Supervision And Enforcement Flashcards
Does the individual have a right of recourse against the controller in the case of a data breach?
They have a right to be told that the breach has occurred and then only in serious cases, which leaves the individual without any direct recourse to the controller to prevent the personal data being exposed to a security breach.
In order to prevent their personal data being put at risk in this way, the individual has no choice but to take the complaint to the DPA or the court, if the controller fails to deal with things on a voluntary basis.
What are individuals' remedies for breach of obligations?
They can take them to the DPAs or to the courts regardless of whether they have used the data subjects’ rights or made prior complaints to the controller.
If they feel that their rights have been breached, they can pursue litigation in accordance with the national laws, complain to their regulator, or, indeed, they can pursue both remedies at the same time. Both avenues are available against Controllers and Processors.
What are the forum provisions under article 77(1)?
An individual can pursue a complaint before the DPA:
(A) for their place of residence
(B) for their place of work
(C) for the place where the infringement took place
Whatever the place of establishment of the controller or processor or the individual's place of work, the individual always has the right to pursue the remedies before their home DPA or court.
What is Article 78(1) (complaints re DPA) about?
It enables appeals by a person (individual or legal entity) against corrective actions and also for failure to take action or lenient sanctions.
How does the law decide which regulator should be responsible for the regulatory work if there are competing options?
Rules on competence, co-operation and consistency
When can non-lead authorities take action in cross-border situations?
Where the complaint relates only to that territory or it substantially affects individuals only in their territory
What must a DPA asserting competence do when it wishes to take action in cross-border situations?
It needs to notify the lead authority, which may or may not then trigger a battle of competence, as indicated by article 56(3).
If the lead authority rejects the assertion of competence by the other DPA and decides to take up the matter itself, the procedure in article 60 must be followed.
If the lead authority accepts the other DPA's assertion of competence, the other DPA can then proceed subject to following the rules in articles 61 and 62 about mutual assistance and joint operations.
If the lead DPA decides to pursue the case, Article 60 (cooperation and consistency) procedures apply. The original supervisory authority is invited to submit a draft decision to the lead, who “shall take utmost account” of the draft.
Who was the successor to the Article 29 Working Party?
The European Data Protection Board, established by Article 68
If the receiving DPA does not provide assistance within one month, what happens?
Article 66 allows the DPAs to immediately adopt provisional measures that are intended to produce legal effect in their territories. These provisional measures are subject to a three-month lifespan, and whenever they're adopted, they have to be referred by the DPA with reasons to the other DPAs that have a concern in the matter, the EDPB and the Commission.
At the end of the three-month period, the provisional measures will lapse unless the DPA considers that final measures need to be urgently adopted, in which case, it can request an urgent opinion or an urgent binding decision from the EDPB, which directs the process to Articles 64 or 65.
What do the fines in the article 88[4] cover?
Fines up to €10 million for non-undertakings [not engaged in economic activity, e.g. public authorities]
Fines up to the higher of €10 million or 2% of total worldwide annual turnover in preceding year for undertakings [e.g. companies]
- Obtaining a child's consent
- Notification of supervisory authority or data subject of breach
- Designating a data protection officer
- Obligations of certification bodies and monitoring bodies to take appropriate action to enforce code violations
What do the fines in article 88[5] cover?
Fines up to €20 million for non-undertakings
Fines up to the higher of €20 million or 4% of total worldwide annual turnover in preceding year for undertakings
- Basic principles for processing data, including consent
- Data subjects' rights
- Data transfer provisions
- Obligations to member states' laws
- Non-compliance with an order or temporary or definitive limitation on processing or suspension of data flows
What is the European Data Protection Supervisor (EDPS)?
It is an independent supervisory authority whose primary objective is to ensure that European institutions and bodies respect the right to privacy and data protection when they process personal data and develop new policies. In practice its activities can be divided into three main roles: supervision, consultation, and cooperation.
How long does the lead DPA have to decide whether to keep the case or delegate it back to the first DPA?
Three weeks. In making its decision, it should consider whether the controller or processor has an establishment in the member state where the action was initiated.