Article 63 GDPR: Difference between revisions

From GDPRhub
Line 196: Line 196:
One of the main goals of the GDPR was to solve the problem of having a fragmented system of EU data protection rules, which the DPD had not been able to prevent from happening. In this respect, it was crucial to implement a system which would eventually ensure a consistent interpretation of such rules in the same way.
One of the main goals of the GDPR was to solve the problem of having a fragmented system of EU data protection rules, which the DPD had not been able to prevent from happening. In this respect, it was crucial to implement a system which would eventually ensure a consistent interpretation of such rules in the same way.


The GDPR now foresees a consistency mechanism which pursues two main objectives. First, it seeks to “ensure that all DPAs interpret and apply the GDPR in a consistent, harmonious and uniform manner”. Second, it assists in solving disputes which may arise ''“''either between the DPAs over the course of the one-stop-shop mechanism [...], or when a DPA disregards or fails to seek the opinion of the EDPB in those cases where it is required by the consistency mechanism”. The authority tasked with such an important role is the European Data Protection Board.<ref>''Van Eecke/Simkus'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 63 GDPR, p. 998-999 (Oxford University Press 2020).</ref> The ultimate goal of ensuring consistency in the European data protection system is implemented through the so-called consistency mechanism, which is triggered in three distinct circumstances.
The GDPR now foresees a consistency mechanism which pursues two main objectives. First, it seeks to “ensure that all DPAs interpret and apply the GDPR in a consistent, harmonious and uniform manner”. Second, it assists in solving disputes which may arise ''“''either between the DPAs over the course of the one-stop-shop mechanism [...], or when a DPA disregards or fails to seek the opinion of the EDPB in those cases where it is required by the consistency mechanism”. The authority tasked with such an important role is the European Data Protection Board.<ref>''Van Eecke, Simkus'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 63 GDPR, p. 998-999 (Oxford University Press 2020).</ref> The ultimate goal of ensuring consistency in the European data protection system is implemented through the so-called consistency mechanism, which is triggered in three distinct circumstances, as outlined below.


==== A DPA plans to adopt a measure which has effects in different Member States ====
==== A DPA Plans to Adopt a Measure which has Effects in Different Member States ====
First, under Article 64(1), the consistency mechanism is triggered when a supervisory authority plans to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. [Examples of these measures are standard data protection clauses referred to in point (d) of Article 46(2), contractual clauses referred to in point (a) of Article 46(3) or binding corporate rules within the meaning of Article 47.] In these cases, the Board will issue an opinion on the matter within eight weeks by simple majority.
First, under Article 64(1), the consistency mechanism is triggered when a supervisory authority plans to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. Examples of these measures are standard data protection clauses referred to in Article 46(2)(d), contractual clauses referred to in Article 46(3)(a), or binding corporate rules within the meaning of Article 47. In these cases, the Board will issue an opinion on the matter within eight weeks by simple majority.


==== Any other matter of general application or producing effects in different Member States ====
==== Any Other Matter of General Application or Producing Effects in different Member States ====
Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62. Also in this case, the Board will issue an opinion on the matter within eight weeks by simple majority.
Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62. Also in this case, the Board will issue an opinion on the matter within eight weeks by simple majority.


==== Following a dispute during the one-stop-shop ====
==== Following a Dispute During the One-stop-shop ====
This mechanism seems to be directly, though not entirely, related to remedying possible dysfunctions of the one-stop-shop. As analysed above, the one-stop-shop provides specific rules for the management of so-called 'cross-border cases'. Through these rules, the authorities involved improve cooperation and reduce uncertainty for data subjects and controllers. This mechanism, however, does not prevent a certain authority from abusing its position, for instance by arrogating to itself (wrongly) the role of lead supervisory authority or by ignoring relevant and reasoned objections formulated by other authorities.
This mechanism seems to be directly, though not entirely, related to remedying possible dysfunctions of the one-stop-shop. As analysed above, the one-stop-shop provides specific rules for the management of so-called 'cross-border cases'. Through these rules, the authorities involved improve cooperation and reduce uncertainty for data subjects and controllers. This mechanism, however, does not prevent a certain authority from abusing its position, for instance by arrogating to itself (wrongly) the role of lead supervisory authority or by ignoring relevant and reasoned objections formulated by other authorities.


Precisely to remedy the shortcomings or possible problems of the one-stop-shop, the GDPR forsees specific rules with respect to different types of situations. Article 65 provides for a dispute-resolution procedure in the event that the authority concerned does not comply with Article 64 mentioned above or that clarification by the EDPB is required for disputes arising during the one-stop-shop. Article 66 provides for an urgency procedure when, by virtue of exceptional circumstances, a DPA needs to derogate from the one-stop-shop or the consistency mechanism.
Precisely to remedy the shortcomings or possible problems of the one-stop-shop, the GDPR foresees specific rules with respect to different types of situations. Article 65 provides for a dispute-resolution procedure in the event that the authority concerned does not comply with Article 64 mentioned above or that clarification by the EDPB is required for disputes arising during the one-stop-shop. Article 66 provides for an urgency procedure when, by virtue of exceptional circumstances, a DPA needs to derogate from the one-stop-shop or the consistency mechanism.


In this scenario the EDPB can issue a decision on how to resolve the aforementioned situations. This decision is legally binding on the supervisory authorities concerned
In this scenario the EDPB can issue a decision on how to resolve the aforementioned situations. This decision is legally binding on the supervisory authorities concerned.


== Decisions ==
== Decisions ==

Revision as of 14:37, 18 August 2021

Article 63 - Consistency mechanism
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 63 - Consistency mechanism


In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

Relevant Recitals

Recital 135: Consistency Mechanism
In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established. That mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that such matter should be handled in the consistency mechanism. That mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

Recital 138: Urgency Procedure
The application of such mechanism should be a condition for the lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned should be applied and mutual assistance and joint operations might be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.

Commentary

One of the main goals of the GDPR was to solve the problem of having a fragmented system of EU data protection rules, which the DPD had not been able to prevent from happening. In this respect, it was crucial to implement a system which would eventually ensure a consistent interpretation of such rules in the same way.

The GDPR now foresees a consistency mechanism which pursues two main objectives. First, it seeks to “ensure that all DPAs interpret and apply the GDPR in a consistent, harmonious and uniform manner”. Second, it assists in solving disputes which may arise either between the DPAs over the course of the one-stop-shop mechanism [...], or when a DPA disregards or fails to seek the opinion of the EDPB in those cases where it is required by the consistency mechanism”. The authority tasked with such an important role is the European Data Protection Board.[1] The ultimate goal of ensuring consistency in the European data protection system is implemented through the so-called consistency mechanism, which is triggered in three distinct circumstances, as outlined below.

A DPA Plans to Adopt a Measure which has Effects in Different Member States

First, under Article 64(1), the consistency mechanism is triggered when a supervisory authority plans to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. Examples of these measures are standard data protection clauses referred to in Article 46(2)(d), contractual clauses referred to in Article 46(3)(a), or binding corporate rules within the meaning of Article 47. In these cases, the Board will issue an opinion on the matter within eight weeks by simple majority.

Any Other Matter of General Application or Producing Effects in different Member States

Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62. Also in this case, the Board will issue an opinion on the matter within eight weeks by simple majority.

Following a Dispute During the One-stop-shop

This mechanism seems to be directly, though not entirely, related to remedying possible dysfunctions of the one-stop-shop. As analysed above, the one-stop-shop provides specific rules for the management of so-called 'cross-border cases'. Through these rules, the authorities involved improve cooperation and reduce uncertainty for data subjects and controllers. This mechanism, however, does not prevent a certain authority from abusing its position, for instance by arrogating to itself (wrongly) the role of lead supervisory authority or by ignoring relevant and reasoned objections formulated by other authorities.

Precisely to remedy the shortcomings or possible problems of the one-stop-shop, the GDPR foresees specific rules with respect to different types of situations. Article 65 provides for a dispute-resolution procedure in the event that the authority concerned does not comply with Article 64 mentioned above or that clarification by the EDPB is required for disputes arising during the one-stop-shop. Article 66 provides for an urgency procedure when, by virtue of exceptional circumstances, a DPA needs to derogate from the one-stop-shop or the consistency mechanism.

In this scenario the EDPB can issue a decision on how to resolve the aforementioned situations. This decision is legally binding on the supervisory authorities concerned.

Decisions

→ You can find all related decisions in Category:Article 63 GDPR

References

  1. Van Eecke, Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 63 GDPR, p. 998-999 (Oxford University Press 2020).