
Powers of control

• to monitor and promote data protection at the national level;

• to advise data subjects and controllers as well as the government and the public at large;

• to hear complaints and assist data subjects with alleged violations of data protection rights;

• to supervise controllers and processors.

Powers of intervention

Supervisory authorities also have the power to intervene if necessary by:

• warning, reprimanding or even fining controllers and processors;

• ordering data to be rectified, blocked or deleted;

• imposing a ban on processing or an administrative fine;

• referring matters to court.

As personal data processing often involves controllers, processors and data subjects located in different states, supervisory authorities are required to cooperate with other supervisory authorities in Europe. A cooperation mechanism will allow for a coordinated approach between all the supervisory authorities involved in the case. The lead supervisory authority – of the main or single establishment – will consult the other concerned supervisory authorities and submit its draft decision to them. The supervisory authority of each Member State and the European Data Protection Supervisor (EDPS) will be part of the European Data Protection Board.

Also, EU law and CoE law require each supervisory authority to act with complete independence in performing its tasks and when exercising its powers. The independence of the supervisory authority and its members is fundamental in guaranteeing full objectivity when deciding on data protection matters. Several examples and case law show and explain the CJEU’s definition of ‘complete independence’.

Article 69 - Independence (GDPR)

The Board shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.

Without prejudice to requests by the Commission referred to in Article 70(1) and (2), the Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.

Article 58 (GDPR), on the other hand, stipulates the three powers of the supervisory authorities: investigative powers; corrective powers; authorisation and advisory powers.

As controllers’ and processors’ activities are often cross-border and data processing affects data subjects located in multiple Member States, the question arises concerning the division of competences between the different supervisory authorities. Article 56 GDPR meets this need:

Lead authority for cross-border processing: When a business (controller or processor) processes personal data in more than one member state, a single supervisory authority must act as “lead authority” to oversee such cross-border processing activities. This lead authority is responsible for coordinating GDPR supervision and enforcement activities with respect to the company in question.

Determination of the lead authority: The lead authority shall be determined on the basis of the principal place of business of the data controller or processor, or the place where the main decisions concerning data processing are made. If the company has multiple main offices, the lead authority will be that of the member state where the office making the main decisions regarding data processing is located.

Role of the lead authority: The lead authority is responsible for managing and coordinating investigations and taking the necessary corrective measures. It acts in close cooperation with the other supervisory authorities concerned, which are those in the member states where the data subjects reside or where the processing activity has significant effects.

Cooperation between supervisory authorities: Supervisory authorities must cooperate closely and exchange all relevant information to ensure consistent application of the GDPR. The lead authority must follow the procedure set forth in Articles 60 et seq. of the GDPR to ensure that decisions are agreed upon among all supervisory authorities concerned.

The GDPR establishes a general framework for cooperation between supervisory authorities and provides more specific rules on the cooperation of supervisory authorities in cross-border data processing activities:

- Mutual assistance
- Sharing of relevant information
- Joint operations, investigations and enforcement measures

The regulation establishes a ‘one-stop-shop mechanism’ and includes provisions mandating cooperation between different supervisory authorities.

Art. 60 of the GDPR introduces the one-stop-shop principle, which applies if:

- the data controller (or processor) operates in several states of the European Union;
- the processing of data, even if carried out by a data controller based in a single State, substantially affects the data subjects residing in more than one EU Member State.

Since the objective of the European regulation is to harmonize the rules and their application in the territory of the Union, companies deal with a single supervisory authority, i.e. that of the country where they have their head office, rather than with the authorities of 28 European states. The decision taken by the national supervisory authority also applies to other EU countries. This principle, strongly desired by businesses, leads to a simplification of procedures and should ensure greater consistency of decisions. There are, however, also negative aspects: for example, it allows the company to choose the supervisory authority with which it will deal, since it can decide where to establish its headquarters within the territory of the Union. Therefore this principle can lead to greater difficulties for citizens, whose complaints can be addressed to the authority of the country where the company is based, which could be different from the country of residence of the citizen who believes he has been wronged. Citizens may therefore encounter difficulties due to distance (and language difference) in asserting their rights. Furthermore, this principle is also in contrast with the principles underlying the legislation aimed at protecting consumers, which entails the competence of a judge at the residence of the consumer. All that ends up fueling the idea of a bureaucratic Europe far from the citizens. For this reason the principle was partly tempered.

The GDPR also provides for the EDPB (European Data Protection Board): The European Data Protection Board (EDPB) is another important actor in ensuring that data protection rules are applied effectively and consistently throughout the EU. The GDPR established the EDPB as an EU body with legal personality. Similar to the Working Party, the EDPB comprises the heads of the supervisory authorities of each Member State and the EDPS, or their representatives. The EDPS enjoys equal voting rights, with the exception of cases related to dispute resolution, where it may vote only on decisions concerning principles and rules applicable to EU institutions which correspond in substance with those of the GDPR.

The EDPB’s tasks are detailed in Art. 64, 65 and 70 of the GDPR and include comprehensive duties which can be divided into three main activities:

- Consistency
- Consultation
- Guidance

For example, the tasks of the European Data Protection Board include monitoring the correct application of the regulation, advising the Commission on relevant issues, and issuing opinions, guidelines or best practices on a variety of topics.

EDPB decisions may be challenged before the CJEU.

The main difference with the European Data Protection Supervisor (EDPS) is that the European Data Protection Board (EDPB) will not only issue opinions; it will also issue binding decisions regarding cases where a supervisory authority has raised a relevant and reasoned objection in cases of one-stop-shops; where there are conflicting views on which of the supervisory authorities is the lead; and, finally, where the competent supervisory authority does not request or does not follow the opinion of the EDPB. The objective is to ensure a consistent application of the regulation throughout the Member States.

The GDPR establishes a consistency mechanism to ensure the regulation is consistently applied throughout the Member States, whereby the supervisory authorities cooperate with each other and, where relevant, with the Commission. The consistency mechanism is used in two situations:

- where a competent supervisory authority intends to adopt measures, such as a list of processing operations requiring a Data Protection Impact Assessment (DPIA), or to determine standard contractual clauses;
- binding decisions for supervisory authorities in one-stop-shop cases and where a supervisory authority does not follow or does not request an opinion from the EDPB.

Specific type of data and their protection rules

In several instances, special legal instruments have been adopted at European level to apply the general rules of Modernised Convention 108 or of the General Data Protection Regulation in specific situations such as:

Electronic communications: The processing of personal data relating to the delivery of communications services at the EU level is regulated in the Directive on privacy and electronic communications. Confidentiality of electronic communications relates not only to the content of a communication but also to metadata, such as information about who communicated with whom, when and for how long, and location data, such as where the data were communicated from. The Directive on privacy and electronic communications distinguishes three main categories of data generated in the course of a communication:

- the data constituting the content of the messages sent during communication – these data are strictly confidential;
- the data necessary for establishing and maintaining the communication – so-called metadata, referred to as “traffic data” in the directive – such as information about the communication parties, time and duration of the communication;
- within the metadata, there are data specifically relating to the location of the communication device, so-called location data.

The 2009 amendments to the same directive (the e-Privacy Directive) introduced the following:

1. The restrictions on sending emails for direct marketing purposes were extended to short message services, multimedia messaging services and other kinds of similar applications; marketing emails are prohibited unless prior consent was obtained. Without such consent, only previous customers may be approached with marketing emails, if they have made their email address available and do not object.
2. An obligation was placed on Member States to provide judicial remedies against violations of the ban on unsolicited communications.
3. Setting of cookies, software that monitors and records a computer user’s actions, is no longer allowed without the computer user’s consent.

In January 2017, the European Commission adopted a new proposal for an e-Privacy

Details

SSD: Legal sciences, IUS/01 Private law

The contents of this page are personal reworkings by the Publisher ciccio2320 of information learned by attending the Data law lectures and through independent study of any reference books in preparation for the final exam or thesis. They are not to be regarded as official material of the Università degli Studi di Catania or of Prof. Amore Giuliana.