Article 92 GDPR
Legal Text
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.
3. The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
5. A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.
Relevant Recitals
Commentary
This provision outlines the limits to the Commission's power to adopt delegated acts pursuant to Article 290 TFEU, within the scope of the GDPR.[1] The function of Article 92 GDPR is to lay down conditions for the delegation of power as necessitated by Article 290 TFEU, such as its duration (Article 290(1) TFEU), its revocability (Article 290(2)(a) TFEU), and the dependence of the entry of force of individual delegated acts on the absence of objections by the Parliament and the Council (Article 290(2)(b) TFEU). Delegated acts are distinguishable from other types of acts which the Commission may adopt in relation to the GDPR, in particular the implementing acts found in Article 93 GDPR.[2]
(1) Delegated acts
Under Article 290(1) TFEU, an EU legislative act may delegate the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act to the Commission. Article 290(1) TFEU provides that “the objectives, content, scope and duration of the delegation of power” must be explicitly defined within the legislative act, which Article 92 GDPR does through Articles 12(8) and 43(8) GDPR. Nonetheless, the Article 290(1) TFEU restricts the delegation of power to 'non-essential' areas of the legislative provision in question.
The “essential elements of an area” shall be reserved for the legislative act, and cannot be delegated to the Commission. In regard to the GDPR, the 'essential' legislative areas are the regulation and enforcement of data protection. The Commission may not legislate in these core areas, but is permitted to legislate for periphery matters which fall outside of the scope of areas considered 'essential.' In accordance with the framework established through Article 290 TFEU, Article 92 GDPR provides that the commission may make use of its delegated powers solely through Articles 12(8) and 43(8) GDPR.
(2) Delegation of power under Article 12(8) and 43(8) GDPR
The first delegation is provided for in Article 12(8) GDPR. This provision permits the Commission to adopts delegated acts in accordance with Article 92 for the purpose of determining the procedures for providing standardised icons and to determine the information to be displayed by icons.
The second delegation is provided for through Article 43(8) GDPR, which empowers the Commission to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
Any delegated acts made under these provisions are inherently subject to the general principles governing delegated acts under Article 92 GDPR, as well as to the principles of the Articles under which any delegated act is made. A delegated act may not contradict the GDPR's fundamental principles and objectives.
(3) The delegation of power may be revoked
The delegation of power provided for by Article 92(2) GDPR is for an 'indeterminate' period of time. Nonetheless, the wording of Article 290(1) TFEU requires that the 'duration' of the delegation must be provided for in the legislative act which confers the delegation of power. At first glance, Article 92 GDPR's wording seems to be in conflict with Article 290(1) TFEU, but in actuality it is not. Article 92(2) GDPR must be read in line with Article 92(3) GDPR, which provides that the Parliament and the Council may revoke the conferral of power at any time. This provision ensures that there can be no unlimited conferral.[3]
In the instance that a revocation is made, it shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. Should it be used to revoke the delegations granted in Articles 12(8) and 43(8) GDPR, the revocation will not affect the validity of any of the delegated acts that the Commission may have already adopted and which are in force up to that point. This, of course, does not preclude the possibility that the legislators (once the power has been resumed following revocation) may remove or amend the act issued by the Commission by an ordinary legislative act.
(4) Notification of delegated acts
As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. This notification triggers the start of the three-month period in which Parliament and the Council may raise objections pursuant to Article 92(5) GDPR.[4]
(5) Entry into force of delegated acts
Article 92(5) GDPR imposes a further condition for the delegation of power, in line with Article 290(2)(b) TFEU. A delegated act only enters into force, if no objection has been expressed by either the European Parliament or the Council within the three-month notification period. The period may be extended by a further three months at the request of Parliament or the Council. If no objection has been expressed within this time frame, the delegated act enters into force following the expiry of the three-month period.
Possible scenarios
(a) In the instance that the Parliament and Council inform the Commission of their intention not to object to the delegated act, the delegated act may be published in the Official Journal of the European Union and enters into force before the end of the three-month period.
(b) In the instance that the Parliament and Council express the same objection, the original act is void and the Commission may seek to amend the proposed act.
(c) In the instance that either the Parliament or the Council express an objection while the other remains silent, the Commission may choose to amend the act (if requested) and await a reaction from the other legislator. If there is no reaction within three months, the act is published in the Official Journal and enters into force.
(d) In the instance that the Parliament and Council express separate objections or different positions on the same issue, this can be resolved either by the Commission renouncing the power of delegation, or via a dialogue between the two legislators.
(e) In the instance that the Parliament and Council do not express any objections within the three-month notification period, the act enters into force.
Decisions
→ You can find all related decisions in Category:Article 92 GDPR
References
- ↑ Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).
- ↑ Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 2 (C.H. Beck 2020, 3rd Edition). See also, Sydow in Sydow, Marsch, DS-GVO BDSG, Article 92 GDPR, margin number 26.
- ↑ Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).
- ↑ Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).