
Responsibilities, tasks and powers of DPAs (Articles 57-58-59 GDPR)

DPAs are independent from governments. They are responsible for enforcing data protection laws at a national level and providing guidance on the interpretation of those laws (Recital 117, Article 51 GDPR). Each Member State is required to appoint one or more DPAs to implement the GDPR and protect the rights and freedoms of individuals (Recital 117, Article 51 GDPR).

The GDPR makes a complicated distinction between competences (Article 55 GDPR), tasks (Article 57 GDPR) and powers (Article 58 GDPR). The latter two provisions identify no fewer than 22 tasks and 26 powers, with Article 57 ironically adding “fulfilling any other tasks related to the protection of personal data” to the list of tasks as item 22.

In literature, several classifications are proposed to understand the tasking of DPAs. In our understanding of the ambitious list of tasks contained in Article 57 GDPR, these can be bundled around the following seven addressees and themes: 1) public institutions and bodies (advise on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing); 2) the GDPR (monitor and enforce the application of the GDPR; promote awareness of controllers and processors of their obligations under the GDPR; conduct investigations on the application of the GDPR); 3) data subjects (promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing; upon request, provide information concerning the exercise of their rights under the GDPR; handle complaints); 4) controllers and processors (encourage the drawing up of codes of conduct and carry out a periodic review of certifications; authorize contractual clauses and provisions; approve binding corporate rules; establish and maintain a list in relation to the requirement for data protection impact assessment; give advice on the processing operations); 5) other supervisory authorities (cooperation; sharing information and providing mutual assistance); 6) international cooperation (contribute to the activities of the EDPB; monitor relevant developments, insofar as they have an impact on the protection of personal data); and 7) any other tasks related to the protection of personal data.

  • [1] Hijmans, supra note 23.
  • [2] Belgian DPA, Opinion no. 35/2012 of 21 November 2012 on the draft regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, para. 143, via https://www.dataprotectionauthority.be/sites/privacycommission/files/documents/opinion_35_2012.pdf. Compare Raab, Szekely, supra note 34, 430 (smaller DPAs are lacking ICT-expertise for technology foresight).
  • [3] See the harsh, in our view not always fair, comments on 30 years of functioning of the Dutch DPA in the press, in B. Heilbron, E. Koopman, ‘De Autoriteit Persoonsgegevens is nog altijd onvolwassen. De tragedie van het Privacytoezicht’ (2019) 3 De Groene Amsterdammer, available at https://www.groene.nl/artikel/de-tragedie-van-het-privacytoezicht.
  • [4] For a short discussion, Raab, Szekely, supra note 34, 421-422; Jori, supra note 26, 134. Both refer to the groundbreaking role of Canadian political scientist Colin J. Bennett, who differentiates between the roles of DPAs as ombudsmen, as auditors, as consultants, as educators, as policy advisers, as negotiators, as enforcers, and as international ambassadors.

The 26 powers of the DPAs identified in Article 58 GDPR are about: 1) investigative powers (DPAs have the authority to intervene in all organizations and business activities, insofar as personal data is processed, and to carry out investigations and review certifications; obtain access to all personal data and to all information necessary for the performance of their tasks; obtain access to any premises of the controller and the processor, including to any data processing equipment and means); 2) corrective powers (issue warnings and reprimands to the controller; order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to the GDPR; order the communication of a personal data breach to the data subject; impose administrative fines); 3) authorization of processing activities and advisory powers; and 4) authorization of model clauses and binding corporate rules.

  • For a comparison with the reduced list of tasks and powers provided for in the LED, De Hert, Sajfert, supra note 32, 250-252.

European and trans-border tasks and cooperation between DPAs (one-stop-shop and EDPB)

Many GDPR-provisions deal with the trans-border aspects of the DPA’s work. In principle, their jurisdiction and enforcement powers are largely restricted to the territory of their own Member State (Recital 124, Articles 51, 55, 56 GDPR), but the reality of the digital society and the goal of the EU to facilitate the free flow of personal data between Member States without compromising the protection of personal data explain the importance of these provisions on the extra- and trans-border aspects of their work. DPAs are not only required to cooperate and provide each other with mutual assistance (Recitals 135-138 and Articles 4(23), 56 and 63-67; Articles 68-76 GDPR), but are also asked to accept a one-stop-shop mechanism as a derogation from the territorial jurisdiction principle in certain cases (Recitals 124-128, Articles 55-56; Article 29 Data Protection Working Party (WP29) Lead DPA Guidelines).[1]

This mechanism applies to and should benefit organizations operating across Member States and thus processing personal data of data subjects in different Member States. It allows these organizations to deal with only one DPA (as opposed to up to 27 DPAs). Hence, a single “lead DPA” can be chosen when different authorities are responsible for the processing operations, performed by the same entity, but affecting rights of data subjects in different Member States.

How does it work? If a data controller conducts cross-border data processing in the EU, according to the GDPR the supervisory authority is the one based in the Member State where the data controller has its main establishment. If the data controller’s activity concerns citizens of another Member State, the local DPA of that state may hand over the case to the DPA of the main establishment (lead supervisory authority) or can handle the case locally in co-operation with the latter.

A DPA that wishes to take action must consult with the other affected DPAs to ensure the consistent application of the GDPR (consistency mechanism). In particular, it shall inform the lead supervisory authority without delay, and the latter shall decide within three weeks whether or not it will handle the case in accordance with the procedure provided in Article 60 GDPR.

The foregoing is the provisional outcome of a power struggle between several stakeholders. As said, the one-stop-shop mechanism must be understood as a derogation from the jurisdiction principle of territoriality (states enforce norms within their territory). ‘Proximity’ was one of the arguments of opponents of this derogation. In their view, proximity required that individuals were entitled to protection by the DPA in the Member State where they reside. The opposition against one-stop-shop mechanisms was partly fuelled by a lack of trust in the effectiveness of DPAs in other countries.

Essential to the success of the GDPR will be the functioning of the EDPB, made up of representatives of DPAs from each Member State and the European Data Protection Supervisor (EDPS). The European Commission takes part in the meetings of the EDPB without voting rights (Articles 68-76 GDPR). This organ - successor to WP29 under the 1995 Directive - functions as an advisory and appellate body to the national DPAs and is the central guarantor of the so-called GDPR consistency mechanism, supplementing the cooperation rules discussed above, to ensure a harmonious application of the GDPR across the different EU Member States.[2] One aspect of its competence is to solve disagreements between DPAs faced with tasks to cooperate, or between a lead DPA and other DPAs in one-stop-shop scenarios.

The EDPB will take binding decisions by two-thirds majority (a simple majority is sufficient for non-binding opinions) in case of disagreement about decisions to be taken in the cooperation procedure; in case of disagreements in one-stop-shop scenarios about the DPA that will be the lead DPA; in case the DPA does not consult the EDPB where required or does not follow an EDPB opinion (Article 65 GDPR). The advisory tasks contained in Article 64 GDPR (‘Opinion of the Board’) and Article 70 GDPR (‘Tasks of the Board’) are also important. The EDPB can be asked to express itself (via opinions, guidelines, recommendations, and other soft law instruments) both on practical matters or problems, and on more general policy-related matters, such as new upcoming legislation and clarification of GDPR provisions. The EDPB is now at the centre of the new data protection landscape in the EU. Every month new guidance is proposed and made available on its website on issues of all levels of importance, from vulgar and technical to fundamental for the interpretation of core concepts of the GDPR.

This GDPR framework seems to suit the national authorities, who are reported to come to the EDPB enthusiastically with all kinds of ideas and materials to be transformed and elaborated in EDPB instruments and opinions. Based on the observations of the author, the new framework, including the power to rule by binding decisions on disputes regarding cross-border processing, has the potential to ensure a uniform application of EU data protection rules by a network of national authorities (see below).

  • [1] WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, WP 244, adopted on 13 December 2016.
  • If the lead supervisory authority decides to handle the case, then Article 60 GDPR applies. If the lead supervisory authority decides not to handle the case, then the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62 GDPR.
  • See on this discussion, Hijmans, supra note 23, p. 371.
  • For a comparison with the more modest European tasks of DPAs and the lack of GDPR-
  • [2] For a short description, see Burton, De Boel, Kuner, Pateraki, Cadiot, Hoffman, supra note 10, 11.
  • See the website of the EDPB, https://edpb.europa.eu/edpb_en. A good flavour of the work tempo is given by the foregoing footnote and by the Annual Report 2018 (https://edpb.europa.eu/sites/edpb/files/files/filel/edpb_annual_report_2018_summary_-_digital_-_final_1507.pdf), proudly summing up an impressive number of guidelines, consistency opinions, binding decisions, opinions about legal acts and letters drafted and produced between 25 May (date of the first plenary meeting) and 31 December 2018.
 