
Data-protection in the Western Balkans and Eastern Partnership Region

EDPS Technology & Privacy unit

EUROPEAN DATA PROTECTION SUPERVISOR
The EU’s independent data protection authority

Massimo ATTORESI
Deputy Head of T&P unit
19 September 2023

A bit about the TP unit: our story

• 2012: Technology Sector created, 2 people
• 2019: Technology sector becomes Technology and Privacy unit, 8 people
• 2023: Technology unit grows to 15 people

Our Composition and Expertise – Multidisciplinary staff with focus on technological and scientific research

Expertise in Telecommunications, Computer engineering, Computer science, Physics, Auditing, Information security etc.

Technology & Privacy Unit

[Organisation chart]
• The Supervisor
• Cabinet
• EDPB Secretariat
• Secretary/General
• Units: Supervision & Enforcement; Policy & Consultation; Technology & Privacy; HR, Budget & Administration; Information & Communication; Governance & Internal Compliance

What T&P Unit does?

Technology monitoring & foresight
TechSonar, TechDispatch, IPEN organisation, preparation of guidelines on specific topics, training in PETs, collaboration with other organisations in technology matters (in the EU, such as ENISA; international, such as IWGDPT/Berlin Group), support to Supervisor & Sec Gen

IT Audits
Mainly in the context of Large Scale IT Systems and Coordinated Supervision.

Data Breach Notification Handling

Direct Attributions

IT function
EDPS own IT needs as an institution: IT Strategy, IT Governance, Local IT support. Own systems, NextCloud, EuVideo-Voice, PKI infrastructure. Auditing tools such as WEC, mobile apps lab.

Support Policy and Consultation Unit
in technological matters (informal-formal Consultations, Opinions). Participation in EDPB subgroups, international fora (GPA, Spring Conference, int. organisations)

Support Supervision and Enforcement Unit
in technological matters (prior consultations, mainly in AFSJ, joint Audits/Investigations, Complaints). In a few cases, with high technological focus, TP is on the lead.

Support functions
Support our Director in Security Functions
LSO and LISO Functions.

How are we organised?

Management
Luis Velasco (HoU)
Massimo Attoresi (DHoU)

Digital Transformation
• IRM – IT Governance
• ICDT
• IT Strategy, IT Feasibility Study
• SLA EP
• Local IT function
• Innovation Projects

System Oversight and Technology Audits
• IT audits on Large Scale IT systems
• Other IT audits outside AFSJ area
• Data breach notifications, DBN Guidelines and DBN system
• Expertise in AFSJ including support to the other two sectors and to P&C, S&E and EDPB
• DPO meetings

Technology Monitoring and Foresight Sector
• Technological expertise including support to the other two sectors and to PC and SE in the rest of topics, Digital Euro, Cloud, AI, Blockchain, Surveillance, Finance, Health, eGovernment, Data Spaces....
• Guidelines on technology topics
• Foresight activities. TechSonar & TechDispatch
• Contributions to EDPB in topics above
• IPEN Organisation
• Berlin Group, GPA....

Personal Data Breaches

EUDPR Art. 3(16)

• “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Personal Data Breaches

[Figure: Root causes of personal data breaches, 2019-2022]

Our topics of interest

Technology Monitoring & Foresight

Technology Monitoring: TechSonar (Foresight dimension)

TechSonar aims to anticipate emerging technology trends: the main aim of this initiative is to better understand future developments in the technology sector from a data protection perspective.

Technology Monitoring: TechDispatch

TechDispatch provides factual descriptions of a new technology, preliminarily assesses possible impacts on privacy and the protection of personal data, as we understand them now, and provides links to further recommended reading.

Topics covered:
• Smart speakers
• Connected Cars
• Contact Tracing with Apps
• Quantum Computing
• Facial Emotion Recognition
• Card Based Systems
• Federated Social Media Platforms

Technology Monitoring: IPEN network

The purpose of exchange with Academia and Engineers in the IPEN Network is to bring together developers and data protection experts with a technical background from different areas in order to launch and support projects that build privacy into everyday tools and develop new tools that can effectively protect and enhance our privacy.

IPEN 2023 – Explainable AI
IPEN 2022 - CBDC
IPEN 2022 - Digital Identity
IPEN 2021 - Pseudonymisation
IPEN 2021 Synthetic Data Webinar
IPEN 2020 - Contact Tracing Apps webinar
IPEN 2020 - Encryption webinar
IPEN 2020 - Online Workshop
IPEN 2020 - Panel on Web Tracking
IPEN Workshop 2019 - Rome
IPEN Data Protection Day Workshop 2019
IPEN Workshop 2018 - Barcelona
IPEN Workshop 2017 - Vienna
IPEN Workshop 2016 - Frankfurt
IPEN Workshop 2015 - Leuven
IPEN Workshop 2014 – Berlin

Technology & Privacy – EDPS Guidelines

• Guidelines on personal data and electronic communications in the EU institutions (eCommunications guidelines)
• Guidelines on Personal Data Breach Notification
• IT governance and IT management
• Guidelines on the use of cloud computing services by the European institutions and bodies
• Mobile Devices
• Mobile Applications
• Web Services
• Security Measures for Personal Data Processing

The Web is watching you: Watch back with the “WEC”

Various Compliance Tools for Website Controllers

Cloud Solutions
• Qualys SSL Labs (HTTPS check)
• Cookiebot (Cookie check)
• PrivacyScore, Webbkoll (Cookies, HTTPS, etc.)
• OneTrust (Cookie check)

Problems
• no scans in intranets
• confidentiality or compliance issues
• transparency, reproducibility of the cloud solution

On-Premise Solutions
• OpenWPM by Mozilla
• WebXray
• Developer Toolbar (Firefox and Chrome)
• Website Evidence Collector by the EDPS

Website Evidence Collector (WEC) from the EDPS

Features
• automated, reproducible evidence collection
• records screenshots, cookies, traffic, potential web beacons, HTTPS security
• no legal judgements: data protection law agnostic

Output
• machine- and human-readable output
• with many details to identify tracking issues

Digital Sovereignty – EDPS Fediverse pilots

• EDPS launched on 28 April 2022 Fediverse pilot and invites other EU institutions to participate.

• EU Voice powered by Mastodon with 35 accounts of EU institutions, bodies, agencies
https://social.network.europa.eu

• EU Video powered by Peertube with about 6 accounts
https://tube.network.europa.eu (originally EU Tube)

...and an ongoing Pilot on a sovereign Cloud - NextCloud collaboration tools

Legislative proposals followed by T&P

T&P unit follows closely EU legislative developments with a significant technology dimension. Files include:

• The Artificial Intelligence Act (AIA)
• Digital Services Act (DSA), the Digital Markets Act (DMA), the Data Governance Act (DGA) and the Data Act
• Regulation as regards establishing a framework for a European Digital Identity
• Digital Euro joint Opinion with the EDPB
• Regulation laying down rules to prevent and combat child sexual abuse
• Regulation on the digitalisation of the visa procedure
• Directive on information exchange between law enforcement authorities of Member States

Collaboration with EDPB and EDPB secretariat

• Interface with the European Parliament for the provision of general basic services to all the EDPS units including the EDPB Secretariat
• Collaboration with EDPB Secretariat in the organisation of the Website Audit BootCamp
• Participation in the EDPB “ChatGPT taskforce”
• Management of projects using EDPB Expert pool of experts in the field of Artificial Intelligence.
• Collaboration in TECH subgroup within the EDPB. Co-rapporteurs in multiple documents such as pseudo-anonymisation, blockchain, ....
• Supervision of Large Scale IT Systems and contribution to the Coordinated Supervision Committee

Artificial Intelligence & AI Act

• EDPS has been identifying and assessing AI risks under GDPR/EUDPR

• AI Act identifies the EDPS as the AI competent authority for the EU institutions

• Preparations will start to understand our tasks, interaction with MSs national competent and market authorities, interaction with applicable data protection law, the role of « regulatory sandboxes »


@EU_EDPS
European Data Protection Supervisor
EDPS

Some icons from https://www.flaticon.com/
Word cloud created in https://wordart.com