Chapter 13 Supervision and Enforcement Flashcards

1
Q

Who has the powers to exercise supervision and enforcement of GDPR?

A

Regulators, courts, markets, citizens, self-regulation schemes.

2
Q

What is the meaning of self-regulation?

A

It is a tool of supervision and enforcement in which controllers and processors (C&P) themselves control the application of appropriate processes, procedures and measures to protect personal data.

3
Q

How is self-regulation introduced through GDPR?

A
  • accountability
  • DPOs
  • codes of conduct (CoC) and certification schemes for DP seals and marks
  • regulatory function of controllers (Cs) over processors (Ps), and of processors over sub-processors
4
Q

What shows a self-regulation role of the DPO?

A

They have a supervisory and enforcement role within the organisation:
- their tasks are focused on monitoring compliance
- they cannot be dismissed or penalised for performing their tasks
- duty of cooperation with the DPA and acting as its contact point

5
Q

Who can create CoC?

A

Representative bodies of controllers and processors (Cs and Ps), e.g. industry associations.
A CoC may cover any aspect of DP compliance.

6
Q

Which body approves CoC?

A

DPA

7
Q

Who monitors Cs&Ps for compliance to CoC?

A

A monitoring body accredited by the competent DPA.
It must prove independence and expertise and must avoid conflicts of interest.
It must have procedures in place for effective monitoring, for dealing with complaints and for taking action against infringements.

8
Q

Who issues seals and marks?

A

A certification body accredited by the DPA or by the national accreditation body of the MS.

It must prove independence and expertise and must avoid conflicts of interest.
It must have procedures for issuing, reviewing and revoking seals and marks.
It must have procedures in place for effective monitoring, for dealing with complaints and for taking action against infringements.

9
Q

What are transnational codes?

A

Codes that relate to processing activities in at least 2 MS; they are subject to the consistency mechanism (EDPB opinion) before approval.

10
Q

Forms of “regulation by the citizen” in GDPR

A
  • regulating the controller (C) through the use of data subject (DS) rights
  • remedies for breach of obligations
  • representative actions
  • liability and compensation claims
  • regulating the regulators
11
Q

regulating the C through the use of DS rights

A

If DSs are dissatisfied with their ability to exercise their rights, they can pursue administrative (DPA) and judicial (court) remedies.

12
Q

Are DS required to first raise their concerns with the C?

A

No, they can directly pursue complaints and remedies before DPAs or courts.

13
Q

remedies for breach of obligations

A

If DSs consider their rights have been breached, they can pursue litigation in accordance with national law, complain to the regulator, or both.

14
Q

Forum provisions for complaints before the DPA

A

DS’s place of habitual residence
DS’s place of work
place where the alleged infringement took place

15
Q

representative actions

A

Group litigation / class actions under Art. 80 GDPR.
Individuals can mandate a not-for-profit body (civil society organisations, privacy advocates, pressure groups) to lodge complaints and exercise remedies on their behalf.
MS may allow such bodies to bring proceedings without an individual mandate (Art. 80(2)).

16
Q

liability and compensation claims

A

Against Cs and Ps if a DS suffers damage as a result of an act of non-compliance.
Where more than one C or P is responsible for the same damage, each one can be held liable for the entire damage (joint and several liability), with a right of recourse against the others for their share.

Damage means both material and non-material damage (e.g. distress).

17
Q

regulating the regulators

A

A DS has the right to an effective judicial remedy against the DPA if the DPA has not dealt with their complaint, or has not informed them of the progress or outcome within 3 months.
Also, any natural or legal person can challenge a legally binding decision of the DPA concerning them (e.g. a corrective measure or sanction) before a court.

18
Q

Who is responsible for administrative supervision and enforcement

A

Supervisory authority (SA), also called DPA
independent bodies
must be given sufficient skills (human, technical and financial resources) to do the job

19
Q

How are regulators embedded into national law making?

A

MS must consult the regulator (R) during the preparation of proposed legislation or regulatory measures relating to the processing of personal data (PD).

20
Q

What are regulators main tasks?

A

monitoring and enforcing GDPR
providing advice to parliaments and governments
promoting awareness and understanding of GDPR
handling complaints and carrying out investigations
supporting consistent implementation of GDPR - consistency mechanism
providing assistance to other DPAs and supporting the EDPB
monitoring relevant developments, in particular in information and communication technologies and commercial practices

21
Q

What is the role of DPAs in international transfers

A

authorise C&P to use their own (ad hoc) contractual clauses for transfers
authorise administrative arrangements between public authorities
approve binding corporate rules (BCRs)
all subject to the consistency mechanism

22
Q

Can DPA charge the individuals?

A

No: the DPA's tasks are free of charge for the DS. The exception is a reasonable fee based on administrative costs (or a refusal to act) for manifestly unfounded or excessive requests.

23
Q

What are regulators powers

A

Investigative powers: right to start an investigation and to access all relevant documentation (excluding material covered by legal professional privilege and the privilege against self-incrimination); also right to carry out audits and to inspect premises and processing equipment.

Corrective powers: warnings and reprimands, orders to comply or to stop (or restrict) processing activities, suspension of data flows, financial penalties.

Authorisation and advisory powers: CoC, certifications, marks & seals, international transfers.

Litigation powers: can take legal proceedings against C&P.

24
Q

What is a consistency mechanism?

A

It contributes to the consistent application of the GDPR by requiring DPAs to cooperate with each other and, where relevant, with the Commission.

25
Q

What are the competence rules for DPAs?

A

A DPA is competent for Cs and Ps established in its territory, and for Cs established elsewhere if the processing affects DSs in the DPA's territory.

Cross-border processing - a lead SA is determined.

26
Q

What is a one-stop-shop principle in supervision and enforcement?

A

Lead SA is determined in case of cross-border processing

27
Q

When do rules of cross-border processing not apply?

A

Processing by public authorities, or by private bodies processing in accordance with a legal obligation, in the public interest or in the exercise of official authority; only the DPA of the MS concerned is competent.

28
Q

One-stop shop - how to determine competence

A

The location of the main establishment of the C or P, in one of two situations:

1) the C or P is established in more than one MS and the processing takes place in the context of more than one establishment (multinational organisations)
2) a single establishment, but the processing substantially affects DSs in more than one MS (multinational organisations and organisations with only one establishment)

29
Q

What is main establishment?

A

For a C: its place of central administration in the EU, unless the decisions on the purposes and means of processing are taken in another establishment that has the power to implement them (then that establishment is the main establishment).
For a P: its place of central administration in the EU, or, if it has none, the establishment where the main processing activities take place.

30
Q

What triggers the battle of competence?

A

A non-lead authority decides to take action in a cross-border situation because the complaint relates only to an establishment in its territory or substantially affects individuals only in its territory.
It must notify the lead authority, which then has three weeks to decide whether it will handle the case itself; this is the "battle of competence".

31
Q

Can a concerned DPA give reasoned objection against the lead authority draft decision?

A

Yes; it can concern the substantive findings on compliance, the imposition of a corrective measure, or the size of a fine.

32
Q

What can a lead authority do after receiving the reasoned objection?

A

Accept it: issue a revised draft decision, which the other DPAs have two weeks to accept or to object to again; a further reasoned objection sends the matter to the consistency mechanism.
Reject it: must submit the matter to the consistency mechanism (EDPB dispute resolution, binding decision).

If no objections are made within the deadline, the DPAs are deemed to be in agreement and the draft decision is binding.

33
Q

Who must be notified about the decision?

A

C or P
other DPAs
EDPB
individual in case of complaint

34
Q

Explain mutual assistance and joint cooperation between DPAs

A

Art 61(1) mandates cooperation and exchange of information.
A DPA can send a request for assistance containing sufficient information.
DPAs must have appropriate measures in place to provide assistance without undue delay and no later than one month after receiving the request.
If the receiving DPA does not provide the assistance within that month, the requesting DPA can adopt a provisional measure in its own territory, which in turn triggers the urgency procedure.

Joint operations apply where the C/P is established in multiple territories or where processing activities substantially affect a significant number of individuals in multiple territories; the DPAs concerned have the right to be properly represented in the supervisory and enforcement work.

35
Q

Who is represented in EDPB?

A

Chair (elected by the EDPB from among its members)
the head of one DPA of each MS
the European Data Protection Supervisor (EDPS)
the Commission is entitled to send a delegate to its meetings, without voting rights

36
Q

Who is responsible for Consistency mechanism?

A

EDPB

37
Q

What are EDPB’s responsibilities?

A

Opinions - on DPIA lists, codes of conduct and international transfer mechanisms referred by DPAs.
Dispute resolution - where the lead authority rejects a reasoned objection; where DPAs dispute who is competent; where a DPA fails to refer its decisions on DPIA lists, codes of conduct or international transfer mechanisms. The result is a binding decision.

38
Q

What is an urgency procedure?

A

A DPA must take urgent action to protect the rights and freedoms (R&F) of individuals, but there is not enough time for the cooperation procedure or the consistency mechanism.
The DPA can adopt provisional measures valid for at most 3 months.
The DPA must communicate them, with reasons, to the concerned DPAs, the EDPB and the Commission.
At the end of the 3 months the provisional measures lapse; the DPA can request an urgent opinion or an urgent binding decision from the EDPB.

39
Q

Can a non-lead DPA use Art 58(5) - refer issues to a court or initiate or take part in legal proceedings where it is competent to regulate?

A

The one-stop-shop has primacy, but the DPA can use Art 58(5) if a carve-out applies; it must first follow the cooperation and consistency rules in full.

40
Q

What are the 2 carve-outs to the one-stop shop?

A

A non-lead DPA can regulate aspects of cross-border processing that concern only an establishment in its territory or that substantially affect DSs only in its territory.

Cases of urgency (urgency procedure).

41
Q

Which Article GDPR deals with fines?

A

Art 83

42
Q

What fines can be imposed?

A

10 M EUR or 20 M EUR for non-undertakings (e.g. public authorities).
10 M EUR or 2% of total worldwide annual turnover of the preceding financial year, or 20 M EUR or 4% of that turnover, whichever is higher, for undertakings (e.g. companies).

43
Q

Lesser breaches

A

child consent
DP by design/default
engagement of processors by controllers
records of processing
cooperation with regulators
security
breach notification
DPIAs
DPOs
Codes of Conduct
Certification

44
Q

Higher breaches

A

Data protection principles
lawfulness of processing
consent
processing of special category data
DS rights
international transfers
failure to comply with DPAs investigatory or corrective powers

45
Q

What is the requirement for the fines?

A

Effective, proportionate and dissuasive.
They can be imposed instead of, or in addition to, the exercise of the DPA's investigatory and corrective powers.
Serious breaches can be met with multiple responses.

46
Q

What is the total amount of the fine?

A

For the same or linked processing operations it cannot exceed the amount specified for the most serious breach.
Each breach will still need a particular quantum assigned to it.

47
Q

Circumstances that SA must consider before imposing a fine

A

Nature, gravity and duration of the infringement taking into account the nature, scope or purpose of processing, number of DSs and the level of damage suffered by them

intentional or negligent

any action taken to mitigate the damage

degree of C’s or P’s responsibility taking into account T&O measures implemented

any relevant previous infringements

degree of cooperation with SA

categories of PD

how the infringement became known to the SA (e.g. notification by the C or P)

if any previous measures have been ordered against P or C with regard to the same subject matter, compliance with those measures

adherence to approved codes of conduct or certification mechanisms

any other applicable aggravating or mitigating factor

48
Q

What is a definition of an undertaking

A

An entity engaged in economic (commercial) activities, i.e. companies.
Excludes public authorities and unincorporated associations.

49
Q

What are the rules for fine calculation for the companies that form a part of a group?

A

A company could be fined up to the maximum percentage of its individual turnover, or of the group's turnover if the group companies are effectively acting together or in concert as one undertaking (as an economic unit, regardless of legal entities); this presumption can be rebutted by evidence.

50
Q

According to WP29 guidelines, when can a reprimand replace a fine?

A

In the case of minor infringements (the infringement does not pose a significant risk to DS rights or to the essence of the obligation in question).
Also where a fine would constitute a disproportionate burden on a C who is a natural person.

51
Q

Must there be a causal connection between the breach and the suffering of material loss?

A

No, for the purpose of imposing a fine the DPA is not obliged to establish a causal connection.

52
Q

What is an intentional breach?

A

It includes knowledge and wilfulness in relation to the offence, e.g. processing explicitly authorised by management, done despite the DPO's advice, or done in disregard of policy.

53
Q

EDPB guidelines on the calculation of fines - five-step process

A

1) The processing operations must be identified and evaluated (same, linked or separate operations)
2) The starting point for calculating the fine must be identified - classification and seriousness of the infringement, and turnover of the undertaking
3) Aggravating and mitigating factors must be considered
4) The applicable legal maximum of the fine must be established
5) The fine must be effective, proportionate and dissuasive

54
Q

What fines can be imposed in case of linked and in case of separate processing operations

A

Linked processing operations = one single fine, capped at the legal maximum for the gravest infringement.
Separate processing operations = separate fines, which in aggregate can exceed the legal maximum for a single infringement.

55
Q

Supervision and enforcement in LED

A

The Law Enforcement Directive (LED) mirrors the GDPR provisions, except for the absence of the lead authority (one-stop-shop) concept and of administrative financial penalties.