Article 71 GDPR: Difference between revisions
No edit summary |
mNo edit summary |
||
Line 195: | Line 195: | ||
== Commentary == | == Commentary == | ||
Article 71 GDPR aims to enhance transparency in accordance with the principles of transparency and good governance, under Article 15 TFEU and Article 41 of the Charter | Article 71 GDPR aims to enhance transparency in accordance with the principles of transparency and good governance, under Article 15 Treaty on the Functioning of the European Union ("''TFEU''") and Article 41 of the Charter of Fundamental Rights of the European Union ("''CFR''"). Following concerns from the Commission that the Board's predecessor, the Article 29 Working Party (“''WP29''”), lacked transparency, European legislators sought to remedy the issue through the inclusion of a reporting obligation under Article 71 GDPR.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 71 GDPR, p. 1086 (Oxford University Press 2020).</ref> | ||
===(1) Obligation to prepare an annual report=== | ===(1) Obligation to prepare an annual report=== |
Latest revision as of 08:15, 19 October 2023
Legal Text
1. The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.
2. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of the binding decisions referred to in Article 65.
Relevant Recitals
Commentary
Article 71 GDPR aims to enhance transparency in accordance with the principles of transparency and good governance, under Article 15 Treaty on the Functioning of the European Union ("TFEU") and Article 41 of the Charter of Fundamental Rights of the European Union ("CFR"). Following concerns from the Commission that the Board's predecessor, the Article 29 Working Party (“WP29”), lacked transparency, European legislators sought to remedy the issue through the inclusion of a reporting obligation under Article 71 GDPR.[1]
(1) Obligation to prepare an annual report
The report is not designed to simply act as a summary of the EDPB’s activities, but rather a status report on data protection in the Union, as well as in third countries “where relevant.”[2] The phrase “where relevant” is intended to clarify that third countries will only be referred to where the data of EU individuals are processed. Irrespective of this, the EDPB may also monitor international developments in data protection for other reasons.[3]Although made public, the annual report is directly transmitted to the European Parliament, Council, and Commission, giving it a distinctive political orientation.[4] These bodies may use the report as an opportunity to take action in their own capacity. For example, the Commission may initiate infringement proceedings against Member States that the EDPB confirms have violated the GDPR.[5]
Public bodies should be openly named in the annual report as they have no reasonable expectation of privacy. Whether private entities are named must be assessed on a case-by-case basis. Factors justifying the publication of an entity's name may include considerations such as, whether the organisation has committed persistent violations of the GDPR, or whether there have been legal proceedings instigated against the entity.[6]
(2) Content of the annual report
Article 71(2) GDPR establishes several specific requirements for the content of the annual report. First, the report must include a review of the EDPB’s statements, guidelines, recommendations, and best practices published under Article 70(3) GDPR. Though Article 70(3) GDPR already obliges the EDPB to make these public, Article 71(2) GDPR ensures that the public is provided with an overview of acts adopted during the relevant reporting period.[7]Additionally, the report must include any binding decisions issued in dispute resolution procedures under Article 65(1) GDPR. Article 65(5) GDPR also obliges the EDPB to publish such decisions on its website. Beyond these specific requirements, the EDPB has a wide discretion as to which information is included in the annual report. This has previously included a summary of its most important statements and resolutions, and statements on the activities of supervisory authorities.[8]
Decisions
→ You can find all related decisions in Category:Article 71 GDPR
References
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 71 GDPR, p. 1086 (Oxford University Press 2020).
- ↑ Körffer in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin number 2 (C.H. Beck 2021, 3rd edition).
- ↑ Dix in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).
- ↑ Körffer in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin numbers 4 (C.H. Beck 2021, 3rd edition).
- ↑ Dix in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).
- ↑ Dix in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).
- ↑ Nguyen in Gola DS-GVO, Article 71 GDPR, margin number 2 (C.H. Beck, 2018, 2nd edition).
- ↑ Nguyen in Gola DS-GVO, Article 71 GDPR, margin number 3 (C.H. Beck, 2018, 2nd edition).