Datafication 10 Flashcards

1
Q

2 systems to ensure compliance

A

1) Authorities
2) Sanctions

2
Q

Supervision through Authorities

A

1) European Data Protection Board (EDPB)
2) National Supervisory / Data Protection Authority (DPA)

3
Q

European Data Protection Board (EDPB)

A
  • independent EU body
  • contributes to consistent application of data protection rules
4
Q

European Data Protection Board (EDPB) - composition

A

1) representatives of national DPAs &
2) European Data Protection Supervisor (EDPS)
3) Supervisory authorities of EFTA EEA States (but no right to vote & (deputy) chair)

5
Q

European Data Protection Board (EDPB) - Tasks / Responsibility (more in Art. 70):

A
  • Advise EU Commission
  • Issue legally binding decisions
  • Issue guidelines, recommendations & best practices (annual report including reviewing practical applications of those)
6
Q

National Supervisory / Data Protection Authority (DPA)

A

independent public authority(ies) which each Member State is required to provide

7
Q

National Supervisory / Data Protection Authority (DPA) - task

A
  • Monitor, enforce & promote public awareness
  • annual report on its activities (transparency)
8
Q

National Supervisory / Data Protection Authority (DPA) - requirements

A
  • Independence from external influence: law underlying it & organizational structure
  • no conflict of interests
  • sufficient resources & capabilities
  • choose own staff
9
Q

Lead Supervisory Authority

A
  • NSA of main establishment of dc or dp is competent to act as lead
  • for cross-border processing (when dc has establishments in several & processing affects ds in different member states)
10
Q

Main establishment of dc or dp when establishments in > 1 Member State

A

= Place in EU
a) dc:
- where decisions on purposes & means of processing pd take place
- Otherwise: of its central administration
b) dp:
- of its central administration
- Otherwise: where main processing activities in context of activities of an establishment of the dp take place

11
Q

e.g. main establishment Fb?

A

Ireland: established company in Ireland -> benefiting from GDPR's principles of free pd movement in EU

12
Q

e.g. main establishment Google?

A
  • established in California, sales offices in number of EU Member States
  • Google Spain case: CJEU found Google Inc. (dp established in US) along with its establishment in Spain (Google Spain) were processing pd “in context of activities of an establishment” in Spain
  • undisputed that Google Spain was not (directly) involved in processing but promotes & sells advertising space offered by the search -> used to make it economically profitable
  • CJEU: Directive applicable to processing done by Google, to preserve the protection guaranteed by the earlier Data Protection Directive & prevent excuse by having broad territorial scope
13
Q

Relationship LSA & other DPAs

A
  • LSA can request assistance from other DPAs
  • DPAs can raise reasonable objections to draft decision, LSA can decide to follow or not
14
Q

One stop shop (OSS) mechanism

A
  • if company conducts cross-border data processing
  • required to work primarily with the SA based in same Member State as company's main establishment (usually EU headquarters) to achieve compliance
  • aim: improve harmonization & consistent application in all Member States
15
Q

e.g. Google Ireland Limited by French supervisory authority fine 53 mil. Euro

A
  • French DPA checked complaints in other Member States if lead already appointed
  • as non-claimed lead (also not Irish) they took the case
16
Q

Ds (or non-profit entities on behalf of 1 or more ds) right to enforce

A
  • lodge complaint with SA in Member State of residence, place of work or place of alleged infringement if feels like pd not handled accordingly
  • effective judicial remedy against a SA (bring a decision from SA before court of Member State where SA established)
  • effective judicial remedy against a dc or dp (proceedings where dp or dc has establishment or in Member state of ds)
17
Q
  1. Sanctions
A
  1. Fines
  2. Art. 8: ds right to claim compensation from dc or dp for damage suffered
  3. Art. 58: Supervisory Authority corrective powers
18
Q

Sanctions - Fines

A
  • Requirement: effective, proportionate & dissuasive
  • levels: 1. up to 10 Mio. Euro or 2% of total worldwide annual turnover of preceding financial year (whichever is higher), 2. up to 20 Mio. Euro or up to 4%
  • Amount & Type depends on number of factors (e.g. nature of the breach, degree of fault, prior breaches, actions of dc & dp after mistake, cooperation with SA)
19
Q

Sanctions - Supervisory Authority corrective powers

A
  • Orders & warnings to dc or dp
  • Order to communicate pd breach to ds
  • Temporary or definitive limitation (including ban on processing)
  • Order rectification, restriction, or erasure of pd
  • Suspension of data flows to recipient in 3rd country or international organization