Presentation at Data protection in the Western Balkans and the Eastern Partnership Region. High-level exchange and learning week organised by SIGMA, GIZ, RCC and ReSPA.

1. EUROPEAN
DATA
PROTECTION
SUPERVISOR
The EU’s independent data
protection authority
Data-protection in the
Western Balkans and Eastern
Partnership Region
EDPS Technology &
Privacy unit
Massimo ATTORESI
Deputy Head of T&P unit
19 September 2023

2. 2
A bit about the TP unit: our story
2012 2019 2023
Technology Sector
created
2 people
Our Composition and Expertise –Multidisciplinarystaff with focus on technologicaland
scientific research
Expertise in Telecommunications, Computer engineering, Computer science, Physics, Auditing,
Information security etc.
Technology sector
becomes Technology
and Privacy unit
8 people
Technology
unit grows
to 15 people

3. Technology & Privacy Unit
3
The Supervisor
Secretary/General
Cabinet
Supervision &
Enforcement
Policy &
Consultation
Technology
& Privacy
Governance
& Internal
Compliance
Information &
Communication
HR, Budget &
Administration
EDPB
Secretariat

4. 4
What T&P Unit does?
Support functions
SupportPolicy and Consultation Unit
in technologicial matters (informal-formal Consultations, Opinions). Participation
in EDPB subgroups, international fora (GPA, Spring Conference, int. organisations)
Direct Attributions
SupportSupervision and EnforcementUnit
in technological matters (prior consultations, mainly in AFSJ, joint
Audits/Investigations, Complaints). In a few cases, with high technological focus,
TP is on the lead.
Supportour Director in Security Functions
LSO and LISO Functions.
Technology monitoring & foresight
Techsonar, TechDispatch, IPEN organisation, preparation guidelines specific topics, training
in PETS, collaboration with other organisations in technology matters ( in the EU, such as
ENISA, international, such as IWGDPT/Berlin Group), support Supervisor & Sec Gen
Technology and
Privacy Unit
IT function
EDPS own IT needs as an institution: IT Strategy, IT Governance, Local IT support. Own
systems, NextCloud, EuVideo-Voice, PKI infrastructure. Auditing tolos such as WEC,
mobile apps lab.
IT Audits
Mainly in the context of Large Scale IT Systems and Coordinated Supervision.
Data Breach Notification Handling

5. 6
How are we organised?
Management
Luis Velasco (HoU)
Massimo Attoresi (DHoU)
Technology Monitoring and Foresight Sector
System Oversight and Technology Audits
Digital Transformation
• IRM – IT Governance
• ICDT
• IT Strategy, IT Feasibility Study
• SLA EP
• Local IT function
• Innovation Projects
• IT audits on Large Scale IT systems
• Other IT audits outside ASFJ area
• Data breach notifications, DBN
Guidelines and DBN system
• Expertise in AFSJ including support
the other two sectors and to P&C,
S&E and EDPB
• DPO meetings
• Technological expertise including support
the other two sectors and to PC and SE in
the rest of topics, Digital Euro, Cloud, AI,
Blockchain, Surveillance, Finance, Health,
eGovernment, Data Spaces....
• Guidelines on technology topics
• Foresight activities. TechSonar &
TechDispatch
• Contributions to EDPB in topics above
• IPEN Organisation
• Berlin Group, GPA....

6. 7
Personal Data Breaches
• “a breach of security leading to the accidental unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed”
EUDPR Art. 3(16)

7. 8
Personal Data Breaches
Root causes of
personal data breaches
2019-2022

8. 9
Our topics of interest

9. 10
Technology Monitoring & Foresight

10. 11
Technology Monitoring: TechSonar
(Foresight dimension)
TechSonar aims to anticipate emerging
technology trends: the main aim of this
initiative is to better understand future
developments in the technology sector from a
data protection perspective.

11. 12
Technology Monitoring: TechDispatch
Smart speakers Connected Cars Contact Tracing
with Apps
Quantum
Computing
Facial Emotion
Recognition
Card Based
Systems
Federated Social
Media Platforms
TechDispatch provides factual descriptions
of a new technology, preliminarily assesses
possible impacts on privacy and the
protection of personal data, as we
understand them now, and provides links to
further recommended reading.

12. 13
Technology Monitoring: IPEN network
The purpose of exchange with Academia and
Engineers in the IPEN Network is to bring
together developers and data protection experts
with a technical background from different
areas in order to launch and support projects
that build privacy into everyday tools and
develop new tools that can effectively protect
and enhance our privacy.
IPEN2023 – Explainable AI
IPEN2022 - CBDC
IPEN2022 - DigitalIdentity
IPEN2021 - Pseudonymisation
IPEN2021 SyntheticData Webinar
IPEN2020 - Contact Tracing Apps webinar
IPEN2020 - Encryption webinar
IPEN2020 - Online Workshop
IPEN2020 - Panel on Web Tracking
IPENWorkshop 2019 - Rome
IPENData Protection Day Workshop 2019
IPENWorkshop 2018 - Barcelona
IPENWorkshop 2017 - Vienna
IPENWorkshop 2016 - Frankfurt
IPENWorkshop 2015 - Leuven
IPENWorkshop 2014 – Berlin

13. • Guidelineson personal data and electronic communicationsin the EU institutions
(eCommunicationsguidelines)
• Guidelineson Personal Data BreachNotification
• IT governanceand IT management
• Guidelineson the use of cloud computing services by the Europeaninstitutions and
bodies
• Mobile Devices
• Mobile Applications
• Web Services
• Security Measures for Personal Data Processing
14
Technology & Privacy – EDPS Guidelines

14. 15
The Web is watching you:
Watch back with the “WEC”

15. 16
Various Compliance Tools for Website
Controllers
Cloud Solutions
• Qualys SSL Labs (HTTPS check)
• Cookiebot (Cookiecheck)
• PrivacyScore, Webbkoll
(Cookies, HTTPS, etc.)
• OneTrust (Cookiecheck)
Problems
• no scans in intranets
• confidentiality or compliance issues
• transparency, reproducibility of the cloud solution
On-Premise Solutions
• OpenWPM by Mozilla
• WebXray
• Developer Toolbar
(Firefox and Chrome)
• Website Evidence Collector
bytheEDPS
• Website Evidence Collector
by the EDPS

16. 17
Website Evidence Collector (WEC)
from the EDPS
Features
• automated, reproducible evidence collection
• records screenshots, cookies, traffic,
potential web beacons, HTTPS security
• no legal judgements: data protectionlaw agnostic
Output
• machine- and human-readable output
• with many details to identify tracking issues

17. 18
Digital Sovereignty – EDPS Fediverse
pilots
• EDPS launched on 28 April 2022 Fediverse pilot
and invites other EU institutions to participate.
• EU Voice powered by Mastodon with
35 accounts of EU institutions, bodies, agencies
https://social.network.europa.eu
• EU Video powered by Peertube with
about 6 accounts
https://tube.network.europa.eu(originally EU Tube)
...and an ongoing Pilot on a sovereign Cloud - NextCloud collaborationtools

18. T&P unit follows closely EU legislative developments with a significant technology
dimension. Files include:
• The ArtificialIntelligence Act (AIA)
• Digital Services Act (DSA), the Digital Markets Act (DMA), the Data
Governance Act (DGA) and the Data Act
• Regulation as regards establishing a framework for a European Digital Identity
• Digital Euro joint Opinion with the EDPB
• Regulation laying down rules to prevent and combat child sexual abuse
• Regulation on the digitalisationof the visa procedure
• Directiveon informationexchange between law enforcement authorities of
Member States
19
Legislative proposals followed by T&P

19. 20
Collaboration with EDPB and EDPB
secretariat
• Interface with the European Parliament for the provisionof general basic services
to all the EDPS units including the EDPB Secretariat
• Collaborationwith EDPB Secretariat in the organisation of the Website Audit
BootCamp
• Participationin the EDPB “ChatGPT taskforce”
• Management of projects using EDPB Expert pool of experts in the field of
ArtificialIntelligence.
• Collaborationin TECH subgroup within the EDPB. Co-rapporteurs in multiple
documents such pseudo-anonymisation, blockchain, ....
• Supervision of Large Scale IT Systems and contributionto the Coordianted
Supervision Committee

20. 21
Artificial Intelligence & AI Act
• EDPS has been identifying and assessing AI risks under
GDPR/EUDPR
• AI Act identifies the EDPS as the AI competent authority for
the EU institutions
• Preparations will start to understand our tasks, interaction
with MSs national competent and market authorities,
interaction with applicable data protectionlaw, the role of
« regulatory sandboxes »

21. @EU_EDPS
European Data
Protection Supervison
EDPS
The EU’s independent data
protection authority
EUROPEAN
DATA
PROTECTION
SUPERVISOR
Some icons from https://www.flaticon.com/
Word cloud created in https://wordart.com