Plenary Session of the European Data Protection Board
The National Center for Personal Data Protection (NCPDP), for information purpose, communicates about the participation of National Center for Personal Data Protection management at the 49th Plenary Session of the European Data Protection Board (EDPB), which was held online on 19 May, 2021.
During the Plenary, the EDPB adopted several documents, among which:
· Two Opinions on the first draft decisions on transnational Codes of Conduct presented by the Belgian Supervisory Authority (draft decision concerns the EU CLOUD Code of conduct, addressed to cloud service providers) and French Supervisory Authority (draft decision concerns the CISPE Code of conduct, addressed to cloud infrastructure service providers). These Codes aim to provide practical guidance and define specific requirements (Art. 28 GDPR) for processors in the EU subject to these Codes. They are not to be used in the context of international transfers of personal data. The EDPB is of the opinion that both draft codes comply with the GDPR and fulfil the requirements set forth in Art. 40 and 41 GDPR.
· Statement on the Data Governance Act (DGA) in light of developments in the legislative process. The EDPB reiterates that, without robust data protection safeguards, there is a risk that the trust in the digital economy would not be sustainable. The statement further highlights the need to ensure consistency of the DGA with the EU data protection acquis and urges the co-legislators to carefully consider certain aspects, such as the interplay between the DGA and the GDPR, and the importance of ensuring that the new definitions and concepts are not incompatible with the GDPR.
· Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions. The recommendations cover situations in which data subjects buy a product or pay for a service via a website or an application and provide their credit card data in order to conclude a unique transaction. As such, consent in accordance with Art. 6 (1) (a) GPDR should be considered the sole appropriate legal basis for storing credit card data after the purchase.
The NCPDP, as national supervisory authority for personal data processing, emphasizes the importance of the participation of the Republic of Moldova in the Plenary Sessions organized by the EDPB, as well as the weight of adopted documents.