Oct 27

EDPB and ICO are at the forefront of privacy developments

DP News – Week 43. EDPB and ICO are at the forefront of privacy developments.

Both the EDPB and the UK’s ICO have recently been very active in publishing new guidelines.

On 10 October, the EDPB published draft Guidelines 08/2022 “On identifying a controller or processor’s lead supervisory authority”, which is an updated version of the Working Party 29’s guidelines WP244 (rev.01) issued in 2017 and endorsed by the EDPB on 25 May 2018. The update covers joint controllership issues, mentioning that “the decision-making power of joint controllers does not comprise the determination of the competent supervisory authority” and “the notion of main establishment is linked by virtue of the GDPR to a single controller and cannot be extended to a joint controllership situation”. Thus, “joint controllers cannot designate (among the establishments where decisions on the purposes and means of the processing are taken) a common main establishment for both joint controllers”. Comments on the updated parts are accepted until early December.

Further to this, the EDPB issued draft Guidelines 09/2022 “On personal data breach notification under GDPR”, which is a targeted update of the previous guidelines WP250 (rev.01) adopted by the Working Party 29 and endorsed by the EDPB on 25 May 2018. As the EDPB explains in the update, where a controller is subject to Article 3(2) or Article 3(3) GDPR and experiences a breach, it is therefore still bound by the notification obligations and is required to designate a representative in the EU. “However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller”. Comments on the updated parts are accepted until late November.

In turn, the UK’s ICO issued “Guidance on direct marketing using electronic mail”. It explains the concepts of ‘electronic mail’ and ‘direct marketing’, breaks down the rules of PECR, takes a deep dive into the rules on using the soft opt-in, and also covers other direct marketing issues. As the ICO explains, the notion of direct marketing “covers all types of advertising, marketing or promotional material” and includes “commercial marketing (eg promotion of products and services) and the promotion of aims and ideas (eg fundraising or campaigning)”.
