This presentation delves into the responsibilities of the key regulator, the Data Protection Authority (DPA), under the GDPR. Participants will grasp the role of DPAs, their interactions with organizations, and best practices for collaboration. Topics include DPA status, competences, tasks, powers, cooperation, and enforcement measures.
Guidance for using these slides (remove before delivering) These slides are meant to be easily adaptable to different audiences. To facilitate this, each slide is assigned to a specific audience (see „relevant for:” in the notes). In the notes section below each slide, you find an indication of the slide’s degree of difficulty [i.e. whether it is suited for data protection beginners or not], its target audience [everyone vs authorities, lawyers, data protection officers, etc.], and its degree of importance [whether it is essential that you deliver it, or if it can be removed without impacting the effectiveness of the training]. Prior to training delivery, please: • Read the slides and the notes thoroughly • Take a look at the reading materials – they also serve to assist you in your preparation • Remove/hide the slides that you consider unnecessary [right click on the slide miniature on the left and click ‘hide slide’]. A provisional categorisation has been made based on the depth and importance of the respective content • Adjust slides to national or sectoral requirements • Add content that you consider essential for your particular audience • Feel free to replace the default layout with your organisation’s layout
How to Read the Slides’ Colour Frames [Remove Before Delivering] • Green – a basic slide: we encourage you to keep it • Yellow – a medium level slide: it is important, but its removal does not jeopardise effectiveness • Red – an advanced slide: consider adapting it to your audience, preparing your audience for it, or removing it if you deem it unnecessary • Purple – advised adaptation: this slide should contain information regarding the national legislation complementing the EU Regulations; if the content regards a different Member State, we advise you to replace it with the relevant national content
Speaker Name Title Department Contact details
These slides explore the role and responsibilities of the key regulator under the GDPR, the Data Protection Authority. How can the DPA be of assistance to other data protection professionals? Trainees will be able to understand the role of the DPA and how it is likely to interact with their organisation, how best to approach and work with the DPA, and what can be expected of it.
Table of contents • What is a DPA? • Status • Competences • Tasks • Powers • Cooperation between supervisory authorities • Connection with the data subjects • Remedies and penalties • Q & A • Wrap-up and feedback
Objectives • Explain the role of DPAs in the protection of natural persons’ rights with regard to the processing of their personal data • Provide an overview of the activities of a DPA • Help to create a better understanding of the operation of the national supervisory authority
Introductions What’s your level of experience and exposure with data protection? What do you know about your DPA? Is there anything in particular you are hoping to get out of today?
Relevant Articles of the GDPR concerning Data Protection Authorities (DPAs) • Independent status of the DPAs (Article 52) • General conditions for the members of the supervisory authority (Article 53) • Rules on the establishment of the supervisory authority (Article 54) • Competence, tasks and powers of a DPA (Articles 55-58) • Activity reports (Article 59) • Cooperation between DPAs (Articles 60-62) • European Data Protection Board (Articles 68-76) • Right to lodge a complaint with a supervisory authority (Article 77) • Right to an effective judicial remedy against a supervisory authority (Article 78) • Right to an effective judicial remedy against a controller or processor (Article 79) • Representation of data subjects (Article 80) • Suspension of proceedings (Article 81) • Right to compensation and liability (Article 82) • General conditions for imposing administrative fines (Article 83) • Penalties (Article 84)
Data Protection Authorities and human rights • Article 8 of the Human Rights Convention and Article 8 of the EU Charter of Fundamental Rights protect people’s right to a private life • Compliance with these rules shall be subject to control by an independent authority • DPAs are independent public authorities that supervise the application of the data protection law in the Member States. In order to exercise their power in an effective way, DPAs have investigative and corrective powers. • In order to ensure the right to the protection of personal data, each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of those rules • to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union • Each supervisory authority shall contribute to the consistent application of the GDPR
Independence of the DPAs • Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with the GDPR • For the sake of independence, the supervisory authorities • shall, in the performance of their tasks and exercise of their powers in accordance with the GDPR, remain free from external influence, whether direct or indirect, • shall neither seek nor take instructions from anybody • For the sake of independence, members of the supervisory authorities • shall refrain from any action incompatible with their duties • shall not, during their term of office, engage in any incompatible occupation, whether gainful or not
Measures Member States shall take for the independent operation of a DPA • The supervisory authority shall be provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers • Each supervisory authority chooses and has its own staff, which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned • Each supervisory authority is subject to financial control which does not affect its independence, and it has separate, public annual budgets, which may be part of the overall state or national budget
Rules on the establishment of the supervisory authority 1. Each Member State is required to appoint one or more DPAs to implement the Regulation and protect the rights and freedoms of individuals 2. DPAs perform their tasks and exercise their powers with complete independence -> this is an essential component of the protection of natural persons’ personal data 3. Each supervisory authority shall contribute to the consistent application of the GDPR 4. Where more than one DPA is established, the Member State shall designate the lead supervisory authority
General conditions for the members of the supervisory authority • Members of the supervisory authorities shall be appointed by means of a transparent procedure by: • the parliament, • the government, • the Head of State, or • an independent body entrusted with the appointment under Member State law • Each member shall have the appropriate qualification, experience and skills in the area of data protection • The duties of a member shall end in the event of: • expiry of the term of office, • resignation, • compulsory retirement, • dismissal (in case of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties)
Competence of a DPA • 1. Competence of the DPAs: • performance of the tasks assigned to it and exercise of the powers conferred on it in accordance with the GDPR on the territory of its own Member State, and • enforcing data protection laws at a national level and providing guidance on the interpretation of those laws • Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity. • 2. Competence of the lead supervisory authority • the DPA of the main establishment or of the single establishment of the controller or processor is competent to act as lead supervisory authority • BUT each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State (the lead supervisory authority shall be informed without delay, and the latter shall decide within 3 weeks whether or not it will handle the case in accordance with the procedure provided in Article 60) • The lead supervisory authority decides to handle the case -> Article 60 applies • The lead supervisory authority decides not to handle the case -> the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.
Tasks of the DPAs I. • Tasks of DPAs concern: • public institutions and bodies • advise on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing • the GDPR • monitor and enforce the application of the GDPR • promote the awareness of controllers and processors of their obligations under the GDPR • conduct investigations on the application of the GDPR • data subjects • promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing • upon request, provide information concerning the exercise of their rights under the GDPR • handle complaints
Tasks of the DPAs II. • controllers and processors • encourage the drawing up of codes of conduct and carry out a periodic review of certifications • authorise contractual clauses and provisions • approve binding corporate rules • establish and maintain a list in relation to the requirement for data protection impact assessment • give advice on the processing operations • other supervisory authorities • cooperation • sharing information and providing mutual assistance • international cooperation • contribute to the activities of the Board • monitor relevant developments, insofar as they have an impact on the protection of personal data • any other tasks related to the protection of personal data
Powers of the DPAs DPAs have the authority to intervene in all organisations and business activities, insofar as personal data is processed: • Investigative powers • carry out investigations and review certifications • obtain access to all personal data and to all information necessary for the performance of its tasks • obtain access to any premises of the controller and the processor, including to any data processing equipment and means • Corrective powers, including to issue substantial fines • issue warnings and reprimands to the controller • order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation; to communicate a personal data breach to the data subject; to • impose an administrative fine • Authorisation and advisory powers – authorise model clauses and binding corporate rules
When you have to contact a DPA: the obligation to notify • Notification of a personal data breach to the supervisory authority: in the case of a personal data breach, the controller shall .. without undue delay and, where feasible, not later than 72 hours • Prior consultation: the controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Cooperation between DPAs DPAs are required to cooperate and provide each other with mutual assistance • Cooperation between the lead supervisory authority and the other supervisory authorities concerned • Cross-border data processing affecting data subjects in multiple Member States: a DPA that wishes to take action must consult with the other affected DPAs to ensure the consistent application of the GDPR (consistency mechanism) • European Data Protection Board (EDPB): made up of representatives of the DPAs from each Member State • provides advice and takes an active role in enforcing EU data protection law • replaces the Article 29 Working Party
European Data Protection Board • Independence • The Board shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71. • Tasks of the Board • The Board shall ensure the consistent application of the GDPR • Report • The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union • Procedure • The Board shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation. • Chair and Secretariat • Tasks and responsibilities
One-stop-shop I The one-stop-shop mechanism applies to organisations operating across Member States and thus processing personal data of data subjects of different Member States • derogates from the territorial jurisdiction principle • objective: allows an organisation to deal with a single “lead DPA” when different authorities are responsible for the same processing operations, performed by the same entity, but affecting the rights of data subjects in different Member States • How does it work? • If a data controller conducts cross-border data processing in the EU, according to the GDPR the competent supervisory authority is the one based in the same Member State as its main establishment • If the data controller's activity concerns citizens of another Member State, the local DPA of that Member State may hand over the case to the DPA of the main establishment (lead supervisory authority), or can also handle the case locally in cooperation with the DPA of the main establishment
One-stop-shop II. (Examples) 1. A food retailer has its headquarters (i.e. its ‘place of central administration’) in Rotterdam, Netherlands. It has establishments in various other EU countries, which are in contact with individuals there. All establishments make use of the same software to process consumers’ personal data for marketing purposes. All the decisions about the purposes and means of the processing of consumers’ personal data for marketing purposes are taken within its Rotterdam headquarters. What is the company’s lead supervisory authority for this cross-border processing activity? 2. Company Y would like to simplify the way it deals with data protection compliance by notifying its operations to a single DPA. Company Y’s headquarters are in Russia, but it has significant business operations in Italy, Germany, France and the Czech Republic. Furthermore, two years ago the company changed its IT system, and processing operations now take place in a cloud platform. What does Company Y need to do to qualify for the one-stop-shop?
Remedies • Right to lodge a complaint with a supervisory authority: data subjects have the right to lodge complaints concerning the processing of their personal data with a DPA in the Member State in which they live or work, or the Member State in which the alleged infringement occurred (possible conflict with the one-stop-shop). • Right to an effective judicial remedy against a supervisory authority: against decisions of a DPA concerning them; any failure by a DPA to deal with a complaint within three months; and any unlawful processing of their personal data by a controller or processor. • Right to an effective judicial remedy against a controller or processor: against a controller or a processor if the data subject considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. • Representation of data subjects: a not-for-profit body, organisation or association whose statutory objectives are in the public interest and which is active in the field of the protection of data subjects' rights and freedoms may lodge a complaint with a DPA on behalf of a data subject, or exercise the right to a judicial remedy and the right to seek compensation on behalf of data subjects. • Venue for legal proceedings: proceedings against a controller or processor may be brought in the Member State in which the controller or processor has an establishment, or the Member State in which the data subject resides (except when the controller is a DPA or public authority).
Right to compensation and liability • A data subject who has suffered material or non-material damage as a result of the unlawful processing of his or her personal data has the right to receive compensation from the controller or processor for the harm suffered. • Any controller involved in the processing is liable for the harm caused (processors are liable for damage caused by sub-processors) • When involved in the same processing operation, controller and/or processor are liable for the whole of the damage • A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage • If more than one controller or processor is responsible for the damage, each of them shall be held liable for the entire damage • If a controller or processor has paid full compensation for the damage suffered, it can claim back from the other controllers or processors involved in the same processing that part of the compensation they are responsible for • Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
Liability of joint controllers • Each joint controller is liable for the entirety of the damage • The data subject can ask full compensation from one controller • Joint controllers may then recover damages from one another • Good for data subjects, who are protected in case national law recognises only partial liability of controllers. • Bad for ‘some’ joint controllers, who may have to pay high amounts and then recover from the other (joint) controller(s).
Administrative fines • Each DPA shall ensure that it imposes sanctions and administrative fines in a manner that is effective, proportionate and dissuasive. • Where a Member State's legal system does not provide for administrative fines, fines may be initiated by the DPA and imposed by the national courts. • Not much change from the old regime, but changes to both the amount of any fines and the factors relevant to determining those fines. • Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58(2).
Application of administrative fines by DPAs In imposing a fine, DPAs have to consider: • the nature, gravity and duration of the infringement; • the number of data subjects affected and the level of harm suffered by them; • the intentional or negligent character of the infringement; • any action taken by the controller or processor to mitigate the harm; • any relevant previous infringements by the controller or processor; • the degree of co-operation with the relevant DPA; • whether the infringement was self-reported by the controller or processor, and any other aggravating or mitigating factors • Maximum amount of administrative fines (for serious infringements of the GDPR): • €20 million or • 4% of an undertaking's worldwide turnover for the preceding financial year
Penalties and criminal sanctions • Member States set their own rules on penalties applicable to infringements of the GDPR, in particular those infringements that are not subject to administrative fines. • Member States may also provide their own rules on criminal sanctions for infringements of the GDPR. • The possible introduction of criminal sanctions may present a risk for organisations, depending on Member States’ decisions
Case law • A concrete example of a complaint brought to a DPA: Adam v. the pharmacist • A concrete case in which prior notification may be needed: have you done your data protection impact assessment? • Which jurisdiction is competent to hear a complaint and who qualifies for the one-stop-shop? The Weltimmo v Nemzeti case of 2014 in front of the ECJ • Right to a judicial remedy and what to do when you are not satisfied with the DPA’s response: the Schrems case (Case C-362/14) in front of the ECJ
Evaluation and feedback • Any further questions? • Evaluation forms • Attendance sheet
Credits These training materials are based on standard training materials developed in the context of the project “Supporting Training Activities on the Data Protection Reform” – STAR (http://www.project-star.eu/). This project has received funding from the European Union under the REC Action Grant programme, Grant Agreement No 769138 (2017-2019). The default version of the training materials is available free of charge on the STAR project website.