Article 75 GDPR: Difference between revisions
mNo edit summary |
|||
(13 intermediate revisions by 5 users not shown) | |||
Line 185: | Line 185: | ||
== Legal Text == | == Legal Text == | ||
<br /><center>'''Article 75 - Secretariat'''</center | <br /><center>'''Article 75 - Secretariat'''</center> | ||
<span id="1">1. The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.</span> | <span id="1">1. The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.</span> | ||
Line 214: | Line 214: | ||
== Relevant Recitals== | == Relevant Recitals== | ||
{{Recital/140 GDPR}} | |||
== Commentary == | == Commentary == | ||
Article 75 GDPR establishes the existence of, and governs the functioning of the secretariat of the Board. Article 75 GDPR outlines the secretariat's responsibilities, which take on a primarily administrative function. Including the secretariat within the GDPR's legislative rubric is reflective of European policymakers' desire to support the Board with robust administrative assistance in pursuit of maintaining the Board's independent functioning.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition).</ref> | |||
=== (1) The Secretariat === | === (1) The Secretariat === | ||
Article 75(1) GDPR clarifies that the EDPB secretariat | Article 75(1) GDPR clarifies that the EDPB secretariat is provided for by the EDPS. Docksey notes that the choice of the EDPS rather than the Commission to provide the secretariat was based on the following factors. Unlike the Commission, the EDPS is itself an independent supervisory authority, has its own financial budget, independent administration and has the necessary data protection knowledge. | ||
Furthermore, this choice must be seen in light of Case C-614/10, ''Commission v Austria''. Here, the ECJ established that a supervisory authority's staff could not be subject to the disciplinary oversight of the executive. The Court noted that this arrangement undermined the authority's independence by creating the risks of partiality and undue influence.<ref>Case C-614/10, ''Commission v Austria'', paras 51–52.</ref> Docksey suggests that the ruling in Case C-614/10 ''"made it plain,"'' that under no circumstances could the Board be reliant on the Commission for its functioning, therefore its reliance on the EDPS as an independent authority was the most logical conclusion.<ref>For more on this point, see, ''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020).</ref> | |||
=== (3) Separate | === (2) Exclusive Performance of Tasks under the Instructions of the Chair === | ||
The employees of the | The second paragraph of the provision clarifies that the secretariat is subject to the instructions of the Board's Chair. The use of the word “''exclusively''” is intended to clarify that the EDPS does not retain any authority over the staff seconded to the EDPB.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).</ref> Many commentators doubt that Article 75(1) GDPR can effectively ensure EDPB freedom from any influence from the EDPS, direct or indirect. For instance, the secretariat staff remain formally employed by the EDPS and are only made available to the EDPB on a temporary basis. Finally secretariat staff are dependent on the EDPS for career progression.<ref>''Brink, Wilhelm'', in BeckOK DatenschutzR, Article 75 GDPR, margin numbers 8-9 (C.H. Beck 2020, 36th edition) who, to reduce the EDPS influence, advocate for a wider use of staff from the individual member state supervisory authorities.</ref> This arrangement undoubtedly has the capacity to undermine the Board's independence and may conflict with the legislative aim of establishing an independent Board. Whether Article 75(1) GDPR can truly ensure the secretariat's freedom from the EDPS' influence, remains to be seen. However, it must be acknowledged that this risk is offset by the reporting provisions under Article 75(3) GDPR. | ||
=== (3) Separate Reporting Lines for EDPB Staff === | |||
The employees of the Board's secretariat only report to the Chair (Recital 140 GDPR). In this respect, they are therefore withdrawn from the EDPS’s oversight (Article 46 Regulation (EC) No. 45/2001) and are obliged to maintain secrecy vis-à-vis their employer with regard to their activities within the EDPB. | |||
=== (4) | === (4) Memorandum of Understanding === | ||
The EDPB's | The EDPB's interdependence upon the EDPS gave rise to concerns regarding the Board's independence. These concerns have been acknowledged and are reflected in the legislature's need to ensure a special status for members of the secretariat in terms of staff selection, leave, performance appraisals, disciplinary profiles, reintegration into the EDPS ranks, and separate reporting lines. To this end, as suggested by Article 75(4) GDPR, the EDPS and the EDPB issued a joint Memorandum of Understanding on May 25, 2018 (“''MoU''”) which also defines the terms of the EDPS/EDPB cooperation with regard to organisation of work spaces and structures (service rooms, e-mail addresses, filing systems and separation of documents).<ref>Available [https://edpb.europa.eu/sites/edpb/files/files/file1/memorandum_of_understanding_signed_en.pdf here]</ref> Brink and Wilhelm have rightly doubted the extent to which the MoU will be able to prevent any potential interference from the EDPS in the Board's staffing and budgetary arrangements.<ref>''Brink, Wilhelm'', in BeckOK DatenschutzR, Article 75 GDPR, margin number 13 (C.H. Beck 2020, 36th edition).</ref> | ||
=== (5) General Tasks === | |||
The secretariat of the EDPB has a broader range of tasks than the simple administrative and logistical tasks provided by the Commission secretariat to the Article 29 Working Party. Article 75(5) GDPR states generally that the secretariat shall provide “''analytical, administrative and logistical support''”. This broadly requires the secretariat to carry out two different types of activity for the Board: analytical tasks on the one hand, and logistical and administrative tasks on the other.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020).</ref> These are explained further below. | |||
=== (6) Specific Tasks === | |||
Article 75(6) GDPR exhaustively lists the secretariat's tasks. The Board's administrative and logistical tasks include responsibilities such as (a) the day-to-day business of the Board; (b) communication between the members of the Board, its Chair and the Commission, and, where relevant, the EFTA Surveillance Authority; (d) the use of electronic means for the internal and external communication; and (e) the translation of relevant information.<ref>Also confirmed by Article 64(5)(a) GDPR: “''The secretariat of the Board shall, where necessary, provide translations of relevant information''”.</ref> While the secretariat's analytical tasks include (c) communicating with other institutions and the public; (f) the preparation and follow-up of the meetings of the Board; and (g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020) who also reports how “''Section IY.2 of the MoU sets forth a number of further support tasks regarded as included under Article 75(6) GDPR: (i) organisation of meetings, (ii) IT communications, (iii) handling access to document requests, (iv) record management, (v) security of information, (vi) information and communication tasks, (vii) relations with other institutions, including representation of the Board before the Courts, and (viii) DPO activities''”.</ref> | |||
=== ( | |||
== Decisions == | == Decisions == | ||
Line 246: | Line 244: | ||
<references /> | <references /> | ||
[[Category:Article 75 GDPR]] [[Category:GDPR]] | [[Category:Article 75 GDPR]] [[Category:GDPR Articles]] |
Latest revision as of 14:21, 17 October 2023
Legal Text
1. The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.
2. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.
3. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.
4. Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.
5. The secretariat shall provide analytical, administrative and logistical support to the Board.
6. The secretariat shall be responsible in particular for:
- (a) the day-to-day business of the Board;
- (b) communication between the members of the Board, its Chair and the Commission;
- (c) communication with other institutions and the public;
- (d) the use of electronic means for the internal and external communication;
- (e) the translation of relevant information;
- (f) the preparation and follow-up of the meetings of the Board;
- (g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.
Relevant Recitals
Commentary
Article 75 GDPR establishes the existence of, and governs the functioning of the secretariat of the Board. Article 75 GDPR outlines the secretariat's responsibilities, which take on a primarily administrative function. Including the secretariat within the GDPR's legislative rubric is reflective of European policymakers' desire to support the Board with robust administrative assistance in pursuit of maintaining the Board's independent functioning.[1]
(1) The Secretariat
Article 75(1) GDPR clarifies that the EDPB secretariat is provided for by the EDPS. Docksey notes that the choice of the EDPS rather than the Commission to provide the secretariat was based on the following factors. Unlike the Commission, the EDPS is itself an independent supervisory authority, has its own financial budget, independent administration and has the necessary data protection knowledge.
Furthermore, this choice must be seen in light of Case C-614/10, Commission v Austria. Here, the ECJ established that a supervisory authority's staff could not be subject to the disciplinary oversight of the executive. The Court noted that this arrangement undermined the authority's independence by creating the risks of partiality and undue influence.[2] Docksey suggests that the ruling in Case C-614/10 "made it plain," that under no circumstances could the Board be reliant on the Commission for its functioning, therefore its reliance on the EDPS as an independent authority was the most logical conclusion.[3]
(2) Exclusive Performance of Tasks under the Instructions of the Chair
The second paragraph of the provision clarifies that the secretariat is subject to the instructions of the Board's Chair. The use of the word “exclusively” is intended to clarify that the EDPS does not retain any authority over the staff seconded to the EDPB.[4] Many commentators doubt that Article 75(1) GDPR can effectively ensure EDPB freedom from any influence from the EDPS, direct or indirect. For instance, the secretariat staff remain formally employed by the EDPS and are only made available to the EDPB on a temporary basis. Finally secretariat staff are dependent on the EDPS for career progression.[5] This arrangement undoubtedly has the capacity to undermine the Board's independence and may conflict with the legislative aim of establishing an independent Board. Whether Article 75(1) GDPR can truly ensure the secretariat's freedom from the EDPS' influence, remains to be seen. However, it must be acknowledged that this risk is offset by the reporting provisions under Article 75(3) GDPR.
(3) Separate Reporting Lines for EDPB Staff
The employees of the Board's secretariat only report to the Chair (Recital 140 GDPR). In this respect, they are therefore withdrawn from the EDPS’s oversight (Article 46 Regulation (EC) No. 45/2001) and are obliged to maintain secrecy vis-à-vis their employer with regard to their activities within the EDPB.
(4) Memorandum of Understanding
The EDPB's interdependence upon the EDPS gave rise to concerns regarding the Board's independence. These concerns have been acknowledged and are reflected in the legislature's need to ensure a special status for members of the secretariat in terms of staff selection, leave, performance appraisals, disciplinary profiles, reintegration into the EDPS ranks, and separate reporting lines. To this end, as suggested by Article 75(4) GDPR, the EDPS and the EDPB issued a joint Memorandum of Understanding on May 25, 2018 (“MoU”) which also defines the terms of the EDPS/EDPB cooperation with regard to organisation of work spaces and structures (service rooms, e-mail addresses, filing systems and separation of documents).[6] Brink and Wilhelm have rightly doubted the extent to which the MoU will be able to prevent any potential interference from the EDPS in the Board's staffing and budgetary arrangements.[7]
(5) General Tasks
The secretariat of the EDPB has a broader range of tasks than the simple administrative and logistical tasks provided by the Commission secretariat to the Article 29 Working Party. Article 75(5) GDPR states generally that the secretariat shall provide “analytical, administrative and logistical support”. This broadly requires the secretariat to carry out two different types of activity for the Board: analytical tasks on the one hand, and logistical and administrative tasks on the other.[8] These are explained further below.
(6) Specific Tasks
Article 75(6) GDPR exhaustively lists the secretariat's tasks. The Board's administrative and logistical tasks include responsibilities such as (a) the day-to-day business of the Board; (b) communication between the members of the Board, its Chair and the Commission, and, where relevant, the EFTA Surveillance Authority; (d) the use of electronic means for the internal and external communication; and (e) the translation of relevant information.[9] While the secretariat's analytical tasks include (c) communicating with other institutions and the public; (f) the preparation and follow-up of the meetings of the Board; and (g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.[10]
Decisions
→ You can find all related decisions in Category:Article 75 GDPR
References
- ↑ Dix, in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition).
- ↑ Case C-614/10, Commission v Austria, paras 51–52.
- ↑ For more on this point, see, Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020).
- ↑ Dix, in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).
- ↑ Brink, Wilhelm, in BeckOK DatenschutzR, Article 75 GDPR, margin numbers 8-9 (C.H. Beck 2020, 36th edition) who, to reduce the EDPS influence, advocate for a wider use of staff from the individual member state supervisory authorities.
- ↑ Available here
- ↑ Brink, Wilhelm, in BeckOK DatenschutzR, Article 75 GDPR, margin number 13 (C.H. Beck 2020, 36th edition).
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020).
- ↑ Also confirmed by Article 64(5)(a) GDPR: “The secretariat of the Board shall, where necessary, provide translations of relevant information”.
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020) who also reports how “Section IY.2 of the MoU sets forth a number of further support tasks regarded as included under Article 75(6) GDPR: (i) organisation of meetings, (ii) IT communications, (iii) handling access to document requests, (iv) record management, (v) security of information, (vi) information and communication tasks, (vii) relations with other institutions, including representation of the Board before the Courts, and (viii) DPO activities”.