12 fev 2022

EDPB’s consultation on personal data and letter on cookies could provide helpful clarity for online platforms

The recent European Data Protection Board (EDPB) plenary session held on 18 January 2022 saw the EDPB adopt two key points of importance for online platforms (OPs): (1) guidelines on the right of access for data subjects; and (2) a letter in response to concerns surrounding cookie consent requirements.

Guidelines on the right of access

The EDPB has opened a consultation on its guidelines on the Right of Access for data subjects who wish to access their personal data. These provide guidance on the rights data subjects have to access their personal data from data controllers, along with the duties the controllers have in providing the data in its proper form. They provide details on the scope of the right of access, how controllers can approach such requests, and the limits placed on requests. Useful examples are provided to assist controllers.

The aim of the guidelines is to provide transparent and readily accessible information for individuals to increase their awareness of the process of their personal data. The guidelines also assist controllers in complying with the GDPR when answering access requests.

The consultation will be open for comments for six weeks.

Letter in response to cookie consent concerns

The EDPB also adopted a letter written in response to concerns about the inconsistent approach to cookie consent interpretation across the EU. In this letter, Andrea Jelinek, Chair of the EDPB, emphasised their commitment to ensuring a harmonised application of data protection rules throughout the EU. She also reminds the addressees about the EDPB taskforce established for cookie banners, and the recent update on EDPB guidelines on consent to ensure a harmonised approach to cookie consent.

Importance for online platforms

These two adoptions by the EDPB are important considerations for OPs based in the EU, and those based in the UK but sell products in the EU, as it is hoped they will provide important clarification to data controllers on how to respond to customers’ data subject access requests, and ensure the consent requirements surrounding cookies are consistent and clear throughout the EU.

Data held by OPs on data subjects can be very expansive, ranging from basic personal data such as names and addresses to purchase history, activity logs, and search history. In addition, as cookie usage allows OPs to predict and recommend products for customers, what follows from the consultation and letter should be followed by OPs in order to ensure the correct guidance is adhered to in order to stay GDPR compliant.