GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali
- Author: Adv. Prashant Mali
Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).
Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.
The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
Suitable Recitals
(124) Lead authority regarding processing in several Member States; (127) Information of the supervisory authority regarding local processing; (128) Responsibility regarding processing in the public interest.
COMMENTARY:
Lead supervisory authority is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority will coordinate any investigation, involving other ‘concerned’ supervisory authorities. Identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU.
The concept of a concerned supervisory authority is meant to ensure that the ‘lead authority’ model does not prevent other supervisory authorities from having a say in how a matter is dealt with when, for example, individuals residing outside the lead authority’s jurisdiction are substantially affected by a data processing activity. In terms of factor (a) above, the same considerations as for identifying a lead authority apply. Note that in (b) the data subject must merely reside in the Member State in question; he or she does not have to be a citizen of that state. In (c), it will generally be easy to determine, as a matter of fact, whether a particular supervisory authority has received a complaint.
Article 56 GDPR provides that the lead supervisory authority for cross-border processing of data will be the authority competent to supervise the entity engaged in processing the data of individuals in different countries, or the authority competent to supervise the main establishment of the data controller or processor where it has establishments in several Member States.
Article 56, paragraphs (2) and (5) of the GDPR provide for a concerned supervisory authority to take a role in dealing with a case without being the lead supervisory authority. When a lead supervisory authority decides not to handle a case, the concerned supervisory authority that informed the lead shall handle it. This is in accordance with the procedures in Article 61 (Mutual assistance) and Article 62 (Joint operations of supervisory authorities) of the GDPR.
Art. 57 GDPR Tasks
Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:
(a) monitor and enforce the application of this Regulation;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing;
(d) promote the awareness of controllers and processors of their obligations under this Regulation;
(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;
(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;
(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);
(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);
(l) give advice on the processing operations referred to in Article 36(2);
(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);
(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);
(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);
(p) draft and publish the requirements for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
(r) authorise contractual clauses and provisions referred to in Article 46(3);
(s) approve binding corporate rules pursuant to Article 47;
(t) contribute to the activities of the Board;
(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and
(v) fulfil any other tasks related to the protection of personal data.
Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form, which can also be completed electronically, without excluding other means of communication.
The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.
Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Suitable Recitals
(122) Responsibility of the supervisory authorities; (123) Cooperation of the supervisory authorities with each other and with the Commission; (132) Awareness-raising activities and specific measures; (133) Mutual assistance and provisional measures; (137) Provisional measures.
COMMENTARY:
Supervisory authorities (also colloquially known as “Data Protection Authorities” or “DPAs”) are given competence “for the performance of the tasks assigned to and the exercise of the powers conferred on it” described in the GDPR on their national territory. Recital 122 tells us that this competence includes “processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing in its territory”.
In cases where the legal basis for processing, whether by a private body or a public authority, is a legal obligation, acting in the public interest or in the exercise of official authority, the ‘concerned’ authority has competence and the cross-border lead authority system is disapplied. The language is rather obscure, but Recital 128 says that a supervisory authority has exclusive jurisdiction over both public authorities and private bodies acting in the public interest, which in either case are established on the supervisory authority’s territory. It is not clear whether this contemplates multiple establishments and is a means of excluding the one-stop shop, or whether it gives exclusive jurisdiction to the home supervisory authority even if the processing takes place elsewhere in the EU.
This might have wide application to private sector bodies – e.g. financial institutions carrying out anti-money-laundering activities in relation to customers elsewhere in the EU than the home country. Supervisory authorities cannot exercise jurisdiction over courts acting in a judicial capacity. ‘Court’ is not defined and it is not entirely clear how far down the judicial hierarchy this rule will extend. A lead-authority system is set up to deal with cross-border processing (see the section on co-operation and consistency between supervisory authorities for further information about this complex arrangement).
Tasks
There is a very comprehensive list of tasks given to the supervisory authorities by Article 57 of the GDPR. There is no need to list them all, because the last on the list is “fulfil any other tasks related to the protection of personal data”. Supervisory authorities must therefore do anything that might reasonably be said to be about the “protection of personal data”. Some tasks are worth emphasising. Supervisory authorities are to monitor and enforce the “application” of the GDPR and to promote awareness amongst the public, controllers and processors.
They are to advise their governments and parliaments on proposed new laws. Helping data subjects, dealing with and investigating complaints lodged by individuals or representative bodies, conducting investigations and especially co-operating with other supervisory authorities are all specifically mentioned, as is monitoring the development of technical and commercial practices in information technology. Supervisory authorities are to encourage the development of Codes of Conduct and Certification systems and they are to “draft and publish the criteria for accreditation” of certification bodies and those which monitor codes of conduct. Supervisory authorities cannot charge data subjects or Data Protection Officers for their services; the GDPR is however silent on whether controllers and processors could be charged fees in respect of services they receive from supervisory authorities.
Powers
Article 58 of the GDPR lists the powers of the supervisory authorities, to which Member States can add if they wish.
Many of the powers correspond to the specific tasks listed in Article 57 and do not need repeating. Worthy of mention are: ordering a controller or processor to provide information; conducting investigatory audits; obtaining access to premises and data; issuing warnings and reprimands and imposing fines; ordering controllers and processors to comply with the GDPR and data subjects’ rights; banning processing and trans-border data flows outside the EU; approving standard contractual clauses and binding corporate rules.
The exercise of powers by a supervisory authority must be subject to safeguards and open to judicial challenge. Member States must give supervisory authorities the right to bring matters to judicial notice and “where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation”. Presumably the existing variation in powers will continue in accordance with national law and procedure. Finally, supervisory authorities must produce annual reports. In summary, the competence, powers and tasks of supervisory authorities are a comprehensive listing of everything a supervisory authority must or might do. This is largely a predictable consolidation of existing practices with some innovations in individual Member States.
Pursuant to the Directive, each national supervisory authority was responsible for monitoring the application within its territory of the provisions transposing the Directive as adopted by the Member States (Article 28(1)). On this basis, the application of the measures could be referred to the relevant national supervisory authority by any person for verification of the lawfulness of personal data processing or with any request relating to the protection of his or her rights and freedoms with regard to such processing (Article 28(4)).
Those authorities should also be consulted on all proposed legislative, administrative or regulatory drafts relating to the protection of rights and freedoms of individuals with regard to personal data processing (Article 28(2)).
Art. 58 GDPR Powers
Each supervisory authority shall have all of the following investigative powers:
(a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;
(b) to carry out investigations in the form of data protection audits;
(c) to carry out a review on certifications issued pursuant to Article 42(7);
(d) to notify the controller or the processor of an alleged infringement of this Regulation;
(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
Each supervisory authority shall have all of the following corrective powers:
(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
(i) to impose an administrative fine pursuant to Article 83,