Article 75 GDPR: Difference between revisions

From GDPRhub
mNo edit summary
 
(13 intermediate revisions by 5 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 75 - Secretariat'''</center><br />
<br /><center>'''Article 75 - Secretariat'''</center>


<span id="1">1.  The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.</span>
<span id="1">1.  The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.</span>
Line 214: Line 214:


== Relevant Recitals==
== Relevant Recitals==
''You can help us fill this section!''
{{Recital/140 GDPR}}


== Commentary ==
== Commentary ==
Article 75 GDPR establishes the existence of, and governs the functioning of the secretariat of the Board. Article 75 GDPR outlines the secretariat's responsibilities, which take on a primarily administrative function. Including the secretariat within the GDPR's legislative rubric is reflective of European policymakers' desire to support the Board with robust administrative assistance in pursuit of maintaining the Board's independent functioning.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition).</ref>


=== (1) The Secretariat ===
=== (1) The Secretariat ===
Article 75(1) GDPR clarifies that the EDPB secretariat, one of the most important structures with the Board, is provided by the EDPS. According to ''Docksey'', the choice of the EDPS rather than the Commission to provide its secretariat “''was grounded on a number of compelling considerations''”. In particular, the EDPS is itself an independent supervisory authority, has its own financial, budget and HR independent administration and has deep data protection expertise.<ref>''Docksey'' furthermore suggests that the choice must also be seen in the light of the ECJ, Case C-614/10, Commission v Austria “''which made it plain that the EDPB could not be attached ro and be dependent upon the Commission and its services for its operation. It was also out of the question for the officials of the Board to be Commission officials. It therefore made sense ro attach the Board for such administrative purposes ro another, larger independent authority whkh was completely in control over its own human and budgetary resources''”. See, ''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020).</ref>
Article 75(1) GDPR clarifies that the EDPB secretariat is provided for by the EDPS. Docksey notes that the choice of the EDPS rather than the Commission to provide the secretariat was based on the following factors. Unlike the Commission, the EDPS is itself an independent supervisory authority, has its own financial budget, independent administration and has the necessary data protection knowledge.


=== (2) The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board ===
Furthermore, this choice must be seen in light of Case C-614/10, ''Commission v Austria''. Here, the ECJ established that a supervisory authority's staff could not be subject to the disciplinary oversight of the executive. The Court noted that this arrangement undermined the authority's independence by creating the risks of partiality and undue influence.<ref>Case C-614/10, ''Commission v Austria'', paras 51–52.</ref> Docksey suggests that the ruling in Case C-614/10 ''"made it plain,"'' that under no circumstances could the Board be reliant on the Commission for its functioning, therefore its reliance on the EDPS as an independent authority was the most logical conclusion.<ref>For more on this point, see, ''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020).</ref>
Section 2 clarifies that the Secretariat is subject to the instructions of the EDPB Chair. The use of the word "exclusively" is intended to make it clear that the EDPS does not retain any authority over the staff seconded to the EDPB. In this regard, many doubt that Article 75(1) can effectively ensure the EDPB staff full independence from the EDPS – even indirect – influence. For instance, the Secretariat staff remain formally employed the EDPS and on its budget, is only made available to the EDPB on a temporary basis, and is subject to the EDPS for any step in their career development.<ref>''Brink, Wilhelm'', in BeckOK DatenschutzR, Article 75 GDPR, margin number 8-9 (Beck 2020, 36th ed.) (accessed 5 August 2021) who, to reduce the EDPS influence, advocates for a wider use of  staff from the individual member state supervisory authorities.</ref> In other words, whether Article 75(1) ensures that there is no indirect influence on the work processes of the Secretariat, which could endanger the EDPB independence, remains to be seen.<ref>''Dix'', in Kühling/Buchner, DS-GVO BDSG, Article 75 GDPR, Margin number 6 (Beck 2020, 3rd ed.) (accessed 5 August 2021)</ref>


=== (3) Separate reporting lines for the EDPB staff ===
=== (2) Exclusive Performance of Tasks under the Instructions of the Chair ===
The employees of the EDPB Secretariat only report to the Chair (Recital 140). In this respect, they are therefore withdrawn from the EDPS’s area of ​​responsibility (Article 46 Regulation (EC) No. 45/2001) and are obliged to maintain secrecy vis-à-vis their employer with regard to their activities within the EDPB.
The second paragraph of the provision clarifies that the secretariat is subject to the instructions of the Board's Chair. The use of the word “''exclusively''” is intended to clarify that the EDPS does not retain any authority over the staff seconded to the EDPB.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).</ref> Many commentators doubt that Article 75(1) GDPR can effectively ensure EDPB freedom from any influence from the EDPS, direct or indirect. For instance, the secretariat staff remain formally employed by the EDPS and are only made available to the EDPB on a temporary basis. Finally secretariat staff are dependent on the EDPS for career progression.<ref>''Brink, Wilhelm'', in BeckOK DatenschutzR, Article 75 GDPR, margin numbers 8-9 (C.H. Beck 2020, 36th edition) who, to reduce the EDPS influence, advocate for a wider use of staff from the individual member state supervisory authorities.</ref> This arrangement undoubtedly has the capacity to undermine the Board's independence and may conflict with the legislative aim of establishing an independent Board. Whether Article 75(1) GDPR can truly ensure the secretariat's freedom from the EDPS' influence, remains to be seen. However, it must be acknowledged that this risk is offset by the reporting provisions under Article 75(3) GDPR.
=== (3) Separate Reporting Lines for EDPB Staff ===
The employees of the Board's secretariat only report to the Chair (Recital 140 GDPR). In this respect, they are therefore withdrawn from the EDPS’s oversight (Article 46 Regulation (EC) No. 45/2001) and are obliged to maintain secrecy vis-à-vis their employer with regard to their activities within the EDPB.


=== (4) A Memorandum of Understanding to protect the EDPB staff from EDPS undue influence ===
=== (4) Memorandum of Understanding ===
The EDPB's dependence status, discussed in the previous paragraphs, is reflected in the need to ensure a special status for members of the Secretariat in terms of staff selection, leave, performance appraisals, disciplinary profiles, reintegration into the EDPS ranks and separate reporting lines.  
The EDPB's interdependence upon the EDPS gave rise to concerns regarding the Board's independence. These concerns have been acknowledged and are reflected in the legislature's need to ensure a special status for members of the secretariat in terms of staff selection, leave, performance appraisals, disciplinary profiles, reintegration into the EDPS ranks, and separate reporting lines. To this end, as suggested by Article 75(4) GDPR, the EDPS and the EDPB issued a joint Memorandum of Understanding on May 25, 2018 (“''MoU''”) which also defines the terms of the EDPS/EDPB cooperation with regard to organisation of work spaces and structures (service rooms, e-mail addresses, filing systems and separation of documents).<ref>Available [https://edpb.europa.eu/sites/edpb/files/files/file1/memorandum_of_understanding_signed_en.pdf here]</ref> Brink and Wilhelm have rightly doubted the extent to which the MoU will be able to prevent any potential interference from the EDPS in the Board's staffing and budgetary arrangements.<ref>''Brink, Wilhelm'', in BeckOK DatenschutzR, Article 75 GDPR, margin number 13 (C.H. Beck 2020, 36th edition).</ref>


To this end, as suggested by Article 75(4), the EDPS and the EDPB issued a joint Memorandum of Understanding on May 25, 2018 (“MoU”) which also defines the terms of the EDPS/EDPB cooperation with regard to organization of work spaces and structures (service rooms, e-mail addresses, filing systems and separation of documents).<ref>Available [https://edpb.europa.eu/sites/edpb/files/files/file1/memorandum_of_understanding_signed_en.pdf here]</ref>
=== (5) General Tasks ===
The secretariat of the EDPB has a broader range of tasks than the simple administrative and logistical tasks provided by the Commission secretariat to the Article 29 Working Party. Article 75(5) GDPR states generally that the secretariat shall provide “''analytical, administrative and logistical support''”. This broadly requires the secretariat to carry out two different types of activity for the Board: analytical tasks on the one hand, and logistical and administrative tasks on the other.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020).</ref> These are explained further below.


Some scholars, whose views we unpretentiously share, doubt the MoU will be able to prevent the EDPS from potentially influencing the staffing and budget.<ref>''Brink, Wilhelm'', in BeckOK DatenschutzR, Article 75 GDPR, margin number 13 (Beck 2020, 36th ed.) (accessed 5 August 2021).</ref>
=== (6) Specific Tasks ===
 
Article 75(6) GDPR exhaustively lists the secretariat's tasks. The Board's administrative and logistical tasks include responsibilities such as (a) the day-to-day business of the Board; (b) communication between the members of the Board, its Chair and the Commission, and, where relevant, the EFTA Surveillance Authority; (d) the use of electronic means for the internal and external communication; and (e) the translation of relevant information.<ref>Also confirmed by Article 64(5)(a) GDPR: “''The secretariat of the Board shall, where necessary, provide translations of relevant information''”.</ref> While the secretariat's analytical tasks include (c) communicating with other institutions and the public; (f) the preparation and follow-up of the meetings of the Board; and (g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020) who also reports how “''Section IY.2 of the MoU sets forth a number of further support tasks regarded as included under Article 75(6) GDPR: (i) organisation of meetings, (ii) IT communications, (iii) handling access to document requests, (iv) record management, (v) security of information, (vi) information and communication tasks, (vii) relations with other institutions, including representation of the Board before the Courts, and (viii) DPO activities''”.</ref>
=== (5) Secretariat main task: providing analytical, administrative and logistical support ===
The secretariat of the Board has a broader range of tasks than the simple administrative and logistical tasks provided by the Commission secretariat to the WP29. Article 75(5) states generally that the secretariat shall provide 'analytical, administrative and logistical support'. This requires the secretariat to carry out two different types of activity for the Board: analytical tasks on the one hand, and logistical and administrative tasks on the other.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020).</ref>
 
=== (6) Specific tasks ===
Article 75(6) specifies above-mentioned types of tasks. On the one hand, administrative and logistical tasks, such as (a) the day-to-day business of the Board; (b) communication between the members of the Board, its Chair and the Commission, and, where relevant, the EFTA Surveillance Authority; (d) the use of electronic means for the internal and external communication; and (e) the translation of relevant- information.<ref>Also confirmed by Article 64(5)(a): “''The secretariat of the Board shall, where necessary, provide translations of relevant information''”</ref> On the other hand, reference is made to analytical responsibilities such as (c) communication with other institutions and the public; (f) the preparation and follow-up of the meetings of the Board; and (g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.<ref>''Docksey'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020) who also reports how “''Section IY.2 of the MoU sets forth a number of further support tasks regarded as included under Article 75(6) GDPR: (i) organisation of meetings, (ii) IT communications, (iii) handling access to document requests, (iv) record management, (v) security of information, (vi) information and communication tasks, (vii) relations with other institutions, including representation of the Board before the Courts, and (viii) DPO activities''”.</ref>


== Decisions ==
== Decisions ==
Line 246: Line 244:
<references />
<references />


[[Category:Article 75 GDPR]] [[Category:GDPR]]
[[Category:Article 75 GDPR]] [[Category:GDPR Articles]]

Latest revision as of 14:21, 17 October 2023

Article 75 - Secretariat
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 75 - Secretariat

1. The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.

2. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.

3. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.

4. Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.

5. The secretariat shall provide analytical, administrative and logistical support to the Board.

6. The secretariat shall be responsible in particular for:

(a) the day-to-day business of the Board;
(b) communication between the members of the Board, its Chair and the Commission;
(c) communication with other institutions and the public;
(d) the use of electronic means for the internal and external communication;
(e) the translation of relevant information;
(f) the preparation and follow-up of the meetings of the Board;
(g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.

Relevant Recitals

Recital 140: Secretariat and Staff of the EDPS
The Board should be assisted by a secretariat provided by the European Data Protection Supervisor. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation should perform its tasks exclusively under the instructions of, and report to, the Chair of the Board.

Commentary

Article 75 GDPR establishes the existence of, and governs the functioning of the secretariat of the Board. Article 75 GDPR outlines the secretariat's responsibilities, which take on a primarily administrative function. Including the secretariat within the GDPR's legislative rubric is reflective of European policymakers' desire to support the Board with robust administrative assistance in pursuit of maintaining the Board's independent functioning.[1]

(1) The Secretariat

Article 75(1) GDPR clarifies that the EDPB secretariat is provided for by the EDPS. Docksey notes that the choice of the EDPS rather than the Commission to provide the secretariat was based on the following factors. Unlike the Commission, the EDPS is itself an independent supervisory authority, has its own financial budget, independent administration and has the necessary data protection knowledge.

Furthermore, this choice must be seen in light of Case C-614/10, Commission v Austria. Here, the ECJ established that a supervisory authority's staff could not be subject to the disciplinary oversight of the executive. The Court noted that this arrangement undermined the authority's independence by creating the risks of partiality and undue influence.[2] Docksey suggests that the ruling in Case C-614/10 "made it plain," that under no circumstances could the Board be reliant on the Commission for its functioning, therefore its reliance on the EDPS as an independent authority was the most logical conclusion.[3]

(2) Exclusive Performance of Tasks under the Instructions of the Chair

The second paragraph of the provision clarifies that the secretariat is subject to the instructions of the Board's Chair. The use of the word “exclusively” is intended to clarify that the EDPS does not retain any authority over the staff seconded to the EDPB.[4] Many commentators doubt that Article 75(1) GDPR can effectively ensure EDPB freedom from any influence from the EDPS, direct or indirect. For instance, the secretariat staff remain formally employed by the EDPS and are only made available to the EDPB on a temporary basis. Finally secretariat staff are dependent on the EDPS for career progression.[5] This arrangement undoubtedly has the capacity to undermine the Board's independence and may conflict with the legislative aim of establishing an independent Board. Whether Article 75(1) GDPR can truly ensure the secretariat's freedom from the EDPS' influence, remains to be seen. However, it must be acknowledged that this risk is offset by the reporting provisions under Article 75(3) GDPR.

(3) Separate Reporting Lines for EDPB Staff

The employees of the Board's secretariat only report to the Chair (Recital 140 GDPR). In this respect, they are therefore withdrawn from the EDPS’s oversight (Article 46 Regulation (EC) No. 45/2001) and are obliged to maintain secrecy vis-à-vis their employer with regard to their activities within the EDPB.

(4) Memorandum of Understanding

The EDPB's interdependence upon the EDPS gave rise to concerns regarding the Board's independence. These concerns have been acknowledged and are reflected in the legislature's need to ensure a special status for members of the secretariat in terms of staff selection, leave, performance appraisals, disciplinary profiles, reintegration into the EDPS ranks, and separate reporting lines. To this end, as suggested by Article 75(4) GDPR, the EDPS and the EDPB issued a joint Memorandum of Understanding on May 25, 2018 (“MoU”) which also defines the terms of the EDPS/EDPB cooperation with regard to organisation of work spaces and structures (service rooms, e-mail addresses, filing systems and separation of documents).[6] Brink and Wilhelm have rightly doubted the extent to which the MoU will be able to prevent any potential interference from the EDPS in the Board's staffing and budgetary arrangements.[7]

(5) General Tasks

The secretariat of the EDPB has a broader range of tasks than the simple administrative and logistical tasks provided by the Commission secretariat to the Article 29 Working Party. Article 75(5) GDPR states generally that the secretariat shall provide “analytical, administrative and logistical support”. This broadly requires the secretariat to carry out two different types of activity for the Board: analytical tasks on the one hand, and logistical and administrative tasks on the other.[8] These are explained further below.

(6) Specific Tasks

Article 75(6) GDPR exhaustively lists the secretariat's tasks. The Board's administrative and logistical tasks include responsibilities such as (a) the day-to-day business of the Board; (b) communication between the members of the Board, its Chair and the Commission, and, where relevant, the EFTA Surveillance Authority; (d) the use of electronic means for the internal and external communication; and (e) the translation of relevant information.[9] While the secretariat's analytical tasks include (c) communicating with other institutions and the public; (f) the preparation and follow-up of the meetings of the Board; and (g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.[10]

Decisions

→ You can find all related decisions in Category:Article 75 GDPR

References

  1. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition).
  2. Case C-614/10, Commission v Austria, paras 51–52.
  3. For more on this point, see, Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020).
  4. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).
  5. Brink, Wilhelm, in BeckOK DatenschutzR, Article 75 GDPR, margin numbers 8-9 (C.H. Beck 2020, 36th edition) who, to reduce the EDPS influence, advocate for a wider use of staff from the individual member state supervisory authorities.
  6. Available here
  7. Brink, Wilhelm, in BeckOK DatenschutzR, Article 75 GDPR, margin number 13 (C.H. Beck 2020, 36th edition).
  8. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020).
  9. Also confirmed by Article 64(5)(a) GDPR: “The secretariat of the Board shall, where necessary, provide translations of relevant information”.
  10. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020) who also reports how “Section IY.2 of the MoU sets forth a number of further support tasks regarded as included under Article 75(6) GDPR: (i) organisation of meetings, (ii) IT communications, (iii) handling access to document requests, (iv) record management, (v) security of information, (vi) information and communication tasks, (vii) relations with other institutions, including representation of the Board before the Courts, and (viii) DPO activities”.