Article 71 GDPR: Difference between revisions

From GDPRhub
mNo edit summary
 
(13 intermediate revisions by 5 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 71 - Reports'''</center><span id="1">1.  The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.</span>
<br /><center>'''Article 71 - Reports'''</center>
 
<span id="1">1.  The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.</span>


<span id="2">2.  The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of the binding decisions referred to in Article 65.</span>
<span id="2">2.  The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of the binding decisions referred to in Article 65.</span>


== Relevant Recitals==
== Relevant Recitals==
''N/a.''
{{Recital/100 GDPR}}{{Recital/139 GDPR}}{{Recital/91 GDPR}}


== Commentary ==
== Commentary ==
Article 71 GDPR aims to enhance transparency in accordance with the principles of transparency and good governance, under Article 15 Treaty on the Functioning of the European Union ("''TFEU''") and Article 41 of the Charter of Fundamental Rights of the European Union ("''CFR''"). Following concerns from the Commission that the Board's predecessor, the Article 29 Working Party (“''WP29''”), lacked transparency, European legislators sought to remedy the issue through the inclusion of a reporting obligation under Article 71 GDPR.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 71 GDPR, p. 1086 (Oxford University Press 2020).</ref>


===(1) Obligation to prepare an annual report===
===(1) Obligation to prepare an annual report===


The EDPB’s annual report can include all topics relevant to data protection law. It is simultaneously intended to make the actions of the EDPB transparent, whilst also increasing public awareness of the risks associated with the processing of personal data.<ref>''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin numbers 1-3 (Beck 2018, 2<sup>nd</sup> ed.) (accessed 01.06.2021).</ref>
The report is not designed to simply act as a summary of the EDPB’s activities, but rather a status report on data protection in the Union, as well as in third countries “''where relevant''.”<ref>''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin number 2 (C.H. Beck 2021, 3<sup>rd</sup> edition).</ref> The phrase “''where relevant''” is intended to clarify that third countries will only be referred to where the data of EU individuals are processed. Irrespective of this, the EDPB may also monitor international developments in data protection for other reasons.<ref>''Dix'' in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).</ref>Although made public, the annual report is directly transmitted to the European Parliament, Council, and Commission, giving it a distinctive political orientation.<ref>''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin numbers 4 (C.H. Beck 2021, 3<sup>rd</sup> edition).</ref> These bodies may use the report as an opportunity to take action in their own capacity. For example, the Commission may initiate infringement proceedings against Member States that the EDPB confirms have violated the GDPR.<ref>''Dix'' in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).</ref>
 
It is not primarily designed to be a summary of the EDPB’s activities, but rather a status report on data protection in the EU, as well as in third countries “where relevant.”<ref>''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin numbers 1-4 (Beck 2021, 3<sup>rd</sup> ed.) (accessed 01.06.2021).</ref> The phrase “where relevant” is intended to make clear that third countries will only be referred to where the data of EU individuals are processed. Irrespective of this, the EDPB may also monitor international developments in non-EU data protection for other reasons.<ref>''Dix'' in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (Beck 2020, 3rd ed.) (accessed 06.01.2021).</ref>  
 
Although made public, the annual report is directly transmitted to the European Parliament, Council, and Commission, giving it a distinctive political orientation. <ref>''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin numbers 1-4 (Beck 2021, 3<sup>rd</sup> ed.) (accessed 01.06.2021).</ref> These bodies can use the report as an opportunity to take their own action; e.g., the Commission might initiate infringement proceedings against Member States that the EDPB confirms have violated the GDPR.<ref>''Dix'' in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (Beck 2020, 3rd ed.) (accessed 06.01.2021).</ref>
 
Public bodies can be named in the annual report as they have no basic right to data protection. The extent to which private organisations should be named must be assessed on a case-by-case basis, and factors may include: whether the organisation is committing persistent violations of the GDPR; whether there is a legal dispute (the ECJ and ECHR always publish their judgments with the full names of parties to the proceedings); and the possible adverse effects on the company’s reputation.<ref>''Dix'' in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (Beck 2020, 3rd ed.) (accessed 06.01.2021).</ref> 
 
===(1) Content of the annual report===
 
Article 71(2) establishes a few specific requirements for the content of the annual report.
 
First, the report must include a review of the EDPB’s statements, guidelines, recommendations, and best practices published under Article 70(3) GDPR. Though Article 70(3) GDPR already obliges the EDPB to make these public, Article 71(2) GDPR ensures the public is provided with an overview of acts adopted during the relevant reporting period.<ref>''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin number 1-3 (Beck, 2018, 2<sup>nd</sup> ed.) (accessed 01.06.2021).</ref>
 
Additionally, the report must include any binding decisions issued in dispute resolution procedures under Article 65(1). Article 65(5) also obliges the EDPB to publish such decisions on its website.
 
Beyond these specific requirements, the EDPB has a wide discretion as to which information is included in the annual report.<ref>''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin number 1-3 (Beck, 2018, 2<sup>nd</sup> ed.) (accessed 01.06.2021).</ref> This has previously included a summary of its most important statements and resolutions, and statements on the activities of supervisory authorities.<ref>''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin number 1-3 (Beck, 2018, 2<sup>nd</sup> ed.) (accessed 01.06.2021).</ref>
----[[Article 71 GDPR#%20ftnref1|<sup><sup>[1]</sup></sup>]] ''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin numbers 1-3 (Beck 2018, 2<sup>nd</sup> ed.) (accessed 01.06.2021).
 
[[Article 71 GDPR#%20ftnref2|<sup><sup>[2]</sup></sup>]] ''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin numbers 1-4 (Beck 2021, 3<sup>rd</sup> ed.) (accessed 01.06.2021).
 
[[Article 71 GDPR#%20ftnref3|<sup><sup>[3]</sup></sup>]] ''Dix'' in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (Beck 2020, 3rd ed.) (accessed 06.01.2021).
 
[[Article 71 GDPR#%20ftnref4|<sup><sup>[4]</sup></sup>]] ''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin numbers 1-4 (Beck 2021, 3<sup>rd</sup> ed.) (accessed 01.06.2021).
 
[[Article 71 GDPR#%20ftnref5|<sup><sup>[5]</sup></sup>]] ''Dix'' in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (Beck 2020, 3rd ed.) (accessed 06.01.2021).
 
[[Article 71 GDPR#%20ftnref6|<sup><sup>[6]</sup></sup>]] ''Dix'' in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (Beck 2020, 3rd ed.) (accessed 06.01.2021).
 
[[Article 71 GDPR#%20ftnref7|<sup><sup>[7]</sup></sup>]] ''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin number 1-3 (Beck, 2018, 2<sup>nd</sup> ed.) (accessed 01.06.2021)
 
[[Article 71 GDPR#%20ftnref8|<sup><sup>[8]</sup></sup>]] ''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin number 1-3 (Beck, 2018, 2<sup>nd</sup> ed.) (accessed 01.06.2021)
 
[[Article 71 GDPR#%20ftnref9|<sup><sup>[9]</sup></sup>]] ''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin number 1-3 (Beck, 2018, 2<sup>nd</sup> ed.) (accessed 01.06.2021)


Public bodies should be openly named in the annual report as they have no reasonable expectation of privacy. Whether private entities are named must be assessed on a case-by-case basis. Factors justifying the publication of an entity's name may include considerations such as, whether the organisation has committed persistent violations of the GDPR, or whether there have been legal proceedings instigated against the entity.<ref>''Dix'' in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).</ref>


===(2) Content of the annual report===


Article 71(2) GDPR establishes several specific requirements for the content of the annual report. First, the report must include a review of the EDPB’s statements, guidelines, recommendations, and best practices published under Article 70(3) GDPR. Though Article 70(3) GDPR already obliges the EDPB to make these public, Article 71(2) GDPR ensures that the public is provided with an overview of acts adopted during the relevant reporting period.<ref>''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin number 2 (C.H. Beck, 2018, 2<sup>nd</sup> edition).</ref>Additionally, the report must include any binding decisions issued in dispute resolution procedures under Article 65(1) GDPR. Article 65(5) GDPR also obliges the EDPB to publish such decisions on its website. Beyond these specific requirements, the EDPB has a wide discretion as to which information is included in the annual report. This has previously included a summary of its most important statements and resolutions, and statements on the activities of supervisory authorities.<ref>''Nguyen'' in Gola DS-GVO, Article 71 GDPR, margin number 3 (C.H. Beck, 2018, 2<sup>nd</sup> edition).</ref>


== Decisions ==
== Decisions ==
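Review bot: In the "Relevant Recitals" section, the line replacing ''N/a.'' transcludes three recitals, but only Recital 139 concerns the Board. Recital 100 (certification mechanisms, seals and marks) and Recital 91 (conditions for a data protection impact assessment) say nothing about the annual report in Article 71, so consider keeping only <nowiki>{{Recital/139 GDPR}}</nowiki> or explaining in the commentary why the other two are relevant. Separately, in the rewritten commentary paragraphs a space is missing after the closing </ref> before "Although made public" and before "Additionally, the report must include", which runs the footnote marker into the next sentence in the rendered page.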
Line 240: Line 213:
<references />
<references />


[[Category:Article 71 GDPR]] [[Category:GDPR]]
[[Category:Article 71 GDPR]] [[Category:GDPR Articles]]

Latest revision as of 08:15, 19 October 2023

Article 71 - Reports

Legal Text


Article 71 - Reports

1. The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.

2. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of the binding decisions referred to in Article 65.

Relevant Recitals

Recital 100: Establishment of Certification Mechanisms and Data Protection Seals and Marks
In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

Recital 139: EDPB
In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union. To fulfil its objectives, the Board should have legal personality. The Board should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives. The Commission should participate in the Board's activities without voting rights and the European Data Protection Supervisor should have specific voting rights. The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting cooperation of the supervisory authorities throughout the Union. The Board should act independently when performing its tasks.

Recital 91: Conditions Necessitating an Impact Assessment
This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.

Commentary

Article 71 GDPR aims to enhance transparency in accordance with the principles of transparency and good governance, under Article 15 Treaty on the Functioning of the European Union ("TFEU") and Article 41 of the Charter of Fundamental Rights of the European Union ("CFR"). Following concerns from the Commission that the Board's predecessor, the Article 29 Working Party (“WP29”), lacked transparency, European legislators sought to remedy the issue through the inclusion of a reporting obligation under Article 71 GDPR.[1]

(1) Obligation to prepare an annual report

The report is not designed to simply act as a summary of the EDPB’s activities, but rather a status report on data protection in the Union, as well as in third countries “where relevant.”[2] The phrase “where relevant” is intended to clarify that third countries will only be referred to where the data of EU individuals are processed. Irrespective of this, the EDPB may also monitor international developments in data protection for other reasons.[3] Although made public, the annual report is directly transmitted to the European Parliament, Council, and Commission, giving it a distinctive political orientation.[4] These bodies may use the report as an opportunity to take action in their own capacity. For example, the Commission may initiate infringement proceedings against Member States that the EDPB confirms have violated the GDPR.[5]

Public bodies should be openly named in the annual report as they have no reasonable expectation of privacy. Whether private entities are named must be assessed on a case-by-case basis. Factors justifying the publication of an entity's name may include whether the organisation has committed persistent violations of the GDPR, or whether legal proceedings have been instigated against the entity.[6]

(2) Content of the annual report

Article 71(2) GDPR establishes several specific requirements for the content of the annual report. First, the report must include a review of the EDPB’s statements, guidelines, recommendations, and best practices published under Article 70(3) GDPR. Though Article 70(3) GDPR already obliges the EDPB to make these public, Article 71(2) GDPR ensures that the public is provided with an overview of acts adopted during the relevant reporting period.[7] Additionally, the report must include any binding decisions issued in dispute resolution procedures under Article 65(1) GDPR. Article 65(5) GDPR also obliges the EDPB to publish such decisions on its website. Beyond these specific requirements, the EDPB has a wide discretion as to which information is included in the annual report. This has previously included a summary of its most important statements and resolutions, and statements on the activities of supervisory authorities.[8]

Decisions

→ You can find all related decisions in Category:Article 71 GDPR

References

  1. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 71 GDPR, p. 1086 (Oxford University Press 2020).
  2. Körffer in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin number 2 (C.H. Beck 2021, 3rd edition).
  3. Dix in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).
  4. Körffer in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin number 4 (C.H. Beck 2021, 3rd edition).
  5. Dix in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).
  6. Dix in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).
  7. Nguyen in Gola DS-GVO, Article 71 GDPR, margin number 2 (C.H. Beck, 2018, 2nd edition).
  8. Nguyen in Gola DS-GVO, Article 71 GDPR, margin number 3 (C.H. Beck, 2018, 2nd edition).