Privacy Resources
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

Opinions

2022

  1. Opinion 03/2022 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of the WEBHELP Group - Adopted on 7/2/2022;
  2. Opinion 02/2022 on the draft decision of the French Supervisory Authority regarding the Controller Binding Corporate Rules of the WEBHELP Group - Adopted on 7/2/2022;
  3. Opinion 1/2022 on the draft decision of the Luxembourg Supervisory Authority regarding the GDPR – CARPA certification criteria - Adopted on 1/2/2022;

2021

EDPB-EDPS Joint Opinions

  1. EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) - Adopted on 18/6/2021;
  2. EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery - Adopted on 8/4/2021 (v.1.1);
  3. EDPB-EDPS Joint Opinion 03/2021 on the Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act) - Adopted on 9/6/2021 (v.1.1);
  4. EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries - Adopted on 14/1/2021;
  5. EDPB-EDPS Joint Opinion 1/2021 on standard contractual clauses between controllers and processors - Adopted on 14/1/2021;

EDPB Opinions

  1. Opinion 39/2021 on whether Article 58(2)(g) GDPR could serve as a legal basis for a supervisory authority to order ex officio the erasure of personal data, in a situation where such request was not submitted by the data subject - Adopted on 14/12/2021;
  2. Opinion 38/2021 on the draft decision of the competent supervisory authority of Latvia regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 20/11/2021;
  3. Opinion 37/2021 on the draft decision of the competent supervisory authority of Malta regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 30/11/2021;
  4. Opinion 36/2021 on the draft decision of the competent supervisory authority of Norway regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 30/11/2021;
  5. Opinion 35/2021 on the draft decision of the competent supervisory authority of Belgium regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 30/11/2021;
  6. Opinion 34/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding Corporate Rules of Otis - Adopted on 26/10/2021;
  7. Opinion 33/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding Corporate Rules of Carrier - Adopted on 26/10/2021;
  8. Opinion 32/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the Republic of Korea - Adopted on 24/9/2021;
  9. Opinion 31/2021 on the draft decision of the Spanish Supervisory Authority regarding the Processor Binding Corporate Rules of the COLT Group - Adopted on 2/8/2021;
  10. Opinion 30/2021 on the draft decision of the Spanish Supervisory Authority regarding the Controller Binding Corporate Rules of the COLT Group - Adopted on 2/8/2021;
  11. Opinion 29/2021 on the draft decision of the Belgian Supervisory Authority regarding the Processor Binding Corporate Rules of Oregon Tool, Inc (Formerly “Blount”) - Adopted on 2/8/2021;
  12. Opinion 28/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding Corporate Rules of Oregon Tool, Inc (formerly “Blount”) - Adopted on 2/8/2021;
  13. Opinion 27/2021 on the draft decision of the Supervisory Authority of North Rhine-Westphalia (Germany) regarding the Processor Binding Corporate Rules of the Internet Initiative Japan Group - Adopted on 2/8/2021;
  14. Opinion 26/2021 on the draft decision of the Supervisory Authority of North Rhine-Westphalia (Germany) regarding the Controller Binding Corporate Rules of the Internet Initiative Japan Group - Adopted on 2/8/2021;
  15. Opinion 25/2021 on the draft decision of the competent supervisory authority of Lithuania regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 20/7/2021;
  16. Opinion 24/2021 on the draft decision of the competent supervisory authority of Slovakia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 20/7/2021;
  17. Opinion 23/2021 on the draft decision of the competent supervisory authority of Czech Republic regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 20/7/2021;
  18. Opinion 22/2021 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of the CGI Group - Adopted on 1/7/2021;
  19. Opinion 21/2021 on the draft decision of the French Supervisory Authority regarding the Controller Binding Corporate Rules of the CGI Group - Adopted on 1/7/2021;
  20. Opinion 20/2021 on Tobacco Traceability System - Adopted on 18/6/2021;
  21. Opinion 19/2021 on the draft decision of the competent supervisory authority of Hungary regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 1/6/2021;
  22. Opinion 18/2021 on the draft Standard Contractual Clauses submitted by the LT SA (Article 28(8) GDPR) - Adopted on 19/5/2021;
  23. Opinion 17/2021 on the draft decision of the French Supervisory Authority regarding the European code of conduct submitted by the Cloud Infrastructure Service Providers (CISPE) - Adopted on 19/5/2021;
  24. Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe - Adopted on 19/5/2021;
  25. Opinion 15/2021 regarding the European Commission Draft Implementing Decision pursuant to Directive (EU) 2016/680 on the adequate protection of personal data in the United Kingdom - Adopted on 13/4/2021;
  26. Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the United Kingdom - Adopted on 13/4/2021;
  27. Opinion 13/2021 on the draft decision of the competent supervisory authority of Romania regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/3/2021;
  28. Opinion 12/2021 on the draft decision of the competent supervisory authority of Portugal regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/3/2021;
  29. Opinion 11/2021 on the draft decision of the competent supervisory authority of Norway regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/3/2021;
  30. Opinion 10/2021 on the draft decision of the competent supervisory authority of Hungary regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/3/2021;
  31. Opinion 09/2021 on the draft decision of the Baden- Wurttemberg Supervisory Authority regarding the Controller Binding Corporate Rules of Luxoft Group - Adopted on 16/2/2021;
  32. Opinion 08/2021 on the draft decision of the Baden- Wurttemberg Supervisory Authority regarding the Processor Binding Corporate Rules of Luxoft Group - Adopted on 16/2/2021;
  33. Opinion 07/2021 on the draft decision of the Spanish Supervisory Authority regarding the Controller Binding Corporate Rules of Kumon Group - Adopted on 16/2/2021;
  34. Opinion 06/2021 on the draft decision of the Spanish Supervisory Authority regarding the Processor Binding Corporate Rules of Kumon Group - Adopted on 16/2/2021;
  35. Opinion 05/2021 on the draft Administrative Arrangement for the transfer of personal data between the Haut Conseil du Commissariat aux Comptes (H3C) and the Public Company Accounting Oversight Board (PCAOB) - Adopted on 2/2/2021;
  36. Opinion 04/2021 on the draft decision of the Belgian Supervisory Authority regarding the Processor Binding Corporate Rules of BDO - Adopted on 22/1/2021;
  37. Opinion 03/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding Corporate Rules of BDO - Adopted on 22/1/2021;
  38. Opinion 02/2021 on the draft decision of the Swedish Supervisory Authority regarding the Controller Binding Corporate Rules of Elanders Group - Adopted on 22/1/2021;
  39. Opinion 01/2021 on the draft decision of the Danish Supervisory Authority regarding the Controller Binding Corporate Rules of Saxo Bank Group - Adopted on 22/1/2021.

2020

EDPB Opinions

  1. Opinion 32/2020 on the draft decision of the Dutch Supervisory Authority regarding the Controller Binding Corporate Rules of Equinix - Adopted on 15/12/2020;
  2. Opinion 31/2020 on the draft decision of the competent supervisory authority of Poland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 7/12/2020;
  3. Opinion 30/2020 on the draft decision of the competent supervisory authority of Austria regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 7/12/2020;
  4. Opinion 29/2020 on the draft decision of the Lower Saxony Supervisory Authority regarding the Controller Binding Corporate Rules of Novelis Group - Adopted on 8/12/2020;
  5. Opinion 28/2020 on the draft decision of the Spanish Supervisory Authority regarding the Controller Binding Corporate Rules of Iberdrola Group - Adopted on 8/12/2020;
  6. Opinion 27/2020 on the draft decision of the Danish Supervisory Authority regarding the Controller Binding Corporate Rules of Coloplast Group - Adopted on 8/12/2020;
  7. Opinion 26/2020 on the draft decision of the competent supervisory authority of Denmark regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 7/12/2020;
  8. Opinion 25/2020 on the draft decision of the Swedish Supervisory Authority regarding the Controller Binding Corporate Rules of Tetra Pak - Adopted on 31/7/2020;
  9. Opinion 24/2020 on the draft decision of the Norwegian Supervisory Authority regarding the Controller Binding Corporate Rules of Jotun - Adopted on 31/7/2020;
  10. Opinion 23/2020 on the draft decision of the competent supervisory authority of Italy regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/7/2020;
  11. Opinion 22/2020 on the draft decision of the competent supervisory authority of Greece regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/7/2020;
  12. Opinion 21/2020 on the draft decision of the competent supervisory authority of the Netherlands regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 23/7/2020;
  13. Opinion 20/2020 on the draft decision of the competent supervisory authority of Greece regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/7/2020;
  14. Opinion 19/2020 on the draft decision of the competent supervisory authority of Denmark regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/7/2020;
  15. Opinion 18/2020 on the draft decision of the competent supervisory authority of the Netherlands regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 23/7/2020;
  16. Opinion 17/2020 on the draft Standard Contractual Clauses submitted by the SI SA (Article 28(8) GDPR) - Adopted on 19/5/2020;
  17. Opinion 16/2020 on the draft decision of the competent supervisory authority of the Czech Republic regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 25/5/2020;
  18. Opinion 15/2020 on the draft decision of the competent supervisory authorities of Germany regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 25/5/2020;
  19. Opinion 14/2020 on the draft decision of the competent supervisory authority of Ireland regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 (GDPR) - Adopted on 25/5/2020;
  20. Opinion 13/2020 on the draft decision of the competent supervisory authority of Italy regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 25/5/2020;
  21. Opinion 12/2020 on the draft decision of the competent supervisory authority of Finland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 25/5/2020;
  22. Opinion 11/2020 on the draft decision of the competent supervisory authority of Ireland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 25/5/2020;
  23. Opinion 10/2020 on the draft decision of the competent supervisory authorities of Germany regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 25/5/2020;
  24. Opinion 9/2020 on the draft decision of the Irish Supervisory Authority regarding the Processor Binding Corporate Rules of Reinsurance Group of America Adopted on 14/4/2020;
  25. Opinion 8/2020 on the draft decision of the Irish Supervisory Authority regarding the Controller Binding Corporate Rules of Reinsurance Group of America - Adopted on 14/4/2020;
  26. Opinion 7/2020 on the draft list of the competent supervisory authority of France regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR) - Adopted on 22/4/2020;
  27. Opinion 6/2020 on the draft decision of the Spanish Supervisory Authority regarding the Controller Binding Corporate Rules of Fujikura Automotive Europe Group (FAE Group) - Adopted on 29/1/2020;
  28. Opinion 5/2020 on the draft decision of the competent supervisory authority of Luxembourg regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 GDPR - Adopted on 29/1/2020;
  29. Opinion 4/2020 on the draft decision of the competent supervisory authority of the United Kingdom regarding the approval of the requirements for accreditation of a certification body pursuant to Article 43.3 GDPR - Adopted on 29/1/2020;
  30. Opinion 3/2020 on the France data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 28/1/2020;
  31. Opinion 2/2020 on the Belgium data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 28/1/2020;
  32. 33.Opinion 1/2020 on the Spanish data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 28/1/2020;

2019

EDPB-EDPS Joint Opinions

  1. EDPB-EDPS Joint Opinion 1/2019 on the processing of patients’ data and the role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI) - Adopted on 12/7/2019;

EDPB Opinions

  1. Opinion 16/2019 on the draft decision of the Belgian Supervisory Authority regarding the Binding Corporate Rules of ExxonMobil Corporation - Adopted on 12/11/2019.
  2. Opinion 15/2019 on the draft decision of the competent supervisory authority of the United Kingdom regarding the Binding Corporate Rules of Equinix Inc. - Adopted on 8/10/2019;
  3. Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR) - Adopted on 9/7/2019;
  4. Opinion 13/2019 on the draft list of the competent supervisory authority of France regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR) - Adopted on 10/7/2019;
  5. Opinion 12/2019 on the draft list of the competent supervisory authority of Spain regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR) - Adopted on 10/7/2019;
  6. Opinion 11/2019 on the draft list of the competent supervisory authority of the Czech Republic regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR) - Adopted on 10/7/2019;
  7. Opinion 10/2019 on the draft list of the competent supervisory authority of Cyprus regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35(4) GDPR) - Adopted on 9/7/2019;
  8. Opinion 9/2019 on the Austrian data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR - Adopted on 9/7/2019;
  9. Opinion 8/2019 on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment - Adopted on 9/7/2019;
  10. Opinion 7/2019 on the draft list of the competent supervisory authority of Iceland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 12/3/2019;
  11. Opinion 6/2019 on the draft list of the competent supervisory authority of Spain regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 12/3/2019;
  12. Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities - Adopted on 12/3/2019;
  13. Opinion 4/2019 on the draft AA between EEA and non-EEA Financial Supervisory Authorities - Adopted on 12/2/2019;
  14. Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) - Adopted on 23/1/2019;
  15. Opinion 2/2019 on the draft list of the competent supervisory authority of Norway regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 23/1/2019;
  16. Opinion 01/2019 on the draft list of the competent supervisory authority of the Principality of Liechtenstein regarding the processing operations subject to the requirement of a data protection impact assessment (Article 17.4 GDPR) - Adopted on 23/1/2019.

2018

EDPB Opinions

  1. Opinion 28/2018 regarding the European Commission Draft Implementing Decision on the adequate protection of personal data in Japan - Adopted on 5/12/2018;
  2. Opinion 27/2018 on the draft list of the competent supervisory authority of Slovenia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 4/12/2018;
  3. Opinion 26/2018 on the draft list of the competent supervisory authority of Luxembourg regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 4/12/2018;
  4. Opinion 25/2018 on the draft list of the competent supervisory authority of Croatia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 4/12/2018;
  5. Opinion 24/2018 on the draft list of the competent supervisory authority of Denmark regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 4/12/2018;
  6. Opinion 23/2018 on Commission proposals on European Production and Preservation Orders for electronic evidence in criminal matters (Art. 70.1.b) - Adopted on 23/9/2018;
  7. Opinion 22/2018 on the draft list of the competent supervisory authority of the United Kingdom regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  8. Opinion 21/2018 on the draft list of the competent supervisory authority of Slovakia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  9. Opinion 20/2018 on the draft list of the competent supervisory authority of Sweden regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  10. Opinion 19/2018 on the draft list of the competent supervisory authority of Romania regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  11. Opinion 18/2018 on the draft list of the competent supervisory authority of Portugal regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  12. Opinion 17/2018 on the draft list of the competent supervisory authority of Poland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  13. Opinion 16/2018 on the draft list of the competent supervisory authority of the Netherlands regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  14. Opinion 15/2018 on the draft list of the competent supervisory authority of Malta regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  15. Opinion 14/2018 on the draft list of the competent supervisory authority of Latvia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  16. Opinion 13/2018 on the draft list of the competent supervisory authority of Lithuania regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  17. Opinion 12/2018 on the draft list of the competent supervisory authority of Italy regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  18. Opinion 11/2018 on the draft list of the competent supervisory authority of Ireland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  19. Opinion 10/2018 on the draft list of the competent supervisory authority of Hungary regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  20. Opinion 9/2018 on the draft list of the competent supervisory authority of France regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  21. Opinion 8/2018 on the draft list of the competent supervisory authority of Finland regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  22. Opinion 7/2018 on the draft list of the competent supervisory authority of Greece regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  23. Opinion 6/2018 on the draft list of the competent supervisory authority of Estonia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  24. Opinion 5/2018 on the draft list of the competent supervisory authorities of Germany regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  25. Opinion 4/2018 on the draft list of the competent supervisory authority of Czech Republic regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  26. Opinion 3/2018 on the draft list of the competent supervisory authority of Bulgaria regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  27. Opinion 2/2018 on the draft list of the competent supervisory authority of Belgium regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018;
  28. Opinion 1/2018 on the draft list of the competent supervisory authority of Austria regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR) - Adopted on 25/9/2018.