the amount of the fine.
In connection with suspicion of commission of an offence under Article 108 (1) of the Act on the Protection of Personal Data by the President of the Company, the supervisory authority notified the District Public Prosecutor’s Office in Katowice thereof. According to that provision, the prevention or hindering of conducting inspection of compliance with the personal data protection provisions shall be subject to a fine, restriction of personal liberty or imprisonment for up to two years. The Public Prosecutor’s Office has already lodged an indictment against the President of the Company to the court.
To read the press release is Polish, click here
To read the full decision in Polish, click here
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this news release should be directed to the supervisory authority concerned.
EDPB April Plenary Cancelled
Following a decision by the European Data Protection Board (EDPB) Chair, the EDPB April Plenary Session has been cancelled due to safety concerns surrounding the outbreak of the Coronavirus (COVID-19). The EDPB hereby follows the example of other EU institutions, such as the European Parliament, which have restricted the number of large-scale meetings.
The April Plenary Session was scheduled to take place on 20 and 21 April. Earlier, the EDPB March Plenary was also cancelled for the same reasons. You can find an overview of upcoming EDPB Plenary Meetings here