Insights European Data Protection Board adopts draft Guidelines on Codes of Conduct as a tool for transfers, as well as final versions of Guidelines on Virtual Voice Assistants and Guidelines on concepts of Controller & Processor

During its 51st plenary session on 8 July 2021 the EDPB adopted draft Guidelines on Codes of Conduct (CoCs) as a tool for transfers. The main purpose of the Guidelines is to clarify the application of Articles 40(3) and 46(2)(e) of the GDPR, which provide that once approved by a competent Supervisory Authority (SA) and after having been granted general validity within the EEA by the Commission, a CoC may be used by controllers and processors not subject to the GDPR to provide appropriate safeguards to transfers of data outside of the EU. The Guidelines are open for consultation until 1 October 2021.

The EDPB also adopted a final version of the Guidelines on Virtual Voice Assistants (VVA), which aim to provide recommendations to stakeholders on how to address some of the most relevant compliance challenges for VVAs. Following public consultation, the Guidelines were updated to reflect comments received.

Also following public consultation, the EDPB adopted a final version of the Guidelines on the concepts of Controller and Processor, which aim to clarify the fundamental concepts of (joint) controller and processor. The final version includes updated wording and further clarifications in order to address comments and feedback received during the public consultation.

The EDPB also discussed possible topics for its first coordinated enforcement action, following the EDPB’s decision to set up a Coordinated Enforcement Framework on 20 October 2020. The EDPB decided that the first action will concern the use of cloud-based services by public sector bodies, and further work will now be carried out to specify the details and scope in the upcoming months. To read the EDPB’s press release in full and for links to the Guidelines and consultation, click here.