EU: EDPB announces 49th plenary outcome, adopts opinions on first transnational codes of conduct
The European Data Protection Board ('EDPB') announced, on 20 May 2021, the outcome of its 49th plenary session. In particular, the EDPB highlighted that it had adopted two Article 64 General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') opinions on the first draft decisions on transnational Codes of Conduct presented to the EDPB by the Belgian Data Protection Authority ('Belgian DPA') and French data protection authority ('CNIL'). Furthermore, the EDPB outlined that the Belgian DPA's draft decision concerns the EU CLOUD Code of Conduct, addressed to cloud service providers, while CNIL's draft decision concerns the Cloud Infrastructure Services Providers in Europe ('CISPE') Code of Conduct, addressed to cloud infrastructure service providers.
The EDPB outlined that both draft codes are compliant with the GDPR and adherence to them may be used to demonstrate legal compliance. Nonetheless, the EDPB noted that while the codes aim to provide practical guidance and outline specific requirements for processors in the EU, they should not be used in the context of international transfers of personal data.
In addition, the EDPB adopted a statement on the Data Governance Act which highlights the need to ensure consistency of the Act with the EU data protection regime and calls for co-legislators to consider the interplay between the Act and the GDPR.
Finally, the EDPB adopted recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. Specifically, the recommendations outline that consent in accordance with Article 6(1)(a) of the GPDR should be considered the sole appropriate legal basis for storing credit card data after a purchase is made.
You can read the press release here.