Chapter 2J: Supervision and enforcement Flashcards
What is the role of the supervisory authority?
To represent the member state in the European Data Protection Board (EDPB)
Promote, monitor and enforce GDPR application
Protect fundamental human rights
Facilitate free flow of personal data
How does the supervisory authority represent its member state in the EDP?
By cooperating with other supervisory authorities and contributing to the EDPB.
How does the supervisory authority (SA) promote, monitor and enforce GDPR application?
Promote awareness of its obligations,
provide advice to controllers and processors and
conduct investigations on GDPR application.
What is the European Data Protection Board?
An independent European body that contributes to the consistent application of data protection rules throughout the EU and promotes cooperation between the EU’s data protection authority.
Who did the European Data Protection Board replace?
Working Party 29.
How is the European Data Protection Board composed?
It’s made up of a chair, the European Data Protection Supervisor (specific voting rights),
the EU European Commission (no voting rights) and
the head of each of the 28 member state’s Data Protection Authority.
What does the EDPB use to ensure data protection consistency?
Binding decisions,
guidelines,
opinions.
How does the supervisory authority protect fundamental human rights?
Promote public awareness and understanding
Provide information to data subjects on request
Manage complaints (re: the member state)
Establish and maintain a list of processing operations subject to DPIAs
Draw up an annual report available to the public
How does the supervisory authority facilitate the free flow of personal data?
Encourage use of approved codes of conduct and certification mechanisms
What powers does a supervisory authority have?
Investigative, corrective and authorisation and advisory
What does the investigative power allow a supervisory authority to do?
Order access to processing information and obtain access to premises
Conduct data protection audits
Review certifications
Notify of alleged GDPR infringements
What does the corrective power allow a supervisory authority to do?
Issue warnings and reprimands
Order compliance with a DSR
Order notification to a DS of breaches
Order rectification, restriction or erasure of data
Ban processing (temporarily or definitively) or suspend cross border transfers or withdraw certifications
Impose administrative fines
What does the authorisation and advisory power allow a supervisory authority to do?
Provide advice, authorise processing of personal data
Approve draft codes, certification criteria and BCRs
Accredit certification bodies and issue certifications
Adopt standard data protection clauses and authorise contractual clauses
Where cross-border processing occurs, how can the lead supervisory authority be identified?
For a single establishment - supervisory authority of the place of establishment
For multiple establishments - the place of the main establishment (central administration) unless decisions about processing happen elsewhere
If both controller and processor both involves in the processing, default to the controller’s lead SA.
What other supervisory authority procedures are in place?
Cooperation Mutual assistance Joint operations Consistency mechanism Dispute resolution Urgency procedure
What is the ‘cooperation between other supervisory authorities’ procedure?
Cooperation between the lead supervisory authority and other concerned supervisory authorities to reach a consensus
What is the ‘mutual assistance’ procedure?
Provision of relevant information between supervisory authorities.
What is the ‘joint operations of supervisory authorities’ procedure?
Working together, including for investigations and enforcement measures (of controllers or processors in several member states or of data subjects in more than one member state)
What is the ‘consistency mechanism’ procedure?
Cooperation with the EDPB and the Commission for consistent application of the GDPR
and
Specific collaborative process between supervisory authorities, the commission and the EDPB for adopting certain measures
What is the ‘dispute resolution’ procedure?
Supervisory authorities work on dispute resolution (if a decision is not jointly agreed upon by the supervisory authorities) and issuance of binding decisions
What is the ‘urgency procedure’?
A procedure for the immediate adoption of provisional measures within a member state
The EDPB is independent - true/false?
True.
What tasks does the EDPB have?
Monitor for correct application of the GDPR
Advise the Commission via opinions on issues related to personal data protection
Examine questions and issue guidelines, recommendations and best practices
Reside over ‘one-stop’shop’
Provide dispute resolution
Publish annual reports
How does the EDPS action supervision and enforcement?
Monitoring personal data processing of the EU bodies (Commission, Council, Parliament, etc.)
Checking processing operations that pose high risk to data subjects prior to processing
Dealing with complaints
Making inquiries
Consulting
How does the EDPS action consultations?
Advising the community, intervening in cases before the court of justice
How does the EDPS action cooperation?
Cooperating with supervisory authorities, supervisory data protection bodies (e.g. Europol)
What is EDPS?
European Data Protection Supervisor
What are the tasks of EDPS?
Supervision and enforcement Consultation Cooperation Not a supervisory authority under the GDPR But secretariat of the EDPB Has oversight of Eurodac
Remedies, liabilities and penalties are possible enforcement actions for…
Data subject rights
Liability of controllers / processors
Administrative fnes
Additional penalties
Data subjects have the right to…
Lodge a complaint with a supervisory authority and a judicial remedy against a supervisory authority or controller/processor
Re: liability, compensation may be awarded to…
individuals who suffer damages as a result of controllers and processors who have caused GDPR infringements
Additional penalties may be given …
based on determination of penalties in addition to admin fees made by member states
What administrative fines may be given?
High category - for infringement of principles, data subjects’ rights, cross-border data transfers, obligations of member state law or noncompliance with an SA’s order - 20mil euros or 4% of total turnover (where infringements are more substantive)
2nd category - for infringements of most other obligations - 10 mil euros or 2% of annual turnover, whichever is higher (where infringements tend to be more administrative)
What does the amount of administrative fine depend on?
Nature, gravity and duration Nature, scope and purposes of processing Number of data subjects concerned Level of damage Intent or negligence Previous infringements Degree of responsibility Degree of cooperation with SA Categories of personal data Manner of notification Compliance with measures ordered by the supervisory authority Adherence to approved codes of conduct/certification mechanisms
What did WP29 say about administrative fines in their ‘guidelines on the application and setting of administrative fines’?
SAs will consider ‘nature, gravity and duration’
Some cases may only trigger a reprimand 9when does not pose significant risk or if it would impose a disproportionate burden on a natural person)
Consider size of fine -
Number involved, more affected, larger fine
Damage suffered
Purpose of processing (limitation and use)
Duration of infringement (intent or negligence - acting counter to DPO advice may be considered intentional)
