GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗». Author Adv. Prashant Mali
promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;
promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.
issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and
maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.
The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
Suitable Recitals
(136) Binding decisions and opinions of the Board; (139) European Data Protection Board.
COMMENTARY:
Article 30 of the Directive already listed the tasks of the board of the Article 29 Working Party to the Commission, as well as the way the Board is called to contribute to the uniform application of the national transposition rules. These tasks logically include the ability of the Board to examine any question relating to the transposition of the Directive by the Member States, in order to ensure its uniform application.
Then, Article 30 (2) gave the Article 29 Working Party the task to provide advice to the Commission regarding the level of protection in the Community and in third countries, as well as on the codes of conduct developed at Community level. The Article 29 Working Party should also advise the Commission on any proposed amendment of this Directive, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms.
In addition to these tasks, the Working Party should inform the Commission on any divergences between the laws or practices of Member States likely to affect the corresponding protection for persons with regard to the processing of personal data in the Union. The Working Party also had a general competence to adopt initiative for recommendations on any matter pertaining to the protection of personal data in the Union.
Article 30 allowed for a dialog between the Article 29 Working Party and the Commission, in order to prepare a report on the response given by the Commission to the recommendations made by the Article 29 Working Party. This report was communicated to Parliament and published. Finally, the Article 29 Working Party has the obligation to prepare an annual activity report on the status of the personal data protection in the Union and in third countries. This report was publicized and communicated to the Commission and the Parliament.
GDPR Article 70, as mentioned, describes the many tasks of the European Data Protection Board and it’s a pretty long list so do check it out indeed. This article basically elaborates tasks of EDPB.
Art. 71 GDPR Reports
The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.
The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of the binding decisions referred to in Article 65.
COMMENTARY:
Article 30 (6) of the Directive, required the Article 29 Working Party to draw up an annual report on the status of the protection of natural persons with respect to the personal data processing in the Community and in third countries. The report had to be published and communicated to the Commission, the European Parliament and the Council. GDPR Article 71 is about the duty of the EDPB to make an annual report on, among others, the personal data protection of data subjects where processing happens in the EU and, where relevant outside of the EU. The report is public.
Art. 72 GDPR Procedure
The Board shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation.
The Board shall adopt its own rules of procedure by a two-thirds majority of its members and organise its own operational arrangements.
COMMENTARY:
Under the Directive, the G29 decisions should be taken by a simple majority of the representatives of the authorities within that Working Party. GDPR Article 72 simply says that when the EDPB takes decisions, normally it’s by a simple majority of its members and in some cases by a two-thirds majority.
Art. 73 GDPR Chair
The Board shall elect a chair and two deputy chairs from amongst its members by simple majority.
The term of office of the Chair and of the deputy chairs shall be five years and be renewable once.
COMMENTARY:
GDPR Article 73 says that, again via a simple majority vote, each five years the European Data Protection Board elects a chair and two deputy chairs. These have to be members of the board and can only be re-elected once (so never one person more
than 10 years). The Article 29 Working Party was allowed to elect their chair for a term of 2 years. In addition, pursuant to the Directive, the chair mandate was renewable.
Art. 74 GDPR Tasks of the Chair
1. The Chair shall have the following tasks:
to convene the meetings of the Board and prepare its agenda;
to notify decisions adopted by the Board pursuant to Article 65 to the lead supervisory authority and the supervisory authorities concerned;
to ensure the timely performance of the tasks of the Board, in particular in relation to the consistency mechanism referred to in Article 63.
2. The Board shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.
COMMENTARY:
GDPR Article 74 expands on what the tasks of the chair of the European Data Protection Board are with, on top of a list of tasks the additional stipulation that the allocation of tasks that need to be executed by the chair and deputy chairs must be in the rules of procedure. Under the Directive, the Chair’s task was essentially to include in the agenda the matters to be considered by G29 (see Art. 29 (7)).
Art. 75 GDPR Secretariat
The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.
The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.
The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.
Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.
The secretariat shall provide analytical, administrative and logistical support to the Board.
The secretariat shall be responsible in particular for:
the day-to-day business of the Board;
communication between the members of the Board, its Chair and the Commission;
communication with other institutions and the public;
the use of electronic means for the internal and external communication;
the translation of relevant information;
the preparation and follow-up of the meetings of the Board;
the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.
Suitable Recitals
Secretariat and staff of the Board.
COMMENTARY:
Article 75 states that the Board secretariat shall be provided by the European Data Protection Supervisor and defines their tasks. In general, the secretariat shall provide analytical, administrative and logistical support to the Board. In order to ensure the independence of the secretariat, Article 75 provides various safeguards, including organizational such as all the tasks of the secretariat shall be carried out under the exclusive authority of the Chair of the European Data Protection Board. In addition, paragraph 3 imposes the organizational separation of the staff of the Board secretariat from that of the secretariat of the European Data Protection Supervisor, which implies that the Board secretariat must be subject to separate hierarchical relations, still intended to ensure its independence.
Paragraph 4 enables the Board, in conjunction with the European Supervisor, to establish and publish a Memorandum of Understanding applicable to the staff, implementing the aforementioned organizational separation and specifying the terms of cooperation between the Board and the European Supervisor. Paragraph 6 contains a list of the tasks entrusted to the secretariat, namely: the day-to-day business of the European Data Protection Board; the communication between the members of the Board, its Chair and the Commission and the communication with other institutions and the public.
The secretariat must also ensure the use of electronic means for internal and external communication as well as the translation of relevant information. Finally, the secretariat shall ensure the preparation and follow-up of the meetings of the European Data Protection Board and also the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board. Article 29 of the Directive stipulated that the Article 29 Working Party shall be assisted by a secretariat provided by the Commission.
Art. 76 GDPR Confidentiality
The discussions of the Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.
Access to documents submitted to members of the Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council.
COMMENTARY:
GDPR Article 76, finally, provides a few words on confidentiality in the scope of discussions of the EDPB and access to documents. Article 76 expressly states that the discussions of the Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure. Regulation (EC) shall govern access to documents submitted to members of the Board, experts and representatives of third parties No. 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents. In its first version, paragraph 3 of Article 76 imposed on the Chair the requirement to ensure that the members of the Board, the experts and the representatives of third parties are made aware of their duty to comply with the rule of confidentiality. However, this provision has not been maintained. The Directive did not provide for confidentiality of the discussions of the Article 29 Working Party.
* * *
CHAPTER 8: REMEDIES, LIABILITY AND PENALTIESArt. 77 GDPR Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Suitable Recitals
Right to lodge a complaint.
COMMENTARY:
The GDPR says that data subjects can lodge a complaint with a supervisory authority if they believe that the processing of their data infringes the GDPR. The complaint must be lodged with the supervisory authority of the EU member state where the data subject has their habitual residence or place of work, or of the member state where the alleged infringement occurred. In the event that a supervisory authority does not inform a data subject about the progress or outcome of their complaint within three months, or partially or wholly rejects or dismisses the complaint, the data subject shall have the right to an effective judicial remedy.
The Directive already required Member States to implement a procedure for lodging a complaint with the supervisory authority. Thus any person or an association representing that person may lodge a complaint concerning the protection of his or her rights and freedoms in regard to the processing of personal data. This may in particular consist of a request for verification of the lawfulness of processing. Pursuant to Article 28
Comments (0)