Chapter 2J: Supervision and enforcement

Question 1

What is the role of the supervisory authority?

Answer 1

To represent the member state in the European Data Protection Board (EDPB)

Promote, monitor and enforce GDPR application

Protect fundamental human rights

Facilitate free flow of personal data

Question 2

How does the supervisory authority represent its member state in the EDP?

Answer 2

By cooperating with other supervisory authorities and contributing to the EDPB.

Question 3

How does the supervisory authority (SA) promote, monitor and enforce GDPR application?

Answer 3

Promote awareness of its obligations,
provide advice to controllers and processors and
conduct investigations on GDPR application.

Question 4

What is the European Data Protection Board?

Answer 4

An independent European body that contributes to the consistent application of data protection rules throughout the EU and promotes cooperation between the EU’s data protection authority.

Question 5

Who did the European Data Protection Board replace?

Answer 5

Working Party 29.

Question 6

How is the European Data Protection Board composed?

Answer 6

It’s made up of a chair, the European Data Protection Supervisor (specific voting rights),
the EU European Commission (no voting rights) and
the head of each of the 28 member state’s Data Protection Authority.

Question 7

What does the EDPB use to ensure data protection consistency?

Answer 7

Binding decisions,
guidelines,
opinions.

Question 8

How does the supervisory authority protect fundamental human rights?

Answer 8

Promote public awareness and understanding
Provide information to data subjects on request
Manage complaints (re: the member state)
Establish and maintain a list of processing operations subject to DPIAs
Draw up an annual report available to the public

Question 9

How does the supervisory authority facilitate the free flow of personal data?

Answer 9

Encourage use of approved codes of conduct and certification mechanisms

Question 10

What powers does a supervisory authority have?

Answer 10

Investigative, corrective and authorisation and advisory

Question 11

What does the investigative power allow a supervisory authority to do?

Answer 11

Order access to processing information and obtain access to premises
Conduct data protection audits
Review certifications
Notify of alleged GDPR infringements

Question 12

What does the corrective power allow a supervisory authority to do?

Answer 12

Issue warnings and reprimands
Order compliance with a DSR
Order notification to a DS of breaches
Order rectification, restriction or erasure of data
Ban processing (temporarily or definitively) or suspend cross border transfers or withdraw certifications
Impose administrative fines

Question 13

What does the authorisation and advisory power allow a supervisory authority to do?

Answer 13

Provide advice, authorise processing of personal data
Approve draft codes, certification criteria and BCRs
Accredit certification bodies and issue certifications
Adopt standard data protection clauses and authorise contractual clauses

Question 14

Where cross-border processing occurs, how can the lead supervisory authority be identified?

Answer 14

For a single establishment - supervisory authority of the place of establishment

For multiple establishments - the place of the main establishment (central administration) unless decisions about processing happen elsewhere

If both controller and processor both involves in the processing, default to the controller’s lead SA.

Question 15

What other supervisory authority procedures are in place?

Answer 15

Cooperation
Mutual assistance
Joint operations
Consistency mechanism
Dispute resolution
Urgency procedure

Question 16

What is the ‘cooperation between other supervisory authorities’ procedure?

Answer 16

Cooperation between the lead supervisory authority and other concerned supervisory authorities to reach a consensus

Question 17

What is the ‘mutual assistance’ procedure?

Answer 17

Provision of relevant information between supervisory authorities.

Question 18

What is the ‘joint operations of supervisory authorities’ procedure?

Answer 18

Working together, including for investigations and enforcement measures (of controllers or processors in several member states or of data subjects in more than one member state)

Question 19

What is the ‘consistency mechanism’ procedure?

Answer 19

Cooperation with the EDPB and the Commission for consistent application of the GDPR
and
Specific collaborative process between supervisory authorities, the commission and the EDPB for adopting certain measures

Question 20

What is the ‘dispute resolution’ procedure?

Answer 20

Supervisory authorities work on dispute resolution (if a decision is not jointly agreed upon by the supervisory authorities) and issuance of binding decisions

Question 21

What is the ‘urgency procedure’?

Answer 21

A procedure for the immediate adoption of provisional measures within a member state

Question 22

The EDPB is independent - true/false?

Answer 22

True.

Question 23

What tasks does the EDPB have?

Answer 23

Monitor for correct application of the GDPR
Advise the Commission via opinions on issues related to personal data protection
Examine questions and issue guidelines, recommendations and best practices
Reside over ‘one-stop’shop’
Provide dispute resolution
Publish annual reports

Question 24

How does the EDPS action supervision and enforcement?

Answer 24

Monitoring personal data processing of the EU bodies (Commission, Council, Parliament, etc.)
Checking processing operations that pose high risk to data subjects prior to processing
Dealing with complaints
Making inquiries
Consulting

Question 25

How does the EDPS action consultations?

Answer 25

Advising the community, intervening in cases before the court of justice

Question 26

How does the EDPS action cooperation?

Answer 26

Cooperating with supervisory authorities, supervisory data protection bodies (e.g. Europol)

Question 27

What is EDPS?

Answer 27

European Data Protection Supervisor

Question 28

What are the tasks of EDPS?

Answer 28

Supervision and enforcement
Consultation
Cooperation
Not a supervisory authority under the GDPR
But secretariat of the EDPB
Has oversight of Eurodac

Question 29

Remedies, liabilities and penalties are possible enforcement actions for…

Answer 29

Data subject rights
Liability of controllers / processors
Administrative fnes
Additional penalties

Question 30

Data subjects have the right to…

Answer 30

Lodge a complaint with a supervisory authority and a judicial remedy against a supervisory authority or controller/processor

Question 31

Re: liability, compensation may be awarded to…

Answer 31

individuals who suffer damages as a result of controllers and processors who have caused GDPR infringements

Question 32

Additional penalties may be given …

Answer 32

based on determination of penalties in addition to admin fees made by member states

Question 33

What administrative fines may be given?

Answer 33

High category - for infringement of principles, data subjects’ rights, cross-border data transfers, obligations of member state law or noncompliance with an SA’s order - 20mil euros or 4% of total turnover (where infringements are more substantive)

2nd category - for infringements of most other obligations - 10 mil euros or 2% of annual turnover, whichever is higher (where infringements tend to be more administrative)

Question 34

What does the amount of administrative fine depend on?

Answer 34

Nature, gravity and duration
Nature, scope and purposes of processing
Number of data subjects concerned
Level of damage
Intent or negligence
Previous infringements
Degree of responsibility
Degree of cooperation with SA
Categories of personal data
Manner of notification
Compliance with measures ordered by the supervisory authority
Adherence to approved codes of conduct/certification mechanisms

Question 35

What did WP29 say about administrative fines in their ‘guidelines on the application and setting of administrative fines’?

Answer 35

SAs will consider ‘nature, gravity and duration’
Some cases may only trigger a reprimand 9when does not pose significant risk or if it would impose a disproportionate burden on a natural person)

Consider size of fine -
Number involved, more affected, larger fine

Damage suffered

Purpose of processing (limitation and use)

Duration of infringement (intent or negligence - acting counter to DPO advice may be considered intentional)