Publications & Events
Article

Chapter 14: Data Protection Authorities – Unlocking the EU General Data Protection Regulation

Previous Chapter | Next Chapter | Index of Chapters

Why does this topic matter to organisations?

National Data Protection Authorities ("DPAs") are appointed to implement and enforce data protection law, and to offer guidance. As set out in Chapter 16, DPAs have significant enforcement powers, including the ability to issue substantial fines. Understanding the role and responsibilities of DPAs is vital to achieving compliance.

What types of organisations are most affected?

The nature of an organisation's business, and the sector in which it operates, makes no difference to the ability of DPAs to enforce the law against that organisation. DPAs have the power and authority to regulate all organisations and all forms of business activity, to the extent that personal data are processed.

What should organisations do to comply?

The appropriate guidance depends on the nature of the organisation's business:

  • organisations that operate in multiple Member States will need to carefully consider their options in relation to establishment and the "One-Stop-Shop".
  • organisations that only operate in a single Member State (and only process personal data of residents of that Member State) are unlikely to notice significant differences in their interactions with DPAs.

   

Icons to convey information quickly

The following icons are used in the table, to clarify the impact of each change:

Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).

Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).

The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).

The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).

The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations).

The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).

   

Issue The Directive The GDPR Impact

Responsibilities of DPAs

DPAs are responsible for enforcing data protection laws at a national level, and providing guidance on the interpretation of those laws.

Art.28

Each Member State was required to appoint one or more DPAs to implement the Directive and protect the rights and freedoms of individuals.

 Rec.117; Art.51

Each Member State is required to appoint one or more DPAs to implement the Regulation and protect the rights and freedoms of individuals.

 The primary roles and responsibilities of DPAs have not significantly changed. Organisations can largely rely on their pre-existing experience of interactions with DPAs.

Jurisdiction

Each DPA is appointed at a national level, through national legislation. Its jurisdiction and enforcement powers are largely restricted to the territory of its own Member State.

Art.28

Each DPA had oversight of processing activities taking place on the territory of its own Member State only.

 Rec.124; Art.51, 55, 56

Each DPA can only exercise its powers on the territory of its own Member State but, under the "One-Stop- Shop" (see below), the DPA's regulatory actions may affect processing that occurs in other Member States.

 Organisations that operate across multiple Member States face a new set of challenges in their interactions with DPAs.

 Organisations that operate only within a single Member State, and only process personal data of residents of that Member State, are largely unaffected.

Independence

DPAs must be free from all outside influences, including government control.

Art.28(1)

Each DPA had to act with complete independence in carrying out its functions.

 Rec.117, 118 & 121; Art.52

Each DPA must act with complete independence in carrying out its functions.

 The GDPR essentially replicates the requirements set out in the Directive, albeit in greater detail.

Establishment and appointment of DPAs

In order to ensure that DPAs apply and enforce EU data protection law in a fair, uniform and impartial manner, certain minimum requirements must be met in terms of their establishment and appointment.

Art.28

Each DPA had to:

  • have the skills and experience necessary to perform the role; and
  • be subject to a duty of professional secrecy.

 Rec.121; Art.53-54

Each DPA must:

  • be created through a transparent procedure;
  • have the skills and experience necessary to perform the role; and
  • be subject to a duty of professional secrecy.

 The changes in the GDPR are unlikely to impact organisations acting in a business context.

The "One-Stop-Shop"

The concept of a "One-Stop- Shop" is found in other areas of regulatory enforcement (e.g., trading standards). The aim of the One-Stop-Shop is to provide a single, uniform decision-making process in circumstances in which multiple regulators have responsibility for regulating the same activity performed by the same organisation in different Member States.

The WP29 has issued Guidelines on Lead DPAs (WP 244) (the "Lead DPA Guidelines") which provide further clarity on how to determine which DPA is the lead DPA for a given controller.

N/A

The Directive did not provide a One-Stop-Shop mechanism. As a result, it was not uncommon for a single organisation to be subject to inconsistent decisions from DPAs across multiple Member States.

 Rec. 124-128; Art.55-56; WP29 Lead DPA Guidelines

Identifying a lead DPA is only relevant where a controller or processor established in the EU is carrying out cross-border processing of personal data (as defined in Article 4(23) of the GDPR). If a controller has establishments in multiple Member States, the DPA for its "main establishment" (i.e., the place where its main processing decisions are taken) will be its lead DPA. The lead DPA has the power to regulate that controller across all Member States (to the extent its data processing activities involve cross-border data processing).

Forum-shopping is not permitted and organisations should be able to demonstrate the basis for claiming a main establishment, taking into account the following factors:

  • where decisions about processing are made;
  • where the power to implement those decisions lies;
  • where the decision-makers with responsibility for the processing are located; and
  • where the relevant entity has its corporate registrations.

 In theory, the "One- Stop-Shop" means greater harmonisation, and a more uniform application of EU data protection law, as an organisation will generally deal with a single lead DPA.

 Whilst the Lead DPA Guidelines encourage informal cooperation between lead and concerned DPAs to reach a mutually acceptable course of action, in practice, it remains to be seen whether DPAs will abide by the requirements of the "One-Stop-Shop" and refrain from attempting to regulate organisations that are subject to another DPA's jurisdiction.

Tasks of DPAs

DPAs are required to perform certain tasks, including monitoring and enforcement of EU data protection law.

Art.28(4)

The tasks of DPAs included obligations to:

  • monitor and enforce the application of the Directive (as implemented under the laws of the relevant Member State); and
  • hear claims brought by data subjects or their representatives, and inform data subjects of the outcome of such claims.

 Rec.122, 123; Art.55, 57

The tasks of DPAs include obligations to:

  • monitor and enforce the application of the GDPR;
  • promote awareness of the risks, rules, safeguards and rights pertaining to personal data (especially in relation to children);
  • advise national and governmental institutions on the application of the GDPR;
  • hear claims brought by data subjects or their representatives, and inform data subjects of the outcome of such claims;
  • establish requirements for Impact Assessments;
  • encourage the creation of Codes of Conduct and review certifications (see Chapter 12);
  • authorise Model Clauses and BCRs (see Chapter 13);
  • keep records of sanctions and enforcement actions (see Chapter 16); and
  • fulfil "any other tasks related to protection of personal data".

 The tasks of DPAs are more broadly defined in the GDPR than in the Directive (in a significant way). However, in the overwhelming majority of cases, these changes likely make little practical difference to organisations acting in a business context.

Powers of DPAs

DPAs have the power to enforce data protection laws at a national level.

Art.28(3)

Each DPA had oversight of processing activities taking place on the territory of its own Member State only.

 Rec.129; Art.58

DPAs are empowered to oversee enforcement of the GDPR, investigate breaches of the GDPR and bring legal proceedings where necessary.

 The legal powers of DPAs are largely unchanged. At a practical level, it is likely that there will continue to be some variation between the practical enforcement powers available to DPAs, due to variations in the national laws of Member States.

Activity reports

In order to ensure fairness and transparency, DPAs are required to draw up and publish regular reports explaining their activities.

Art.28(5)

Each DPA was required to, at regular intervals, draw up a report on its activities. The report had to be made available to the public.

 Art.59

Each DPA must draw up an annual report on its activities. The report must be made available to the public.

 The GDPR essentially replicates the requirements set out in the Directive.

EU-level DPA coordination

In principle, DPAs meet together to agree on important issues and offer guidance on the correct interpretation of EU data protection law. Although this guidance is not legally binding, it is often indicative of the enforcement position that individual DPAs will take.

Art.29

The WP29 was made up of representatives of DPAs from each Member State. Its primary function was to provide advice on the interpretation and application of EU data protection law.

 Art.51(3), 68-76

The EDPB is made up of representatives of DPAs from each Member State. It provides advice, but also takes an active role in enforcing EU data protection law. Where more than one DPA is appointed in a Member State (e.g., in Germany each Bundesland has a DPA) the Member State appoints a single representative to the EDPB.

 In effect, the EDPB replaces the WP29 and assumes the WP29's functions. However, the extent to which the EDPB will play an active role in enforcement proceedings remains uncertain.

DPA cooperation

In order for EU data protection law to operate consistently across all Member States, it is important for DPAs to cooperate with one another (see Chapter 15).

Art.29

DPAs were required to cooperate to the extent necessary to implement and enforce EU data protection law.

 Rec.133, 134; Art.61-62

DPAs are required to cooperate and provide each other with mutual assistance. They also have formal legal authority to carry out joint operations.

 In cases in which organisations are under investigation in multiple Member States, these changes should make the investigation process easier to manage.

 In most other cases, these changes have no practical impact on organisations.

Consistency Mechanism

One of the most significant difficulties organisations face in dealing with DPAs is the inconsistent nature of decisions taken at the national level.

N/A

The Directive offered no formal mechanism for ensuring that DPAs reached decisions that are consistent. As a result, DPAs adopted different positions on the same issue, from time to time.

 Rec. 135-138; Art.4(23), 56, 63-67

Where an organisation engages in cross-border data processing (i.e., processing that affects data subjects in multiple Member States), a DPA that wishes to take action must consult with the other affected DPAs to ensure consistency in the application of the GDPR.

 For any organisation that operates in multiple Member States, the Consistency Mechanism is a positive development, as it should result in a more uniform application of EU data protection law to the processing operations of that organisation.

   

Commentary: The role and function of DPAs

DPAs are responsible for enforcing EU data protection law. They (together with the EDPB) also provide guidance on the interpretation of that law. While such guidance is not legally binding, it is strongly indicative of the enforcement position that DPAs are likely to take.

DPAs are appointed by each Member State. Some Member States (e.g., Germany) appoint multiple DPAs in a federal structure. Others (e.g., Denmark) appoint separate public bodies with responsibility for enforcing different aspects of data protection law.

Most organisations tend not to deal directly with a DPA unless a complaint has been made regarding that organisation, or a serious breach of the law has occurred. When dealing with DPAs, it is important for an organisation to ensure that it has legal advisors who are both experienced in the field and familiar with the operations of DPAs.

Commentary: The Consistency Mechanism

Where a DPA takes a decision that only affects the processing of personal data on the territory of its own Member State (e.g., where an organisation only operates within that Member State) the Consistency Mechanism does not apply. However, where a DPA takes a decision affecting processing across multiple Member States, that decision must be notified to the EDPB, which must then produce an opinion on the decision within eight weeks (extended to 14 weeks in complex cases). (In exceptional circumstances, a DPA can take emergency measures lasting up to three months without going through the Consistency Mechanism).

In principle, the Consistency Mechanism will ensure that organisations will face consistent compliance requirements across the Member States in which they do business. However, in practice there is a risk that the EDPB will face large numbers of requests from Concerned DPAs in a very short space of time, and this may lead to inconsistent application of the relevant principles. In addition, organisations and data subjects have no direct voice in the Consistency Mechanism, which may lead to difficulties in ensuring transparency in the process.

Example: Qualifying for the One-Stop-Shop

Q. Organisation A would like to qualify for the One-Stop-Shop (because it would like to simplify its EU data protection compliance obligations by dealing with a single DPA, as far as possible). Organisation A is headquartered in New York, and has EU operations in the UK, France, Germany and Spain. Most of its data processing operations take place on a "cloud" platform, rather than at individual locations. How can Organisation A qualify for the One-Stop-Shop?

A. In order to qualify for the One-Stop-Shop, Organisation A will need to have a "place of main establishment" in the EU (i.e., a headquarters for its operations in the EU, or a location at which it takes decisions regarding processing activities in the EU). If Organisation A does not have a place of main establishment in the EU, it will not qualify for the One-Stop-Shop, and will instead continue to deal with the DPA of each Member State in which it operates.

   

   

NEXT CHAPTER
Chapter 15: Cooperation and consistency

 

Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law

Foreword

Chapter 1: Introduction

Chapter 2: Complying with the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Lawful basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact Assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Glossary

Our Global Data, Privacy & Cyber Security Practice

White & Case Technology Newsflash

 

If you would like to request a hard copy of this Handbook, please do so here.

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP