Decision on the European Data Protection Board’s refusal to grant public access to the preparatory documents for its guidelines on the processing of personal data in the context of the provision of online services (case 386/2021/AMF)
Ärende 386/2021/AMF - Undersökning inledd den Tisdag | 02 mars 2021 - Beslut den Tisdag | 07 september 2021 - Berörda institutioner Europeiska dataskyddsstyrelsen (Uppnådd lösning )
The complainant asked the European Data Protection Board (EDPB) for public access to all documents related to the preparation of its guidelines on the processing of personal data in the context of the provision of online services to individuals. The EDPB identified 11 documents as falling under the scope of the complainant´s request, but granted access to only parts of two of those documents. In doing so it invoked exceptions provided for in the EU's rules on public access to documents, arguing notably that disclosure would undermine its internal decision-making process.
The Ombudsman’s inquiry team inspected the relevant documents and found that wider disclosure was unlikely to seriously undermine the EDPB´s decision-making process, given that it is already in the public domain that there were dissenting voices in the process of adopting the Guidelines. The EDPB had also not explained specifically how granting access to anonymised views of its members could lead to external pressure on them.
The Ombudsman therefore made a proposal for a solution to the EDPB that it reconsider its decision on the complainant´s request with a view to granting the widest possible access to the identified documents.
The EDPB reacted positively to the Ombudsman´s proposal and granted wider access to the requested documents, in line with the Ombudsman´s observations. The complainant was satisfied with the EDPB´s reply. The Ombudsman therefore closed the case.
Background to the complaint
1. The European Data Protection Board (EDPB) is composed of representatives of the EU national data protection authorities (National Supervisory Authorities, hereafter “NSAs”), and the European Data Protection Supervisor (EDPS). The EDPB issued Guidelines on the processing of personal data in the context of the provision of online services to data subjects (hereafter, ’the Guidelines’). The Guidelines are based on Article 6(1)(b) of the General Data Protection Regulation (GDPR), which .)foresees that processing of personal data shall be lawful (among other situations) when it “is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (emphasis added)”.
2. In August 2020, the complainant asked the EDPB to grant public access to “any document that relates to the issue of how and why the interpretation of Article 6(1)(b) of the GDPR was formed”.
3. The EDPB replied to the complainant in November 2021. It identified 11 documents as falling within the scope of the complainant´s request. It granted partial access to two of those documents, and denied access to the other nine. In refusing access to the documents, the EDPB invoked an exception provided for under the EU’s rules on public access to documents (Regulation 1049/2001), arguing that disclosure would “seriously undermine” its decision-making process. The EDPB considered that there was no overriding public interest in the disclosure of the documents.
4. Dissatisfied with the EDPB´s reply, the complainant turned to the Ombudsman on 24 February 2021.
The Ombudsman's proposal for a solution
5. The Ombudsman asked the EDPB to provide her with a copy of the documents at issue in the complainant´s request. The examination of the documents showed that it was in the public domain that there were two approaches to how to interpret the concept of “necessity” under Article 6(1)(b) of the GDPR among the different NSAs. . The final version of the Guidelines contained the more restrictive of the two interpretations.
6. The Ombudsman found it hard to understand the EDPB´s argument that its decision-making process could be seriously undermined by disclosing documents that “do not necessarily reflect the position of the EDPB as a whole”, given that it is already in the public domain that there were dissenting voices in the process of adopting the Guidelines. On the contrary, public debate about the possible interpretations considered by the EDPB is to be expected and indeed welcomed.
7. It was also not clear to the Ombudsman how disclosing the requested documents would give rise to undue external pressure on the different NSAs if their views were made public, as the EDPB had claimed. The EDPB had not demonstrated any specific risk or examples of such pressure being exerted. To this end, the Ombudsman noted that the complainant had stated that he would be satisfied with having access to the views of the NSAs in anonymised format. The EDPB had not explained specifically how granting access to anonymised views of the NSAs could lead to external pressure on them.
8. The Guidelines set out a legal interpretation of the GDPR that has a significant bearing on its application. Given the importance of the GDPR, the Ombudsman took the view that the public has an interest in knowing how an authoritative interpretation of its provisions was decided.
9. In light of the above, the Ombudsman proposed as a solution that the EDPB reconsider its decision on the complainant´s public access request with a view to granting the widest possible public access to the identified documents.
The Ombudsman's assessment after the proposal for a solution
10. In June 2021, the EDPB informed the Ombudsman that it had decided to revise its decision on the complainant’s request and it had granted wider access to the identified documents, in line with the Ombudsman´s observations. This included access to the NSAs’ opinions in an anonymised form. The Ombudsman welcomes the EDPB´s positive reply to her proposal.
11. The complainant has informed the Ombudsman that he is satisfied with the EDPB´s reply.
Based on the inquiry, the Ombudsman closes this case with the conclusion that a solution has been achieved.
The complainant and the EDPB will be informed of this decision.
 The supervisory authorities of the EFTA EEA States are also members with regard to GDPR-related matters but without the rights to vote and to be elected as chair or deputy chairs. The European Commission and - with regard to GDPR-related matters - the EFTA Surveillance Authority have the right to participate in the activities and meetings of the Board without voting rights. See https://edpb.europa.eu/
 Guidelines 2/2019 of the EDPB, available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Available at: https://eur-lex.europa.eu/eli/reg/2016/679/oj. Article 6 reads as follows:
“ Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: [...] (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; [...]
 Article 4(3) second paragraph of Regulation 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32001R1049