Article 92 GDPR

From GDPRhub
Article 92 - Exercise of the delegation
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 92 - Exercise of the delegation

1.   The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2.   The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.

3.   The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4.   As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

5.   A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.

Relevant Recitals

Recital 166: Delegated Acts
In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

Commentary

This provision outlines the limits to the Commission's power to adopt delegated acts pursuant to Article 290 TFEU, within the scope of the GDPR.[1] The function of Article 92 GDPR is to lay down conditions for the delegation of power as necessitated by Article 290 TFEU, such as its duration (Article 290(1) TFEU), its revocability (Article 290(2)(a) TFEU), and the dependence of the entry of force of individual delegated acts on the absence of objections by the Parliament and the Council (Article 290(2)(b) TFEU). Delegated acts are distinguishable from other types of acts which the Commission may adopt in relation to the GDPR, in particular the implementing acts found in Article 93 GDPR.[2]

(1) Delegated acts

Under Article 290(1) TFEU, an EU legislative act may delegate the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act to the Commission. Article 290(1) TFEU provides that “the objectives, content, scope and duration of the delegation of power” must be explicitly defined within the legislative act, which Article 92 GDPR does through Articles 12(8) and 43(8) GDPR. Nonetheless, the Article 290(1) TFEU restricts the delegation of power to 'non-essential' areas of the legislative provision in question.

The “essential elements of an area” shall be reserved for the legislative act, and cannot be delegated to the Commission. In regard to the GDPR, the 'essential' legislative areas are the regulation and enforcement of data protection. The Commission may not legislate in these core areas, but is permitted to legislate for periphery matters which fall outside of the scope of areas considered 'essential.' In accordance with the framework established through Article 290 TFEU, Article 92 GDPR provides that the commission may make use of its delegated powers solely through Articles 12(8) and 43(8) GDPR.

(2) Delegation of power under Article 12(8) and 43(8) GDPR

The first delegation is provided for in Article 12(8) GDPR. This provision permits the Commission to adopts delegated acts in accordance with Article 92 for the purpose of determining the procedures for providing standardised icons and to determine the information to be displayed by icons.

The second delegation is provided for through Article 43(8) GDPR, which empowers the Commission to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).

Any delegated acts made under these provisions are inherently subject to the general principles governing delegated acts under Article 92 GDPR, as well as to the principles of the Articles under which any delegated act is made. A delegated act may not contradict the GDPR's fundamental principles and objectives.

(3) The delegation of power may be revoked

The delegation is conferred on the Commission for an indeterminate period of time. However, it may be revoked by the Council or the Parliament at any time. The revocation shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. Should it be used to revoke the delegations granted in Articles 12(8) and 43(8) GDPR, the revocation will not affect the validity of any of the delegated acts that the Commission may have already adopted and which are in force at that point. This, of course, does not preclude the possibility that the legislators (once the power has been resumed following revocation) may remove or amend the act issued by the Commission by an ordinary legislative act.

(4) Notification of delegated acts

As soon as it adopts a delegated act, the Commission shall notify it (together with the relevant documentation) simultaneously to the European Parliament and to the Council.

(5) Entry into force of delegated acts

After the Commission has notified the act (and the relevant documents), the Parliament and the Council have three months to express objections (or waive their intention to object).  When this period expires, the delegated act “pursuant to Article 12(8) and Article 43(8) shall enter into force”.

Possible scenarios

(a) The Parliament and Council inform the Commission of their intention not to object to the delegated act. In this case, the delegated act can be published in the Official Journal of the European Union, and can enter into force before the end of the three-month period.

(b) The Parliament and Council express the same objection. In this case, the Commission will most likely amend its act.

(c) Either the Parliament or the Council expresses an objection while the other remains silent. In this case, the Commission will probably amend the act as requested, and await a reaction from the other legislator. If there is no reaction within three months, the act is published in the Official Journal.

(d) Parliament and Council express separate objections, or different positions, on the same issue. This can be resolved either by the Commission renouncing the power of delegation, or by a dialogue between the two legislators.

(e) The Parliament and the Council do not express any objections within three months of the date on which the act is notified to them. In this case, the act shall enter into force.

Decisions

→ You can find all related decisions in Category:Article 92 GDPR

References

  1. Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).
  2. Herbst in Kühling, Buchner, DS-GVO BDSG, Article 92 GDPR, margin number 2 (C.H. Beck 2020, 3rd Edition). See also, Sydow in Sydow, Marsch, DS-GVO BDSG, Article 92 GDPR, margin number 26.