Chapter 2J: Supervision and enforcement Flashcards

1
Q

What is the role of the supervisory authority?

A

To represent the member state in the European Data Protection Board (EDPB)

Promote, monitor and force GDPR application

Protect fundamental human rights

Facilitate free flow of personal data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How does the supervisory authority represent its member state in the EDP?

A

By cooperating with other supervisory authorities and contributing to the EDPB.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

How does the supervisory authority promote, monitor and enforce GDPR application?

A

Promote awareness of its obligations, provide advice to controllers and processors and conduct investigations on GDPR application.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is the European Data Protection Board?

A

An independent European body that contributes to the consistent application of data protection rules throughout the EU and promotes cooperation between the EU’s data protection authority.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Who did the European Data Protection Board replace?

A

Working Party 29.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

How is the European Data Protection Board composed?

A

It’s made up of a chair, the European Data Protection Supervisor (specific voting rights), the EU European Commission (no voting rights) and the head of each of the 28 member state’s Data Protection Authority.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What does the EDPB use to ensure data protection consistency?

A

Binding decisions, guidelines, opinions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

How does the supervisory authority protect fundamental human rights?

A

Promote public awareness and understanding
Provide information to data subjects on request
Manage complaints (re: the member state)
Establish and maintain a list of processing operations subject to DPIAs
Draw up an annual report available to the public

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

How does the supervisory authority facilitate the free flow of personal data?

A

Encourage use of approved codes of conduct and certification mechanisms

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What powers does a supervisory authority have?

A

Investigative, corrective and authorisation and advisory

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What does the investigative power allow a supervisory authority to do?

A

Order access to processing information and obtain access to premises
Conduct data protection audits
Review certifications
Notify of alleged GDPR infringements

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What does the corrective power allow a supervisory authority to do?

A

Issue warnings and reprimands
Order compliance with a DSR
Order notification to a DS of breaches
Order rectification, restriction or erasure of data
Ban processing (temporarily or definitively) or suspend cross border transfers or withdraw certifications
Impose administrative fines

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What does the authorisation and advisory power allow a supervisory authority to do?

A

Provide advice, authorise processing of personal data
Approve draft codes, certification criteria and BCRs
Accredit certification bodies and issue certifications
Adopt standard data protection clauses and authorise contractual clauses

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Where cross-border processing occurs, how can the lead supervisory authority be identified?

A

For a single establishment - supervisory authority of the place of establishment

For multiple establishments - the place of the main establishment (central administration) unless decisions about processing happen elsewhere

If both controller and processor both involves in the processing, default to the controller’s lead SA.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What other supervisory authority procedures are in place?

A
Cooperation
Mutual assistance
Joint operations
Consistency mechanism
Dispute resolution
Urgency procedure
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the ‘cooperation between other supervisory authorities’ procedure?

A

Cooperation between the lead supervisory authority and other concerned supervisory authorities to reach a consensus

17
Q

What is the ‘mutual assistance’ procedure?

A

Provision of relevant information between supervisory authorities.

18
Q

What is the ‘joint operations of supervisory authorities’ procedure?

A

Working together, including for investigations and enforcement measures (of controllers or processors in several member states or of data subjects in more than one member state)

19
Q

What is the ‘consistency mechanism’ procedure?

A

Cooperation with the EDPB and the Commission for consistent application of the GDPR
and
Specific collaborative process between supervisory authorities, the commission and the EDPB for adopting certain measures

20
Q

What is the ‘dispute resolution’ procedure?

A

Supervisory authorities work on dispute resolution (if a decision is not jointly agreed upon by the supervisory authorities) and issuance of binding decisions

21
Q

What is the ‘urgency procedure’?

A

A procedure for the immediate adoption of provisional measures within a member state

22
Q

The EDPB is independent - true/false?

A

True.

23
Q

What tasks does the EDPB have?

A

Monitor for correct application of the GDPR
Advise the Commission via opinions on issues related to personal data protection
Examine questions and issue guidelines, recommendations and best practices
Reside over ‘one-stop’shop’
Provide dispute resolution
Publish annual reports

24
Q

How does the EDPS action supervision and enforcement?

A

Monitoring personal data processing of the EU bodies (Commission, Council, Parliament, etc.)
Checking processing operations that pose high risk to data subjects prior to processing
Dealing with complaints
Making inquiries
Consulting

25
Q

How does the EDPS action consultations?

A

Advising the community, intervening in cases before the court of justice

26
Q

How does the EDPS action cooperation?

A

Cooperating with supervisory authorities, supervisory data protection bodies (e.g. Europol)

27
Q

What is EDPS?

A

European Data Protection Supervisor

28
Q

What are the tasks of EDPS?

A
Supervision and enforcement
Consultation
Cooperation
Not a supervisory authority under the GDPR
But secretariat of the EDPB
Has oversight of Eurodac
29
Q

Remedies, liabilities and penalties are possible enforcement actions for…

A

Data subject rights
Liability of controllers / processors
Administrative fnes
Additional penalties

30
Q

Data subjects have the right to…

A

Lodge a complaint with a supervisory authority and a judicial remedy against a supervisory authority or controller/processor

31
Q

Re: liability, compensation may be awarded to…

A

individuals who suffer damages as a result of controllers and processors who have caused GDPR infringements

32
Q

Additional penalties may be given …

A

based on determination of penalties in addition to admin fees made by member states

33
Q

What administrative fines may be given?

A

High category - for infringement of principles, data subjects’ rights, cross-border data transfers, obligations of member state law or noncompliance with an SA’s order - 20mil euros or 4% of total turnover (where infringements are more substantive)

2nd category - for infringements of most other obligations - 10 mil euros or 2% of annual turnover, whichever is higher (where infringements tend to be more administrative)

34
Q

What does the amount of administrative fine depend on?

A
Nature, gravity and duration
Nature, scope and purposes of processing
Number of data subjects concerned
Level of damage
Intent or negligence
Previous infringements
Degree of responsibility
Degree of cooperation with SA
Categories of personal data
Manner of notification
Compliance with measures ordered by the supervisory authority
Adherence to approved codes of conduct/certification mechanisms
35
Q

What did WP29 say about administrative fines in their ‘guidelines on the application and setting of administrative fines’?

A

SAs will consider ‘nature, gravity and duration’
Some cases may only trigger a reprimand 9when does not pose significant risk or if it would impose a disproportionate burden on a natural person)

Consider size of fine -
Number involved, more affected, larger fine

Damage suffered

Purpose of processing (limitation and use)

Duration of infringement (intent or negligence - acting counter to DPO advice may be considered intentional)