Chapter 14: Data Protection Authorities – Unlocking the EU General Data Protection Regulation

Overview

Why does this topic matter to organisations?

National Data Protection Authorities ("DPAs") are appointed to implement and enforce data protection law, and to offer guidance. As set out in Chapter 16, DPAs have significant enforcement powers, including the ability to issue substantial fines. Understanding the role and responsibilities of DPAs is vital to achieving compliance.

What types of organisations are most affected?

The nature of an organisation's business, and the sector in which it operates, makes no difference to the ability of DPAs to enforce the law against that organisation. DPAs have the power and authority to regulate all organisations and all forms of business activity, to the extent that personal data are processed.

What should organisations do to prepare?

The appropriate preparations depend on the nature of the organisation's business:

  • organisations that operate in multiple Member States will need to carefully consider their options in relation to establishment and the "One-Stop-Shop".
  • organisations that only operate in a single Member State (and only process personal data of residents of that Member State) are unlikely to notice significant differences in their interactions with DPAs.

The impact of each GDPR change is indicated below by the labels "does not materially change" or "materially changes" (for the change from the Directive to the GDPR) and "positive", "negative", "neutral" or "unknown at this stage" (for the effect on organisations).

Detailed analysis

For each issue below, the position under the Directive and the position under the GDPR are set out with the relevant Recitals and Articles, followed by the impact of the change on organisations.

Responsibilities of DPAs

DPAs are responsible for enforcing data protection laws at a national level, and providing guidance on the interpretation of those laws.

The Directive (Art.28): Each Member State is required to appoint one or more DPAs to implement the Directive and protect the rights and freedoms of individuals.

The GDPR (Rec.117; Art.51; does not materially change): Each Member State is required to appoint one or more DPAs to implement the Regulation and protect the rights and freedoms of individuals.

Impact (positive): The primary roles and responsibilities of DPAs do not significantly change. Organisations can largely rely on their existing experience of interactions with DPAs.

Jurisdiction

Each DPA is appointed at a national level, through national legislation. Its jurisdiction and enforcement powers are largely restricted to the territory of its own Member State.

The Directive (Art.28): Each DPA has oversight of processing activities taking place on the territory of its own Member State only.

The GDPR (Rec.124; Art.51, 55, 56; materially changes): Each DPA can only exercise its powers on the territory of its own Member State but, under the "One-Stop-Shop" (see below), the DPA's regulatory actions may affect processing that occurs in other Member States.

Impact (negative): Organisations that operate across multiple Member States will face a new set of challenges in their interactions with DPAs.

Impact (neutral): Organisations that operate only within a single Member State, and only process personal data of residents of that Member State, will be largely unaffected.

Independence

DPAs must be free from all outside influences, including government control.

The Directive (Art.28(1)): Each DPA must act with complete independence in carrying out its functions.

The GDPR (Rec.117, 118 & 121; Art.52; does not materially change): Each DPA must act with complete independence in carrying out its functions.

Impact (neutral): The GDPR essentially replicates the requirements set out in the Directive, albeit in greater detail.

Establishment and appointment of DPAs

In order to ensure that DPAs apply and enforce EU data protection law in a fair, uniform and impartial manner, certain minimum requirements must be met in terms of their establishment and appointment.

The Directive (Art.28): Each DPA must:

  • have the skills and experience necessary to perform the role; and
  • be subject to a duty of professional secrecy.

The GDPR (Rec.121; Art.53-54; materially changes): Each DPA must:

  • be created through a transparent procedure;
  • have the skills and experience necessary to perform the role; and
  • be subject to a duty of professional secrecy.

Impact (neutral): The changes in the GDPR are unlikely to impact organisations acting in a business context.

The "One-Stop-Shop"

The concept of a "One-Stop-Shop" is found in other areas of regulatory enforcement (e.g., trading standards). The aim of the One-Stop-Shop is to provide a single, uniform decision-making process in circumstances in which multiple regulators have responsibility for regulating the same activity performed by the same organisation in different Member States.

The WP29 has issued Guidelines on Lead DPAs (WP 244) (the "Lead DPA Guidelines") which provide further clarity on how to determine which DPA is the lead DPA for a given controller.

The Directive (N/A): The Directive does not provide a One-Stop-Shop mechanism. As a result, it is not uncommon for a single organisation to be subject to inconsistent decisions from DPAs across multiple Member States.

The GDPR (Rec. 124-128; Art.55-56; WP29 Lead DPA Guidelines; materially changes): Identifying a lead DPA is only relevant where a controller or processor established in the EU is carrying out cross-border processing of personal data (as defined in Article 4(23) of the GDPR). If a controller has establishments in multiple Member States, the DPA for its "main establishment" (i.e., the place where its main processing decisions are taken) will be its lead DPA. The lead DPA has the power to regulate that controller across all Member States (to the extent its data processing activities involve cross-border data processing).

Forum-shopping is not permitted and organisations should be able to demonstrate the basis for claiming a main establishment, taking into account the following factors:

  • where decisions about processing are made;
  • where the power to implement those decisions lies;
  • where the decision-makers with responsibility for the processing are located;
  • where the relevant entity has its corporate registrations.

Impact (positive): In theory, the "One-Stop-Shop" will mean greater harmonisation, and the more uniform application of EU data protection law, as an organisation will generally deal with a single lead DPA.

Impact (unknown at this stage): Whilst the Lead DPA Guidelines encourage informal cooperation between lead and concerned DPAs to reach a mutually acceptable course of action, in practice, it remains to be seen whether DPAs will abide by the requirements of the "One-Stop-Shop" and refrain from attempting to regulate organisations that are subject to another DPA's jurisdiction.

Tasks of DPAs

DPAs are required to perform certain tasks, including monitoring and enforcement of EU data protection law.

The Directive (Art.28(4)): The tasks of DPAs include obligations to:

  • monitor and enforce the application of the Directive (as implemented under the laws of the relevant Member State); and
  • hear claims brought by data subjects or their representatives, and inform data subjects of the outcome of such claims.

The GDPR (Rec.122, 123; Art.55, 57; materially changes): The tasks of DPAs include obligations to:

  • monitor and enforce the application of the GDPR;
  • promote awareness of the risks, rules, safeguards and rights pertaining to personal data (especially in relation to children);
  • advise national and governmental institutions on the application of the GDPR;
  • hear claims brought by data subjects or their representatives, and inform data subjects of the outcome of such claims;
  • establish requirements for Impact Assessments;
  • encourage the creation of Codes of Conduct and review certifications (see Chapter 12);
  • authorise Model Clauses and BCRs (see Chapter 13);
  • keep records of sanctions and enforcement actions (see Chapter 16); and
  • fulfil "any other tasks related to protection of personal data".

Impact (neutral): The tasks of DPAs are significantly more broadly defined in the GDPR than in the Directive. However, in the overwhelming majority of cases, these changes will make little practical difference to organisations acting in a business context.

Powers of DPAs

DPAs have the power to enforce data protection laws at a national level.

The Directive (Art.28(3)): Each DPA has oversight of processing activities taking place on the territory of its own Member State only.

The GDPR (Rec.129; Art.58; does not materially change): DPAs are empowered to oversee enforcement of the GDPR, investigate breaches of the GDPR and bring legal proceedings where necessary.

Impact (neutral): The legal powers of DPAs are largely unchanged. At a practical level, it is likely that there will continue to be some variation between the practical enforcement powers available to DPAs, due to variations in the national laws of Member States.

Activity reports

In order to ensure fairness and transparency, DPAs are required to draw up and publish regular reports explaining their activities.

The Directive (Art.28(5)): Each DPA must, at regular intervals, draw up a report on its activities. The report must be made available to the public.

The GDPR (Art.59; does not materially change): Each DPA must draw up an annual report on its activities. The report must be made available to the public.

Impact (neutral): The GDPR essentially replicates the requirements set out in the Directive.

EU-level DPA coordination

In principle, DPAs meet together to agree on important issues and offer guidance on the correct interpretation of EU data protection law. Although this guidance is not legally binding, it is often indicative of the enforcement position that individual DPAs will take.

The Directive (Art.29): The WP29 is made up of representatives of DPAs from each Member State. Its primary function is to provide advice on the interpretation and application of EU data protection law.

The GDPR (Art.51(3), 68-76; materially changes): The EDPB is made up of representatives of DPAs from each Member State. It provides advice, but also takes an active role in enforcing EU data protection law. Where more than one DPA is appointed in a Member State (e.g., in Germany each Bundesland has a DPA) the Member State appoints a single representative to the EDPB.

Impact (neutral): In effect, the EDPB replaces the WP29 and assumes the WP29's functions. However, the extent to which the EDPB will play an active role in enforcement proceedings remains uncertain.

DPA cooperation

In order for EU data protection law to operate consistently across all Member States, it is important for DPAs to cooperate with one another (see Chapter 15).

The Directive (Art.29): DPAs are required to cooperate to the extent necessary to implement and enforce EU data protection law.

The GDPR (Rec.133, 134; Art.61-62; materially changes): DPAs are required to cooperate and provide each other with mutual assistance. They also have formal legal authority to carry out joint operations.

Impact (positive): In cases in which organisations are under investigation in multiple Member States, these changes should make the investigation process easier to manage.

Impact (neutral): In most other cases, these changes have no practical impact on organisations.

Consistency Mechanism

One of the most significant difficulties organisations face in dealing with DPAs is the inconsistent nature of decisions taken at the national level.

The Directive (N/A): The Directive offers no formal mechanism for ensuring that DPAs reach decisions that are consistent. As a result, DPAs take different positions on the same issue, from time to time.

The GDPR (Rec. 135-138; Art.4(23), 56, 63-67; materially changes): Where an organisation engages in cross-border data processing (i.e., processing that affects data subjects in multiple Member States), a DPA that wishes to take action must consult with the other affected DPAs to ensure consistency in the application of the GDPR.

Impact (positive): For any organisation that operates in multiple Member States, the Consistency Mechanism is a positive development, as it should result in a more uniform application of EU data protection law to the processing operations of that organisation.

Further analysis

Commentary: The role and function of DPAs

DPAs are responsible for enforcing EU data protection law. They (together with the WP29/EDPB) also provide guidance on the interpretation of that law. While such guidance is not legally binding, it is strongly indicative of the enforcement position that DPAs are likely to take.

DPAs are appointed by each Member State. Some Member States (e.g., Germany) appoint multiple DPAs in a federal structure. Others (e.g., Denmark) appoint separate public bodies with responsibility for enforcing different aspects of data protection law.

Most organisations tend not to deal directly with a DPA unless a complaint has been made regarding that organisation, or a serious breach of the law has occurred. When dealing with DPAs, it is important for an organisation to ensure that it has legal advisors who are both experienced in the field and familiar with the operations of DPAs.

Commentary: The Consistency Mechanism

Where a DPA takes a decision that only affects the processing of personal data on the territory of its own Member State (e.g., where an organisation only operates within that Member State) the Consistency Mechanism does not apply. However, where a DPA takes a decision affecting processing across multiple Member States, that decision must be notified to the EDPB, which must then produce an opinion on the decision within 8 weeks (extended to 14 weeks in complex cases). (In exceptional circumstances, a DPA can take emergency measures lasting up to three months without going through the Consistency Mechanism).

In principle, the Consistency Mechanism will ensure that organisations will face consistent compliance requirements across the Member States in which they do business. However, in practice there is a risk that the EDPB will face large numbers of requests from Concerned DPAs in a very short space of time, and this may lead to inconsistent application of the relevant principles. In addition, organisations and data subjects have no direct voice in the Consistency Mechanism, which may lead to difficulties in ensuring transparency in the process.

Example: Qualifying for the One-Stop-Shop

Q. Organisation A would like to qualify for the One-Stop-Shop (because it would like to simplify its EU data protection compliance obligations by dealing with a single DPA, as far as possible). Organisation A is headquartered in New York, and has EU operations in the UK, France, Germany and Spain. Most of its data processing operations take place on a "cloud" platform, rather than at individual locations. How can Organisation A qualify for the One-Stop-Shop?

A. In order to qualify for the One-Stop-Shop, Organisation A will need to have a "place of main establishment" in the EU (i.e., a headquarters for its operations in the EU, or a location at which it takes decisions regarding processing activities in the EU). If Organisation A does not have a place of main establishment in the EU, it will not qualify for the One-Stop-Shop, and will instead continue to deal with the DPA of each Member State in which it operates.

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP