Enforcement and DPIA Flashcards

1
Q

What is a DPIA?

A
  1. An assessment to calculate the impact of the envisaged processing:
    - Descriptive – What kind of processing, purpose…
    - Proportionality + Necessity
    - Risks to rights and freedoms of DS
    - How to mitigate these risks (safeguards, security measures…)
  2. Involves DPO and helps with GDPR compliance but is based on a self-assessment – Effectiveness issue
2
Q

When does one have to conduct a DPIA?

A

When there is a high risk for DS:

  1. Based on nature, scope, context and purposes
  2. When new tech is involved
  3. When there are new kinds of processing
  4. When a long time has elapsed since the initial processing
3
Q

What is the role of the supervisory authorities in DPIA?

A

Can issue a black list:

  1. Mandatory
  2. Adopted by supervisory authorities
  3. Communicated to the European Data Protection Board (European Data Protection Supervisor + head of DPAs of MSs)
  4. There must be some kind of consistency amongst the MS
  5. DPIA will be required for activities on that list

Can issue a white list:

  1. Optional
  2. No DPIA required if on the list
  3. Consistency
4
Q

What are the different outcomes of the DPIA?

A
  1. High risk but measures to mitigate - Processing can go on
  2. High risk but no measures to mitigate:
    - If processing infringes GDPR – Send written advice to controller
    - DPA can open investigation, ask for info, obtain access to data or premises…
    - Controller must issue broad information to DPA
  3. High risk and no measures to mitigate but processing is carried out in the public interest – If based on EU or MS law
5
Q

What are the key features of the Supervisory Authorities?

A

Independence:

  1. Only for members, not for staff
  2. Free from external influence
  3. No instructions
  4. Must refrain from action incompatible with duties
  5. Must be financially independent – Separate and public annual budget
6
Q

What are the tasks and powers of the Supervisory Authorities?

A

Tasks:

  1. Enforcement of GDPR – Protection of DS
  2. General tasks – Public awareness, advise national organs, monitor developments…

Powers:

  1. Investigatory powers
  2. Corrective powers
  3. Advisory powers
7
Q

What are the remedies available to data subjects?

A
  1. Right to lodge a complaint with DPA - In the MS that has a link (work, residence, infringement…)
  2. Judicial remedy against DPA decision or silence of DPA
  3. Judicial remedy against controller/processor
  4. Compensation for damage:
    - Material
    - Non-material
    - Reverse burden of proof
    - Unless no responsibility
8
Q

How are administrative fines imposed?

A

Based on certain factors:

  1. Nature, gravity and duration of infringement
  2. Intentional or negligent
  3. Actions to mitigate damage
  4. Technical and organisational measures
  5. Previous infringements
  6. Degree of cooperation with DPA
  7. Categories of personal data affected by infringement
  8. Did the controller notify the infringement?
  9. Compliance with corrective measures
  10. Compliance with code of conduct
  11. Aggravating factors (like financial benefits)
9
Q

Administrative fines - Level 1

A
  1. €10 million or 2% of annual turnover
  2. Disregard of the conditions for a child’s consent
  3. Breach of the data minimisation principle
  4. Lack of technical or organisational measures for processing
10
Q

Administrative fines - Level 2

A
  1. €20 million or 4% of annual turnover
  2. ‘Hardcore’ breaches of GDPR:
    - Infringement of basic principles
    - Infringement of DS rights
    - Unlawful data transfers to a 3rd country
    - Non-compliance with corrective powers
    - Failure to provide the DPA with access to information