What is the role of supervisory authorities?
Promote, monitor and enforce the GDPR
- promote awareness
- conduct investigations
- protect fundamental human rights (e.g. complaints)
- draw up annual reports
- facilitate the free flow of personal data within the EU
What are the 3 categories of power that supervisory authorities have? (Set out inArticle 58)
- Investigative (inc data protection audits, which is why keeping records of processing etc is so important)
- Corrective (issues warnings, reprimands, order people to tell data subjects in event of breach, can ban processing activities, can order companies to comply with a data subject’s request)
- Authorisation and advisory (e.g. DPIAs require you to consult with DPA if high risk identified - they can then advise you on whether or not to continue.
They can also approve codes of conduct, BCRs, can create own versions of model clauses etc)
How is cross-border processing defined?
“Processing of personal data which takes place in the context f the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State”
Or
“Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State” (note that supervisory authorities interpret “substantially affects” on a case by case basis)
If an organisation has multiple establishments in the EU, how d they identify their lead supervisory authority?
It will be the supervisory authority of the place of central administration
UNLESS, decisions about purposes and means and implementation of processing happen elsewhere. If this is the case, then the SA where the processing decisions take place will be the lead.
So it is possible to have different lead SAs if you have different types of processing decisions taking place in different countries
How is a processor’s lead SA determined in the event that their controller is also involved in the processing?
Then the controller’s lead SA will the processor’s as well
And the processors lead SA becomes the “supervisory authority concerned”
List out the mechanisms available to enable consistency between supervisory authorities
- Cooperation (working together to reach consensus)
- Mutual assistance (provision of relevant information between SAs)
- Consistency mechanism (specific process between EDPB & SAs for adopting certain measures and ensuring consistent GDPR application)
- Dispute resolution (mechanism to dispute a decision and issuance of binding decision)
- Urgency procedure (procedure for immediate adoption of provisional measures within a member state)
- Joint operations (investigations and enforcement of companies in several member states or of data subjects in more than one member state)
How do you determine who will be your lead SA?
You have to determine the “central administration” of the organisation in the EU, which is the place “where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented”
Recital 36 states that this “should imply the effective and real exercise of management activities determining the main decisions as to the purpose and means of processing through stable arrangements”
What happens if an organisation does not have an establishment in the EU?
Then there may be no lead SA and they must anticipate interacting with several
WP29: “controllers without any establishment in the EU must deal with local supervisory authorities in every member state they are active in, through their local representative”
Data controllers not established here must appoint an EU representative - someone “nearby” who is available to both the local DPA and data subjects and who “speaks their language and understands their customs and expectations”
(Note that this representative is subject to enforcement proceedings in event of non compliance by the controller or processor)
How long do you have to notify your DPA in the event of a data breach?
“Without undue delay and, where feasible, not later than 72 hours after having become aware” of the breach (unless it’s unlikely to result in a risk to the rights and freedoms of natural persons)
Who makes up the EDPB (previously WP29)?
A representative of every member state supervisory authority
31 representatives from across the EEA
27 active members (EU member states)
EDPB Chair (elected by the representatives)
The European Data Protection Supervisor (EDPS) and representatives of the Commission also participate on the board (EDPS has limited voting rights and the Commission does not have voting rights)
What is the role of the European Data Protection Supervisor (EDPS)?
Oversees the European Commission’s and Parliament’s compliance with the GDPR, playing an ambassadorial role and often issuing opinions
What are the roles of the EDPB?
- Monitor for correct GDPR application
- Oversee the consistency mechanism
- Issue guidance and advice to the Commission
- Preside over the dispute-resolution process
What remedies, liabilities and penalties exist under the GDPR?
- Individuals can complain to a supervisory authority or seek judicial redress (nb GDPR provides ability for organisations to represent groups of individuals to make complaints - so becoming more like class actions)
- Fines can be imposed on controllers / processors
- Can also be Liable for material or non-material damage as determined by a court
- Member states can also pass own laws which allow for additional penalties
What are the two tiers of fines?
- E20m or 4% total worldwide annual turnover (whichever is higher)
This relates to infringements of the PRINCIPLES of the GDPR (e.g. fairness, lawfulness, refusing to let individuals exercise their rights, unlawful international transfers etc)
- E10m or 2% total worldwide annual turnover (whichever is higher) Anything else (including data security breaches)
What are the factors which determine which level of fine you’re going to get?
The nature, scope and purpose of the processing, the number of individuals concerned. The degree of responsibility you have for the infringement, the degree of cooperation with the supervisory authority.
Also the categories of personal data (e.g. whether it was special category or particularly sensitive etc)
What is the maximum fine for a data security breach?
10m euros or 2% of total WW turnover (whichever is higher)
Who does the GDPR task with promoting, monitoring and enforcing the GDPR?
Supervisory authorities
How many active participants will the EDPB have?
27 (one from each EU member state)
Which if the mechanisms facilitate the provision of relevant information between supervisory authorities?
Mutual assistance
Which mechanism facilitates a specific collaborative process between the Commission, the EDPB and the supervisory authorities for adopting certain measures and ensuring consistent GDPR application?
The Consistency Mechanism
If a 3rd country controller/processor doesn’t want to comply with a Supervisory Authority decision - what powers does the SA have?
They have the power to order the suspension of data flows to a recipient in a third country (or to an international organisation)
