Article 64 GDPR: Difference between revisions

From GDPRhub
m (1 revision imported)
 
No edit summary
 
(30 intermediate revisions by 6 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 64 - Opinion of the Board'''</center><br />
<br /><center>'''Article 64 - Opinion of the Board'''</center>


<span id="1">1.  The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it:</span>
<span id="1">1.  The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it:</span>
Line 219: Line 219:
<span id="8">8.  Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.</span>
<span id="8">8.  Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.</span>


<span id="8">8.  By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.</span>
==Relevant Recitals==
{{Recital/136 GDPR}} 


<span id="9">9.  Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.</span>
==Commentary==
Section 2 of Chapter VII, the GDPR introduces a so-called “''consistency mechanism''” to ensure the consistent application of the GDPR by the supervisory authorities (“''SA''”). In order to empower the European Data Protection Board (“''EDPB''”) to fulfil this task, Article 64 GDPR includes an opinion procedure which can be triggered in two types of situations: First, when a SA prepares a draft decision in a selected range of cases that require the EDPB’s opinion (Article 64(1) GDPR). Second, when a SA, the EDPB Chair, or the Commission request the EDPB to issue an opinion on any other matter (Article 64(2) GDPR). The remaining paragraphs of Article 64(3)-(8) GDPR lay down substantive rules and a detailed procedure for the EDPB’s opinions.


<span id="10">10.   After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.</span>
=== (1) A mandatory opinion of the EDPB ===
Article 64(1) GDPR formulates a list of cases that require a mandatory opinion by the EDPB in view of their nature – there is a considerable need for a harmonised implementation of the issues they deal with across the EU.<ref>''Caspar'' in Kühling, Buchner, GDPR Article 64, margin number 8b (Beck 2020, 3rd edition).</ref> These issues are: (a) the adoption of a list of the processing operations subject to the requirement for a data protection impact assessment; (b) a decision on whether a draft code of conduct is compliant with the GDPR; (c) a decision which will approve requirements for accreditation or certification bodies; (d) a decision which will determine standard data protection clauses; (e) a decision that will authorise contractual clauses; (f) or a decision approving binding corporate rules. If one of the situations listed in this paragraph has been triggered, a SA that intends to issue a decision shall submit a draft decision to the EDPB to obtain an opinion. The validity of the relevant SA’s decision will depend on the opinion of the EDPB. The opinions of the EDPB are not directly binding on the SAs. However, the SAs are obliged to notify the EDPB if they intend to deviate from the opinion in order to ensure a possibility to trigger a binding dispute resolution procedure in accordance with Article 65 GDPR.<ref>''Marsch'' in BeckOK Datenschutzrecht, Wolff/Brink DS-GVO Article 64 margin number 4 (C.H. Beck, 35th Edition).</ref>


<span id="11">11.  Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.</span>
=== (2) An optional opinion of the EDPB ===
Article 64(2) GDPR allows any SA, the EDPB Chair or the Commission to request the EDPB to issue an opinion in cases which are not included in the list from 64(1) GDPR, but which address issues having a general application or producing effects in more than one Member State. This provision potentially allows for a wide array of issues to be brought up before the EDPB depending on the interpretation of Article 64(2) GDPR.  


<span id="12">12.   The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.</span>
The EDPB, however, seems to have adopted a narrow interpretation of this provision requiring the issue at stake to be an abstract, substantive, and legal issue that is independent of any particular case or cases.<ref>''Caspar'' in Kühling, Buchner, GDPR Article 64, margin number 8b (Beck 2020, 3rd edition).</ref> The refusal by the EDPB to issue an opinion in cases which fulfil the necessary criteria, shall take a form of a formal decision by the EDPB. A SA will then be able to submit such a decision for the review of the legality of such a decision to the CJEU.<ref>''Caspar'' in Kühling, Buchner GDPR Article 64, margin numbers 7-12 (Beck 2020, 3rd edition).</ref>


== Relevant Recitals==
Early drafts of the GDPR foresaw giving the Commission the power to enforce the GDPR by means of implementing acts. However, as some authors indicate, granting the Commission such a power was seen as a violation of the independence of the SAs. Therefore, the final decision-making powers and the Commission’s role within the consistency mechanism were significantly reduced, leaving to the Commission the power to request from the EDPB to issue an opinion under Article 64(2) GDPR.
''You can help us fill this section!''
=== (3) Conditions for the adoption of the opinion and timeline ===
Article 64(3) GDPR provides that the EDPB shall adopt an opinion within eight weeks by a simple majority vote. In more complex cases, this period may be extended by another six weeks, allowing for 14 weeks in total. The Chair of the EDPB makes decisions about the extension either on its own initiative or at the request of at least one third of the Board’s members. Prior to the adoption of the opinion, the EDPB shall evaluate whether the request fulfils the requirements of 64(1) and (2) GDPR, and whether the EDPB has not already issued an opinion on the same matter in the past. The EDPB Secretariat prepares a draft opinion and presents it for approval to the Board. The EDPB Chair can also invite a rapporteur and expert subgroups to assist with the preparation of the draft opinion. The Board may adopt an opinion in favour of a draft decision submitted to the EDPB under Article 64(1) GDPR if none of the members of the Board objected to it (a “''non-objection-procedure''”). However, if at least one member of the Board objects to the draft decision, the obligation of the EPDB to examine the objection and prepare an opinion on the draft decision shall immediately be triggered. When objecting, members of the Board should provide reasons for their objections.<ref>European Data Protection Board (EDPB) Rules of Procedure, Version 7, adopted on 25 May 2018. As last modified and adopted on 8 October 2020, p. 11.</ref>
=== (4) Communication obligations ===
Article 64(4) and (5) GDPR contain the rules on communication between the EDPB, the SAs, and the Commission. The rules require the respective applicant to provide all relevant information to the EDPB without undue delay and by electronic means. After analysing the submitted documents, the EDPB secretariat may request to provide additional information to complete the file.


== Commentary ==
=== (5) Information obligations ===
Article 64(5) GDPR contains a comprehensive information obligation on the Chair of the EDPB about the draft opinion. The Chair shall inform the EDPB members of any relevant information received from the SA or from the Commission, as well as of the adopted opinion. The opinion shall be made public.


''You can help us fill this section!''
=== (6) Compliance with or deviation from the adopted opinion ===
Article 64(6)-(8) GDPR put forward the rules for SAs during and after the adoption of the opinion by the EDPB. The SA which submitted its draft decision to the EDPB according to Article 64(1) GDPR shall inform the EDPB within two weeks after receiving the opinion whether they will maintain or amend their draft decision. If the latter is the case, they should send to the EDPB the amended draft of the decision.
 
If the SA decides not to uphold the opinion of the EDPB, it shall notify the EDPB about the reasons not to do so. In this case, any SA or the European Commission may initiate the dispute resolution procedure (according to Article 65(1)(c) GDPR). If the dispute resolution procedure is not triggered, the SA may decide to deviate from the EDPB’s opinion in whole or in part providing the reasons. However, the provisions leave it open to decide how long the SA shall wait to see whether the dispute resolution procedure is initiated before it issues a final decision.<ref>''Marsch'' in BeckOK Datenschutzrecht, Wolff/Brink DS-GVO Article 64 margin numbers 19-20.1 (35th Edition 1.2.2021).</ref>
 
When the opinion of the EDPB is mandatory (in cases listed under Article 64(1) GDPR), the legality of a subsequent measure taken by the SA in question will depend on the validity of the opinion of the EDPB. Consequently, a failure to obtain a valid opinion from the EDPB will lead to an illegal draft decision which is not effective.<ref>''Caspar'' in Kühling, Buchner, GDPR Article 64, margin number 24 (C.H. Beck 2020, 3rd edition).</ref> The obligation of the SA to notify the EDPB about upholding the opinion enables the EDPB to monitor the uniformity of the GDPR enforcement across the Member States.<ref>''Caspar'' in Kühling, Buchner, GDPR Article 64, margin number 23 (C.H. Beck 2020, 3rd edition).</ref>


== Decisions ==
== Decisions ==
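Review bot: The added commentary under "(3) Conditions for the adoption of the opinion and timeline" misspells the Board's acronym as "EPDB" in "the obligation of the EPDB to examine the objection"; it should read "EDPB" as everywhere else. The opening commentary sentence "Section 2 of Chapter VII, the GDPR introduces" is missing a leading "In". The footnote "Caspar in Kühling, Buchner, GDPR Article 64, margin number 8b" is entered twice as a separate <ref>, so it renders as two identical footnotes; a named reference (<ref name="...">) would collapse them. The publisher is also cited inconsistently, as "Beck 2020" in some footnotes and "C.H. Beck 2020" in others.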
Line 242: Line 255:
<references />
<references />


[[Category:Article 64 GDPR]] [[Category:GDPR]]
[[Category:Article 64 GDPR]] [[Category:GDPR Articles]]

Latest revision as of 16:07, 2 November 2023

Article 64 - Opinion of the Board

Legal Text


Article 64 - Opinion of the Board

1. The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it:

(a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4);
(b) concerns a matter pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation;
(c) aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or a certification body pursuant to Article 43(3);
(d) aims to determine standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8);
(e) aims to authorise contractual clauses referred to in point (a) of Article 46(3); or
(f) aims to approve binding corporate rules within the meaning of Article 47.

2. Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.

3. In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair, shall be deemed to be in agreement with the draft decision.

4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.

5. The Chair of the Board shall, without undue, delay inform by electronic means:

(a) the members of the Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the Board shall, where necessary, provide translations of relevant information; and
(b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission of the opinion and make it public.

6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.

7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision, using a standardised format.

8. Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.

Relevant Recitals

Recital 136: Opinions and Binding Decisions of the EDPB
In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation.

Commentary

In Section 2 of Chapter VII, the GDPR introduces a so-called “consistency mechanism” to ensure the consistent application of the GDPR by the supervisory authorities (“SA”). In order to empower the European Data Protection Board (“EDPB”) to fulfil this task, Article 64 GDPR includes an opinion procedure which can be triggered in two types of situations: first, when an SA prepares a draft decision in a selected range of cases that require the EDPB’s opinion (Article 64(1) GDPR); second, when an SA, the EDPB Chair, or the Commission requests the EDPB to issue an opinion on any other matter (Article 64(2) GDPR). The remaining paragraphs, Article 64(3)-(8) GDPR, lay down substantive rules and a detailed procedure for the EDPB’s opinions.

(1) A mandatory opinion of the EDPB

Article 64(1) GDPR formulates a list of cases that require a mandatory opinion by the EDPB in view of their nature – there is a considerable need for a harmonised implementation of the issues they deal with across the EU.[1] These issues are: (a) the adoption of a list of the processing operations subject to the requirement for a data protection impact assessment; (b) a decision on whether a draft code of conduct is compliant with the GDPR; (c) a decision which will approve requirements for accreditation or certification bodies; (d) a decision which will determine standard data protection clauses; (e) a decision that will authorise contractual clauses; or (f) a decision approving binding corporate rules. If one of the situations listed in this paragraph has been triggered, an SA that intends to issue a decision shall submit a draft decision to the EDPB to obtain an opinion. The validity of the relevant SA’s decision will depend on the opinion of the EDPB. The opinions of the EDPB are not directly binding on the SAs. However, the SAs are obliged to notify the EDPB if they intend to deviate from the opinion in order to ensure a possibility to trigger a binding dispute resolution procedure in accordance with Article 65 GDPR.[2]

(2) An optional opinion of the EDPB

Article 64(2) GDPR allows any SA, the EDPB Chair or the Commission to request the EDPB to issue an opinion in cases which are not included in the list in Article 64(1) GDPR, but which address issues having a general application or producing effects in more than one Member State. This provision potentially allows for a wide array of issues to be brought up before the EDPB depending on the interpretation of Article 64(2) GDPR.

The EDPB, however, seems to have adopted a narrow interpretation of this provision, requiring the issue at stake to be an abstract, substantive, and legal issue that is independent of any particular case or cases.[3] A refusal by the EDPB to issue an opinion in cases which fulfil the necessary criteria shall take the form of a formal decision by the EDPB. An SA will then be able to submit such a decision to the CJEU for review of its legality.[4]

Early drafts of the GDPR foresaw giving the Commission the power to enforce the GDPR by means of implementing acts. However, as some authors indicate, granting the Commission such a power was seen as a violation of the independence of the SAs. Therefore, the final decision-making powers and the Commission’s role within the consistency mechanism were significantly reduced, leaving the Commission with the power to request that the EDPB issue an opinion under Article 64(2) GDPR.

(3) Conditions for the adoption of the opinion and timeline

Article 64(3) GDPR provides that the EDPB shall adopt an opinion within eight weeks by a simple majority vote. In more complex cases, this period may be extended by another six weeks, allowing for 14 weeks in total. The Chair of the EDPB makes decisions about the extension either on its own initiative or at the request of at least one third of the Board’s members. Prior to the adoption of the opinion, the EDPB shall evaluate whether the request fulfils the requirements of Article 64(1) and (2) GDPR, and whether the EDPB has not already issued an opinion on the same matter in the past. The EDPB Secretariat prepares a draft opinion and presents it for approval to the Board. The EDPB Chair can also invite a rapporteur and expert subgroups to assist with the preparation of the draft opinion. The Board may adopt an opinion in favour of a draft decision submitted to the EDPB under Article 64(1) GDPR if none of the members of the Board objected to it (a “non-objection-procedure”). However, if at least one member of the Board objects to the draft decision, the obligation of the EDPB to examine the objection and prepare an opinion on the draft decision shall immediately be triggered. When objecting, members of the Board should provide reasons for their objections.[5]

(4) Communication obligations

Article 64(4) and (5) GDPR contain the rules on communication between the EDPB, the SAs, and the Commission. The rules require the respective applicant to provide all relevant information to the EDPB without undue delay and by electronic means. After analysing the submitted documents, the EDPB secretariat may request additional information to complete the file.

(5) Information obligations

Article 64(5) GDPR contains a comprehensive information obligation on the Chair of the EDPB about the draft opinion. The Chair shall inform the EDPB members of any relevant information received from the SA or from the Commission, as well as of the adopted opinion. The opinion shall be made public.

(6) Compliance with or deviation from the adopted opinion

Article 64(6)-(8) GDPR put forward the rules for SAs during and after the adoption of the opinion by the EDPB. The SA which submitted its draft decision to the EDPB according to Article 64(1) GDPR shall inform the EDPB within two weeks after receiving the opinion whether they will maintain or amend their draft decision. If the latter is the case, they should send to the EDPB the amended draft of the decision.

If the SA decides not to uphold the opinion of the EDPB, it shall notify the EDPB about the reasons not to do so. In this case, any SA or the European Commission may initiate the dispute resolution procedure (according to Article 65(1)(c) GDPR). If the dispute resolution procedure is not triggered, the SA may decide to deviate from the EDPB’s opinion in whole or in part, providing the reasons. However, the provisions leave open how long the SA shall wait to see whether the dispute resolution procedure is initiated before it issues a final decision.[6]

When the opinion of the EDPB is mandatory (in cases listed under Article 64(1) GDPR), the legality of a subsequent measure taken by the SA in question will depend on the validity of the opinion of the EDPB. Consequently, a failure to obtain a valid opinion from the EDPB will lead to an illegal draft decision which is not effective.[7] The obligation of the SA to notify the EDPB about upholding the opinion enables the EDPB to monitor the uniformity of the GDPR enforcement across the Member States.[8]

Decisions

→ You can find all related decisions in Category:Article 64 GDPR

References

  1. Caspar in Kühling, Buchner, GDPR Article 64, margin number 8b (Beck 2020, 3rd edition).
  2. Marsch in BeckOK Datenschutzrecht, Wolff/Brink DS-GVO Article 64 margin number 4 (C.H. Beck, 35th Edition).
  3. Caspar in Kühling, Buchner, GDPR Article 64, margin number 8b (Beck 2020, 3rd edition).
  4. Caspar in Kühling, Buchner GDPR Article 64, margin numbers 7-12 (Beck 2020, 3rd edition).
  5. European Data Protection Board (EDPB) Rules of Procedure, Version 7, adopted on 25 May 2018. As last modified and adopted on 8 October 2020, p. 11.
  6. Marsch in BeckOK Datenschutzrecht, Wolff/Brink DS-GVO Article 64 margin numbers 19-20.1 (35th Edition 1.2.2021).
  7. Caspar in Kühling, Buchner, GDPR Article 64, margin number 24 (C.H. Beck 2020, 3rd edition).
  8. Caspar in Kühling, Buchner, GDPR Article 64, margin number 23 (C.H. Beck 2020, 3rd edition).