Veiledere, uttalelser, dokumenter mv. fra EUs personvernråd (EDPB)

Et utvalg av de sentrale og mest relevante dokumenter og informasjon fra EUs personvernråd (EDPB) et tatt inn nedenfor. Det er kun tatt inn endelige dokumenter – ikke dokumenter i utkast eller på høring. Samtlige dokumenter fra EDPB finnes her.

^{Merk at uttalelser og retningslinjer fra EDPB er ikke bindende for norske domstoler, se forarbeidene til personopplysningsloven, men det er grunn til å anta at uttalelsene i praksis vil bli tillagt stor vekt. Dette er også gjort i dommer, hvor det fremgår at uttalelser fra EDPB er relevante for fortolkning av GDPR. Personvernnemda har uttalt at slike retningslinjer har begrenset verdi som rettskilde, men gir nyttig veiledning siden de gir uttrykk for forvaltningspraksis hos tilsynene i EU og EØS. Hvilken vekt uttalelsene får rettskildemessig er avhengig av de andre kildene som foreligger.}

Personopplysninger

• Use of facial recognition technology in the area of law enforcement (Guidelines 05/2022)
• Processing personal data in the context of connected vehicles and mobility related applications (Guidelines 01/2020)
• Processing of personal data through video devices (Guidelines 3/2019)

Behandlingsgrunnlag

• Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (Opinion 08/2024)
• Guidelines on Consent (Guidelines 05/2020)
• Processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (Guidelines 2/2019)

Behandlingsansvarlig/databehandler

• Certain obligations following from the reliance on processor(s) and sub-processor(s) (Opinion 22/2024)
• Concepts of controller and processor (Guidelines 07/2020)
• Territorial scope of the GDPR (Article 3) (Guidelines 3/2018)

Behandlingsoversikt

• Position Paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5)

Registrertes rettigheter

• Right of access (Guidelines 01/2022)
• Restrictions under Article 23 (Guidelines 10/2020)
• Criteria of the Right to be Forgotten in the search engines cases (part 1) (Guidelines 5/2019)
• Guidelines on consent (Guidelines 05/2020)
• Guidelines on transparency (WP260)
• Right to data portability (WP242)

Overføring til tredjeland

• Certification as a tool for transfers (Guidelines 07/2022)
• Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Article 47) (Recommendations 1/2022)
• The Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V (Guidelines 05/2021)
• Codes of Conduct as tools for transfers (Guidelines 04/2021)
• Measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Recommendations 01/2020)
• Territorial scope of GDPR (Article 3) (Guidelines 3/2018)
• Derogations of Article 49 (Guidelines 2/2018)
• Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data (WP265)
• Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors (WP263)
• Adequacy Referential (WP254)

Personvernkonsekvensvurdering/DPIA

• Data Protection Impact Assessment (DPIA) and determining whether processing is «likely to result in a high risk» (Guidelines WP248)

Teknologi / Innebygd personvern (Privacy by design)

• Certain data protection aspects related to the processing of personal data in the context of AI models (Opinion 28/2024)
• Deceptive design patterns in social media platform interfaces: how to recognise and avoid them (Guidelines 03/2022)
• Virtual voice assistants (Guidelines 02/2021)
• Targeting of social media users (Guidelines 8/2020)
• Processing personal data in the context of connected vehicles and mobility related applications (Guidelines 01/2020)
• Data Protection by Design and by Default (Article 25) (Guidelines 4/2019)
• Processing of personal data through video devices (Guidelines 3/2019)
• Automated individual decision-making and Profiling (WP251)

Personvernombud

• Data Protection Officers (‘DPO’) (WP243)

Personvernbrudd / varsel / sanksjoner («bøter»)

• Personal data breach notification (Guidelines 9/2022)
• Calculation of administrative fines (Guidelines 4/2022)
• Examples regarding Personal Data Breach Notification (Guidelines 01/2021)
• Personal data breach notification (WP250)
• Application and setting of administrative fines (WP253)

Klager til tilsyn

• Preliminary steps to handle a complaint: admissibility and vetting of complaints (Internal EDPB Document 6/2020)

Samarbeid mellom tilsyn

• Identifying a controller or processor’s lead supervisory authority (Guidelines 8/2022)
• Application of Article 60 (Samarbeid mellom ledende tilsynsmyndighet og andre berørte tilsynsmyndigheter) (Guidelines 02/2022)
• Application of Article 65(1)(a) (Tvisteløsning gjennom Personvernrådet) (Guidelines 03/2021)
• Relevant and reasoned objection (Guidelines 09/2020)
• Territorial scope of the GDPR (Article 3) (Guidelines 3/2018)
• Identifying a controller or processor’s lead supervisory authority (WP244)

Informasjonskapsler (cookies)

• Technical Scope of Article 5(3) of ePrivacy Directive (Guidelines 2/2023)