EU: EDPB adopts guidelines on codes of conduct, virtual voice assistants, and concepts of controller and processor
The European Data Protection Board ('EDPB') announced, on 8 July 2021, that it had adopted Guidelines on Codes of Conduct as a tool for transfers, Guidelines on Virtual Voice Assistants, and Guidelines on the concepts of controller and processor, during its 51st plenary session. In particular, the EDPB highlighted that the main purpose of the Guidelines Codes of Conduct is to clarify the application of Articles 40(3) and 46(2)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') which outline that, once approved by a competent supervisory authority and granted general validity by the European Commission, a code of conduct may also be used by controllers and processors which are not subject to the GDPR in order to provide appropriate safeguards to transfers of data outside of the EU.
Furthermore, the EDPB noted that the final version of the Guidelines on Virtual Voice Assistants seek to provide recommendations on how to address virtual voice assistant compliance challenges. Additionally, the EDPB outlined that the final version of the Guidelines on the concepts of controller and processor aim to provide clarifications regarding key concepts, such as joint controllers and processors.
In addition, the EDPB highlighted its decision to disband its Tik Tok Taskforce following the establishment of TikTok Inc. in the EU and the identification of its main establishment in Ireland for ongoing cases. As such, the EDPB outlined that several of the supervisory authorities that were involved in the Taskforce have already transferred their investigations to the Irish Data Protection Commission ('DPC'). However, the EDPB noted that the supervisory authorities will have the opportunity to hold discussions on the matter, within the EDPB, notably within its Enforcement Expert Subgroup.
Finally, the EDPB pointed to its discussion on the possible topics for its first coordinated enforcement action, during which it decided that the first action should concern the use of cloud-based services by public sector bodies.
You can read the press release here.