CIPPE Module 11 - Supervision and Enforcement Flashcards

1
Q

What do Supervisor Authorities or DPAs do?

A

Promote, monitor and enforce the GDPR (independent public authorities, one or more per Member State, Art. 51).

Tasks include:
* Advise organizations, national parliaments and governments on data protection issues
* Conduct investigations into GDPR compliance
* Handle complaints lodged by data subjects
* Publish an annual report on activities and issues, and set the agenda for the following year
* Facilitate the free flow of personal data within the EU

2
Q

What are the three categories of powers that DPAs/SAs have?

A
  1. Investigative - conduct audits, order the controller/processor to provide information, review certifications, obtain access to premises and equipment.
  2. Corrective - issue warnings and reprimands for non-compliance, order controllers/processors to comply with data subject requests, order the controller to communicate a data breach to the data subjects, impose a temporary or definitive ban on processing, order rectification or erasure, impose administrative fines.
  3. Authorisation and advisory - give written advice in prior consultation on high-risk processing (following a DPIA), approve BCRs and contractual clauses, approve codes of conduct and certification criteria, advise the national parliament and government.
3
Q

How do companies identify Lead SAs?

A
  1. If the organization doing the processing is established in a single EU Member State, the SA of that state is the competent authority.
  2. If it is established in more than one state, the lead SA is the SA of the main establishment, i.e. the place of central administration (assuming that is where decisions on the purposes and means of processing are taken).
  3. Otherwise, the lead SA is the SA of the establishment where those processing decisions are actually taken.
4
Q

What are the mechanisms that SAs use for interaction?

A

Mechanisms are defined for:
1. Cooperation between the lead SA and the other SAs concerned (the one-stop-shop)
2. Providing mutual assistance (information requests, prior authorisations, consultations, inspections)
3. Joint operations, e.g. joint investigations and joint enforcement measures
4. Consistency mechanism - coordination between the SAs, the EDPB and the European Commission so that the GDPR is applied uniformly
5. Dispute resolution and binding decisions by the EDPB (in case of disputes between SAs)
6. Urgency procedure - immediate adoption of provisional measures by an SA where urgent action is needed

5
Q

What is the EDPB comprised of?

A

The head of one SA from each of the 27 Member States; these are the voting members.
The SAs of the three EEA EFTA states that are not EU members (Iceland, Liechtenstein and Norway) also participate, without voting rights.
The Chair of the EDPB is elected by its members.
The EDPS and representatives of the European Commission also sit on the board.
The EDPS has limited voting rights (only on matters that also apply to EU institutions); the Commission has none.

6
Q

What is the EDPS?

A

European Data Protection Supervisor (EDPS) is an independent supervisory authority.
Primary objective is to monitor and ensure that European institutions and bodies respect the right to privacy and data protection when they process personal data and develop new policies.
Appointed by a joint decision of the Parliament and the Council.
EDPS is distinct from the EDPB.

7
Q

What is the role of the EDPB?

A
  1. Monitor and ensure the correct application of the GDPR.
  2. Oversee the consistency mechanism (essentially ensuring that data protection is applied uniformly throughout the EU), issuing opinions and guidelines.
  3. Advise and guide the European Commission on data protection matters.
  4. Resolve disputes between SAs through binding decisions.
8
Q

How are fines structured?

A

There are two tiers of administrative fines (Art. 83): a) up to EUR 20M or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher; and b) up to EUR 10M or 2% of worldwide annual turnover, whichever is higher.

The higher tier applies to infringements of the basic principles of processing (lawfulness, transparency, conditions for consent etc.), of data subjects' rights, of the rules on international transfers, and to non-compliance with an order of an SA.

The lower tier applies to the other obligations of controllers and processors, including security, breach notification and DPO obligations. Note that a security incident is not in itself an infringement; the infringement is failing to implement appropriate security measures or failing to notify a breach.

9
Q

What are the factors that determine the size of the fine?

A
  1. Nature, gravity and scope of the infringement, including the number of data subjects affected
  2. Nature and purpose of the processing - e.g. whether the organization respected purpose limitation, and the categories of data involved
  3. Level of damage suffered by the data subjects and the action taken to mitigate it
  4. Duration of the infringement and whether negligent or intentional behavior is at the root
  5. Degree of cooperation with the SA, previous infringements, and adherence to approved codes of conduct or certification