Chapter 13 (Supervision & Enforcement) Flashcards
1
Q
What is one of the most effective tools of supervision and enforcement of the GDPR and why?
A
Self regulation due to the fact that controllers and processors directly control the application of appropriate processes, procedures, and measures to protect data.
2
Q
What Articles of the GDPR advance the ideas of self regulation?
A
- Article 5(2): concept of accountability
- Articles 37-39: introduction of requirement for DPOs
- Articles 40-43: heightens focus on codes of conduct and certification schemes for data protection deals and marks
- Article 28: controllers must regulate their processors and processors must regulate their sub-processors
3
Q
What is the intent of Chapter 4 of the GDPR?
A
It expands Article 5(2)’s accountability requirement and its intent is that controllers will identify their risks, then set their positions to address them.
4
Q
What are 4 components of the GDPR that relate to self regulation?
A
- As part of their business-as-usual activities, controllers should look critically at their data processing activities through performance testing and adjust and refine its activities as needed to achieve good data protection.
- Article 28 creates relationships of supervision and enforcement between controllers and their processors.
- Articles 33 and 34 require notification of personal data breaches to DPAs in all cases where a risk to rights and freedoms is likely and notification to individuals who are affected in serious cases.
- Article 35 requires controllers to perform DPIAs where processing is likely to result in a high risk to the rights and freedoms’ of individuals.
5
Q
Do DPOs look more like quasi regulators or ordinary employees?
A
More like quasi regulators.
6
Q
How does Chapter 4 Articles 40-43 of the GDPR create a self-regulatory framework?
A
By way of codes of conduct and data protection certification mechanisms, such as seals and marks.
7
Q
Article 40 of the GDPR encourages representative bodies for controllers and processors, like industry associations, to create what in the context of self-regulation?
A
To create codes of conduct on any aspect of data protection compliance. A key feature is that the controllers and processors that undertake to apply them should be monitored for compliance.
8
Q
If a representative body creates a code of conduct Article 41 of the GDPR sets out the characteristics and tasks the monitoring body of such a code must exhibit. List 3 of these tasks/characteristics.
A
- They have to prove their expertise and avoid conflicts
- They must have procedures for effective monitoring of compliance and for dealing with complaints
- They should take appropriate actions against infringements
9
Q
By approving a representative body’s code of conduct does the relevant DPA abandon their supervisory and enforcement role?
A
No, they retain their jurisdiction over the subject matter covered by the codes and the controllers and processors that have undertaken to follow them.
10
Q
In order to issue certified seals or marks under Articles 42 & 43 of the GDPR the certification body must be accredited by whom?
A
Either the DPAs or the national accreditation bodies in the member states.
11
Q
In order to be accredited, certification bodies need to satisfy the DPAs that they have what 3 things?
A
- Independence and expertise and avoid conflicts of interest
- Must have procedures for issuing, reviewing, and revoking seals and marks
- Must have procedures for handling complaints
12
Q
If controllers and processors provide the first line of defense against bad data protection, who provides the second line of defense?
A
The citizens.
13
Q
Does the GDPR require that individuals must use and pursue their data subject rights against controllers before they can pursue complaints and remedies before the DPAs or the courts?
A
No.
14
Q
What Articles of the GDPR govern situations where individuals want to take their complaints of controllers noncompliance to the DPAs or courts?
A
Articles 77 and 79.
15
Q
Article 77(1) of the GDPR allows individuals to pursue noncompliance complaints before DPAs located in what 3 jurisdictions?
A
- DPA for their place of residence
- DPA for their place of work
- DPA for the place where the infringement took place
If each of the above places is different.
16
Q
What are representative actions and what is their benefit?
A
They are group litigation or class actions whereby groups of individuals are represented as a collective before the courts, thereby spreading the financial risks, leveraging collective case info, and likely securing more experienced legal representation.
17
Q
The GDPR introduces new representative action rights under Article 80 that allow individuals to elect to be represented by whom?
A
Not-for-profit orgs commonly known as CSOs (i.e. privacy advocates or pressure groups)
18
Q
Article 82 of the GDPR creates the right for citizens to pursue compensation claims against whom under what circumstances?
A
Against controllers and processors if they suffer damage as a result of an act of noncompliance.
19
Q
Under the GDPR are damages limited to financial loss?
A
No, damages can include no material damages such as distress.
20
Q
What remedy does Article 78 of the GDPR provide if an individual puts a complaint before a DPA that isn’t dealt with or acknowledged within 3 months?
A
In this circumstance an individual is entitled to take action against the DPA before the courts to force the issue.
21
Q
Who are the only bodies that are equipped with administrative supervisory and enforcement powers under the GDPR?
A
DPAs
22
Q
The GDPR’s provisions on administrative supervision are found in what chapter?
A
Chapter 6
23
Q
Article 36(4) of the GDPR contains a structural control - a consultation requirement - that effectively embeds what in the law making process of the member states?
A
The national regulator, i.e. it embeds data protection in the DNA of member states’ laws at the beginning of the legislative and rule-making process.
24
Q
Which article of the GDPR outlines the tasks of the DPAs?
A
Article 57
25
Article 57 of the GDPR states that in addition to monitoring and enforcing the GDPR and providing advice to their national parliaments and governments DPAs must do what 4 things?
1. Promote awareness and understanding of data protection, including risks, safeguards, and rights
2. Handle complaints and carry out investigations
3. Support the consistent application of the GDPR internationally, which includes working within the consistency mechanism, providing mutual assistance, and supporting the EDPB
4. Monitor and development of info and communications technologies and commercial practices
26
Articles 35(4), 35(5), and 36(1) outline what three things with regard to DPIAs respectively?
1. **Article 35(4)**: requires DPAs to publish a list of situations where DPIAs should be carried out
2.**Article 35(5)**: allows DPAs to publish a list of situations where DPIAs are not required
3. **Article 36(1)**: requires controllers to consult with their DPAs whenever a DPIA indicates that the processing would result in a high risk to the rights and freedoms of individuals in the absence of measures taken by the controller to mitigate the risk
27
What are the 3 powers of the DPAs listed in Article 58 of the GDPR?
1. Investigatory powers
2. Corrective powers
3. Authorization& advisory powers
28
The DPAs’ investigatory powers are intended to give them access to what?
They are intended to give them access to all necessary:
1. Evidence
2. Materials
3. Facilities
To enable them to deliver their tasks, together with a mechanism to actually start investigations (namely the power to notify controllers and processors of alleged breaches of the GDPR).
29
When conducting an investigation what 6 types of documents are DPAs likely to seek?
1. Policy frameworks built under Article 24
2. Privacy-by-design frameworks pursuant to Article 25
3. Processor contracts under Article 28
4. Records of data processing activities compiled under Article 30
5. Breach logs maintained under Article 33
6. Risk assessments taken for the purposes of Articles 24 and 35
30
What 2 lines of attack do DPAs have if they are determined to pursue a controller or processor for noncompliance under the GDPR?
1. Data protection written system
2. Data protection business operations
31
Article 54(2) imposes what type of obligation on the DPAs and their staff in respect of confidential info to which they have access?
Imposes obligations of professional secrecy.
32
Broadly speaking, what are the 3 ways the GDPR achieves cooperation and consistency?
1. Article 57(1) imposes a general duty of cooperation on the regulators, requiring them to work together to try and ensure a consistent application of the GDPR
2. Article 60(1) creates duties of cooperation for cross-border processing situations
3. Article 63 creates a consistency mechanism
33
What is the well-known one-stop-shop principle of supervision and enforcement under the GDPR for noncompliance that crosses multiple borders?
That the lead supervisory authority has competence when a controller or processor is involved in cross-border processing
34
The rules on cross-border processing do not apply to whom?
Public authorities or private bodies that are processing in accordance with a legal obligation, in the public interest, or for an official function.
35
Under Article 56 of the GDPR, where a controller or processor is involved in cross-border processing the question of regulatory competence turns on what?
The location of the main establishment of the controller or processor.
36
Under Article 4(23) of the GDPR, the concept of cross-border processing covers what 2 situations?
1. Processing by a controller or processor that is established in more than 1 member state, if the processing takes place in the context of more than one establishment (e.g. multinational orgs)
2. Processing by a controller or processor in the context of the activities of a single establishment, where the processing substantially affects or is likely to substantially affect data subjects in more than one member state (e.g. multinationals orgs with only one country of establishment)
37
For controllers, the concept of main establishment focuses on what?
Focuses on where the decision-making for processing of personal data takes place. Its generally the controller’s place of central administration.
38
For processors, the concept of main establishment focuses on what?
Focuses on the location of the main processing activities.
39
Does Article 56(2) permit non-lead authorities to take action in cross-border situations?
Yes, where the complaint relates only to their territory or if it substantially affects individuals only in their territory.
40
In a cross-border processing matter what happens if the lead authority rejects or accepts another DPAs assertion of competence?
1. If it rejects assertion, it will handle the matter itself and the procedure in Article 60 must be followed
2. If it accepts assertion, the other DPA will proceed in the matter subject to following the rules in Articles 61 and 62 about mutual assistance and joint operations
41
Now that the UK is no longer a member state of the EU, do the GDPR’s rules in the one-stop-shop and cross-border processing apply?
No.
42
For groups of undertakings with EU headquarters, there is a rebuttable presumption that what will be the main establishment?
The parent organization
43
The cooperation procedure in Article 60 only applies when?
When there is cross-border processing triggering the lead authority rules.
44
The essence of Article 60’s cooperation procedure is to supply what?
To supply a draft decision by the lead authority to other concerned DPAs.
45
Under Article 60 of the GDPR, a draft decision can trigger what 3 responses from the other concerned DPAs?
1. Comments
2. A reasoned objection
3. Agreement
46
Under Article 60 of the GDPR, what 2 choices does a lead authority have if another concerned DPA makes a reasoned objection?
1. It can accept the objection
2. It can reject the objection
47
Under Article 60 of the GDPR, if a lead authority accepts a reasoned objection what happens?
It must issues a revised draft decision.
48
Under Article 60 of the GDPR, if a lead authority rejects a reasoned objection what happens?
The lead authority must must follow the consistency mechanism.
49
Under Article 60 of the GDPR, if a draft decision is deemed accepted (i.e. there are no reasoned objections) the lead authority shall adopt the decision and notify whom of the decision?
1. The controller or processor at its main establishment
2. The other concerned DPAs
3. The EDPB
50
Articles 61 & 62 of the GDPR are concerned with what 2 things between the DPAs?
1. Mutual assistance
2. Joint operations (respectively)
51
Article 61(1) of the GDPR requires the DPAs to put in place appropriate measures to provide assistance within what time frame?
One month
52
What is the EDPB and what article of the GDPR established it.
It is the European Data Protection Board and successor to WP29. Established by Article 68 of the GDPR.
53
Who is part of the EDPB?
1. The chairperson
2. The heads of the DPAs
3. The European Data Protection Supervisor (EDPS)
54
What does the consistency mechanism apply to and who is at the heart of it?
It applies to:
1. Disputes about supervision and enforcement in cross-border processing situations
2. The core functions of creating regulatory advice and guidance
The EDPB is at the heart of the consistency mechanism.
55
Article 64 of the GDPR requires the EDPB to issue opinions on what 5 things?
1. List of circumstances when DPIAs are required
2. Adoption of proposed codes of conduct that affect multiple member states
3. Criteria for accreditation of code-monitoring bodies and certification bodies
4. Contractual clauses approved by the DPAs
5. BCRs authorizations
56
What is a key part of the consistency mechanism and what 3 situations trigger it?
A key part is the dispute resolution procedure in Article 65 of the GDPR.
It is triggered whenever:
1. A lead authority rejects reasoned objections to a draft decision concerning cross-border processing
2. There is a dispute between the DPAs about who is competent to regulate the main establishment
3. A DPA fails to refer its decision on DPIA lists, codes of conduct, and international transfer mechanisms to the EDPB
57
What procedures are adopted in the exceptional circumstances that demand a DPA take urgent action to protect the rights and freedoms of individuals? Describe them.
The procedures in Article 66 of the GDPR they allow DPAs to immediately adopt provisional measures that are intended to produce legal effects in their territories. They have a 3 month life span.
58
Tensions have emerged within the one-stop shop concerning what DPA is the lead authority for high-profile US technology businesses. Who is the lead authority DPA?
The Irish DPC’s role because US technology companies have established their EU headquarters in and around Dublin.
59
What did the Facebook cases in Ireland and Belgium take a look at?
The carve outs to the one-stop shop principle, specifically whether the Belgium DPA could take action where it was not the lead authority.
60
What are the 2 carve outs to the one-stop shop rule?
1. Article 56(2): an exception where a non-lead DPA can regulate aspects of cross-border processing that concern only an establishment in its territory, or which substantially effects data subjects only in its territory
2. Cases of urgency under Article 66 (though the CJEU confirmed the consistency rules in Article 66 can’t be bypassed by the non-lead authority)
61
What are 3 things the CJEU confirmed in the Facebook case re Belgium and Ireland?
1. If a carve-out applies, the non-lead authority can utilize Article 58(5) against a non-main establishment if a controller or processor in its territory.
2. A non-lead authority can take action against a controller or processor that isn’t established in its territory, provided it is established elsewhere in the EU for the purposes of cross-border processing
3. An action can be brought against an entity that isn’t the actual controller provided there is an inextricable link between it and the controller
62
What article of the GDPR contains its administrative fines regime?
Article 83
63
Article 83(4) of the GDPR allows fines up to how much for non-undertakings (not engaged in economic activities, e.g. public authorities)?
Fines up to 10 million pounds
64
Article 83(5) the GDPR allows fines up to how much for non-undertakings (not engaged in economic activities, e.g. public authorities)?
Fines up to 20 million pounds
65
Article 83(4) of the GDPR allows fines up to how much for undertakings (e.g. companies)?
Fines up to the higher of 10 million or 2% of total worldwide annual turnover in preceding year for undertakings.
66
Article 83(5) of the GDPR allows fines up to how much for undertakings (e.g. companies)?
Fines up to the higher of 20 million or 4% of total worldwide annual turnover in preceding year for undertakings.
67
Article 83(4) of the GDPR applies to noncompliance with what articles of the GDPR?
1. Controller and processor infringements: Articles 8,11, 25-39, 42 and 43
2. Certification body infringements: Articles 42 and 43
3. Monitoring body infringements: Article 41(4)
68
Article 83(5) of the GDPR applies to noncompliance with what articles of the GDPR?
Articles 5-7, 9, 12-22, 44-49, and 58(1) and (2).
69
What 11 noncompliance issues are covered under the fines listed in Article 83(4) of the GDPR?
Covers issues such as:
1. Child consent
2. Data protection by design and default
3. Engagement of processors by controllers
4. Records of processing
5. Cooperation with regulators
6. Security
7. Breach notification
8. DPIAs
9. DPOs
10. Codes of conduct
11. Certifications
70
What 7 noncompliance issues are covered under the fines listed in Article 83(5) of the GDPR?
Covers issues such as
1. Data protection principles
2. Lawfulness of processing
3. Consent
4. Processing of special category data
5. Data subject rights
6. International transfers
7. Failure to comply with the DPAs’ investigatory and corrective powers
71
Under Article 83(2) of the GDPR, what are the 12 factors DPAs need to consider when determining the appropriate fine for noncompliance with the GDPR?
1. The nature, gravity and duration of the infringement
2. The intentional or negligent character of the infringement
3. Any action taken by the controller or processor to mitigate the damage suffered by the data subject
4. The degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them pursuant to Articles 25 and 32
5. Any relevant previous infringements by the controller or processors
6. The degree of cooperation with the the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
7. The categories of personal data affected by the infringement
8. The categories of personal data affected by the infringement
9. The manner in which the infringement became known to the supervisory authority, in particular whether, and if so, to what extent, the controller or processor notified the infringement
10. Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with re to the same subject matter, compliance with those measures
11. Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
12. Any other aggravating or mitigating factor applicable to the circumstances of the car, such as financial benefits gained or losses avoided directly or indirectly from the infringement
72
Does the GDPR allow member states to lay down rules on whether and to what extent fines may be imposed on public authorities and bodies established in their territories?
Yes- Article 83(7).
73
What 5 guidelines does the EDPB provide for calculating fines for undertakings?
1. CJEU case law defines undertaking to “encompass every entity engaged in economic activity, regardless of the legal status of the entity and the way it is financed”
2. For purposes of competition law undertakings are therefore identified with economic units rather than legal units
3. Different companies belonging to the same group can form an economic unit and therefore an undertaking
4. There is a legal presumption that where a parent company holds 100% or nearly 100% of shares of its subsidiary it will exercise decisive influence over the conduct of the subsidiary
5. In cases where a legal presumption doesn’t apply, the regulators can’t assume an undertaking exists
74
What is an intentional breach of the GDPR (provide examples)
It includes knowledge and willfulness in relation to the characteristics of the offense. Can include breaches that
1. Are explicitly authorized by management
2. Authorized despite advice of the DPO
3. Are in disregard of policy
75
What are examples of unintentional breaches of the GDPR?
1. Failures to abide by policy
2. Human error
3. Failure to apply technical updates in a timely manner
76
What are the 5 steps the EDPB provides for calculating the amount of a fine under the GDPR?
1. The processing operations must be identified and evaluated
2. The starting point for calculating the fine must be identified, by reference to the nature and seriousness of the infringement and the turnover of the undertaking
3. Aggravating and mitigating features must be considered
4. The maximum amount that can be fined must be established
5. The calculated fine must be effective, proportionate, and dissuasive
77
The EDPB provides guidelines on tiers of fines, based on the turnover of an undertaking, with the principle being the higher the turnover within a particular tier the higher the starting amount of the fine should be. What are the 4 tiers?
Turnovers:
1. Up to 50 million
2. 50 million to 100 million
3. 100 million to 250 million
4. And 250 million and above
78
What are 5 high profile fines issued under the GDPR in 2021?
1. 160 million imposed on Google LLC and Google Ireland by France’s CNIL
2. 60 million on Facebook Ireland Ltd by France’s CNIL
3. 6.5 million imposed on Grinder by Norway’s DPA
4. 225 million imposed on WhatsApp Ireland Ltd by Ireland’s DPC
5. 746 million imposed on Amazon.com Inc by Luxembourg’s DPA
