Article 67 GDPR

From GDPRhub
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Article 67 - Exchange of information
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 67 - Exchange of information

The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in Article 64.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Relevant Recitals

Recital 167: Implementing Acts
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

Recital 168: Examination Procedure
The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.

Commentary

Article 67 GDP provision grants the power to adopt an implementing act to the Commission for the exchange of information not only between the supervisory authorities (“SA”), but also between the SAs and the European Data Protection Board (“EDPB”).

The necessity of a reliable and efficient system to communicate, in particular under the cooperation procedure (between SAs) and the consistency mechanism (under the consistency procedure) is vital for the good functioning of the cooperation between the SAs and the EDPB, considering the strict deadlines and the need for enhanced cooperation. The Internal Market Information System (IMI) was chosen as the IT platform to support cooperation and consistency procedures under the GDPR. IMI helps public authorities across the EU to cooperate and exchange information. IMI has been developed by the European Commission’s DG GROW and was adapted to cater for the needs of the GDPR, in close cooperation with the Secretariat of the EDPB and the national SAs.[1] The IMI system is therefore used to initiate various procedures under the GDPR, such as the identification of the LSA, mutual assistance procedures, or one-stop-shop procedures.[2]

The Commission also adopted an implementing decision on a pilot project to implement the administrative cooperation provisions of the GDPR.[3] This decision refers to the Administrative cooperation between SAs (covering cooperation under Articles 56, 60, 61 and 62 GDPR) and the administrative cooperation between SAs, the EDPB and the Commission (covering Articles 64 to 66 GDPR). For the purposes of the pilot project, the SAs referred to in Article 51 GDPR and the EDPB shall be considered as “competent authorities” under the IMI Regulation.[4] The IMI Regulation (Regulation (EU) No 1024/2012) has also been modified to extend the list of IMI actors (besides the “competent authorities, IMI coordinators and the Commission”) to the “Union bodies, offices and agencies” and to add the GDPR to the Annex listing the provisions on administrative cooperation in union acts that are implemented by means of IMI.[5]

Article 17 of the EDPB Rules of Procedure (RoP) refers to the use of an “Internal information and communication system”, “in particular to support the electronic exchange of documents within the cooperation and the consistency mechanisms”. Article 10 11(1) of the EDPB RoP require the competent SA to send the relevant documents to the secretariat of the EDPB via the IMI IT system. The use of the IMI system to communicate between SAs is therefore made mandatory. Ignoring this requirement can have consequences, since the EDPB already considered that the urgency could not be presumed under Article 61(8) GDPR if the request for mutual assistance was not made under the formal IMI procedure to send a request for mutual assistance to the Irish SA.[6]

Decisions

→ You can find all related decisions in Category:Article 67 GDPR

References

  1. See EDPB, State of Play - IMI for GDPR purposes, 27 June 2018 (available here).
  2. See EDPB, 2019 Annual Report, Section 4.3.1 (available here).
  3. European Commission, 16 May 2018, Implementing Decision (EU) 2018/743 (available here).
  4. The EDPS is not a competent authority under the GDPR, which seems to exclude it from the pilot project.
  5. See Article 5(g) of Regulation (EU) No 1024/2012, as modified by Regulation (EU) 2018/1724.
  6. EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited, p.42, s. 4.2.1(available here).