Opinion of the European Data Protection Supervisor on the legislative proposals on alternative and online dispute resolution for consumer disputes.
On 6 December 2011, the EDPS received the proposals for alternative dispute resolution for consumer disputes (ADR) and online dispute resolution for consumer disputes (ODR) for consultation.
This Opinion aims at analysing the provisions on processing of personal data in the proposals.
It will focus on the ODR proposal, as it involves a centralised processing of personal data related to disputes through an online platform.
The EDPS welcomes the fact that data protection principles have been integrated in the text, in particular as regards the purpose and access limitation, the limitation of the retention period and the security measures. However, he recommends:
- clarifying the responsibilities of the controllers and informing data subjects accordingly: the legislative part of the ODR proposal should specify at least to which of the controllers data subjects should address their requests of access, rectification, blocking and erasure; and which controller would be accountable in case of specific breaches of the data protection legislation (for example, for security breaches). Data subjects should also be informed accordingly;
- clarifying the limitation of access rights: the EDPS welcomes these limitations of the purpose and the access rights. However, it is not clear whether all ODR facilitators (at least 54) will have access to personal data related to all the disputes. He recommends clarifying that every ODR facilitator will have access only to the data needed to fulfil his or her obligations under the Regulation;
- complementing the provisions on security: the EDPS recommends adding also a reference to the need to conduct a privacy impact assessment (including a risk assessment) and to the fact that compliance with data protection legislation and data security should be periodically audited and reported. Furthermore, he recalls that the development of IT tools for the establishment of the ODR platform should integrate privacy and data protection from the very early design stage (privacy by design), including the implementation of tools enabling users to better protect personal data (such as authentication and encryption);
- mentioning the need to consult the EDPS on delegated and implementing acts related to the processing of personal data.
The EDPS would also like to stress that the processing of personal data in the framework of the ODR platform may be subject to prior checking by the EDPS and by national data protection authorities.