Source: edpb.europa.eu
EVALUATION OF THE GDPR UNDER ARTICLE 97 – QUESTIONS TO DATA PROTECTION AUTHORITIES /
EUROPEAN DATA PROTECTION BOARD
ANSWERS FROM THE GERMAN SUPERVISORY AUTHORITIES
The General Data Protection Regulation (’GDPR’) entered into application on 25 May 2018, repealing
and replacing Directive 95/46/EC. The GDPR aims to create a strong and more coherent data
protection framework in the EU, backed by strong enforcement. The GDPR has a two-fold objective.
The first one is to protect fundamental rights and freedoms of natural persons and in particular their
right to the protection of personal data. The second one is to allow the free flow of personal data and
the development of the digital economy across the internal market.
According to Article 97 of the GDPR, the Commission shall submit a first report on the evaluation and
review of the Regulation to the European Parliament and the Council. That report is due by 25 May
2020, followed by reports every four years thereafter.
In this context, the Commission shall examine, in particular, the application and functioning of:
• Chapter V on the transfer of personal data to third countries or international organisations with
particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions
adopted on the basis of Article 25(6) of Directive 95/46/EC; and
• Chapter VII on cooperation and consistency.
The GDPR requires that the Commission take into account the positions and findings of the European
Parliament and the Council, and of other relevant bodies and sources. The Commission may also
request information from Member States and supervisory authorities. As questions related to Chapter
VII concern more directly the activities of the DPAs, the present document focuses primarily on that
aspect of the evaluation, while also seeking their feedback on Chapter V related issues.
We would be grateful to get the replies to the questions (in English) by 15 January 2019, at the
following e-mail address: JUST-EDPB@ec.europa.eu.
Please note that your replies might be made public.
When there are several DPAs in a given Member State, please provide a consolidated reply at national
level. In the context of the preparation of the evaluation report, and following the input from other
stakeholders, it is not excluded that we might have additional questions at a later stage.
I. CHAPTER V
The GDPR provides that the adequacy decisions adopted by the Commission under Directive 95/46
remain in force under the GDPR until amended, replaced or repealed. In that context, the Commission
is tasked to continuously monitor and regularly evaluate the level of protection guaranteed by such
decisions. The 2020 evaluation provides a first opportunity to evaluate the 11 adequacy decisions
adopted under the 1995 Directive. This does not include the decision on the Privacy Shield that is
subject to an ad hoc annual review process and the Japanese adequacy decision that was adopted
last year under the GDPR and is also subject to a specific evaluation exercise (the first one will be in
2021).
1. Has any stakeholder raised with your authority any particular question or concern regarding any
of the adequacy decisions adopted under the 1995 Directive (with the exception of the EU-US
adequacy decision which is not covered by this evaluation process)?
DE SAs answer Yes, a few of the German DPAs received inquiries regarding the scope and
content of adequacy decisions relating to Canada, Israel, Japan and/or
Switzerland.
2. Does your authority have any information on the developments of the data protection system of
any of the countries/territories subject to a Commission adequacy decision under the 1995
Directive that you would consider relevant for the Commission’s evaluation?
DE SAs answer The majority of German DPAs do not have any verified information on this
subject. However, one German DPA stated that, as a member of the “Five Eyes”
intelligence alliance (UK/USA Agreement), Canada allegedly uses controversial
methods (https://en.wikipedia.org/wiki/Five_Eyes), which could affect the
adequacy decision.
3. In your view, should any third country or international organisation be considered by the
Commission in view of a possible adequacy decision?
DE SAs answer In the case of Brexit, the United Kingdom should be considered in view of a
possible adequacy decision. In addition, the United Nations should be
considered, since one German DPA received many questions from public bodies
regarding the transfer of personal data to the United Nations and their
specialized agencies.
Regarding the amount of data flows from the EU and the ongoing data
protection reform, it could be interesting to consider, amongst others, Australia
and India as a third country and further consider the data protection situation in
China and Russia.
II. CHAPTER VII
The GDPR provided for one single set of data protection rules for the EU (by a Regulation) and one
interlocutor for businesses and one interpretation of those rules. This “one law one interpretation”
approach is embodied in the new cooperation mechanism and consistency mechanisms. In order to
cooperate effectively and efficiently, the GDPR equips the Data Protection Authorities (hereafter the
DPA/DPAs) with certain powers and tools (like mutual assistance, joint operations). Where a DPA
intends to adopt a measure producing effects in more than one Member State, the GDPR provides for
a consistency mechanism with the power to ask for opinions of the European Data Protection Board
(EDPB) on the basis of Article 64(1) and (2) GDPR. In addition, in situations where the endeavour to
reach consensus in the cases of one-stop shop (OSS) does not work (i.e. there is a dispute between
the DPAs in specific cases), the EDPB is empowered to solve the dispute through the adoption of
binding decisions.
In this context, the Commission finds it appropriate to request the views of the DPAs / EDPB on their
first experiences on the application of the cooperation and consistency mechanisms. To this aim, the
Commission established the list of questions below, in order to help the DPAs frame their input. It
is understood that the Commission is also interested in any comments the DPAs may have which
go beyond the answers to the questions and which concern the application of the two above-
mentioned mechanisms.
1. Cooperation Mechanism
1.1. OSS – Article 60
a. Has your DPA been involved in any OSS cases? If so, in how many cases since May 2018?
DE SAs answer Yes, for details please refer to the figures to be provided by the EDPB Secretariat,
as agreed on occasion of the Cooperation ESG meeting on 20-21 November
2019.
b. Did you encounter any problems/obstacles in your cooperation with the lead/concerned
DPA? If yes, please describe them.
DE SAs answer The majority of German DPAs stated that they have encountered the following
problems/obstacles in their cooperation with lead/concerned DPAs:
• Duration of procedures/long settlement procedures: In many cases LSAs
would not submit a draft decision without delay (Art. 60(3) GDPR)
(probably for reasons of lacking personal resources), or only after
repeated requests. However, in some cases, even after a period of
several months, no draft decisions have been submitted by the LSA to
date. Overall, there seems to be a lack of draft
decisions that should be submitted by LSAs without delay, especially in
cases concerning large scale data processing by big companies. In some
cases, LSAs tried to avoid draft decisions by asking German DPAs if they
would agree to an informal procedure.
• The GDPR does not grant the CSAs procedural rights until a draft
decision is submitted by the LSA. If a procedure is protracted, the CSA
has no possibility to influence the proceeding beforehand. The CSA is
only informed on intermediate results with regard to the procedure, but
not with regard to the content. Complainants often react to this with a
lack of understanding.
• German DPAs have encountered some difficulties with assumed LSAs
not responding to Article 56 procedures in the IMI system or not
handling the case due to “internal policy reasons” despite having
acknowledged to be LSA. In some cases, the assumed LSAs did not react
at all. In other cases, the assumed LSA refused to act as LSA, but then
had to correct this decision. Another German DPA stated that not all
cases were accepted; some LSAs see an obligation only for
complaint-based cases, not for media reports etc.
• National procedural rules can be in conflict with GDPR rules (e.g.
national amicable settlements).
• Information on case progress is not always available: Sometimes when
asking the LSA to give an update on the case or respond to queries
regarding the further procedure, no answers are provided, especially if
we try it via Article 61 GDPR Voluntary Mutual Assistance in IMI.
However, in accordance with Article 78 (2) GDPR the data subject needs
to be informed every 3 months on the progress/further proceeding of
the case. It is therefore difficult to fully comply with this obligation.
• Problems were also identified in the identification of the LSA: If a
controller has more than one establishment in the EU, it is often not
possible to determine which is the main establishment. In the procedure
according to Article 56 GDPR, relevant supervisory authorities
sometimes do not react, so that further proceedings are not possible.
• Sometimes LSAs reject complaints on the grounds of inadmissibility
although the CSA with which the complaint was lodged has already
deemed those complaints to be admissible.
• Translation issues: Sometimes LSAs do not provide documents in
English.
• German Single Contact Point: During the initial phase of IMI as a tool for
the cooperation procedure, in some instances, the LSA did not involve
German SAs in the Article 60 procedure (e.g. draft decision) although
those SAs had flagged themselves as CSAs. Those irregularities have
almost entirely faded out during the last couple of months. Also in the
early days of IMI, some LSAs failed to create case register entries after
confirming their status as LSAs.
• German DPAs sometimes have problems with cases that started
(shortly) before entry into force of the GDPR (25 May 2018) but are still
ongoing (for example personal data that is not erased and therefore still
stored by a company). Some LSAs refused to act in such cases since their
national law does not allow them to treat pre-GDPR cases, even if the
case would have been transferred to the authority in pre-GDPR times to
assess in their own competence since the controller was always located
in that country.
c. How would you remedy these problems?
DE SAs answer With regard to the remedy of the problems/obstacles described
under II. 1.1. b, the majority of German DPAs stated that all DPAs
should have a common understanding of the requirements set out in
Article 60 GDPR. It could be useful to mandate an expert subgroup
within the EDPB that identifies problems and obstacles within the
OSS mechanism and proposes practical solutions in a structured
manner, i.e. the adoption of guidelines. Although some of these
issues are already being worked on in EDPB subgroups, e.g. the
Cooperation ESG or the IT-User ESG, these only target issues
whenever they come up. This way it is difficult to see the bigger
picture.