This chapter (Chapter VII of the GDPR, Articles 60 to 76) sets out the mechanisms for cooperation among supervisory authorities within the EU so that data protection law is applied and enforced consistently across member states. It comprises three sections:
- Cooperation: The Cooperation section, represented by Articles 60 to 62, emphasizes collaboration between the lead supervisory authority and other relevant supervisory authorities concerning cross-border data processing activities. It delineates procedures for mutual assistance and joint operations among supervisory authorities to address challenges and ensure effective oversight.
- Consistency: The Consistency section, spanning Articles 63 to 67, establishes a framework for achieving uniform interpretation and application of the GDPR across the EU. It introduces mechanisms such as the consistency mechanism, opinions of the Board, and dispute resolution procedures to address discrepancies in the application of data protection laws among member states.
- European Data Protection Board: The European Data Protection Board (EDPB) is introduced in Section 3, outlined in Articles 68 to 76. The EDPB is an independent body responsible for promoting consistent application of the GDPR throughout the EU. It performs various tasks, including issuing guidance, providing advice, and facilitating cooperation among supervisory authorities. The EDPB operates under specific procedures, led by a Chair and supported by a Secretariat, ensuring confidentiality and effective functioning.
Section 1: Cooperation
Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Article 60 of the GDPR outlines the principles and procedures for cooperation between the lead supervisory authority and other concerned supervisory authorities regarding data protection matters within the European Union. Here's a detailed breakdown of its provisions and their implications:
Cooperation and consensus: The lead supervisory authority is tasked with cooperating with other relevant supervisory authorities to reach a consensus on data protection issues. This collaboration ensures a unified approach to addressing cross-border data processing activities, promoting consistency and effectiveness in enforcement.
Exchange of information: Both the lead supervisory authority and other concerned supervisory authorities are required to exchange all relevant information pertaining to the matter at hand. This exchange ensures transparency and enables informed decision-making among the supervisory authorities involved.
Mutual assistance and joint operations: The lead supervisory authority can request mutual assistance from other supervisory authorities as per Article 61 and conduct joint operations as per Article 62. This enables coordinated efforts in investigations and monitoring activities, especially concerning controllers or processors operating across multiple Member States.
Consultation and decision-making process: The lead supervisory authority must without delay communicate the relevant information to the other supervisory authorities concerned and submit its draft decision to them for their opinion. If any of them expresses a relevant and reasoned objection within four weeks and the lead supervisory authority does not follow it, or considers it neither relevant nor reasoned, the lead supervisory authority must submit the matter to the consistency mechanism under Article 63.
Revised draft decision: If the lead supervisory authority intends to follow an objection, it submits a revised draft decision to the other supervisory authorities concerned, who have two weeks to object to the revised draft. This iterative process ensures that all relevant perspectives are considered before a final decision is reached.
Adoption and notification of decision: Once consensus is reached or objections are resolved, the lead supervisory authority adopts and notifies the decision to the controller or processor involved, as well as informs other concerned supervisory authorities and the EDPB. Complaints lodged by data subjects are also addressed through this process.
Article 61: Mutual assistance
Article 61 of the GDPR establishes a framework for cooperation and information sharing between supervisory authorities of EU member states. This collaboration is crucial for ensuring consistent enforcement of the GDPR across the EU.
Mutual assistance: Supervisory authorities are obligated to provide each other with relevant information and assistance to ensure consistent application of the GDPR. This fosters a unified approach to data protection enforcement.
Scope of assistance: Mutual assistance covers various aspects, including:
- Information requests: Sharing relevant data protection information.
- Supervisory measures: Collaboration on investigations, inspections, consultations, and prior authorizations.
Timely response: The requested supervisory authority must act on a request without undue delay and no later than one month after receiving it.
Purpose limitation and grounds for refusal: Information exchanged may be used only for the purpose for which it was requested. The requested supervisory authority may refuse a request only if it is not competent for the subject-matter of the request or for the measures requested, or if compliance would infringe the GDPR or the Union or Member State law to which it is subject.
Transparency and refusal reasons: The requested supervisory authority must inform the requesting supervisory authority about the results or progress of their actions taken in response to the request. It must also provide justification for any refusal to comply.
Electronic communication: Supervisory authorities must exchange information by electronic means, as far as possible using a standardised format.
No fees and indemnity: Supervisory authorities may not charge each other fees for mutual assistance. In exceptional circumstances they may agree on rules to indemnify each other for specific expenditure arising from it.
Provisional measures: If a requested supervisory authority fails to provide information within a month, the requesting supervisory authority can take provisional measures within their territory to address the issue.
Urgent action and board involvement: In that case the urgent need to act under Article 66(1) (the urgency procedure) is presumed, and an urgent binding decision from the EDPB under Article 66(2) is required.
Implementing acts: The European Commission can define specific details regarding the format, procedures, and electronic information exchange methods for mutual assistance through implementing acts.
Implications
- Consistent enforcement: Collaboration between supervisory authorities helps ensure a more consistent approach to GDPR enforcement across the EU, reducing the risk of unpredictable outcomes for businesses operating in multiple member states.
- Potential for multi-authority investigations: Knowing that supervisory authorities can collaborate on investigations means businesses might need to be prepared to interact with multiple supervisory authorities if their data processing activities span several member states.
- Importance of cooperation: Businesses should strive to maintain a cooperative relationship with relevant supervisory authorities. This can be helpful during investigations or inquiries, as supervisory authorities may be more willing to share information or provide guidance.
Article 62: Joint operations of supervisory authorities
Article 62 of the GDPR empowers supervisory authorities of EU member states to collaborate on data protection enforcement through joint operations, including investigations and enforcement actions. This fosters a more unified approach to GDPR compliance across the EU.
Joint operations: Supervisory authorities can conduct joint investigations and enforcement measures when deemed appropriate. This allows them to pool resources and expertise for complex cross-border cases.
Right to participate: If a data controller or processor operates in several member states or a significant number of data subjects in multiple member states are likely to be impacted by the processing, the supervisory authorities of each relevant member state have the right to participate in joint operations.
Lead supervisory authority: The supervisory authority competent under Article 56 (one-stop-shop mechanism) is responsible for inviting other supervisory authorities to participate and promptly responding to participation requests.
Investigative powers: With proper authorization, supervisory authorities can confer investigative powers on staff from other supervisory authorities involved in joint operations. These powers can only be exercised under the guidance and in the presence of the host supervisory authority's staff, respecting the host member state's laws.
Liability and responsibility: The member state of the host supervisory authority assumes responsibility for any actions or damages caused by staff from the seconding supervisory authority during joint operations. The member state where the damage occurred compensates for it, and the seconding member state reimburses the host member state.
Provisional measures and EDPB involvement: If a supervisory authority fails within one month to comply with its obligation to invite the other supervisory authorities to take part in a joint operation, the other supervisory authorities may adopt provisional measures on their own territory. The urgent need to act under Article 66 is then presumed, and an urgent opinion or binding decision from the EDPB under Article 66(2) is required.
Section 2: Consistency
Article 63: Consistency mechanism
Article 63 of the GDPR establishes a framework for the "consistency mechanism"—a process designed to ensure consistent application of the GDPR across all EU member states. This mechanism involves cooperation between supervisory authorities and, when necessary, the European Commission.
Supervisory authorities are obligated to cooperate with each other and, in relevant cases, with the Commission through this consistency mechanism. This fosters a unified interpretation and enforcement of the GDPR.
Article 64: Opinion of the Board
Article 64 of the GDPR outlines the role of the EDPB in providing opinions on specific GDPR matters. This mechanism helps ensure consistent application of the regulation across EU member states.
EDPB opinions: The EDPB issues opinions on various matters when requested by a competent supervisory authority intending to adopt specific decisions. These decisions include:
- Lists of processing operations requiring Data Protection Impact Assessments (DPIAs) under Article 35(4).
- Compliance of draft codes of conduct with the GDPR (Article 40(7)).
- Accreditation criteria for bodies monitoring codes of conduct (Article 41(3)) and for certification bodies (Article 43(3)), and certification criteria (Article 42(5)).
- Standard Data Protection Clauses for data transfers (Articles 46(2)(d) and 28(8)).
- Authorization of contractual clauses for data transfers (Article 46(3)(a)).
- Approval of Binding Corporate Rules (BCRs) for intra-group data transfers (Article 47).
Additional requests for opinions: Any supervisory authority, the EDPB Chair, or the European Commission can request that the EDPB examine a matter of general application or one producing effects in more than one member state, in particular where a competent supervisory authority does not comply with its obligations for mutual assistance (Article 61) or joint operations (Article 62).
Time limits and procedures: The EDPB adopts its opinion within eight weeks by simple majority of its members; the period may be extended by a further six weeks for complex matters. If no member objects to the draft opinion within a reasonable period set by the Chair, the members are deemed to have agreed with it.
Information sharing: Supervisory authorities and the Commission must electronically submit relevant information to the EDPB in a standardized format. This may include summaries of the case, draft decisions, justifications, and other supervisory authority's views.
EDPB communication: The EDPB Chair electronically informs Board members, the Commission, and the relevant supervisory authority about any information received and the final opinion, which is also made public.
Supervisory authority consideration of opinion: The competent supervisory authority must not adopt its draft decision while the period for the EDPB opinion under Article 64(3) is running. Within two weeks of receiving the opinion, it must inform the EDPB Chair electronically whether it will maintain or amend its draft decision, and submit the amended draft where applicable.
Disagreement with opinion: If the supervisory authority informs the Chair that it does not intend to follow the opinion in whole or in part, giving its grounds, the dispute resolution procedure in Article 65(1) applies.
Article 65: Dispute resolution by the Board
Article 65 of the GDPR establishes the EDPB's authority to issue binding decisions in specific situations where supervisory authorities disagree on how to apply the GDPR in individual cases. This mechanism helps to ensure consistent enforcement across the EU.
EDPB binding decisions: The EDPB can issue binding decisions in three main scenarios:
- When a supervisory authority concerned has raised a relevant and reasoned objection to the lead supervisory authority's draft decision and the lead supervisory authority has not followed it or has rejected it as not relevant or reasoned (the situation described in Article 60(4)). The binding decision covers all matters that are the subject of the objection, in particular whether the GDPR has been infringed.
- When there is disagreement about which supervisory authority has competence over the main establishment (headquarters) of a data controller or processor.
- When a competent supervisory authority fails to request an EDPB opinion under Article 64(1) or doesn't follow the issued opinion. Any concerned supervisory authority or the Commission can then refer the matter to the EDPB.
Decision process and timeline: The EDPB adopts the binding decision within one month of the referral by a two-thirds majority of its members; the period may be extended by a further month for complex matters. The decision must be reasoned and addressed to the lead supervisory authority and all supervisory authorities concerned.
Deadlock resolution: If the EDPB cannot reach a two-thirds majority within those periods, it adopts the decision by simple majority within two weeks after the end of the extended period; if the members are evenly split, the Chair's vote decides.
Supervisory authority actions during dispute: Supervisory authorities involved in a dispute cannot adopt decisions on the matter while the EDPB reaches a resolution.
Communication and publication: The EDPB Chair promptly notifies supervisory authorities and the Commission of the decision. The decision is published on the EDPB website after the final supervisory authority decision is notified.
Supervisory authority final decision: The lead supervisory authority, or the supervisory authority with which the complaint was lodged, must adopt its final decision on the basis of the EDPB's binding decision without undue delay and at the latest one month after the EDPB notified its decision. It informs the EDPB of the date on which the final decision was notified to the controller or processor and to the data subject. The final decision is adopted under the procedures in Article 60(7), (8) and (9), must refer to the EDPB's binding decision, and must state that the binding decision will be published on the EDPB website.
Article 66: Urgency procedure
Article 66 of the GDPR establishes an "urgency procedure" allowing supervisory authorities to take immediate action under exceptional circumstances to protect the rights and freedoms of data subjects. By way of derogation, it bypasses the consistency mechanism (Articles 63, 64 and 65) and the cooperation procedure between the lead supervisory authority and the other supervisory authorities concerned (Article 60).
Immediate action: A supervisory authority can take provisional measures with legal effect within its territory if they believe there's an urgent need to protect data subject rights. These measures are temporary, with a maximum validity of three months.
Notification requirements: The supervisory authority must promptly inform other concerned supervisory authorities, the EDPB, and the Commission about the provisional measures taken and the justification for them.
Request for urgent EDPB decision
- A supervisory authority that has taken provisional measures can request an urgent opinion or binding decision from the EDPB if they believe final measures are urgently needed.
- Any supervisory authority can request an urgent EDPB opinion or binding decision if it believes a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act to protect the rights and freedoms of data subjects. Reasons, including the reasons for urgency, must be given.
EDPB urgent decisions: Urgent opinions or binding decisions from the EDPB are adopted within two weeks by a simple majority vote, deviating from the usual timeframes in Articles 64(3) and 65(2).
Example: Imagine a large social media platform suffers a major data breach due to a ransomware attack, potentially compromising the personal data of millions of EU residents. Here's how Article 66 might apply:
Urgent action by the supervisory authority: The supervisory authority of the member state where the platform's main establishment is located would ordinarily act as lead supervisory authority under the Article 60 cooperation procedure. If it considers the situation too urgent for that procedure, it can instead take immediate provisional measures under Article 66, valid for at most three months, and must inform the other supervisory authorities concerned, the EDPB and the Commission without delay.
Examples of provisional measures: These measures could include ordering the social media platform to:
- Publicly disclose the breach.
- Take immediate steps to contain the attack and secure its systems.
- Restrict further data processing activities until proper safeguards are implemented.
EDPB involvement: Because provisional measures expire after at most three months, the supervisory authority can request an urgent opinion or binding decision from the EDPB under Article 66(2) if it considers that final measures are urgently needed.
Potential impact on business: The social media platform could face significant reputational damage and potential fines from the supervisory authority based on the final enforcement decision.
Article 67: Exchange of information
Article 67 of the GDPR is relatively brief but plays a crucial role in facilitating cooperation between enforcement authorities under the regulation. It empowers the European Commission to establish specific arrangements for the electronic exchange of information between:
- Supervisory authorities of different EU member states
- Supervisory authorities and the EDPB
Standardized information exchange: The Commission has the authority to adopt implementing acts specifying the technical details and procedures for electronically exchanging information. This includes defining a standardized format (mentioned in Article 64) to ensure consistent and efficient communication between different authorities.
Legislative procedure: The Commission must follow the examination procedure outlined in Article 93(2) when adopting these implementing acts. This involves scrutiny by a committee composed of representatives from each EU member state.
Section 3: European Data Protection Board
Article 68: European Data Protection Board
Article 68 of the GDPR establishes the EDPB as a key body responsible for facilitating cooperation and consistency in applying the GDPR across the EU.
EDPB establishment: The article formally establishes the EDPB as a legal entity within the EU framework.
Board representation: The EDPB comprises the head of one supervisory authority from each EU member state and the European Data Protection Supervisor (EDPS), or their designated representatives.
Joint representative: In member states with multiple supervisory authorities, a joint representative is appointed based on national law.
Commission participation: The European Commission has the right to participate in EDPB activities and meetings but cannot vote. The Commission designates a representative, and the EDPB Chair keeps them informed about the Board's activities.
EDPS voting rights: In specific situations outlined in Article 65 (dispute resolution), the EDPS has voting rights only on decisions concerning principles and rules applicable to EU institutions, bodies, offices, and agencies that mirror those of the GDPR.
Article 69: Independence
Article 69 of the GDPR safeguards the independence of the EDPB when carrying out its duties under the regulation. This ensures that the EDPB functions objectively and free from undue influence.
Independent functioning: The EDPB must act independently while performing its tasks and exercising its powers as outlined in Articles 70 and 71 of the GDPR. These articles cover various EDPB responsibilities, including issuing opinions on specific GDPR matters and facilitating consistency in how supervisory authorities apply the regulation.
Limited exceptions: Article 69(2) is without prejudice to requests from the European Commission under Article 70(1)(b) (advice on any issue related to the protection of personal data, including proposed amendments to the GDPR) and Article 70(2) (advice to be delivered within a period set by the Commission). The EDPB must act on such requests, but it decides the substance of its advice independently.
No undue influence: Beyond the limited exceptions, the EDPB cannot seek or take instructions from any other entity or individual while performing its duties. This ensures the EDPB's neutrality and objectivity in its decision-making processes.
Implications
Fair and objective enforcement: The EDPB's independence helps to ensure that interpretations and decisions related to the GDPR are applied fairly and objectively across the EU.
Predictable regulatory environment: Consistent and objective application of the GDPR by the EDPB contributes to a more predictable regulatory environment for businesses.
Limited direct impact: Businesses are less likely to have direct interactions with the EDPB compared to their interactions with national supervisory authorities responsible for day-to-day enforcement activities.
Article 70: Tasks of the Board
Article 70 of the GDPR outlines the extensive responsibilities of the EDPB in ensuring the consistent application of the regulation across the EU. Here's a breakdown of the key points:
Main objective: The EDPB's primary function is to guarantee consistent application of the GDPR throughout the EU.
Board's activities: The EDPB has a wide range of tasks, including:
- Monitoring and enforcement: They monitor the correct application of the GDPR, particularly in situations involving disputes resolved through the consistency mechanism (Articles 64 and 65). This doesn't replace the responsibilities of national supervisory authorities.
- Advising the commission: The EDPB advises the European Commission on various data protection issues, including proposed amendments to the GDPR.
- Facilitating data exchange: They advise the Commission on formats and procedures for data exchange between data controllers, processors, and supervisory authorities regarding binding corporate rules.
- Issuing guidelines: The EDPB issues non-binding guidelines, recommendations and best practices, on its own initiative or at the request of a member or the Commission, on any question concerning the application of the GDPR. Topics named in Article 70(1) include:
- Procedures for erasing links to, copies of and replications of personal data from publicly available communication services (Article 17(2)).
- Decisions based on profiling (Article 22(2)).
- Establishing that a personal data breach has occurred and when notification is due (Article 33(1) and (2)).
- When a breach is likely to result in a high risk to data subjects (Article 34(1)).
- Criteria and requirements for data transfers based on binding corporate rules (Article 47).
- Data transfers under the derogations in Article 49(1).
- Application of supervisory authority powers (Article 58(1) to (3)) and the setting of administrative fines (Article 83).
- Common procedures for natural persons to report GDPR infringements (Article 54(2)).
- Encouraging the drawing up of codes of conduct and data protection certification mechanisms (Articles 40 and 42).
The EDPB also reviews the practical application of these guidelines, recommendations and best practices (Article 70(1)(l)).
- Certification and adequacy decisions: The EDPB plays a role in:
- Approving criteria for data protection certification schemes (Article 42(5)).
- Maintaining a public register of certified bodies and seals (Article 42(8)).
- Approving requirements for accrediting certification bodies (Article 43(3)).
- Providing opinions to the Commission on certification requirements (Article 43(8)), on icons (Article 12(7)) and on the adequacy of the level of protection in a third country or international organisation (Article 45).
- Dispute resolution: The EDPB issues opinions on draft decisions by supervisory authorities under the consistency mechanism (Article 64) and binding decisions in specific dispute resolution cases (Article 65).
- Promoting cooperation: The EDPB fosters collaboration and information exchange between supervisory authorities, including:
- Bilateral and multilateral cooperation.
- Common training programs and personnel exchange.
- Knowledge sharing on data protection legislation and practices.
- Codes of conduct and consistency mechanism register: They issue opinions on codes of conduct drafted at the EU level (Article 40(9)) and maintain a public register of decisions made by supervisory authorities and courts related to the consistency mechanism.
- Commission requests: The Commission can request the EDPB's advice, specifying a timeframe based on urgency.
- Transparency and public access: The EDPB forwards its outputs (opinions, guidelines, etc.) to the Commission and the relevant committee, and also makes them publicly available. They may also consult interested parties and publish the consultation results, respecting confidentiality where necessary.
Example: Imagine a large cloud service provider offering anonymization solutions to businesses across the EU. Here's how Article 70 might apply:
EDPB guidelines on anonymization: The cloud service provider might be interested in the EDPB's guidelines on data anonymization techniques to ensure their solutions.
Article 71: Reports
Article 71 of the GDPR outlines the EDPB's obligation to produce an annual report on data protection.
- Annual report requirement: The EDPB must prepare an annual report on the state of data protection for natural persons within the EU. This report should also cover, where relevant, processing activities in third countries and international organizations.
- Transparency and dissemination: The report must be made public and shared with various EU institutions:
- European Parliament
- Council of the European Union
- European Commission
Report content: The report should focus on two key aspects:
- Review of EDPB outputs: An evaluation of the practical application of the EDPB's non-binding instruments issued under Article 70(1)(l). These instruments include guidelines, recommendations, and best practices on various GDPR topics.
- Review of binding decisions: An analysis of the binding decisions issued by the EDPB in dispute resolution cases under Article 65.
Implications
For businesses operating in the EU or processing data of EU citizens, Article 71 has minimal direct implications. However, it indirectly contributes to a more transparent and accountable data protection environment:
Public knowledge of EDPB activities: Businesses can gain insights into the EDPB's focus areas and priorities through the annual report. This can inform their overall data protection strategies.
Insights into binding decisions: The report might shed light on specific GDPR interpretations and enforcement actions resulting from binding decisions, potentially influencing future compliance approaches.
Article 72: Procedure
Article 72 of the GDPR establishes the voting procedures and operational autonomy of the EDPB.
- Simple majority voting: The EDPB generally makes decisions by a simple majority vote of its members. This means that more than half of the members voting must agree for a proposal to pass.
- Exceptional cases: A different majority applies where the GDPR provides otherwise: binding decisions under Article 65 require a two-thirds majority (with a simple-majority fallback if no such majority is reached in time), and the EDPB's own rules of procedure are adopted by two-thirds majority under Article 72(2).
- EDPB rules of procedure: The EDPB has the authority to adopt its own internal rules of procedure. These rules would govern how the Board conducts its meetings, debates proposals, and casts votes. They are adopted by a two-thirds majority vote of the members, indicating a higher threshold for establishing these internal procedures.
- Operational autonomy: The EDPB can also organize its own operational arrangements. This includes aspects like scheduling meetings, allocating resources, and managing its staff.
Article 73: Chair
Article 73 of the GDPR outlines the process for electing the leadership of the EDPB.
Election process: The EDPB elects a Chair and two Deputy Chairs from among its members. The election process involves a simple majority vote, meaning that more than half of the voting members need to support a candidate for them to be elected.
Term limits: Both the Chair and Deputy Chairs serve five-year terms with the possibility of a single renewal. This ensures continuity in leadership while also allowing for periodic change.
Article 74: Tasks of the Chair
Article 74 of the GDPR outlines the responsibilities of the Chair of the EDPB.
- Chair's duties: The Chair is entrusted with several key tasks:
- Meeting management: Convening EDPB meetings and preparing the agenda ensures efficient organization and focused discussions.
- Communication of decisions: Notifying relevant supervisory authorities about decisions made by the EDPB under Article 65 (binding decisions in dispute resolution) facilitates coordination and enforcement actions.
- Ensuring timely tasks: The Chair oversees the timely completion of the EDPB's tasks, particularly those related to the consistency mechanism (Article 63) which aims to ensure consistent application of the GDPR across EU member states.
- Deputy Chair responsibilities: The specific allocation of tasks between the Chair and Deputy Chairs is determined by the EDPB's internal rules of procedure. This allows for flexibility in assigning responsibilities based on expertise or workload.
Article 75: Secretariat
Article 75 of the GDPR establishes the EDPB secretariat and defines its role in supporting the Board's activities.
- EDPB secretariat: The EDPB has a secretariat provided by the EDPS. This means the EDPS allocates staff and resources to support the EDPB's functioning.
- Reporting lines and independence: The secretariat performs its tasks exclusively under the instructions of the EDPB Chair. EDPS staff involved in the EDPB's tasks are subject to separate reporting lines from staff involved in the EDPS's own tasks, to preserve the EDPB's independence. The EDPB and the EDPS must establish and publish a Memorandum of Understanding (MoU) determining the terms of their cooperation, which applies to the EDPS staff involved in EDPB tasks.
- Secretariat's functions: The secretariat provides a broad range of support to the EDPB, including:
- Analytical support: Assisting with research, data analysis, and preparing reports relevant to the EDPB's work.
- Administrative and logistical support: Managing day-to-day operations, organizing meetings, and handling logistics.
- Communication support: Facilitating communication between EDPB members, the Chair, the Commission, other institutions, and the public. This includes managing electronic communication channels and translation services.
- Documentation support: Preparing and following up on meetings, drafting and publishing EDPB outputs (opinions, decisions, etc.).
Article 76: Confidentiality
Article 76 of the GDPR deals with confidentiality within the EDPB. It outlines two key aspects:
Confidentiality of discussions:
The article allows the EDPB to maintain confidentiality around its discussions "where the Board deems it necessary." This means confidentiality is not mandatory for all discussions, but rather applied on a case-by-case basis.
The specific criteria for deeming discussions confidential are not explicitly mentioned in the article. However, it's likely these criteria would be defined within the EDPB's rules of procedure, as the article itself refers to them. These criteria might include:
- Protecting sensitive information related to ongoing investigations or disputes.
- Safeguarding commercially sensitive information shared during discussions.
- Respecting confidentiality obligations for information received from third parties.
Access to documents:
Article 76(2) provides that access to documents submitted to members of the Board, to experts and to representatives of third parties is governed by Regulation (EC) No 1049/2001, the regulation on public access to European Parliament, Council and Commission documents. Requests for access to such EDPB documents are therefore handled under the rules of that regulation, including the exceptions it sets out in its Article 4 for, among other things, commercial interests and ongoing inspections and investigations.
Disclaimer: This guide has been created using information provided by official GDPR documents.