Supervision and Enforcement Flashcards
What are the roles of supervisory authorities?
AKA data protection authorities
Promote, monitor, and enforce GDPR
Promote awareness by helping organizations understand their obligations under GDPR and by serving in an advisory capacity so orgs can approach them for advice
Conduct investigations on GDPR compliance
Protect fundamental human rights, including raising public awareness and managing data subjects’ complaints
Draw up annual reports that explain the data protection in their country, current issues, agenda for the following year
Facilitate free flow of data in the EU
What are the three categories of powers for supervisory authorities (include article)?
Article 58
1) Investigative:
- data protection audits: can require you to hand over information and conduct audits on your premises
2) Corrective:
- can issue warnings and reprimands to controllers and processors not in compliance with GDPR
- can order companies to notify data subjects of a breach
- can ban processing activities that they consider in breach of GDPR
- they can order a company to comply with a data subject’s request
3) Authorization and advisory:
- can approve codes of conduct or certification criteria or BCRs
- can create their own versions of model contracts/standard clauses or review companies’ proposed versions and authorize those
What is cross-border processing (include article)?
Article 4(23)
Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the EU where the controller or processor is established in more than one Member State
OR
Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State
How does an organization determine the lead supervisory authority?
If the organization has only one establishment in the EU, then the SA of the Member State where that establishment is located is the lead SA
If an organization has multiple establishments in the EU, then the lead SA is that of the place of central administration UNLESS decisions about purposes, means, and implementation of processing take place at a different location. If that’s the case, then the SA of that location where the processing decisions take place will be the lead.
This makes it possible for a company to have several lead SAs if it conducts several cross-border activities whose related decisions take place in more than one location.
What are mechanisms to promote cooperation and consistency between supervisory authorities?
Cooperation: between the lead supervisory authority and other concerned supervisory authorities to reach consensus
Mutual assistance: provision of relevant information between supervisory authorities
Joint operations: joint supervisory authority investigations and enforcement measures of controllers or processors in several member states or of data subjects in more than one member state
Consistency mechanism: specific collaborative process between the Commission, the European Data Protection Board, and supervisory authorities for adopting certain measures and ensuring consistent GDPR application
Dispute resolution: mechanism to dispute a decision (if not jointly agreed upon by the supervisory authorities) and the issuance of binding decisions
Urgency Procedure: procedure for the immediate adoption of provisional measures within a member state
What is the European Data Protection Board (EDPB)? How many reps/active members?
It replaced the Article 29 Working Party
Comprises a representative of every member state’s supervisory authority. Decides which A29 WP opinions need to be updated.
Each of the 30 EEA member states has appointed a rep to sit on the EDPB (30 reps)
Only representatives from 27 EU member states may actively participate
There is a chair who presides over the EDPB and is elected by the reps
European Data Protection Supervisor (EDPS) and Representatives of the Commission also participate, but the EDPS has limited voting rights and the Commission does not have voting rights.
What is the role of the European Data Protection Supervisor (EDPS)?
Oversees the European Commission’s and Parliament’s compliance with GDPR, playing an ambassadorial role and often issuing opinions
What are the roles of the EDPB?
Must act independently
Monitors for correct GDPR application
Oversees consistency mechanism for ensuring consistent approach to data protection by the various supervisory authorities
Issue guidance and advice to the Commission
Preside over dispute-resolution process
Who has a right to complain to supervisory authorities? What other right do they have?
Individuals
Right to seek judicial redress
What are the various remedies, liabilities, and penalties?
Fines
Liability for material or nonmaterial damage
Member state additional penalties
What are the two tiers of fines under GDPR?
1) Up to 20,000,000 Euros or 4% of total worldwide annual turnover (whichever is higher), for infringements of:
- GDPR principles
- Data subject rights
- International transfers
2) Up to 10,000,000 Euros or 2% of total worldwide annual turnover (whichever is higher), for:
- Most other infringements, including security breaches
What should supervisory authorities look at when determining level of fines/penalties?
The nature, gravity, and duration of the infringement
The nature, scope, and purpose of the processing
The number of individuals concerned
Degree of responsibility for the infringement
Degree of cooperation with the supervisory authority
Categories of data concerned (whether it was sensitive)