Article 93 GDPR: Difference between revisions

From GDPRhub
mNo edit summary
 
(6 intermediate revisions by the same user not shown)
Line 198: Line 198:


== Commentary ==
== Commentary ==
The GDPR provides for the Commission to adopt implementing acts within the meaning of Article 291(2) of the Treaty on the Functioning of the European Union ("''TFEU''"). Implementing acts for the objectives of Article 291 TFEU serve the purpose of ensuring the uniform implementation of binding legal acts of the Union, in this instance, the GDPR. In principle, binding acts of the Union are implemented by each individual Member State in accordance with their national law (Article 291(1) TFEU). However, these implementing powers may be conferred upon the Commission in the absence of uniform conditions for implementing legally binding Union acts (Article 291(2) TFEU). The purpose of Article 93 GDPR is to regulate this conferral.<ref>''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 93 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).</ref>


=== (1) Implementing acts ===
=== (1) Implementing acts ===
The adoption of implementing acts can be delegated to the Commission (Article 291 TFEU). In such a case, the Commission “''shall be assisted by a committee''”, as Article 93(1) euphemistically puts it [In this sense, ''Ehmann'', in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 93 GDPR, margin number 1 (C. H. Beck 2018, 2nd ed.)]. In clearer words, the Commission is obliged to involve a Committee in accordance with this provision. This Committee shall be composed of representatives of the Member States according to Article 3(2) of Regulation (EU) No. 182/2011.<ref>This provision does not concern the adoption of delegated acts in accordance with Article 290 TFEU. The heading of Chapter X (“''Delegated Acts and Implementing Acts''”), which consists only of Articles 92 and 93, may at first suggest that the provision is also related to delegated acts, but is misleading in this respect.</ref>
In the instance where implementing acts are delegated to the Commission pursuant to Article&nbsp;291&nbsp;TFEU, Article 93(1) GDPR provides that the Commission shall be assisted by a committee.<ref>''Ehmann'', in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 93 GDPR, margin number 1 (C. H. Beck 2018, 2nd ed.)</ref> This provision imposes a positive obligation upon the Commission to involve a committee in this process. According to Article 3(2) of Regulation (EU) No. 182/2011, the committee shall be composed of representatives of the Member States.<ref>This provision does not concern the adoption of delegated acts in accordance with Article 290 TFEU. The heading of Chapter X (“''Delegated Acts and Implementing Acts''”), which consists only of Articles 92 and 93, may at first suggest that the provision is also related to delegated acts, but is misleading in this respect.</ref>
 
Implementing acts, functionally, take on a similar role as delegated acts (see [[Article 92 GDPR]]) as non-legislative acts. Nonetheless, there are significant procedural differences in regard to their adoption. In the case of implementing acts, the Parliament and Council have no decisive power, unlike delegated acts made under Article 92 GDPR.<ref>For further discussion on this point, see ''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 93 GDPR, margin numbers 2-3 (C.H. Beck 2020, 3rd Edition).</ref>


=== (2) Examination procedure under Article 5 of Regulation (EU) No. 182/2011 ===
=== (2) Examination procedure under Article 5 of Regulation (EU) No. 182/2011 ===
Regulation (EU) No 182/2011 establishes different procedures for the adoption of implementing acts. Article 93(2), however, refers exclusively to the so-called "examination procedure" provided for in Article 5 Regulation (EU) No 182/2011. This procedure is generally foreseen for (a) implementing acts of general scope and (b) other implementing acts relating to programmes with substantial implications, including the intervention of a committee composed of representatives of each Member State.  
Article 93(2) GDPR explicitly provides for the application of Article 5 of Regulation&nbsp;(EU)&nbsp;No&nbsp;182/2011, which establishes the procedure for the adoption of implementing acts. Notably, Article 93(2) exclusively refers to the ''"examination procedure"'' provided for in Article&nbsp;5 of Regulation (EU) No 182/2011. This procedure is generally foreseen for (a) implementing acts of general scope and (b) other implementing acts relating to programmes with substantial implications, including the intervention of a committee composed of representatives of each Member State.  


==== GDPR cases where the examination procedure is referred to ====
==== GDPR cases where the examination procedure is referred to ====
Specifically, the GDPR provides the Commission with the power to adopt implementing acts in several occasions. For example, in Article 28(7) (standard contractual clauses between controllers and processors and between processors), Article 40(9) (codes of conduct), Article 43(9) (technical standards and mechanisms for certification), Article 45(3) (the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation), Article 45(5) (revocation, change of such determinations), Article 46(2)(c) and (d) (standard protection clauses), Article 47(3) (formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules), Article 61(9) (mutual assistance), and lastly Article 67 (arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board).<ref>Recital 168.</ref>
Recital 168 GDPR exhaustively lists the circumstances in which the Commission may adopt implementing acts. The Commission may adopt an implementing act pursuant to [[Article 28 GDPR|Article 28(7) GDPR]] (standard contractual clauses between controllers and processors and between processors); [[Article 40 GDPR|Article 40(9) GDPR]] (codes of conduct); [[Article 43 GDPR|Article 43(9) GDPR]] (technical standards and mechanisms for certification); [[Article 45 GDPR|Article 45(3) GDPR]] (the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation), [[Article 45 GDPR|Article&nbsp;45(5)&nbsp;GDPR]] (revocation, change of such determinations); [[Article 46 GDPR|Articles 46(2)(c) and (d) GDPR]] (standard protection clauses); [[Article 47 GDPR|Article 47(3) GDPR]] (formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules); [[Article 61 GDPR|Article 61(9) GDPR]] (mutual assistance); and lastly [[Article 67 GDPR]] (arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board).


==== Procedural aspects ====
==== Committee procedure ====
The Commission proposes the measures to be taken and the committee gives its opinion, generally by a qualified majority vote (55% of the Member States representing at least 65% of the population). If the majority indicated in favour of the draft act is reached (favourable opinion), the Commission adopts the implementing act. If not (negative opinion), the President of the Commission may submit an amended version to the Committee, in accordance with various procedures. If neither a favourable nor an unfavourable opinion is obtained, the Commission may decide to adopt the implementing act anyway.  
The committee procedure is offset by a proposal made by the Commission regarding the measures to be taken. Follwing the Commission's proposal, the committee gives its opinion by a qualified majority vote (55% of the Member States representing at least 65% of the population). If the majority indicated in favour of the draft act (favourable opinion), the Commission adopts the implementing act. If not (negative opinion), the President of the Commission may submit an amended version to the Committee. If neither a favourable nor an unfavourable opinion is reached, the Commission may decide to adopt the implementing act regardless.  


=== (3) Urgency procedure under Article 8 of Regulation (EU) No. 182/2011 ===
=== (3) Urgency procedure under Article 8 of Regulation (EU) No. 182/2011 ===
Under Article 8 of Regulation (EU) No. 182/2011 (by way of derogation from Articles 4 and 5) on duly justified imperative grounds of urgency, a basic act may provide that the Commission adopts an implementing act which shall apply immediately, without prior submission to a committee. This implementing act will remain in force for a maximum period of 6 months, unless the basic act provides otherwise. At the latest, 14 days after its adoption, the chair shall submit the urgent act to the relevant committee in order to obtain its opinion. In Recital 159, the GDPR provides for the only case of “imperative urgency”. In particular, ''“''[t]''he Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.”''
By way of derogation from Articles 4 and 5, under Article 8 of Regulation (EU) No. 182/2011 a basic act may provide that the Commission adopts an implementing act which shall apply immediately, without prior submission to a committee, only on ''"duly justified imperative grounds of urgency."'' An implementing act made pursuant to the urgency procedure will remain in force for a maximum period of 6 months, unless the basic act provides otherwise. At the latest, 14 days after its adoption, the chair shall submit the urgent act to the relevant committee in order to obtain its opinion. Recital 159 of the GDPR provides for the only case of “imperative urgency”. In particular, it notes that ''“''[t]''he Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.”''


== Decisions ==
== Decisions ==

Latest revision as of 08:19, 19 October 2023

Article 93 - Committee procedure
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 93 - Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.

Relevant Recitals

Recital 168: Examination Procedure
The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.

Recital 169: Immediately Applicable Implementing Acts
The Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.

Commentary

The GDPR provides for the Commission to adopt implementing acts within the meaning of Article 291(2) of the Treaty on the Functioning of the European Union ("TFEU"). Implementing acts for the objectives of Article 291 TFEU serve the purpose of ensuring the uniform implementation of binding legal acts of the Union, in this instance, the GDPR. In principle, binding acts of the Union are implemented by each individual Member State in accordance with their national law (Article 291(1) TFEU). However, these implementing powers may be conferred upon the Commission in the absence of uniform conditions for implementing legally binding Union acts (Article 291(2) TFEU). The purpose of Article 93 GDPR is to regulate this conferral.[1]

(1) Implementing acts

In the instance where implementing acts are delegated to the Commission pursuant to Article 291 TFEU, Article 93(1) GDPR provides that the Commission shall be assisted by a committee.[2] This provision imposes a positive obligation upon the Commission to involve a committee in this process. According to Article 3(2) of Regulation (EU) No. 182/2011, the committee shall be composed of representatives of the Member States.[3]

Implementing acts, functionally, take on a similar role as delegated acts (see Article 92 GDPR) as non-legislative acts. Nonetheless, there are significant procedural differences in regard to their adoption. In the case of implementing acts, the Parliament and Council have no decisive power, unlike delegated acts made under Article 92 GDPR.[4]

(2) Examination procedure under Article 5 of Regulation (EU) No. 182/2011

Article 93(2) GDPR explicitly provides for the application of Article 5 of Regulation (EU) No 182/2011, which establishes the procedure for the adoption of implementing acts. Notably, Article 93(2) exclusively refers to the "examination procedure" provided for in Article 5 of Regulation (EU) No 182/2011. This procedure is generally foreseen for (a) implementing acts of general scope and (b) other implementing acts relating to programmes with substantial implications, including the intervention of a committee composed of representatives of each Member State.

GDPR cases where the examination procedure is referred to

Recital 168 GDPR exhaustively lists the circumstances in which the Commission may adopt implementing acts. The Commission may adopt an implementing act pursuant to Article 28(7) GDPR (standard contractual clauses between controllers and processors and between processors); Article 40(9) GDPR (codes of conduct); Article 43(9) GDPR (technical standards and mechanisms for certification); Article 45(3) GDPR (the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation), Article 45(5) GDPR (revocation, change of such determinations); Articles 46(2)(c) and (d) GDPR (standard protection clauses); Article 47(3) GDPR (formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules); Article 61(9) GDPR (mutual assistance); and lastly Article 67 GDPR (arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board).

Committee procedure

The committee procedure is offset by a proposal made by the Commission regarding the measures to be taken. Follwing the Commission's proposal, the committee gives its opinion by a qualified majority vote (55% of the Member States representing at least 65% of the population). If the majority indicated in favour of the draft act (favourable opinion), the Commission adopts the implementing act. If not (negative opinion), the President of the Commission may submit an amended version to the Committee. If neither a favourable nor an unfavourable opinion is reached, the Commission may decide to adopt the implementing act regardless.

(3) Urgency procedure under Article 8 of Regulation (EU) No. 182/2011

By way of derogation from Articles 4 and 5, under Article 8 of Regulation (EU) No. 182/2011 a basic act may provide that the Commission adopts an implementing act which shall apply immediately, without prior submission to a committee, only on "duly justified imperative grounds of urgency." An implementing act made pursuant to the urgency procedure will remain in force for a maximum period of 6 months, unless the basic act provides otherwise. At the latest, 14 days after its adoption, the chair shall submit the urgent act to the relevant committee in order to obtain its opinion. Recital 159 of the GDPR provides for the only case of “imperative urgency”. In particular, it notes that [t]he Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.”

Decisions

→ You can find all related decisions in Category:Article 93 GDPR

References

  1. Herbst in Kühling, Buchner, DS-GVO BDSG, Article 93 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).
  2. Ehmann, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 93 GDPR, margin number 1 (C. H. Beck 2018, 2nd ed.)
  3. This provision does not concern the adoption of delegated acts in accordance with Article 290 TFEU. The heading of Chapter X (“Delegated Acts and Implementing Acts”), which consists only of Articles 92 and 93, may at first suggest that the provision is also related to delegated acts, but is misleading in this respect.
  4. For further discussion on this point, see Herbst in Kühling, Buchner, DS-GVO BDSG, Article 93 GDPR, margin numbers 2-3 (C.H. Beck 2020, 3rd Edition).