GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗». Author Adv. Prashant Mali
To order the suspension of data flows to a recipient in a third country or to an international organisation.
Each supervisory authority shall have all of the following authorisation and advisory powers:
To advise the controller in accordance with the prior consultation procedure referred to in Article 36;
To issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
To authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;
To issue an opinion and approve draft codes of conduct pursuant to Article 40(5);
To accredit certification bodies pursuant to Article 43
To issue certifications and approve criteria of certification in accordance with Article 42(5);
To adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);
To authorise contractual clauses referred to in point (a) of Article 46(3);
To authorise administrative arrangements referred to in point (b) of Article 46(3);
To approve binding corporate rules pursuant to Article 47.
The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.
Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.
Suitable Recitals
(122) Responsibility of the supervisory authorities; (129) Tasks and powers of the supervisory authorities; (131) Attempt of an amicable settlement.
COMMENTARY:
Article 28 of the Directive provided for two types of powers given to supervisory authorities: a power of consultation of the national authorities drawing up administrative measures or regulations relating to the protection of the rights and freedoms of individuals with regard to the personal data processing; effective powers of control expressed in investigative powers, effective powers of intervention and powers to engage in legal proceedings. However. A wide space for maneuvering was left to Member States so that eventually, the powers of national supervisory authorities could differ widely from one Member State to another.
The powers provided to the national supervisory authorities are considerable - including sanctions - and probably will change the relationship profoundly between them and the controllers or the processors, in particular, where the authorities were previously organized as mere advisory and conciliation bodies. Thus they acquire coercive powers similar to those of the administrative authorities such as the competition authorities, with the well-known fear that they generate for the enterprises. They are therefore established for the future as real "policemen" of the data protection.
This extension of powers will necessarily involve a dramatic strengthening of human and financial resources available to existing authorities if we are to prevent these from remaining a dead letter. This will certainly raise some reluctance from the Member States, but will undoubtedly allow for the protection to be taken much more seriously than at present. In any event, the status of these authorities may change profoundly and give them institutional importance that they did not have before. It should be noted that the Member States will retain discretion as to the application of fines to public authorities and organizations (see the comments on Article 83).
Art. 59 GDPR Activity reports
Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the Board.
COMMENTARY:
An activity report is provided at regular intervals by the supervisory authorities.
* * *
CHAPTER 7: COOPERATION ANDCONSISTENCY
Section 1: Cooperation
Art. 60 GDPR Cooperation between the lead supervisory authority and the other supervisory authorities concerned.
The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.
The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.
The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.
Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.
Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.
Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.
The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.
By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.
Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.
After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.
The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.
Suitable Recitals
(124) Lead authority regarding processing in several Member States; (125) Competences of the lead authority; (130) Consideration of the authority with which the complaint has been lodged.
COMMENTARY:
While the lead authority is in charge of operations, under Article 60(1) GDPR the lead supervisory authority shall cooperate with the other supervisory authorities concerned in order to reach a consensus on actions to be taken. It may request assistance by other concerned supervisory authorities under Article 61 GDPR, and especially for purposes of carrying out investigations or monitoring the implementation of measures taken, may conduct joint operations in accordance with Article 62 GDPR. All supervisory authorities concerned exchange relevant information (Article 60(1) cl. 2 and (3) GDPR). Concerning a decision, it is for the lead supervisory authority to submit a draft to the other concerned supervisory authorities.
According to Article 60(3) GDPR, their views have to be taken duly into account. Further, the other concerned supervisory authorities may, within four weeks, express relevant and reasoned objections as provided by Article 60(4) GDPR. This term is defined in Article 4(24) GDPR as stating whether there is an infringement of the GDPR, whether the envisaged action is in accordance with the GDPR and clearly demonstrate the significance of risks incurred by the draft decision with data subjects’ fundamental rights and freedoms or the free flow of personal data.
If the lead supervisory authority agrees with the objection, it has to submit a revised draft to the other concerned supervisory authorities, who then have to submit any objections within two weeks according to Article 60(5) GDPR.
If no objections are submitted within the prescribed period, a consensus is deemed to exist by Article 60(6) GDPR and all supervisory authorities concerned are bound by the decision. When the decision is adopted, it is for the lead supervisory authority to take action with regard to the controller or processor, while the supervisory authority to which a complaint was lodged has to inform the complainant according to Article 60(7) GDPR.
Art. 61 GDPR Mutual assistance
Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.
Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.
Requests for assistance shall contain all the necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.
The requested supervisory authority shall not refuse to comply with the request unless:
It is not competent for the subject-matter of the request or for the measures it is requested to execute; or
Compliance with the request would infringe this Regulation or Union or Member State law to which the supervisory authority receiving the request is subject.
The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken
in order to respond to the request. The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4.
Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standardised format.
Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.
Where a supervisory authority does not provide the information referred to in paragraph 5 of this Article within one month of receiving the request of another supervisory authority, the requesting supervisory authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an urgent binding decision from the Board pursuant to Article 66(2).
The Commission
Comments (0)