Law
Read books online » Law » GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖

Book online «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖». Author Adv. Prashant Mali



1 ... 25 26 27 28 29 30 31 32 33 ... 71
Go to page:
adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.

Suitable Recitals

Binding decisions and opinions of the Board.

COMMENTARY:

Article 65 creates a mechanism by which the European Data Protection Board may resolve any disputes among the DPAs. Decisions of the Board and decisions jointly agreed upon by lead and concerned supervisory authorities become binding.

In any case, the lead DPA must notify the accused controller or processor of any final decision, whereas the DPA where the complaint was originally lodged must notify the complainant. The complainant retains its right to an effective judicial remedy against a legally binding decision of a supervisory authority or where the supervisory authority fails to deal with a complaint or inform a data subject about the outcome of a case within three months. Additionally, under Article 83 the “exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in conformity with Union law and Member State law, including effective judicial remedy and due process.”

If the lead supervisory authority does not follow the objection or regards it as not relevant and reasoned, it has to apply the consistency mechanism and the Board has to adopt a binding decision according to Article 65(1)(a) GDPR.

As described above the Board adopts decisions according to Article 65(1) GDPR, when the lead supervisory authority does not follow objections of supervisory authorities concerned, regards them as irrelevant or unreasoned, when there are conflicting views on the main establishment of a controller or processor, or when the competent supervisory authority either fails to request an opinion of the Board or decides not to follow an opinion of the Board under Article 64 GDPR. Article 65(2)-(4) GDPR prescribes that all decisions are adopted with a two-thirds majority and generally within one month, which may be extended by six weeks.

If the Board fails to adopt a decision by that time the quorum is lowered to a simple majority for an additional two weeks. In the case of a split vote, the chair

decides. During the time of deliberation, the competent supervisory authority is barred from adopting its draft decision. As pointed out in Recital 142 GDPR decisions of the Board can be brought before the ECJ in an annulment action under Article 263 TFEU (Treaty on the Functioning of the European Union) by supervisory authorities, as they are addressees of these decisions.


Art. 66 GDPR Urgency procedure

In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.

Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision.

Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.

By derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the Board.

Suitable Recitals

Provisional measures; (138) Urgency procedure.

COMMENTARY:

There is an urgency procedure provided by Article 66(1) GDPR, which allows the supervisory authority concerned to circumvent the consistency mechanism of Articles 63-65 GDPR under exceptional circumstances in cases with an urgent need to protect the rights and freedoms of data subjects and to adopt immediate provisional measures for its Member State. These measures have to specify a period of validity, which may not exceed three months. In order to have final measures adopted, the supervisory authority concerned may request an urgent opinion or decision of the Board. According to paragraph 4 urgent opinions and decisions have to be adopted within two weeks by a simple majority.

In the opposite case, where the supervisory authority concerned does not take measures although there is an urgent need to act in order to protect the rights and freedoms of data subject, any supervisory authority may request an urgent opinion or decision of the Board according to Article 66(3) GDPR.


Art. 67 GDPR Exchange of information

The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in Article 64.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

COMMENTARY:

The Directive already vested in the Commission the ability to adopt implementing acts, in the form of directly applicable measures, after consulting the Board, which is composed of representatives of the Member States within the meaning of article 31 (1). However, under the Directive, this ability was limited to the area of the transfer of data to third countries.

In the case of a non-compliant opinion, Article 31 (2), paragraph 4, requires the Commission to defer the application of the measures for a period of three months and refer to the Board that is ultimately competent to decide on the appropriateness of such measures.


Section 3: European data protection board Art. 68 GDPR European Data Protection Board

The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality.

The Board shall be represented by its Chair.

The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State’s law.

The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. 3The Chair of the Board shall communicate to the Commission the activities of the Board.

In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Suitable Recitals

(139) European Data Protection Board.

COMMENTARY:

This article provides detail description regarding establishment of European Data Protection Board (EDPB). This article also provides general rules regarding the composition and functioning of EDPB. GDPR Article 68 establishes the European Data Protection Board and contains some general rules regarding the composition and functioning of it.


Art. 69 GDPR Independence

The Board shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.

Without prejudice to requests by the Commission referred to in Article 70(1) and (2), the Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.

Suitable Recitals

(139) European Data Protection Board.

COMMENTARY:

According to article 69 the EDPB is an independent legal body of the Union and it does not seek permission from anybody, in the performance of its task or to exercise its powers. GDPR Article 69 emphasizes the independence of the European Data Protection Board, adding that in the performance of its tasks and exercise of its powers it doesn’t seek nor take instructions for anyone.


Art. 70 GDPR Tasks of the Board

The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

Monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;

Advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;


Advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;

Issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);

Examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;

Issue guidelines, recommendations and best practices in accordance with point

of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);

Issue guidelines, recommendations and best practices in accordance with point

(e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;

issue guidelines, recommendations and best practices in accordance with point

(e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).

issue guidelines, recommendations and best practices in accordance with point

(e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;

issue guidelines, recommendations and best practices in accordance with point

(e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1);

draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

review the practical application of the guidelines, recommendations and best practices;

issue guidelines, recommendations and best practices in accordance with point

(e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);


encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40and 42;

approve the criteria of certification pursuant to Article 42(5) and maintain a public register of certification mechanisms and data protection seals and marks pursuant to Article 42(8) and of the certified controllers or processors established in third countries pursuant to Article 42(7);

approve the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies referred to in Article 43;

provide the Commission with an opinion on the certification requirements referred to in Article 43(8);

provide the Commission with an opinion on the icons referred to in Article 12(7);

provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation.

issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66;

promote the cooperation and the effective bilateral and multilateral exchange of

1 ... 25 26 27 28 29 30 31 32 33 ... 71
Go to page:

Free ebook «GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali (best novels to read for beginners txt) 📖» - read online now

Comments (0)

There are no comments yet. You can be the first!
Add a comment