Article 70 GDPR

From GDPRhub
Revision as of 08:16, 29 April 2022 by SR (talk | contribs) (→‎Commentary)
Article 70 - Tasks of the Board
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 70 - Tasks of the Board

1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

(a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;
(b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;
(c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;
(d) issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);
(e) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;
(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);
(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;
(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).
(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;
(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1);
(k) draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;
(l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);
(m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);
(n) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;
(o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);
(p) specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;
(q) provide the Commission with an opinion on the certification requirements referred to in Article 43(8);
(r) provide the Commission with an opinion on the icons referred to in Article 12(7);
(s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation.
(t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66;
(u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;
(v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;
(w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.
(x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and
(y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.

3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.

4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

Relevant Recitals

Recital 124: Lead Supervisory Authority and Cooperation
Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.

Recital 136: Opinions and Binding Decisions of the EDPB
In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation.

Recital 139: EDPB
In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union. To fulfil its objectives, the Board should have legal personality. The Board should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives. The Commission should participate in the Board's activities without voting rights and the European Data Protection Supervisor should have specific voting rights. The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting cooperation of the supervisory authorities throughout the Union. The Board should act independently when performing its tasks.

Commentary

Article 70(1) GDPR lists the tasks of the EDPB (Article 70(1)(a)-(y), which share the overall aim of ensuring the GDPR's consistent application across the EU.

(1) Tasks to Ensure GDPR's Consistent Application

Articles 70(1)(a) and (t) GDPR grant the EDPB an important and new role regarding the GDPR’s consistency mechanism.[1] In particular, the EDPB is required to issue: opinions on draft measures by supervisory authorities (“SA”) under the consistency mechanism (Article 64(1) GDPR); opinions on matters of general application, or producing effects in more than one member state, in particular where a competent SA does not comply with obligations for mutual assistance (Article 64(2) GDPR); binding decisions under the dispute resolution procedure (Article 65 GDPR); and binding decisions where a SA has adopted provisional measures under the urgency procedure and considers a need for definitive action (Article 66 GDPR). The EDPB adopted its first binding decision under the Article 65 GDPR dispute resolution procedure on 9 November 2020 on a draft decision by the Irish SA concerning a data breach by Twitter, which SAs in Austria, Denmark, France, Germany, Hungary, Italy and Spain had objected to.[2] The EDPB asked the Irish SA to re-assess the elements it relied upon to calculate the fine to be imposed on twitter, and to amend its draft decision by increasing this fine in order to ensure it fulfils its purpose as a corrective measure.[3]

Article 70(1)(b) GDPR states that the Commission may consult the EDPB on any issue regarding data protection in the Union. This provision is similar to that in Article 42 Regulation 2018/1725, which states the Commission may consult either: (1) the EDPS, in relation to legislative proposals or drafts implementing measures impacting data protection, or (2), both the EDPS and EDPB jointly, where such proposals are of particular importance. On 13 May 2019, the Commission submitted its first request for a joint opinion of this kind on the draft Implementation Decision on eHealth.[4] The EDPB and EDPS have also submitted joint advice to the European Parliament, although the GDPR does not specifically provide for this.[5]

Under Article 70(1)(e) GDPR, the EDPB must examine – either on its own initiative or in response to a request from a member of the Commission – questions covering the GDPRs application, as well as issue guidelines, recommendations, and best practices. Articles 70(1)(f)-(j) GDPR specify areas in which these should be issued, namely: profiling; data breaches and the risk to data subject rights and freedoms; binding corporate rules; and data transfers. As Schiedermair emphasises, these guidelines are an “important building block in the effort to gradually dismantle” the varied enforcement of data protection law by member states.[6] The Meijers Committee – an independent group researching and advising on privacy law – has highlighted the potential risks of soft law instruments such as these guidelines, recommendations, and best practices, which are in practice often treated as law. Soft law can consequently have legal effects, which means it requires a specific legal basis. Moreover, soft law may lack “safeguards, transparency and the involvement of democratically chosen bodies or interested citizens or organisations associat edition”.[7] Docksey notes that the EDPB’s competence to issue guidelines, recommendations, and best practices under Article 70s largely avoids these risks.[8] Importantly, the EDPB has a clear statutory mandate, to “ensure the consistent application” of the GDPR (Article 70(1) GDPR). Article 70(4) GDPR also requires the EDPB, “where appropriate”, to consult interested stakeholders and provide them with the opportunity to comment, and the results of this consultation must be made public.

The fact that Article 70(1)(l) GDPR only requires the EDPB to review the practical application of guidelines, recommendations, and best practices referred to in Article 70(1)(e) and (f) GDPR was an editorial error; this obligation applies to all guidance issued by the Board.[9]

Articles 70(1)(n) to (q) GDPR outline the EDPB’s responsibilities regarding the drawing up of codes of conduct, and the accreditation of certification bodies pursuant to Articles 40-41 GDPR and Articles 42-43 GDPR, respectively. On certification, the EDPB must encourage the creation of codes of conduct on certification mechanisms (Article 70(1)(n) GDPR), as well as actually accredit the certification bodies, regularly review them, and keep a public register (Article 70(1)(n) GDPR). The latter requirement conflicts with the wording of Article 43(1) GDPR, which only requires national SAs to carry out accreditation. Article 70(1)(n) GDPR thus contains an editorial error as the EDPB is merely required to review accreditation decisions by national SAs.

(2) Time Limit

Article 70(2) GDPR postulates that, where the Commission requests advice from the EDPB, it may indicate a time limit, taking into account the urgency of the matter. However, the question whether the time limit is binding for the EDPB, seems to be unclear. Some argue that it is not binding but that the EDPB should give priority to corresponding requests from the Commission and inform it that the deadline cannot be met and for what reasons, or by when the Committee can deliver the desired opinion.[10] Others indicate an option for leeway only in cases of Article 64(2) GDPR but not the context of Article 70(2) GDPR.[11]

(3) Forwarding the Opinions, Guidelines, and Recommendations

According to Article 70(3) GDPR, the EDPB is obligated to “forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.” At the same time, it has to publish all these working results, as the Article 29 Working Party has always done. For the decisions in the consistency mechanism, a more precise publication obligation results from Article 65(5) GDPR. The opinions, guidelines, recommendations and best practices are also published online.[12]

(4) Consultation of Interested Parties

Article 70(4) GDPR requires the EDPB, where appropriate, to consult interested groups and provide them with the opportunity to comment. Interested groups may include data protection experts from science and practice, interested groups may also include any other groups active regarding data protection issues.[13] In practice, the EDPB conducts consultations ex ante, by hosting workshops and ‘fablabs,’ and ex post, by providing stakeholders the opportunity to comment on draft guidelines.[14]

Decisions

→ You can find all related decisions in Category:Article 70 GDPR

References

  1. Schiedermair in Simitis et al., Data Protection Law, Article 70 GDPR, margin numbers 6-8 (C.H. Beck 2019, 1st edition).
  2. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 240 (Oxford University Press 2021).
  3. EDPB, 9 November 2020, Twitter International Company, Decision 01/2020 (available here).
  4. EDPB-EDPS, Guidelines 3/2019 on processing of personal data through video devices, 29 January 2020.
  5. EDPB-EDPS Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection, referenced by Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 240 (Oxford University Press 2021).
  6. Schiedermair in Simitis et al., Data Protection Law, Article 70 GDPR, margin number 4 (C.H. Beck 2019, 1st edition).
  7. Meijers Committee, Note on the use of soft law instruments under EU law, in particular in the area of freedom, security and justice, and its impact on fundamental rights, democracy and the rule of law, 9 April 2018, referenced in Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 243 (Oxford University Press 2021).
  8. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 243 (Oxford University Press 2021).
  9. Albrecht in Ehmann, Selmayr, DS-GVO, Article 70 GDPR, margin numbers 6,7 (C.H. Beck 2018, 2nd edition).
  10. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 70 GDPR, margin number 16 (C.H. Beck 2020, 3rd edition); Brink in BeckOK Datenschutzrecht, Wolff/Brink DS-GVO Article 69 margin number 19 (C.H. Beck, 39th edition).
  11. Hellmich, in Taeger, Gabel, Datenschutzrecht, Article 69 DSGVO BDSG, margin number 5 (C.H. Beck 2022, 4th edition).
  12. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 70 GDPR, margin number 17 (C.H. Beck 2020, 3rd edition).
  13. Schiedermair in Simitis et al., Data Protection Law, Article 70 GDPR, margin number 13 (C.H. Beck 2019, 1st edition).
  14. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 243 (Oxford University Press 2021).