EU: EDPB announces 34th plenary session outcome, adopts guidelines on PSD2 and GDPR interoperability
The European Data Protection Board ('EDPB') announced, on 20 July 2020, the outcome of its 34th plenary session. In particular, the EDPB recalled that it has issued a statement on the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), adopted its guidelines ('the Guidelines') on the interplay between the Payment Services Directive ((EU) 2015/2366) ('PSD2') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and published a response letter ('the Letter') to the Member of Parliament Ďuriš Nicholsonová on contact tracing, interoperability of apps, and Data Protection Impact Assessment ('DPIAs').
In addition, the EDPB outlined that the Guidelines address the application of the GDPR to new payment initiation services and account information services, as introduced by PSD2. Specifically, the EDPB noted that the processing of special categories of personal data in the above circumstances is generally prohibited, in line with Article 9(1) of the GDPR, except when explicit consent is given by the data subject or when the processing is necessary for reasons of substantial public interest.
Lastly, the EDPB highlighted that the Letter addresses questions on the harmonisation and interoperability of contact tracing apps, the requirement of a DPIA for such processing, and the duration for which processing may be put in place.
You can read the press release here.
UPDATE (22 July 2020)
EDPB launches public consultation on guidelines on PSD2 and GDPR interoperability
The EDPB launched, on 22 July 2020, a public consultation on the Guidelines.
The consultation will end on 16 September 2020, and comments can be submitted here.
UPDATE (29 July 2020)
EDPB publishes letter on Coronavirus and data protection
The EDPB published, on 17 July 2020, the Letter.
You can read the Letter here.