Chapter 2J: Supervision and enforcement Flashcards
What is the role of the supervisory authority?
To represent the member state in the European Data Protection Board (EDPB)
Promote, monitor and enforce GDPR application
Protect fundamental human rights
Facilitate free flow of personal data
How does the supervisory authority represent its member state in the EDP?
By cooperating with other supervisory authorities and contributing to the EDPB.
How does the supervisory authority (SA) promote, monitor and enforce GDPR application?
Promote awareness of its obligations,
provide advice to controllers and processors and
conduct investigations on GDPR application.
What is the European Data Protection Board?
An independent European body that contributes to the consistent application of data protection rules throughout the EU and promotes cooperation between the EU’s data protection authority.
Who did the European Data Protection Board replace?
Working Party 29.
How is the European Data Protection Board composed?
It’s made up of a chair, the European Data Protection Supervisor (specific voting rights),
the EU European Commission (no voting rights) and
the head of each of the 28 member state’s Data Protection Authority.
What does the EDPB use to ensure data protection consistency?
Binding decisions,
guidelines,
opinions.
How does the supervisory authority protect fundamental human rights?
Promote public awareness and understanding
Provide information to data subjects on request
Manage complaints (re: the member state)
Establish and maintain a list of processing operations subject to DPIAs
Draw up an annual report available to the public
How does the supervisory authority facilitate the free flow of personal data?
Encourage use of approved codes of conduct and certification mechanisms
What powers does a supervisory authority have?
Investigative, corrective and authorisation and advisory
What does the investigative power allow a supervisory authority to do?
Order access to processing information and obtain access to premises
Conduct data protection audits
Review certifications
Notify of alleged GDPR infringements
What does the corrective power allow a supervisory authority to do?
Issue warnings and reprimands
Order compliance with a DSR
Order notification to a DS of breaches
Order rectification, restriction or erasure of data
Ban processing (temporarily or definitively) or suspend cross border transfers or withdraw certifications
Impose administrative fines
What does the authorisation and advisory power allow a supervisory authority to do?
Provide advice, authorise processing of personal data
Approve draft codes, certification criteria and BCRs
Accredit certification bodies and issue certifications
Adopt standard data protection clauses and authorise contractual clauses
Where cross-border processing occurs, how can the lead supervisory authority be identified?
For a single establishment - supervisory authority of the place of establishment
For multiple establishments - the place of the main establishment (central administration) unless decisions about processing happen elsewhere
If both controller and processor both involves in the processing, default to the controller’s lead SA.
What other supervisory authority procedures are in place?
Cooperation Mutual assistance Joint operations Consistency mechanism Dispute resolution Urgency procedure