Chapter 13 Supervision and Enforcement Flashcards
Who has the powers to exercise supervision and enforcement of GDPR?
Regulators, courts, markets, citizens, self-regulation schemes.
What is the meaning of self-regulation?
It's a tool of supervision and enforcement where controllers and processors (C&P) themselves control the application of appropriate processes, procedures and measures to protect personal data, rather than having them imposed by a regulator.
How is self-regulation introduced through GDPR?
- accountability
- DPOs
- CoC, certification schemes for DP seals and marks
- regulatory function of the Cs over the Ps, Ps over Sub-Ps
What shows a self-regulation role of the DPO?
They have a supervisory and enforcement role within the organisation:
- must be focused on compliance (monitoring compliance, advising on DPIAs)
- protected from dismissal or penalty for performing their tasks
- duty of cooperation with the DPA and to act as its contact point
Who can create CoC?
Representative bodies of Cs and Ps, e.g. industry associations.
A CoC may cover any aspect of DP compliance (e.g. fair processing, legitimate interests, pseudonymisation, breach notification).
Which body approves CoC?
DPA
Who monitors Cs&Ps for compliance to CoC?
A monitoring body accredited by the DPA.
It must prove independence and expertise and must avoid conflicts of interest.
It must have procedures in place for effective monitoring, for dealing with complaints, and for taking action against infringements (including suspending or excluding the C or P from the code).
Who issues seals and marks?
A certification body accredited by the DPA and/or the national accreditation body of the MS.
It must prove independence and expertise and must avoid conflicts of interest.
It must have procedures for issuing, reviewing and revoking seals and marks.
It must have procedures in place for effective monitoring, for dealing with complaints, and for taking action against infringements.
What are transnational codes?
Codes that relate to processing activities in more than one MS; they are subject to the consistency mechanism (the DPA submits the draft code to the EDPB for an opinion before approving it).
Forms of “regulation by the citizen” in GDPR
- regulating the C through the use of DS rights
- remedies for breach of obligations
- representative actions
- liability and compensation claims
- regulating the regulators
regulating the C through the use of DS rights
DS exercise their rights (access, rectification, erasure, objection, etc.) directly against the C. If DS are dissatisfied with their ability to exercise those rights, they can pursue administrative and judicial remedies.
Are DS required to first raise their concerns with the C?
No, they can directly pursue complaints and remedies before DPAs or courts.
remedies for breach of obligations
If DS consider their rights have been breached, they can pursue litigation in accordance with national law, complain to the regulator, or both.
Forum provisions for complaints before the DPA (Art. 77)
The DS may complain to the DPA of the MS of:
- the DS's habitual residence
- the DS's place of work
- the place where the alleged infringement took place
representative actions
Group litigation and class-action style proceedings under Art. 80 GDPR.
Individuals can mandate a not-for-profit body, organisation or association (e.g. civil society organisations, privacy advocates, pressure groups) that is active in the field of DP to lodge complaints and exercise remedies on their behalf.
MS may additionally allow such bodies to bring proceedings without an individual's mandate (Art. 80(2)).
liability and compensation claims
Claims under Art. 82 against Cs and Ps if the DS suffers damage as a result of an infringement.
Where several Cs or Ps are responsible for the same damage, each one responsible for any part of it can be held liable for the entire damage (to ensure full compensation), with a right to claim back from the others their share of the compensation.
Damage means both material and non-material damage (e.g. distress).
regulating the regulators
The DS has the right to an effective judicial remedy against the DPA (Art. 78) if the DPA has not dealt with their complaint, or has not informed them of the progress or outcome within 3 months.
Also, any individual or legal entity may challenge a legally binding decision of the DPA concerning them before a court (e.g. a corrective measure or sanction).
Who is responsible for administrative supervision and enforcement
The supervisory authority (SA), commonly called the DPA.
DPAs must be independent bodies (Art. 52).
MS must give them sufficient skills and resources (human, technical and financial) to do the job.
How are regulators embedded into national law making?
MS must consult the regulator during the preparation of proposed legislation or regulatory measures that relate to the processing of PD (Art. 36(4)).
What are regulators main tasks?
monitoring and enforcing GDPR
providing advice to parliaments and governments
promoting awareness and understanding of GDPR
handling complaints and carrying out investigations
supporting consistent implementation of GDPR - consistency mechanism
providing assistance and supporting EDPB
monitoring relevant developments insofar as they affect DP, in particular the development of information and communication technologies and of commercial practices
What is the role of DPAs in international transfers
Cs and Ps can obtain authorisation from the DPA to use their own (ad hoc) contractual clauses as a transfer mechanism.
Public authorities can seek authorisation of administrative arrangements between public bodies.
The DPA approves transfers based on BCRs.
All of these are subject to the consistency mechanism.
Can DPA charge the individuals?
No, the DPA's tasks are free of charge for the DS (and, where applicable, the DPO). Only where a request is manifestly unfounded or excessive (e.g. repetitive) may the DPA charge a reasonable fee based on its administrative costs, or refuse to act.
What are regulators powers
Investigative powers: the right to start investigations and to obtain access to all relevant documentation (subject to legal professional privilege and the privilege against self-incrimination); also the right to carry out audits and to inspect premises and processing equipment.
Corrective powers: warnings, reprimands, orders to comply with DS requests or bring processing into compliance, orders to limit or stop processing activities, and administrative fines.
Authorisation and advisory powers: CoC, certifications, marks and seals, international transfer mechanisms.
Litigation powers: the DPA can bring infringements to the attention of the courts and take legal proceedings against Cs and Ps (Art. 58(5)).
What is a consistency mechanism?
A mechanism (Art. 63) to contribute to the consistent application of GDPR across the EU by requiring DPAs to cooperate with each other and, where relevant, with the Commission, via the EDPB.
What are the competence rules for DPAs?
A DPA is competent for Cs and Ps established in its territory, and for Cs established elsewhere whose processing affects DS in the DPA's territory (e.g. a non-EU C caught by Art. 3(2)).
For cross-border processing, competence is channelled through the lead SA.
What is a one-stop-shop principle in supervision and enforcement?
In cases of cross-border processing a single lead SA is determined (the DPA of the main establishment), which acts as the sole interlocutor of the C or P and coordinates with the other concerned DPAs.
When do rules of cross-border processing not apply?
Where the processing is carried out by public authorities, or by private bodies, on the basis of a legal obligation, a task in the public interest or the exercise of official authority (Art. 6(1)(c) or (e)); there the DPA of that MS alone is competent.
One-stop shop - how to determine competence
Competence follows the location of the main establishment of the C or P. Processing is cross-border where:
1) the C or P is established in more than one MS and the processing takes place in the context of more than one establishment (multinational organisations)
2) there is a single establishment but the processing substantially affects, or is likely to substantially affect, DS in more than one MS (this captures organisations with only one establishment as well)
What is main establishment?
For a C: its place of central administration in the EU, unless the decisions on the purposes and means of the processing are taken in another establishment, in which case that establishment is the main one.
For a P: its place of central administration in the EU or, if it has none, the establishment where the main processing activities take place.
What triggers the battle of competence?
A non-lead authority decides to take action in a cross-border situation because a complaint relates only to an establishment in its territory, or the processing substantially affects individuals only in its territory (Art. 56(2)).
It must notify the lead authority, which then has 3 weeks to decide whether to handle the case itself; if it does, the cooperation procedure applies and the "battle of competence" is triggered.
Can a concerned DPA give reasoned objection against the lead authority draft decision?
Yes. The objection can concern the substantive findings on compliance, the imposition (or not) of a corrective measure, or the size of a fine, and must be made within 4 weeks of receiving the draft decision.
What can a lead authority do after receiving the reasoned objection?
Accept it: issue a revised draft decision, which the other DPAs either accept or meet with a further reasoned objection; the process carries on until the impasse is broken.
Reject it: the matter must be referred to the EDPB under the consistency mechanism (dispute resolution, Art. 65).
If no objections are made within the time limit, the DPAs are deemed to be in agreement and the draft decision becomes binding.
Who must be notified about the decision?
C or P
other DPAs
EDPB
individual in case of complaint
Explain mutual assistance and joint cooperation between DPAs
Art. 61(1) mandates that DPAs provide each other with relevant information and mutual assistance, including exchange of information.
A DPA can request assistance from another DPA; the request must contain sufficient information (purpose and reasons).
DPAs must have appropriate measures in place to respond without undue delay and no later than one month after receiving the request.
If the requested DPA does not provide the information within one month, the requesting DPA may adopt a provisional measure in its own territory, which in turn triggers the urgency procedure (Art. 66).
Joint operations (Art. 62) apply where the C or P has establishments in several MS, or where the processing substantially affects a significant number of DS in several MS; each such DPA has the right to participate and be properly represented in the joint investigation or enforcement work.
Who is represented in EDPB?
A chairperson (elected from among the members)
The head of one DPA from each MS
The European Data Protection Supervisor (EDPS)
The Commission is entitled to send a delegate to its meetings, without voting rights.
Who is responsible for Consistency mechanism?
EDPB
What are EDPB’s responsibilities?
Opinions (Art. 64): on DPIA lists, codes of conduct, certification criteria, BCRs and other international transfer mechanisms referred by DPAs, and on any matter of general application or affecting more than one MS.
Dispute resolution (Art. 65): where the lead authority rejects a reasoned objection; where DPAs disagree about which of them is competent; or where a DPA fails to refer its decision on DPIA lists, codes of conduct or international transfer mechanisms to the EDPB. The result is a binding decision.
What is an urgency procedure?
Where a DPA must take urgent action to protect the rights and freedoms of DS but there is not enough time to follow the cooperation procedure or consistency mechanism.
The DPA can adopt provisional measures in its own territory, valid for a specified period not exceeding 3 months.
It must communicate them, with reasons, to the other concerned DPAs, the EDPB and the Commission without delay.
At the end of the period the provisional measures lapse; if final measures are needed urgently, the DPA can request an urgent opinion or an urgent binding decision from the EDPB.
Can a non lead DPA utilize Art 58(5) - refer issues to the court or initiate or take part in legal proceeding where they are competent to regulate?
The one-stop shop has primacy, but a non-lead DPA can use Art. 58(5) where one of the carve-outs applies; before doing so it must first follow the cooperation and consistency rules in full.
What are the 2 carve-outs to the one-stop shop?
A non-lead DPA can regulate aspects of cross-border processing that concern only an establishment in its territory or that substantially affect DS only in its territory (the "local case" under Art. 56(2)).
Cases of urgency under Art. 66.
Which Article GDPR deals with fines?
Art 83
What fines can be imposed?
For non-undertakings (e.g. public authorities): up to 10 M EUR or 20 M EUR depending on the tier; MS may set their own rules on whether and to what extent public authorities can be fined (Art. 83(7)).
For undertakings (e.g. companies): up to 10 M EUR or 2% of total worldwide annual turnover of the preceding financial year (lower tier), or up to 20 M EUR or 4% of that turnover (higher tier), in each case whichever is higher.
Lesser breaches (lower tier, Art. 83(4))
child consent
DP by design/default
engagement of processors by controllers
records of processing
cooperation with regulators
security
breach notification
DPIAs
DPOs
Codes of Conduct
Certification
Higher breaches (higher tier, Art. 83(5))
Data protection principles
lawfulness of processing
consent
processing of special category data
DS rights
international transfers
failure to comply with an order or limitation imposed under the DPA's corrective powers, or failure to provide access under its investigative powers
What is the requirement for the fines?
Fines must be effective, proportionate and dissuasive in each individual case.
They can be imposed in addition to, or instead of, the exercise of the DPA's investigatory and corrective powers.
Serious breaches can therefore be met with multiple responses (e.g. a fine plus an order to stop processing).
What is the total amount of the fine?
Where the same or linked processing operations infringe several provisions, the total fine cannot exceed the amount specified for the gravest breach (Art. 83(3)).
Each breach still needs a particular quantum assigned to it before the cap is applied.
Circumstances that SA must consider before imposing a fine
Nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing, the number of DS affected and the level of damage suffered by them
Whether the infringement was intentional or negligent
Any action taken by the C or P to mitigate the damage suffered by DS
Degree of responsibility of the C or P, taking into account the technical and organisational (T&O) measures implemented
Any relevant previous infringements
Degree of cooperation with the SA to remedy the infringement and mitigate its adverse effects
Categories of PD affected
The manner in which the infringement became known to the SA (in particular whether, and to what extent, the C or P notified it)
Where measures have previously been ordered against the C or P for the same subject matter, compliance with those measures
Adherence to approved codes of conduct or certification mechanisms
Any other applicable aggravating or mitigating factor, e.g. financial benefits gained or losses avoided through the infringement
What is a definition of an undertaking
A concept borrowed from EU competition law: any entity engaged in economic (commercial) activity, regardless of its legal form, i.e. typically companies.
Excludes entities not engaged in economic activity, e.g. public authorities exercising public powers and non-commercial unincorporated associations.
What are the rules for fine calculation for the companies that form a part of a group?
A group company can be fined up to the maximum percentage of its own turnover, or of the whole group's turnover where the group companies are effectively acting together or in concert as one undertaking (a single economic unit, regardless of separate legal personality). The presumption that a parent and its subsidiary form one economic unit can be rebutted by evidence.
According to WP29 guidelines, when can a reprimand replace a fine?
In the case of a minor infringement, i.e. one that does not pose a significant risk to the DS's rights or go to the essence of the obligation in question.
Where a fine would constitute a disproportionate burden on a C who is a natural person.
Must there be a causal connection btw. the breach and the suffering of material loss?
No. For the purpose of imposing a fine, the DPA is not obliged to establish a causal connection between the breach and any material loss; the infringement itself is sufficient.
What is an intentional breach?
It involves both knowledge and wilfulness in relation to the characteristics of the offence, e.g. processing explicitly authorised by senior management, carried out despite the DPO's advice, or in disregard of the organisation's own policy.
EDPB guidelines on the calculation of fines - five-step process
1) Identify the processing operations concerned and evaluate whether they are the same or linked (determining whether Art. 83(3) caps the total fine)
2) Identify the starting point for calculating the fine, based on the classification of the infringement (lower or higher tier), its seriousness, and the turnover of the undertaking
3) Consider the aggravating and mitigating circumstances of Art. 83(2)
4) Establish the applicable legal maximum for the infringement(s) and ensure the fine does not exceed it
5) Check that the final fine is effective, proportionate and dissuasive, adjusting it if necessary
What fines can be imposed in case of linked and in case of separate processing operations
Same or linked processing operations = one single fine, subject to the legal maximum for the gravest infringement
Separate processing operations = separate fines, which in aggregate can exceed that legal maximum
Supervision and enforcement in LED
The Law Enforcement Directive mirrors the GDPR provisions, except that there is no lead authority (one-stop shop) concept and no administrative fines are set at EU level; penalties are left to MS law.