Chapter 2J: Supervision and enforcement Flashcards
What is the role of the supervisory authority?
To represent the member state in the European Data Protection Board (EDPB)
Promote, monitor and enforce GDPR application
Protect fundamental human rights
Facilitate free flow of personal data
How does the supervisory authority represent its member state in the EDPB?
By cooperating with other supervisory authorities and contributing to the EDPB.
How does the supervisory authority promote, monitor and enforce GDPR application?
Promote awareness of its obligations, provide advice to controllers and processors and conduct investigations on GDPR application.
What is the European Data Protection Board?
An independent European body that contributes to the consistent application of data protection rules throughout the EU and promotes cooperation between the EU’s data protection authorities.
Who did the European Data Protection Board replace?
Working Party 29.
How is the European Data Protection Board composed?
It’s made up of a chair, the European Data Protection Supervisor (specific voting rights), the European Commission (no voting rights) and the head of each of the 28 member states’ Data Protection Authorities.
What does the EDPB use to ensure data protection consistency?
Binding decisions, guidelines, opinions.
How does the supervisory authority protect fundamental human rights?
Promote public awareness and understanding
Provide information to data subjects on request
Manage complaints (re: the member state)
Establish and maintain a list of processing operations subject to DPIAs
Draw up an annual report available to the public
How does the supervisory authority facilitate the free flow of personal data?
Encourage use of approved codes of conduct and certification mechanisms
What powers does a supervisory authority have?
Investigative, corrective, and authorisation and advisory
What does the investigative power allow a supervisory authority to do?
Order access to processing information and obtain access to premises
Conduct data protection audits
Review certifications
Notify of alleged GDPR infringements
What does the corrective power allow a supervisory authority to do?
Issue warnings and reprimands
Order compliance with a DSR
Order notification to a DS of breaches
Order rectification, restriction or erasure of data
Ban processing (temporarily or definitively) or suspend cross border transfers or withdraw certifications
Impose administrative fines
What does the authorisation and advisory power allow a supervisory authority to do?
Provide advice, authorise processing of personal data
Approve draft codes, certification criteria and BCRs
Accredit certification bodies and issue certifications
Adopt standard data protection clauses and authorise contractual clauses
Where cross-border processing occurs, how can the lead supervisory authority be identified?
For a single establishment - supervisory authority of the place of establishment
For multiple establishments - the place of the main establishment (central administration) unless decisions about processing happen elsewhere
If both controller and processor are involved in the processing, default to the controller’s lead SA.
What other supervisory authority procedures are in place?
Cooperation
Mutual assistance
Joint operations
Consistency mechanism
Dispute resolution
Urgency procedure
What is the ‘cooperation between other supervisory authorities’ procedure?
Cooperation between the lead supervisory authority and other concerned supervisory authorities to reach a consensus
What is the ‘mutual assistance’ procedure?
Provision of relevant information between supervisory authorities.
What is the ‘joint operations of supervisory authorities’ procedure?
Working together, including for investigations and enforcement measures (of controllers or processors in several member states or of data subjects in more than one member state)
What is the ‘consistency mechanism’ procedure?
Cooperation with the EDPB and the Commission for consistent application of the GDPR
and
Specific collaborative process between supervisory authorities, the Commission and the EDPB for adopting certain measures
What is the ‘dispute resolution’ procedure?
Supervisory authorities work on dispute resolution (if a decision is not jointly agreed upon by the supervisory authorities) and issuance of binding decisions
What is the ‘urgency procedure’?
A procedure for the immediate adoption of provisional measures within a member state
The EDPB is independent - true/false?
True.
What tasks does the EDPB have?
Monitor for correct application of the GDPR
Advise the Commission via opinions on issues related to personal data protection
Examine questions and issue guidelines, recommendations and best practices
Preside over the ‘one-stop-shop’
Provide dispute resolution
Publish annual reports
How does the EDPS action supervision and enforcement?
Monitoring personal data processing of the EU bodies (Commission, Council, Parliament, etc.)
Checking processing operations that pose high risk to data subjects prior to processing
Dealing with complaints
Making inquiries
Consulting