Article 75 GDPR

From GDPRhub
Article 75 - Secretariat
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 75 - Secretariat

1. The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.

2. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.

3. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.

4. Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.

5. The secretariat shall provide analytical, administrative and logistical support to the Board.

6. The secretariat shall be responsible in particular for:

(a) the day-to-day business of the Board;
(b) communication between the members of the Board, its Chair and the Commission;
(c) communication with other institutions and the public;
(d) the use of electronic means for the internal and external communication;
(e) the translation of relevant information;
(f) the preparation and follow-up of the meetings of the Board;
(g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.

Relevant Recitals

Recital 140: Secretariat and Staff of the EDPS
The Board should be assisted by a secretariat provided by the European Data Protection Supervisor. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation should perform its tasks exclusively under the instructions of, and report to, the Chair of the Board.

Commentary

(1) The Secretariat

Article 75(1) GDPR clarifies that the EDPB secretariat, one of the most important structures within the Board, is provided by the EDPS. According to Docksey, the choice of the EDPS rather than the Commission to provide its secretariat “was grounded on a number of compelling considerations”. In particular, the EDPS is itself an independent supervisory authority (“SA”), has its own financial budget and independent administration and has deep data protection expertise.[1]

(2) Exclusive Performance of Tasks under the Instructions of the Chair

Article 75(2) GDPR clarifies that the secretariat is subject to the instructions of the EDPB Chair. The use of the word “exclusively” is intended to clarify that the EDPS does not retain any authority over the staff seconded to the EDPB.[2] Some commentators doubt that Article 75(1) GDPR can effectively ensure the EDPB staff full independence from the EDPS’s – even indirect – influence. For instance, the secretariat staff remain formally employed by the EDPS and on its budget, are only made available to the EDPB on a temporary basis, and are subject to the EDPS for any step in their career development.[3] Whether Article 75(1) GDPR ensures that there is no indirect influence on the work processes of the Secretariat, which could endanger the EDPB independence, remains to be seen.

(3) Separate Reporting Lines for EDPB Staff

The employees of the EDPB Secretariat only report to the Chair (Recital 140 GDPR). In this respect, they are therefore withdrawn from the EDPS’s area of ​​responsibility (Article 46 Regulation (EC) No. 45/2001) and are obliged to maintain secrecy vis-à-vis their employer with regard to their activities within the EDPB.

(4) Memorandum of Understanding

The EDPB's dependence status, discussed in the previous paragraphs, is reflected in the need to ensure a special status for members of the secretariat in terms of staff selection, leave, performance appraisals, disciplinary profiles, reintegration into the EDPS ranks, and separate reporting lines. To this end, as suggested by Article 75(4) GDPR, the EDPS and the EDPB issued a joint Memorandum of Understanding on May 25, 2018 (“MoU”) which also defines the terms of the EDPS/EDPB cooperation with regard to organization of work spaces and structures (service rooms, e-mail addresses, filing systems and separation of documents).[4] Some scholars, whose views we share, doubt the MoU will be able to prevent the EDPS from potentially influencing the staffing and budget.[5]

(5) General Tasks

The secretariat of the EDPB has a broader range of tasks than the simple administrative and logistical tasks provided by the Commission secretariat to the Article 29 Working Party. Article 75(5) GDPR states generally that the secretariat shall provide “analytical, administrative and logistical support”. This broadly requires the secretariat to carry out two different types of activity for the Board: analytical tasks on the one hand, and logistical and administrative tasks on the other.[6]

(6) Specific Tasks

Article 75(6) GDPR specifies the above-mentioned types of tasks. On the one hand, there are administrative and logistical tasks, such as (a) the day-to-day business of the Board; (b) communication between the members of the Board, its Chair and the Commission, and, where relevant, the EFTA Surveillance Authority; (d) the use of electronic means for the internal and external communication; and (e) the translation of relevant- information.[7] On the other hand, reference is made to analytical responsibilities such as (c) communication with other institutions and the public; (f) the preparation and follow-up of the meetings of the Board; and (g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.[8]

Decisions

→ You can find all related decisions in Category:Article 75 GDPR

References

  1. Docksey furthermore suggests that the choice must also be seen in the light of the ECJ, Case C-614/10, Commission v Austria “which made it plain that the EDPB could not be attached to and be dependent upon the Commission and its services for its operation. It was also out of the question for the officials of the Board to be Commission officials. It therefore made sense to attach the Board for such administrative purposes to another, larger independent authority which was completely in control over its own human and budgetary resources”. See, Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020).
  2. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition).
  3. Brink, Wilhelm, in BeckOK DatenschutzR, Article 75 GDPR, margin numbers 8-9 (C.H. Beck 2020, 36th edition) who, to reduce the EDPS influence, advocate for a wider use of staff from the individual member state supervisory authorities.
  4. Available here
  5. Brink, Wilhelm, in BeckOK DatenschutzR, Article 75 GDPR, margin number 13 (C.H. Beck 2020, 36th edition).
  6. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020).
  7. Also confirmed by Article 64(5)(a) GDPR: “The secretariat of the Board shall, where necessary, provide translations of relevant information”.
  8. Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 75 GDPR, p. 1108 -1109 (Oxford University Press 2020) who also reports how “Section IY.2 of the MoU sets forth a number of further support tasks regarded as included under Article 75(6) GDPR: (i) organisation of meetings, (ii) IT communications, (iii) handling access to document requests, (iv) record management, (v) security of information, (vi) information and communication tasks, (vii) relations with other institutions, including representation of the Board before the Courts, and (viii) DPO activities”.