Article 75 GDPR
Legal Text
1. The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.
2. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.
3. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.
4. Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.
5. The secretariat shall provide analytical, administrative and logistical support to the Board.
6. The secretariat shall be responsible in particular for:
- (a) the day-to-day business of the Board;
- (b) communication between the members of the Board, its Chair and the Commission;
- (c) communication with other institutions and the public;
- (d) the use of electronic means for the internal and external communication;
- (e) the translation of relevant information;
- (f) the preparation and follow-up of the meetings of the Board;
- (g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.
Relevant Recitals
Commentary
(1) The Secretariat
Article 75(1) GDPR clarifies that the EDPB secretariat, one of the most important structures with the Board, is provided by the EDPS. According to Docksey, the choice of the EDPS rather than the Commission to provide its secretariat “was grounded on a number of compelling considerations”. In particular, the EDPS is itself an independent supervisory authority, has its own financial, budget and HR independent administration and has deep data protection expertise.[1]
(2) The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board
Section 2 clarifies that the Secretariat is subject to the instructions of the EDPB Chair. The use of the word "exclusively" is intended to make it clear that the EDPS does not retain any authority over the staff seconded to the EDPB. In this regard, many doubt that Article 75(1) can effectively ensure the EDPB staff full independence from the EDPS – even indirect – influence. For instance, the Secretariat staff remain formally employed the EDPS and on its budget, is only made available to the EDPB on a temporary basis, and is subject to the EDPS for any step in their career development.[2] In other words, whether Article 75(1) ensures that there is no indirect influence on the work processes of the Secretariat, which could endanger the EDPB independence, remains to be seen.[3]
(3) Separate reporting lines for the EDPB staff
The employees of the EDPB Secretariat only report to the Chair (Recital 140). In this respect, they are therefore withdrawn from the EDPS’s area of responsibility (Article 46 Regulation (EC) No. 45/2001) and are obliged to maintain secrecy vis-à-vis their employer with regard to their activities within the EDPB.
(4) A Memorandum of Understanding to protect the EDPB staff from EDPS undue influence
The EDPB's dependence status, discussed in the previous paragraphs, is reflected in the need to ensure a special status for members of the Secretariat in terms of staff selection, leave, performance appraisals, disciplinary profiles, reintegration into the EDPS ranks and separate reporting lines.
To this end, as suggested by Article 75(4), the EDPS and the EDPB issued a joint Memorandum of Understanding on May 25, 2018 (“MoU”) which also defines the terms of the EDPS/EDPB cooperation with regard to organization of work spaces and structures (service rooms, e-mail addresses, filing systems and separation of documents).[4]
Some scholars, whose views we unpretentiously share, doubt the MoU will be able to prevent the EDPS from potentially influencing the staffing and budget.[5]
(5) Secretariat main task: providing analytical, administrative and logistical support
The secretariat of the Board has a broader range of tasks than the simple administrative and logistical tasks provided by the Commission secretariat to the WP29. Article 75(5) states generally that the secretariat shall provide 'analytical, administrative and logistical support'. This requires the secretariat to carry out two different types of activity for the Board: analytical tasks on the one hand, and logistical and administrative tasks on the other.[6]
(6) Specific tasks
Article 75(6) specifies above-mentioned types of tasks. On the one hand, administrative and logistical tasks, such as (a) the day-to-day business of the Board; (b) communication between the members of the Board, its Chair and the Commission, and, where relevant, the EFTA Surveillance Authority; (d) the use of electronic means for the internal and external communication; and (e) the translation of relevant- information.[7] On the other hand, reference is made to analytical responsibilities such as (c) communication with other institutions and the public; (f) the preparation and follow-up of the meetings of the Board; and (g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.[8]
Decisions
→ You can find all related decisions in Category:Article 75 GDPR
References
- ↑ Docksey furthermore suggests that the choice must also be seen in the light of the ECJ, Case C-614/10, Commission v Austria “which made it plain that the EDPB could not be attached ro and be dependent upon the Commission and its services for its operation. It was also out of the question for the officials of the Board to be Commission officials. It therefore made sense ro attach the Board for such administrative purposes ro another, larger independent authority whkh was completely in control over its own human and budgetary resources”. See, Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020).
- ↑ Brink, Wilhelm, in BeckOK DatenschutzR, Article 75 GDPR, margin number 8-9 (Beck 2020, 36th ed.) (accessed 5 August 2021) who, to reduce the EDPS influence, advocates for a wider use of staff from the individual member state supervisory authorities.
- ↑ Dix, in Kühling/Buchner, DS-GVO BDSG, Article 75 GDPR, Margin number 6 (Beck 2020, 3rd ed.) (accessed 5 August 2021)
- ↑ Available here
- ↑ Brink, Wilhelm, in BeckOK DatenschutzR, Article 75 GDPR, margin number 13 (Beck 2020, 36th ed.) (accessed 5 August 2021).
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020).
- ↑ Also confirmed by Article 64(5)(a): “The secretariat of the Board shall, where necessary, provide translations of relevant information”
- ↑ Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020) who also reports how “Section IY.2 of the MoU sets forth a number of further support tasks regarded as included under Article 75(6) GDPR: (i) organisation of meetings, (ii) IT communications, (iii) handling access to document requests, (iv) record management, (v) security of information, (vi) information and communication tasks, (vii) relations with other institutions, including representation of the Board before the Courts, and (viii) DPO activities”.