Article 97 GDPR

From GDPRhub
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Article 97 - Commission reports
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 97 - Commission reports

1. By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.

2. In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:

(a) Chapter V on the transfer of personal data to third countries or international organisations with particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC;
(b) Chapter VII on cooperation and consistency.

3. For the purpose of paragraph 1, the Commission may request information from Member States and supervisory authorities.

4. In carrying out the evaluations and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources.

5. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account of developments in information technology and in the light of the state of progress in the information society.

Relevant Recitals

There are no relevant recitals for Article 97 GDPR.

Commentary

Article 97 GDPR imposes a "comprehensive reporting obligation" upon the Commission.[1] The first paragraph of Article 97 GDPR sets out the time-frame for the Commission's reporting obligations to the European Parliament and the Council, which is to be fulfilled every four years, as well as imposing a formal publication obligation upon the Commission.

The second paragraph sets out the content of the Commission's reports made under Article 97 GDPR, which is to examine the application and functioning of Chapters V and VII of the Regulation. Under Article 97(2)(a) GDPR, the Commission's report must look to the functioning of existing adequacy decisions (Article 45(3) GDPR), regardless of whether they were adopted under the previous regulatory framework (Article 25(6) Directive 95/46/EC or 'DPD').[2] The next provision of Article 97(2) GDPR, paragraph (b), establishes Chapter VII of the Regulation as another area which the Commission must report upon. Chapter VII relates to the cooperation and consistency mechanisms. The inclusion of Chapter V on the transfer of personal data to third countries or international organisations was raised in Trilogue proceedings following the annulment of the Safe Harbour Agreement by the Court of Justice of the European Union ("CJEU").[3] Zedrick notes that as a direct result of the Schrems I case,[4] European legislators sought to implement a system whereby each adequacy decision would be subject to a mechanism of periodic review, every four years as per Article 45(3) GDPR, and subject to regular reporting, which Article 97(2) GDPR provides for.[5]

The third paragraph of Article 97 GDPR, obliges the Commission to take into account the opinions of Member States and Supervisory Authorites in the fulfillment of its reporting obligations. While the fourth paragraph of the provision obliges the Commission to also take into account the opinions of "relevant bodies or sources," in particular, explicitly listed are the European Parliament and the Council.

Lastly, paragraph five of Article 97 GDPR encompasses the overall aim of the Article - to allow for the Regulation to keep pace with rapid technological advancements. Article 97(5) GDPR establishes that once the Commission has carried out its assessment and reporting obligations, it may propose amendments to the GDPR, if it considers them to be necessary to align the existing legislation with developments in information technology and information society (Article 17(2) of the Treaty on European Union).[6]

Decisions

→ You can find all related decisions in Category:Article 97 GDPR

References

  1. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 97 GDPR, margin numbers 1-3 (C. H. Beck 2020, 3rd edition).
  2. In the latter case, under Article 45(9) GDPR, adequacy decisions adopted on the basis of Article 25(6) DPD remain in force until amended, replaced or repealed.
  3. Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 97 GDPR, margin numbers 4-6 (C. H. Beck 2020, 3rd edition).
  4. Case C‑362/14, Schrems. In Schrems I, the CJEU invalidated the Safe Harbor Agreement and stated that, in order to be "adequate", the level of data protection offered by a third country should be “essentially equivalent” to that of the EU.
  5. Zerdick, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 97 GDPR, p. 1310 (Oxford University Press 2020).
  6. Zerdick, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 97 GDPR, p. 1310 (Oxford University Press 2020).