Article 92 GDPR: Difference between revisions
No edit summary |
|||
Line 209: | Line 209: | ||
=== (2) Delegation of power under Article 12(8) and 43(8) GDPR === | === (2) Delegation of power under Article 12(8) and 43(8) GDPR === | ||
The first delegation | The first delegation is provided for in [[Article 12 GDPR|Article 12(8) GDPR]]. This provision permits the Commission to adopts delegated acts in accordance with Article 92 for the purpose of determining the procedures for providing standardised icons and to determine the information to be displayed by icons. | ||
The second | The second delegation is provided for through [[Article 43 GDPR|Article 43(8) GDPR]], which empowers the Commission to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1). | ||
Any delegated acts made under these provisions are inherently subject to the general principles governing delegated acts under Article 92 GDPR, as well as to the principles of the Articles under which any delegated act is made. A delegated act may not contradict the GDPR's fundamental principles and objectives. | |||
=== (3) The delegation of power may be revoked === | === (3) The delegation of power may be revoked === |
Revision as of 08:49, 29 September 2023
Legal Text
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.
3. The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
5. A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.
Relevant Recitals
Commentary
This provision outlines the limits to the Commission's power to adopt delegated acts pursuant to Article 290 TFEU, within the scope of the GDPR.[1] The function of Article 92 GDPR is to lay down conditions for the delegation of power as necessitated by Article 290 TFEU, such as its duration (Article 290(1) TFEU), its revocability (Article 290(2)(a) TFEU), and the dependence of the entry of force of individual delegated acts on the absence of objections by the Parliament and the Council (Article 290(2)(b) TFEU). Delegated acts are distinguishable from other types of acts which the Commission may adopt in relation to the GDPR, in particular the implementing acts found in Article 93 GDPR.[2]
(1) Delegated acts
Under Article 290(1) TFEU, an EU legislative act may delegate the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act to the Commission. Article 290(1) TFEU provides that “the objectives, content, scope and duration of the delegation of power” must be explicitly defined within the legislative act, which Article 92 GDPR does through Articles 12(8) and 43(8) GDPR. Nonetheless, the Article 290(1) TFEU restricts the delegation of power to 'non-essential' areas of the legislative provision in question.
The “essential elements of an area” shall be reserved for the legislative act, and cannot be delegated to the Commission. In regard to the GDPR, the 'essential' legislative areas are the regulation and enforcement of data protection. The Commission may not legislate in these core areas, but is permitted to legislate for periphery matters which fall outside of the scope of areas considered 'essential.' In accordance with the framework established through Article 290 TFEU, Article 92 GDPR provides that the commission may make use of its delegated powers solely through Articles 12(8) and 43(8) GDPR.
(2) Delegation of power under Article 12(8) and 43(8) GDPR
The first delegation is provided for in Article 12(8) GDPR. This provision permits the Commission to adopts delegated acts in accordance with Article 92 for the purpose of determining the procedures for providing standardised icons and to determine the information to be displayed by icons.
The second delegation is provided for through Article 43(8) GDPR, which empowers the Commission to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
Any delegated acts made under these provisions are inherently subject to the general principles governing delegated acts under Article 92 GDPR, as well as to the principles of the Articles under which any delegated act is made. A delegated act may not contradict the GDPR's fundamental principles and objectives.
(3) The delegation of power may be revoked
The delegation is conferred on the Commission for an indeterminate period of time. However, it may be revoked by the Council or the Parliament at any time. The revocation shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. Should it be used to revoke the delegations granted in Articles 12(8) and 43(8) GDPR, the revocation will not affect the validity of any of the delegated acts that the Commission may have already adopted and which are in force at that point. This, of course, does not preclude the possibility that the legislators (once the power has been resumed following revocation) may remove or amend the act issued by the Commission by an ordinary legislative act.
(4) Notification of delegated acts
As soon as it adopts a delegated act, the Commission shall notify it (together with the relevant documentation) simultaneously to the European Parliament and to the Council.
(5) Entry into force of delegated acts
After the Commission has notified the act (and the relevant documents), the Parliament and the Council have three months to express objections (or waive their intention to object). When this period expires, the delegated act “pursuant to Article 12(8) and Article 43(8) shall enter into force”.
Possible scenarios
(a) The Parliament and Council inform the Commission of their intention not to object to the delegated act. In this case, the delegated act can be published in the Official Journal of the European Union, and can enter into force before the end of the three-month period.
(b) The Parliament and Council express the same objection. In this case, the Commission will most likely amend its act.
(c) Either the Parliament or the Council expresses an objection while the other remains silent. In this case, the Commission will probably amend the act as requested, and await a reaction from the other legislator. If there is no reaction within three months, the act is published in the Official Journal.
(d) Parliament and Council express separate objections, or different positions, on the same issue. This can be resolved either by the Commission renouncing the power of delegation, or by a dialogue between the two legislators.
(e) The Parliament and the Council do not express any objections within three months of the date on which the act is notified to them. In this case, the act shall enter into force.
Decisions
→ You can find all related decisions in Category:Article 92 GDPR