Security of Processing and Data Breach Notification

This report analyses the decisions adopted by Supervisory Authorities (SAs) pursuant to Article 60 GDPR under the One Stop Shop mechanism in the field of security of personal data processing and personal data breaches. The dataset was extracted from the register of final One Stop Shop decisions made publicly available online by the European Data Protection Board (EDPB). The register was consulted between 10 July and 31 August 2023.

The relevant decisions were initially filtered using the search engine on the EDPB website by setting Article 32 GDPR as the main legal reference. The 62 selected decisions were then analysed to identify the most significant ones. The same process was adopted regarding Articles 33 GDPR and 34 GDPR. The search returned 54 cases for the former and 38 cases for the latter. Because, due to their nature, these Articles were often found in the same cases, 90 decisions were analysed for the purposes of this report (“Final One Stop Shop Decisions”). Annex I contains a list of these Final One Stop Shop Decisions, clearly indicating which Articles (32, 33 or 34 GDPR) are relevant in each decision. These decisions were adopted between January 2019 and June 2023.

The analysis included in this report depends on the level of detail of the final decisions. For example, the description of the security measures or other factual findings may be more or less detailed depending on the adopted final decisions, which has an impact on the content of this report. In addition, the final decisions refer in certain cases to other non-public documents that were exchanged during the procedure and therefore could not be analysed as part of this report. The analysis often refers to guidance documents adopted at national level cited in the decisions. Since the majority of such guidance documents have been updated since the adoption of the relevant decisions, the references link to the current version of these documents in order to provide a clear picture of the state of the art.

Most of the decisions offer interesting insights on the interpretation and application of Article 32 GDPR by SAs in concrete situations. In addition, the decisions on Articles 33 and 34 GDPR are often linked to security of processing and applied together with Article 32 GDPR. For this reason, this report does not analyse the decisions separately for each of these three Articles. Instead, it provides a thematic analysis of the most important topics that have been dealt with within the One Stop Shop mechanism.

