GDPR Brief: the role of the European Data Protection Board in interpreting the GDPR

2 Aug 2021

This Brief aims to clarify the roles of the European Data Protection Board (‘the Board’) and the Article 29 Working Party (WP29) in interpreting the GDPR, against the backdrop of their development as well as their most important tasks, powers, and competences.

Avid readers of the GA4GH GDPR Forum will have likely noticed that past briefs have mentioned GDPR interpretations by the European Data Protection Board (‘the Board’) and the Article 29 Working Party (WP29). This Brief aims to clarify their roles in interpreting the GDPR, against the backdrop of their development as well as their most important tasks, powers, and competences, particularly about the Board’s mandate to contribute to the consistent application of the GDPR throughout the EU.

Overview of the European Data Protection Board

The Board is an independent body that has been established to promote the effective and consistent interpretation and application of the GDPR across the EU. The Board is the successor organization to the WP29 since the coming-into-force of the GDPR. The Board has larger powers than its predecessor, especially with regard to dispute resolution and consensus building related to the consistency mechanism introduced by the GDPR where it has co-decision-making powers with SAs, even though its role remains principally an advisory one. The Board may exceptionally work with the European Data Protection Supervisor, which is a SA for EU institutions with certain advisory functions. 

Guidance from the European Data Protection Board

The Board can issue guidance related to the interpretation of the GDPR. In a non-closed list, the GDPR lists 25 areas, including advising the European Commission, and related to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, as well as related to international transfers and particularly to codes of conduct, to list the most relevant advisory tasks for data processing for genomic research.

As was the case with its predecessor, the Board solicits public feedback before issuing guidance, which consists of issuing draft guidance and then giving stakeholders six weeks to comment. (List of open and closed public consultations.)

Opinions from the European Data Protection Board

Within the frame of the consistency mechanism, the Board can issue opinions on draft decisions of SAs and on matters of general application. An example for such an opinion is the case where a draft code of conduct implicates data processing activities in multiple EU Member States. Before a SA approves such a code, it must ask the Board to provide an opinion. The opinion is not binding for the subsequent decision of the European Commission to approve the general validity of a code within the EU. Nevertheless, only a code that has first received an opinion of the Board stating that the code complies with the GDPR’s rigorous standards can be submitted to the Commission. The Board may also issue opinions on other matters, such as determinations from SAs regarding when a data protection impact assessment is required. Any SA or the European Commission may further seize the Board to issue an opinion regarding matters that affect more than one Member State.

Further to this, the Board can issue decisions that bind SAs pursuant to the dispute resolution procedure and the urgency procedure.

Binding Nature of the Guidelines and Opinions

The interpretive guidance in the guidelines and opinions of the Board are not binding for SAs (cf. binding decisions) and for courts. They are better thought of as interpretive aids rather than a bona fide source of law. However, they may have a binding effect on the Board itself, especially where the Board issues a binding decision that is informed by the Board’s own guidelines and opinions. This is why it has particular relevance that the Board has endorsed some WP29 guidelines such as those on consent and transparency. The endorsement of guidelines of the WP29, particularly related to issues that are subject to technological development and their changing legal assessment, risks overlooking the state-of-the-art and becoming ‘frozen in time’ instead of being replaced.

Exceptionally, even non-binding guidelines may come to represent a leading, authoritative interpretation on data protection law when cited with approval by the Court of Justice of the European Union. Although not frequent, we have seen the Court cite the Board in approval of their interpretation.

We have compiled a list of guidelines that are indeed relevant for readers below.

Article 29 Working Party / European Data Protection Board Guidelines Relevant to the GA4GH Community

• Guidelines 04/2021 on codes of conduct as tools for transfers
• Guidelines 01/2021 on Examples regarding Data Breach Notification
• Guidelines 07/2020 on the concepts of controller and processor in the GDPR
• Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
• Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679
• Guidelines 05/2020 on consent under Regulation 2016/679
• Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
• Guidelines 4/2019 on Article 25 Data Protection by Design and by Default
• Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
• Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)
• Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – version adopted after public consultation
• Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
• Guidelines on transparency under Regulation 2016/679, WP260 rev.01
• Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, WP251rev.01
• Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP248 rev.01

Relevant GDPR Provisions

• Recital 136 – Consistency mechanism
• Recital 139 – EDPB to replace WP29
• Article 64 – Opinions from the EDPB regarding certain measures taken by national supervisory authorities (consistency mechanism)
• Article 65 – Dispute resolution from the EDPB (consistency mechanism)
• Section 3 of Chapter VII
  • Article 68 – Nature, status, and composition of the EDPB
  • Article 69 – Independence of the EDPB
  • Article 70 – Tasks of the EDPB
  • Article 71 – Reports of the EDPB
  • Article 72 – Procedures of the EDPB
  • Article 73 – Chair of the EDPB
  • Article 74 – Tasks of the Chair of the EDPB
  • Article 75 – EDPB Secretariat
  • Article 76 – Confidentiality of the EDPB

Michael Beauvais is an academic associate at McGill University’s Centre of Genomics and Policy.

Fruzsina Molnar-Gabor is research group leader at the Heidelberg Academy of Sciences and Humanities and lecturer at the Legal Faculty of Heidelberg University.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.