EDPB Adopts Guidelines on Virtual Voice Assistants and Concepts of Controller and Processor
Publication: ZRVP
The EDPB has recently brought to the table extended guidelines that tackle GDPR compliance challenges.
Further developments of the data protection legislative context are envisaged by the European Data Protection Board (EDPB). In particular, attention has recently focused on guidelines which aim at clarifying the law and at promoting a common understanding of EU data protection laws.
These Guidelines identify some of the most relevant GDPR compliance challenges and provide practical guidance and interpretative assistance to relevant stakeholders on how to address them. The guidelines are general in scope, given that they cannot address every nuance and variable which may arise in the context of data protection, but they enable those to whom data protection rules apply to understand advanced, specific concepts.
In light of this, a final version of the Guidelines on Virtual Voice Assistants (VVA) has recently been adopted, after being updated in line with relevant comments received after the public consultation period.
Virtual voice assistants are technologies which can understand and execute user voice commands, and which are commonly associated with devices such as smartphones, tablets, and traditional computers. Although such apps bring many advantages, they are granted easy access to intimate information. Another identified potential flaw of VVAs lies in errors involving so-called "wake-up words", which can falsely activate listening even though the user has not said the keyword. The more services or features a VVA provides, and the more it is connected to other devices or services managed by other parties, the more personal data is processed and the more processing is repurposed.
The EDPB stresses the need to ensure a few mechanisms intended to protect data subjects' rights. Among the recommendations, VVA services must allow all users, registered and non-registered, to exercise their data subject rights using easy-to-follow voice commands. Moreover, VVA providers and developers should facilitate data subjects' control over their data through specific tools providing an effective and efficient way to exercise such rights.
The EDPB has also adopted a final version of the Guidelines on the Concepts of Controller and Processor which focus on explaining fundamental GDPR concepts backed up by specific scenarios.
GDPR's success is undisputed, as it has raised global awareness of the need to ensure protection of personal information. However, ensuring privacy as intended by the legal context should be further explained and developed in such a way as to avoid misunderstandings or simply an incorrect application of the applicable legal provisions.