MONITORING AND ENFORCEMENT OF THE APPLICATION OF THE GDPR – ROLES AND POWERS
Establishment of a Supervisory Authority
- Under Article 51 of the GDPR, each EU Member State must have or set up at least one independent public authority to be responsible for monitoring and enforcing the provisions of the GDPR and to protect the rights and freedoms of individuals. These authorities are known under the GDPR as “Supervisory Authorities” (“SAs”).
- If a Member State appoints more than one SA, it must designate which authority will represent it on the European Data Protection Board (“EDPB”) and set out a mechanism to ensure compliance by the other authorities with the rules relating to the GDPR “Consistency Mechanism” (as described further below in this Practice Note).
- SAs are required to co-operate with each other and with the European Commission.
- Under Article 28 of the previous EU Directive, each Member State was required to have a similar data protection authority in place. It is therefore not expected that the role of most existing authorities (for example, the Information Commissioner’s Office (“ICO”) in the UK) will change. Organisations should be able to continue interacting with their existing bodies in a similar way.
- Under the GDPR, SAs and their members must:
  - Be set up by appropriate legislation and transparent procedures in the Member State and have appropriately skilled and experienced staff acting subject to a duty of professional secrecy, in order to exercise the SAs’ powers in a fair, uniform and impartial manner.
  - Act independently in carrying out their functions.
  - Not be influenced by or take instructions from anyone when performing their duties.
  - Not be involved in any way in any incompatible behaviour or occupation during their term in office.
  - Be given the adequate human, technical and financial resources, premises and infrastructure necessary to carry out their duties and powers.
  - Be subject to financial control and budgets that do not affect their independence.

Recitals 117, 118 & 121; Articles 51–54

Lead Supervisory Authority
- Each SA can only exercise its powers on the territory of its own Member State but, under the Lead SA approach (see below), the SA’s regulatory action could affect processing occurring in other EU Member States.
- Under the GDPR, if a Data Controller or Data Processor organisation has establishments in a number of different Member States, the SA for its “main establishment” (which in simple terms is an organisation’s headquarters for EU operations or the location where it makes its main decisions regarding data-processing activities in the EU) will act as its “Lead SA”. This Lead SA:
  - Will have the power to regulate that organisation throughout all of the Member States where the organisation carries out cross-border data-processing activities.
  - Is intended to provide a single decision-making process in situations where a number of different Member State SAs would otherwise be required to regulate the same activities by the same organisation in a number of different Member States. It is hoped that this will mean greater harmonisation of data protection legislation across Europe.
- Many practitioners are calling this Lead SA approach the “one-stop shop”, equating it to similar approaches taken in other areas of regulatory enforcement (for example, trading standards).
- Under Article 28 of the previous EU Directive, each Member State’s enforcement powers were mostly restricted to that Member State’s territory. This meant that organisations were often subject to inconsistent decisions being taken in different Member States. The changes under the GDPR will, however, create new challenges for multinationals operating across Europe and interacting with a number of SAs. It is, for example, unclear whether this Lead SA approach will work well in practice or whether national SAs will still try to regulate organisations that should otherwise be subject to another SA’s jurisdiction.

Recitals 124–128; Articles 51, 55 & 56

Duties of the Supervisory Authority
The main duties of SAs as set out under the GDPR are as follows:
- To monitor and enforce application of the GDPR.
- To promote general awareness of the risks, rules, safeguards and rights relating to data processing (especially in relation to children).
- To advise national and governmental institutions as well as other institutions and bodies on the application of the GDPR.
- To promote awareness of GDPR obligations to Data Controllers and Data Processors.
- To advise Data Subjects on their rights under the GDPR (including liaising with other SAs in relation to these rights) and to handle complaints raised by Data Subjects and/or their representatives.
- To co-operate with other SAs and the EDPB to ensure consistent application of the GDPR.
- To carry out regulatory investigations in relation to application of the GDPR.
- To monitor technical and commercial developments that may impact on data protection.
- To authorise the use of the EC Standard Model Clauses and Binding Corporate Rules for International Data Transfer.
- To comply with the requirements under the GDPR for Data Protection Impact Assessments (including liaising with organisations in relation to these).
- To encourage the creation of Codes of Conduct and review data protection certifications.
- To maintain records of sanctions and enforcement actions carried out.
- To fulfil “any other tasks related to the protection of personal data”.
The tasks performed by each SA remain largely free of charge to Data Subjects and to Data Protection Officers (if any). Article 57(4) does, however, provide that where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the SA may charge a reasonable fee based on administrative costs, or indeed refuse to act on the request. The SA must be able to show that the request is manifestly unfounded or excessive.
In short, the duties of SAs are set out in a lot more detail under the GDPR than they were under the EU Directive. It seems, however, that this will make little practical difference to the way that SAs operate under the GDPR.

Recitals 122–123; Articles 55, 57

Powers of the Supervisory Authority
The main powers of SAs to sanction organisations that are not complying with the GDPR are as follows:
- Investigative Powers.
- Corrective Powers.
Using these powers, which are set out in more detail below, SAs are authorised to enforce the GDPR, to investigate GDPR breaches and to bring legal action against those breaching the GDPR where it is necessary to do so.
The powers available to the SAs are not hugely different from those that they already have under the EU Directive. It therefore seems likely that enforcement may continue to be approached in different ways by different Member State SAs.
It is, however, important to note that many of these powers can be applied to both Data Controllers and Data Processors. This is a big change under the GDPR for Data Processors, which were able to hide behind Data Controllers under the previous EU Directive.

Recital 129; Article 58

Activity Reports
As was previously required under the EU Directive, and in order to maintain fairness and ensure transparency, SAs must create and make public annual reports explaining their regulatory activities.

Article 59

Co-operation, Consistency, Assistance and Joint Operations
- The European Union Article 29 Working Party (“WP29”) was formed from representatives of the national data protection authorities in each EU Member State and was established to try to provide consistent advice on the interpretation and application of the EU Directive. Although the WP29 guidance is not legally binding, national data protection authorities have usually followed the guidance when taking their own enforcement action and creating their own national guidance. Under the GDPR, the WP29 is to be replaced by the EDPB.
  The EDPB will be constituted similarly to the WP29 except that (as already discussed above in this Practice Note) in Member States where more than one SA has been appointed (for example, in Germany), that Member State will have to appoint only one SA as an EDPB representative. The EDPB is also intended to have a similar function to the WP29 except that its aim is to have more power than the WP29 because it is intended to play an active part in enforcing the GDPR. It remains to be seen how this will be carried out in practice.
- As already discussed above, SAs are required under the GDPR to co-operate and assist one another where that is necessary. They also have authority under the GDPR to carry out joint operations where appropriate. Where it is believed that a particular matter may have an impact in more than one Member State, the issue may be referred to the EDPB, and the SAs may also have to co-operate with the European Commission.
  The co-operation, assistance and appropriate joint operations are intended to help maintain consistency in the way that the GDPR is operated and enforced by SAs across Europe. It is hoped that, in practical terms, it will also mean that regulatory investigations applying to organisations operating across borders should be easier both for SAs and for the organisations to manage. However, prior to the GDPR, most data protection authorities already worked together in practice, so this may not lead to a lot of practical change from practices under the EU Directive.
- Many organisations carry out cross-border data processing in a number of different Member States. Under the GDPR, if a particular SA wants to take enforcement action against a particular organisation, that SA is required to consult with other affected SAs in order to maintain a consistent approach to the application and enforcement of the GDPR. This has become known as the “Consistency Mechanism”. When interpreting and making decisions about the EU Directive, national data protection authorities have historically taken different approaches to the same issues, which has made it very hard for organisations working across borders. It is hoped that the new, more formal procedures required under the GDPR will help to harmonise the enforcement approaches of SAs across the EU.

Articles 51(3), 68–76; Recitals 132–134; Articles 61–63, 64(2); Recitals 135–138; Articles 4, 56, 63–67

European Data Protection Board: Establishment, Function & Reports
- The EDPB is established as a body of the EU with its own legal personality. It must comply with the procedures set out under Articles 72–75.
- It is represented by its Chair and consists of the head of one SA of each Member State and of the European Data Protection Supervisor, or their respective representatives.
- As discussed above in this Practice Note, where a Member State has more than one SA, it must appoint one representative to the EDPB.
- The European Commission has the right to send a representative to participate in the activities and meetings of the EDPB, but without voting rights.
- The Chair of the EDPB must communicate EDPB activities to the European Commission.
- The European Data Protection Supervisor shall have voting rights only on decisions that concern principles and rules applicable to the EU institutions, bodies, offices and agencies that correspond in substance to those of this Regulation.
- The EDPB must act independently when performing its tasks and duties as set out in detail in Article 70.
- The EDPB must issue Annual Reports in accordance with Article 71.
- Under Article 76, discussions held by the EDPB may be kept confidential where the EDPB deems it necessary, acting in accordance with its own rules.

Articles 65 and 68–76

European Data Protection Board: Disputes
- Under the GDPR, SAs are required to submit a draft decision to the EDPB for approval before the SA does any of the following:
  - Specifies what data-processing measures should be subject to a Data Protection Impact Assessment.
  - Approves a Code of Conduct.
  - Approves accreditation criteria.
  - Determines the content of standard data protection clauses under Articles 46(2), 46(3) or 28(8).
  - Approves Binding Corporate Rules.
  - Makes decisions that may affect Data Subjects or organisations in a number of Member States.
  The EDPB will consider any such decision to be made and will issue its opinion if the matter may affect multiple Member States. The relevant SA is then required to take “utmost account” of the EDPB’s opinion before proceeding with its decision. It is hoped that this process will ensure that SAs make consistent decisions, which in turn will help to ensure that the GDPR is applied consistently across the EU.
- Where SAs cannot agree about significant matters under the GDPR, the EDPB will issue a binding decision, which the SAs involved are required to adopt within one month of the EDPB notifying its decision. Again, it is hoped that dispute resolution by the EDPB will lead to a more consistent application of the GDPR.
- There was no such requirement under the EU Directive for national data protection authorities to submit their decisions to a central authority for checking. It is therefore hoped that, although there are undoubtedly benefits to this new process, it does not cause decision-making processes to be unnecessarily delayed by bureaucracy. The GDPR has tried to include a check and balance in relation to this by including an “Urgency Procedure”. Under Article 66, if an SA believes that it needs to act urgently to protect a Data Subject’s rights, it is entitled to adopt provisional measures to do so for a three-month period. To do so, it must explain the reasons for this fully to the other affected SAs, to the EDPB and to the European Commission. It can also ask the EDPB to issue an urgent opinion in the circumstances.
- Under the GDPR, the European Commission may ensure effective information exchange between affected SAs and the EDPB by specifying arrangements for electronic exchange of information.

Recital 136; Article 64; Recital 136; Article 65; Recital 137; Article 66; Recitals 116, 168 and Articles 47(3), 50, 60(1), 61(3), (9), 67, 70(c), (u)–(w)

INVESTIGATIVE POWERS
The GDPR sets out certain investigative powers for SAs, which include the following powers:
- To order the Data Controller and/or the Data Processor (or their applicable representatives) to provide any information that the SA requires for the proper performance of its tasks.
- To carry out data protection audits.
- To carry out a review of certifications issued.
- To notify the Data Controller and/or the Data Processor of any alleged infringement of the GDPR.
- To obtain access from the Data Controller and/or the Data Processor to all personal data and all information necessary to perform the SA’s tasks.
- To obtain access to any premises of the Data Controller and/or the Data Processor, including access, as required, to data-processing equipment/means.

Article 58(1)

CORRECTIVE POWERS
Warnings, Reprimands and SA Orders
The GDPR sets out certain corrective powers for SAs, which include the following powers:
- To issue warnings to a Data Controller and/or Data Processor that intended processing operations are likely to infringe the GDPR.
- To issue reprimands to a Data Controller and/or Data Processor where processing operations have infringed the GDPR. If there is a minor infringement of the GDPR, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should, however, be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.
- To order the Data Controller and/or Data Processor to:
  - Comply with the Data Subject’s requests to exercise his or her rights pursuant to the GDPR.
  - Bring processing operations into compliance with the GDPR, where appropriate, in a specified manner and within a specified period.
- To order:
  - The rectification or erasure of personal data or restriction of processing where appropriate.
  - A certification body to withdraw a certification, or indeed for the SA to order withdrawal of a certification itself.
  - The suspension of data flows to a recipient in a third country or to an international organisation.
  - The Data Controller to communicate a personal data breach to affected Data Subjects.
  - A temporary or definitive limitation, including a ban on processing.
- To impose an administrative fine in addition to, or instead of, other corrective measures, depending on the circumstances of each individual case (see below for further information).
Some of these corrective powers for SAs are likely to have a significant impact on the day-to-day operations of organisations, for example, the power to suspend data transfers to third countries. The potential impact of these risks should be considered by organisations and internal risk registers updated accordingly.

Recitals 148, 150; Article 58(2)

Remedies: Complaints & Representation
- Data Subjects have a right to complain to an SA about the handling of their personal data if they believe that their rights under the GDPR have been breached. They can complain to the SA either in the Member State where they live or work or in the Member State where the alleged infringement took place. The SA must inform the Data Subject about the progress and outcome of the complaint. This right to complain is very similar to the rights under the previous EU Directive, but it clarifies that individuals can complain not just in their own country but also to SAs in other countries where the breach occurred. It is worth noting that under the “one-stop shop” approach (discussed above), the SA that receives the complaint may not be the SA that has responsibility to regulate the infringing Data Controller, so there will still be situations where the SAs have to work with Data Subjects to decide who is best placed to handle the complaint.
- Under the previous EU Directive, Data Subjects were allowed to appoint a third-party representative or association to lodge a complaint to an SA on their behalf. Under the GDPR, those rights have been clarified and expanded to state that Data Subjects can appoint as their representative any not-for-profit body, organisation or association that fulfils the necessary requirements under national law, has statutory objectives that are in the public interest and is “active in the field of the protection of Data Subjects’ rights and freedoms” (for example, a works council or trade union). Those representatives will then have the right to complain to the SA on behalf of the Data Subject and also to exercise the right to a judicial remedy or to seek compensation on behalf of the Data Subject if provided for by national law (as discussed further below). It seems that these GDPR provisions will therefore enable representatives to bring actions on behalf of numerous Data Subjects at a time. Data Controllers will need to consider what steps they can take to prepare for such situations arising and have policies and procedures in place to manage these risks. It is also worth noting that, under Member State law, these representatives are also allowed under the GDPR to lodge a complaint with the SA on behalf of Data Subjects without being mandated by those Data Subjects.

Recital 141; Article 77; Recital 142; Article 80

Remedies: Compensation, Concept of Damage and Liability of Data Controllers & Data Processors
- Under the GDPR, all Data Subjects have the right to claim compensation through the courts from the appropriate Data Controller and/or the Data Processor for material or immaterial damage suffered as a result of any processing of their personal data carried out in breach of the GDPR.
- The rights to compensation have been expanded under the GDPR because, under the previous EU Directive, Data Subjects suffering any such harm were only entitled to claim such compensation from Data Controllers. By contrast, under the GDPR:
  - Any Data Controller involved in the unlawful processing shall be liable for the damage caused by the processing that is in breach.
  - The Data Processor shall only be liable for the damage caused where it (or its sub-processor) has not complied with the GDPR obligations specifically directed at Data Processors or where it has acted outside or contrary to lawful instructions from the relevant Data Controller.
  - Each Data Controller or Data Processor will be held liable for the entire harm caused if they are involved in the same infringing data processing, and will be held responsible for that harm in order to ensure effective compensation.
- Under the GDPR:
  - Data Subjects’ rights have been clarified to state that they may enforce their rights to compensation against any Joint Data Controllers involved. This is to ensure that the Data Subjects’ rights are always protected where information is being shared or used by multiple Data Controllers.
  - Each Joint Data Controller involved will be liable for the entirety of the damage unless national Member State law apportions liability between the controllers.
  - If one of the Joint Data Controllers pays the full compensation to the Data Subject, that Joint Data Controller is then entitled to bring proceedings against the other Joint Data Controllers involved in order to recover their portions of the relevant damages that have been payable. This apportionment of liability is something that will need to be carefully considered between Joint Data Controllers, particularly in data-processing situations in group companies, for example, and also where data-sharing projects are entered into (for example, public sector data sharing). It may lead to more protracted negotiations between Data Controllers in advance of entering into joint data-processing or data-sharing arrangements.
- Both Data Controllers and Data Processors can argue against whole or partial liability where they can prove that they were not responsible for the situation that led to the damage suffered.
- It is worth noting that under the previous EU Directive there was also a defence to show that the liability arose in whole or in part from force majeure, but under the GDPR there is no mention of force majeure events. This should be considered carefully in relation to contractual arrangements where Data Controllers may bear the risk in force majeure situations. Thought should therefore be given as to whether existing force majeure clauses need to be altered or strengthened to take account of this.
- The rights to compensation under the GDPR are strengthened, clarified and expanded on from the previous EU Directive, which should make these rights easier for Data Subjects to enforce. The scope of liability for both Data Controllers and Data Processors infringing the GDPR has increased risks for both in terms of compensation that could be payable. Some Joint Data Controllers may, for example, find that they face much higher liability for claims under the GDPR. Data Processors take on this direct liability for the first time. It would therefore be prudent for each kind of organisation to ensure that their relevant Board of Directors or management are briefed on these increased liability risks and also to update any internal risk registers to reflect this risk.

Recitals 79, 146–147; Articles 26(3), 82(1)–(5)