DPA Flashcards
What is a DPA?
An independent authority (supervisory authority) in each EU Member State (MS), responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons and to facilitate the free flow of personal data.
What are the tasks of a DPA?
Article 57
What powers does a DPA have?
Investigative
Corrective
Authorisation and advisory
When is it relevant to identify a lead supervisory authority?
In cases of cross-border processing (taking place in multiple MS, or in only one MS but substantially affecting more than one MS)
What is the consistency mechanism?
Following article 63, multiple DPAs must cooperate with each other and with the Commission.
The European Data Protection Board can adopt:
- Opinions (article 64)
- Binding decisions (article 65)
When shall a DPA communicate a draft decision to the Board for an opinion?
When a DPA intends to adopt any of the following measures:
- A list of processing operations for which a DPIA is required
- An opinion on whether a draft code of conduct or an amendment or extension to an existing one complies with GDPR
- Approving the criteria for accreditation of a body or certification body
- Standard data protection clauses
- Authorise contractual clauses
- Approve binding corporate rules
Is an opinion from the Board binding?
No, but a DPA must “take utmost account of the opinion” and must communicate to the Chair of the Board whether it will follow the opinion. If it will not, the Board will adopt a binding decision.
When shall the Board adopt a binding decision pursuant to article 65?
(a) Where there is a dispute between a lead DPA and a DPA concerned
(b) Conflicting views on which DPA is competent for the main establishment
(c) Where a DPA has not requested an opinion pursuant to article 64 or does not follow an opinion of the Board
Within one month from referral by 2/3 majority (may be extended by one month - and if not possible within this timeline, a decision must be adopted within two weeks by simple majority)