The EDPB had found that new and more practical guidance on the concepts of controller and processor was needed, and so the Guidelines adopted consist of a first part, in which the different concepts are explained, and a second part, which contains detailed guidance on the main obligations of controllers/joint controllers and processors.

The purpose of the new Guidelines on the targeting of social media users is to clarify the roles and responsibilities of the social media provider and the data subject. The Guidelines provide practical guidance and contain examples of different situations, especially with respect to potential risks for the freedom of the individual, the main actors and their roles, the application of key data protection requirements, as well as key elements of arrangements between social media providers and the targeted individuals.

Moreover, in view of the impact of the Court of Justice of the European Union (CJEU)’s decision in the Schrems II case, during the Plenary session, the EDPB decided to create a taskforce to analyse the complaints received by the supervisory authorities in relation to the transfer of personal data under the Privacy Shield or standard contractual clauses. The taskforce will carry out an analysis and ensure cooperation among the EDPB’s members.

Further, another taskforce has been created, whose role is to prepare recommendations that are useful to controllers and processors in the process of identifying and implementing additional measures to ensure adequate protection when transferring personal data to third countries.

The full communication of the EDPB is available here.

The Guidelines on the concepts of controller and processor (version for public consultation) are available here.

The Guidelines on the targeting of social media users (version for public consultation) are available here.