Article 93 GDPR: Difference between revisions
(style consistency) |
mNo edit summary |
||
(8 intermediate revisions by 3 users not shown) | |||
Line 186: | Line 186: | ||
== Legal Text == | == Legal Text == | ||
<br /><center>'''Article 93 - Committee procedure'''</center> | <br /><center>'''Article 93 - Committee procedure'''</center> | ||
<span id="1">1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.</span> | <span id="1">1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.</span> | ||
Line 197: | Line 198: | ||
== Commentary == | == Commentary == | ||
The GDPR provides for the Commission to adopt implementing acts within the meaning of Article 291(2) of the Treaty on the Functioning of the European Union ("''TFEU''"). Implementing acts for the objectives of Article 291 TFEU serve the purpose of ensuring the uniform implementation of binding legal acts of the Union, in this instance, the GDPR. In principle, binding acts of the Union are implemented by each individual Member State in accordance with their national law (Article 291(1) TFEU). However, these implementing powers may be conferred upon the Commission in the absence of uniform conditions for implementing legally binding Union acts (Article 291(2) TFEU). The purpose of Article 93 GDPR is to regulate this conferral.<ref>''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 93 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).</ref> | |||
=== (1) Implementing acts === | === (1) Implementing acts === | ||
In the instance where implementing acts are delegated to the Commission pursuant to Article 291 TFEU, Article 93(1) GDPR provides that the Commission shall be assisted by a committee.<ref>''Ehmann'', in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 93 GDPR, margin number 1 (C. H. Beck 2018, 2nd ed.)</ref> This provision imposes a positive obligation upon the Commission to involve a committee in this process. According to Article 3(2) of Regulation (EU) No. 182/2011, the committee shall be composed of representatives of the Member States.<ref>This provision does not concern the adoption of delegated acts in accordance with Article 290 TFEU. The heading of Chapter X (“''Delegated Acts and Implementing Acts''”), which consists only of Articles 92 and 93, may at first suggest that the provision is also related to delegated acts, but is misleading in this respect.</ref> | |||
Implementing acts, functionally, take on a similar role as delegated acts (see [[Article 92 GDPR]]) as non-legislative acts. Nonetheless, there are significant procedural differences in regard to their adoption. In the case of implementing acts, the Parliament and Council have no decisive power, unlike delegated acts made under Article 92 GDPR.<ref>For further discussion on this point, see ''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 93 GDPR, margin numbers 2-3 (C.H. Beck 2020, 3rd Edition).</ref> | |||
=== (2) Examination procedure under Article 5 of Regulation (EU) No. 182/2011 === | === (2) Examination procedure under Article 5 of Regulation (EU) No. 182/2011 === | ||
Regulation (EU) No 182/2011 establishes | Article 93(2) GDPR explicitly provides for the application of Article 5 of Regulation (EU) No 182/2011, which establishes the procedure for the adoption of implementing acts. Notably, Article 93(2) exclusively refers to the ''"examination procedure"'' provided for in Article 5 of Regulation (EU) No 182/2011. This procedure is generally foreseen for (a) implementing acts of general scope and (b) other implementing acts relating to programmes with substantial implications, including the intervention of a committee composed of representatives of each Member State. | ||
==== GDPR cases where the examination procedure is referred to ==== | ==== GDPR cases where the examination procedure is referred to ==== | ||
Recital 168 GDPR exhaustively lists the circumstances in which the Commission may adopt implementing acts. The Commission may adopt an implementing act pursuant to [[Article 28 GDPR|Article 28(7) GDPR]] (standard contractual clauses between controllers and processors and between processors); [[Article 40 GDPR|Article 40(9) GDPR]] (codes of conduct); [[Article 43 GDPR|Article 43(9) GDPR]] (technical standards and mechanisms for certification); [[Article 45 GDPR|Article 45(3) GDPR]] (the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation), [[Article 45 GDPR|Article 45(5) GDPR]] (revocation, change of such determinations); [[Article 46 GDPR|Articles 46(2)(c) and (d) GDPR]] (standard protection clauses); [[Article 47 GDPR|Article 47(3) GDPR]] (formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules); [[Article 61 GDPR|Article 61(9) GDPR]] (mutual assistance); and lastly [[Article 67 GDPR]] (arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board). | |||
==== | ==== Committee procedure ==== | ||
The Commission | The committee procedure is offset by a proposal made by the Commission regarding the measures to be taken. Follwing the Commission's proposal, the committee gives its opinion by a qualified majority vote (55% of the Member States representing at least 65% of the population). If the majority indicated in favour of the draft act (favourable opinion), the Commission adopts the implementing act. If not (negative opinion), the President of the Commission may submit an amended version to the Committee. If neither a favourable nor an unfavourable opinion is reached, the Commission may decide to adopt the implementing act regardless. | ||
=== (3) Urgency procedure under Article 8 of Regulation (EU) No. 182/2011 === | === (3) Urgency procedure under Article 8 of Regulation (EU) No. 182/2011 === | ||
By way of derogation from Articles 4 and 5, under Article 8 of Regulation (EU) No. 182/2011 a basic act may provide that the Commission adopts an implementing act which shall apply immediately, without prior submission to a committee, only on ''"duly justified imperative grounds of urgency."'' An implementing act made pursuant to the urgency procedure will remain in force for a maximum period of 6 months, unless the basic act provides otherwise. At the latest, 14 days after its adoption, the chair shall submit the urgent act to the relevant committee in order to obtain its opinion. Recital 159 of the GDPR provides for the only case of “imperative urgency”. In particular, it notes that ''“''[t]''he Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.”'' | |||
== Decisions == | == Decisions == |
Latest revision as of 08:19, 19 October 2023
Legal Text
1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.
Relevant Recitals
Commentary
The GDPR provides for the Commission to adopt implementing acts within the meaning of Article 291(2) of the Treaty on the Functioning of the European Union ("TFEU"). Implementing acts for the objectives of Article 291 TFEU serve the purpose of ensuring the uniform implementation of binding legal acts of the Union, in this instance, the GDPR. In principle, binding acts of the Union are implemented by each individual Member State in accordance with their national law (Article 291(1) TFEU). However, these implementing powers may be conferred upon the Commission in the absence of uniform conditions for implementing legally binding Union acts (Article 291(2) TFEU). The purpose of Article 93 GDPR is to regulate this conferral.[1]
(1) Implementing acts
In the instance where implementing acts are delegated to the Commission pursuant to Article 291 TFEU, Article 93(1) GDPR provides that the Commission shall be assisted by a committee.[2] This provision imposes a positive obligation upon the Commission to involve a committee in this process. According to Article 3(2) of Regulation (EU) No. 182/2011, the committee shall be composed of representatives of the Member States.[3]
Implementing acts, functionally, take on a similar role as delegated acts (see Article 92 GDPR) as non-legislative acts. Nonetheless, there are significant procedural differences in regard to their adoption. In the case of implementing acts, the Parliament and Council have no decisive power, unlike delegated acts made under Article 92 GDPR.[4]
(2) Examination procedure under Article 5 of Regulation (EU) No. 182/2011
Article 93(2) GDPR explicitly provides for the application of Article 5 of Regulation (EU) No 182/2011, which establishes the procedure for the adoption of implementing acts. Notably, Article 93(2) exclusively refers to the "examination procedure" provided for in Article 5 of Regulation (EU) No 182/2011. This procedure is generally foreseen for (a) implementing acts of general scope and (b) other implementing acts relating to programmes with substantial implications, including the intervention of a committee composed of representatives of each Member State.
GDPR cases where the examination procedure is referred to
Recital 168 GDPR exhaustively lists the circumstances in which the Commission may adopt implementing acts. The Commission may adopt an implementing act pursuant to Article 28(7) GDPR (standard contractual clauses between controllers and processors and between processors); Article 40(9) GDPR (codes of conduct); Article 43(9) GDPR (technical standards and mechanisms for certification); Article 45(3) GDPR (the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation), Article 45(5) GDPR (revocation, change of such determinations); Articles 46(2)(c) and (d) GDPR (standard protection clauses); Article 47(3) GDPR (formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules); Article 61(9) GDPR (mutual assistance); and lastly Article 67 GDPR (arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board).
Committee procedure
The committee procedure is offset by a proposal made by the Commission regarding the measures to be taken. Follwing the Commission's proposal, the committee gives its opinion by a qualified majority vote (55% of the Member States representing at least 65% of the population). If the majority indicated in favour of the draft act (favourable opinion), the Commission adopts the implementing act. If not (negative opinion), the President of the Commission may submit an amended version to the Committee. If neither a favourable nor an unfavourable opinion is reached, the Commission may decide to adopt the implementing act regardless.
(3) Urgency procedure under Article 8 of Regulation (EU) No. 182/2011
By way of derogation from Articles 4 and 5, under Article 8 of Regulation (EU) No. 182/2011 a basic act may provide that the Commission adopts an implementing act which shall apply immediately, without prior submission to a committee, only on "duly justified imperative grounds of urgency." An implementing act made pursuant to the urgency procedure will remain in force for a maximum period of 6 months, unless the basic act provides otherwise. At the latest, 14 days after its adoption, the chair shall submit the urgent act to the relevant committee in order to obtain its opinion. Recital 159 of the GDPR provides for the only case of “imperative urgency”. In particular, it notes that “[t]he Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.”
Decisions
→ You can find all related decisions in Category:Article 93 GDPR
References
- ↑ Herbst in Kühling, Buchner, DS-GVO BDSG, Article 93 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).
- ↑ Ehmann, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 93 GDPR, margin number 1 (C. H. Beck 2018, 2nd ed.)
- ↑ This provision does not concern the adoption of delegated acts in accordance with Article 290 TFEU. The heading of Chapter X (“Delegated Acts and Implementing Acts”), which consists only of Articles 92 and 93, may at first suggest that the provision is also related to delegated acts, but is misleading in this respect.
- ↑ For further discussion on this point, see Herbst in Kühling, Buchner, DS-GVO BDSG, Article 93 GDPR, margin numbers 2-3 (C.H. Beck 2020, 3rd Edition).