EDPB contribution to the evaluation of the GDPR
- Articles and memoranda
- Posted 20.04.2020
The European Data Protection Board (“EDPB”) and the national supervisory authorities (“SAs”) have reviewed and evaluated the GDPR1 . Since May 2018, they have observed a satisfying harmonisation of the data protection principles and a reinforcement of the data subject’s awareness of their rights (see the EDPB contribution adopted on 18 February 2020 here).
The EDPB has outlined difficulties in relation to the cooperation and consistency mechanism due to the differences in national procedures. It has concluded that it is premature to revise the GDPR and rather calls for the EU legislators to focus on the adoption of an e-Privacy Regulation.
Adequacy decisions2 remain important to cover personal data transfers outside of the EEA. But there is a pressing need to update the existing set of Standard Contractual Clauses (SCCs) to meet the GDPR requirements and to cover new transfer scenarios (e.g. processor-to-processor transfers)3 . Meanwhile, the EDPB is currently working on other appropriate safeguards4 .
The EDPB has also stressed that the effective implementation of the GDPR depends on the resources of the SAs. In this respect, the CNPD (“Commission Nationale pour la Protection des Données”), among few other SAs (CY, CZ, DK, HR, HU, NO, SE and UK), stated that it has enough resources to perform its missions.
Key Facts and numbers5
- Complaints6 received by national SAs:
- Rank 1: Germany 66,965
- Rank 2: UK 64,667
- Rank 3: Netherlands 37,275
- Rank 23: Luxembourg 926
- Personal Data breaches notified to SAs:
- Rank 1: Germany 45,561
- Rank 2: Netherlands 37,413
- Rank 3: UK 21,000
- Rank 17: Luxembourg 498
- Corrective powers used by the CNPD7 :
- - Order to comply with data subject's requests (Art. 58(2)(c) GDPR)
- - Order of rectification or erasure or restriction of processing (Art. 58(2)(g) GDPR)
- Administrative fines relate to violation of the:
- - principles relating to processing of personal data (Art. 5 GDPR)
- - lawfulness of processing (Art. 6 GDPR)
- - valid consent (Art. 7 GDPR)
- - processing of special categories of personal data (Art. 9 GDPR)
- - transparency and rights of the data subjects (Art. 12 to 22 GDPR)
- - security of processing and data breaches (Art. 32 to 34 GDPR)
- Circumstances most frequently taken into account to impose a fine are the:
- - degree of cooperation with the SAs
- - systematic/repetitive nature of the infringement
- - intentional action
- - measures taken to remedy the problem or to avoid future infringements
- - nature and duration of the infringement
- - previous infringements by the same controller
- - nature of the controller (e.g. a professional in the industry, an entity under great public attention)
- - categories of personal data affected
- - the number of affected data subjects
This may also interest you :
- EDPB published standard clauses for (sub-)processing activity
- CNIL - French Data Protection Supervisory Authority’s strategy for 2020
1 | Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). | |||
2 | An adequacy decision permits data transfers or onward transfer outside the EEA. | |||
3 | SCCs adopted under the Directive 95/46/CE remain in force under the GDPR until amended, replaced or repealed, but those SCCs do not take into account the evolutions brought by the GDPR, in particular the processor obligations under Article 28 GDPR. | |||
4 | binding corporate rules, codes of conduct, certification mechanisms and administrative arrangements for transfers between public authorities. | |||
5 | between May 25th 2018 and November 30th 2019. | |||
6 | Considered as a complaint are generally all submissions to a SA by an identified natural person or a not-for-profit body, organisation or association that fulfils the conditions provided by Article 80 GDPR, who considers that the processing of personal data relating to him or her infringes the GDPR. | |||
7 | 22 SAs issued approximately 785 fines altogether. The CNPD is one of the 8 SAs which has not issued any administrative fine since 30 November 2019. | |||