Supervision and Enforcement (11) Flashcards
What are the 6 functions of the Supervisory Authority?
- Enforce GDPR
- Promote awareness
- Conduct investigations
- Protect human rights
- Make annual reports
- Facilitate free flow of personal data within EU
What 3 types of powers do Supervisory Authorities have over controllers and processors?
- Investigative
- Corrective
- Authorization and advisory
What are corrective measures Supervisory Authorities can take?
issue warnings, reprimands
order notification to data subjects of breach
ban processing and suspend transfers
impose fines
Can member states grant SAs additional powers?
Yes, through member state law
How do you identify the lead supervisory authority for cross-border processing?
Single establishment - SA of establishment
Multiple establishments - SA of place of central administration or where decisions about purpose and means take place
If processor and controller - SA of controller location
What is cross-border processing?
processing that takes place in the context of activities in which the controller/processor is established in more than one member state,
or
activities substantially affect data subjects in more than one member state
What are the 6 types of procedures to support SA cooperation and GDPR application?
- Cooperation (lead SA cooperates with other SAs)
- Mutual assistance (SAs provide each other with information)
- Joint operations (SAs conduct joint investigations or enforcement)
- Consistency mechanism (cooperate with other SAs in implementing new measures that impact other member states)
- Dispute resolution (Board resolves disputes)
- Urgency procedure (derogation from consistency mechanism)
What is a consistency mechanism procedure (SAs)?
collaborative process between SAs, the Commission and the EDPB to adopt measures and ensure consistent GDPR application
What is an urgency procedure for SAs?
for immediate adoption of provisional measures within a member state
Who makes up the European Data Protection Board?
representatives of each member state’s SA
(only 27 of the 30 may actively participate)
What is the European Data Protection Supervisor?
the data protection regulator for the EU as an entity
What are the functions of the EDPS?
(European Data Protection Supervisor)
Monitor and ensure personal data protection from EU institutions and bodies
Advise EU institutions
Monitor new technology
Intervene before CJEU to interpret data protection law
Cooperate with supervisory authorities
What kinds of infringements can receive fines up to 20m euros or 4% of total turnover?
infringements of principles, data subject rights, international data transfers, obligations of member state law, noncompliance with SA order
What is the fine for other infringements?
10m euros or 2% of total turnover
Why did the French data protection authority fine Google $57m?
lack of transparency, inadequate information and lack of valid consent for personalizing ads
Google had not sufficiently established its Irish establishment and was making decisions around processing within the US, so France could be the competent SA
What does the SA consider when issuing an administrative fine?
nature, gravity, and duration of infringement
What does the mutual assistance mechanism facilitate for SAs?
provision of relevant information between SAs
Who should data subjects lodge a complaint with for noncompliance?
if they feel rights have been violated they can pursue litigation in accordance with national law or complain to regulator
Where (which member state) can an individual lodge their complaint?
Any of the following DPAs:
DPA for place of residence
DPA for place of work
DPA where infringement took place
Can data subjects pursue compensation claims against controllers and processors?
Yes.
if they suffer damages as a result of an act of noncompliance
Who is held accountable when multiple parties are at fault?
any individual controller or processor that is responsible for any part of the damage can be held liable for all the damage
When can an individual take action against a DPA?
if the issue is not dealt with or they hear nothing within 3 months
Who has administrative supervisory and enforcement powers under GDPR?
Supervisory Authorities (“DPAs”)
When should a controller consult with a supervisory authority regarding a DPIA?
whenever a DPIA indicates that processing would result in high risk to the rights and freedoms of individuals in the absence of measures taken by the controller to mitigate that risk
What are the 3 types of powers of the DPA?
Article 58
Investigatory powers
Corrective powers
Authorization and advisory powers
What are 3 ways GDPR achieves consistency and cooperation?
Article 57 - general duty of cooperation on SAs
Article 60 - cooperation for cross-border processing
Article 63 - consistency mechanism
What is the one-stop-shop principle of supervision and enforcement?
when a controller or processor is involved in cross-border processing, the question of regulatory competence turns on the location of the “main establishment” of the controller or processor
Article 56
How long can an urgency decision be valid?
3 months
Why are so many US technology privacy cases seen under the SA of Ireland?
One-stop-shop rule
Many US tech businesses have established EU headquarters in Dublin, which has often made Ireland the lead supervisory authority for companies that are engaging in cross-border processing