Supervision and Enforcement (11)

Question 1

What is the 6 functions of the Supervisory Authority?

Answer 1

1. Enforce GDPR
2. Promote awareness
3. Conduct investigations
4. Protect human rights
5. Make annual reports
6. Facilitate free flow of personal data within EU

Question 2

What 3 types of powers do Supervisory Authorities have over controllers and processors?

Answer 2

1. Investigative
2. Corrective
3. Authorization and advisory

Question 3

What are corrective measures Supervisory Authorities can take?

Answer 3

issue warnings, reprimands

order notification to data subjects of breach

ban processing and suspend transfers

impose fines

Question 4

Can member states grant SA additional powers?

Answer 4

Yes, through member state law

Question 5

How do you identify the lead supervisory authority for cross-border processing?

Answer 5

Single establishment - SA of establishment

Multiple establishments - SA of place of central administration or where decisions about purpose and means take place

If processor and controller - SA of controller location

Question 6

What is cross-border processing?

Answer 6

processing that takes place in the context of activities in which controller/processor are established in more than one member state,

or

activities substantially affect data subjects in more than one member state

Question 7

What are the 6 types of procedures to support SA cooperation and GDPR application?

Answer 7

1. Cooperation (lead SA cooperates with other SAs)
2. Mutual assistance (SAs provide each other with information)
3. Joint operations (SAs conduct joint investigations or enforcement)
4. Consistency mechanism (cooperate with other SAs in implementing new measures that impact other member states)
5. Dispute resolution (Board resolves disputes)
6. Urgency procedure (derogation from consistency mechanism)

Question 8

What is a consistency mechanism procedure (SAs)?

Answer 8

collaborative process between SAs, Commission and EDPB to adopt measures and ensuring consistent GDPR application

Question 9

What is an urgency procedure for SAs?

Answer 9

for immediate adoption of provisional measures within a member state

Question 10

Who makes up the European Data Protection Board?

Answer 10

representatives of each member state’s SA
(only 27 of the 30 may actively participate)

Question 11

What is the European Data Protection Supervisor?

Answer 11

the data protection regulator for the EU as an entity

Question 12

What are the functions of the EDPS?

(European Data Protection Supervisor)

Answer 12

Monitor and ensure personal data protection from EU institutions and bodies

Advise EU institutions

Monitor new technology

Intervene before CJEU to interpret data protection law

Cooperate with supervisory authorities

Question 13

What kinds of infringements can receive fines up to 20m euros or 4% of total turnover?

Answer 13

infringements of principles, data subject rights, international data transfers, obligations of member state law, noncompliance with SA order

Question 14

What is the fine for other infringements?

Answer 14

10m euros or 2% of total turnover

Question 15

Why did the French data protection authority fine Google $57m?

Answer 15

lack of transparency, inadequate information and lack of valid consent for personalizing ads

google had not sufficiently established its Ireland establishment and was making decisions around processing within the US so France could be the competent SA

Question 16

What does the SA consider when issuing an administrative fine?

Answer 16

nature, gravity, and duration of infringement

Question 17

What does the mutual assistance mechanism facilitate for SAs?

Answer 17

provision of relevant information between SAs

Question 18

Who should data subjects lodge a complaint with for noncompliance?

Answer 18

if they feel rights have been violated they can pursue litigation in accordance with national law or complain to regulator

Question 19

Where can an individual lodge their complaint?

which member state

Answer 19

Any of the following DPAs:

DPA for place of residence
DPA for place of work
DPA where infringement took place

Question 20

Can data subjects pursue compensation claims against controllers and processors?

Answer 20

Yes.

if they suffer damages as a result of an act of noncompliance

Question 21

Who is held accountable when multiple parties are at fault?

Answer 21

any individual controller or processor that is responsible for any part of the damage can be held liable for all the damage

Question 22

When can an individual take action against a DPA?

Answer 22

if the issue is not dealt with or they hear nothing within 3 months

Question 23

Who has administrative supervisory and enforcement powers under GDPR?

Answer 23

Supervisory Authorities (“DPAs”)

Question 24

When should a controller consult with a supervisory authority regarding a DPIA?

Answer 24

whenever a DPIA indicates that processing would result in high risk to the rights and freedoms of individuals in the absence of measures taken by the controller to mitigate that risk

Question 25

What are the 3 types of powers of the DPA?

article 58

Answer 25

Investigatory powers

Corrective powers

Authorizaion and advisory powers

Question 26

What are 3 ways GDPR achieves consistency and cooperation?

Answer 26

Article 57 - general duty of cooperation on SAs

Article 60 - cooperation for cross-border processing

Article 63 - consistency mechanism

Question 27

What is the one-stop-shop principle of supervision and enforcement?

Answer 27

when a controller or processor is involved in cross-border processing, the question of regulatory competence turns on the location of the “main establishment” of the controller or processor

Article 56

Question 28

How long can an urgency decision be valid?

Answer 28

3 months

Question 29

Why are so many US technology privacy cases seen under the SA of Ireland?

Answer 29

One-stop-shop rule

Many US tech business have established EU headquarters in Dublin which has often made Ireland the lead supervisory authority for companies that are engaging in cross-bordering processing