GDPR: EU Institutions and bodies
by Andrey Prozorov, CISM
09.10.2019
EU Institutions and bodies
1. European Parliament (EP)
2. European Commission (EC)
3. European Council (EUCO)
4. Council of the European Union
(the Council)
5. Council of Europe (CoE)
6. European Court of Human
Rights (ECHR)
7. European Court of Justice (ECJ)
1. Supervisory authority (SA) /
Data Protection Authority (DPA)
2. Article 29 Working Party
(WP29)
3. European Data Protection
Board (EDPB, the Board)
4. European Data Protection
Supervisor (EDPS)
*EU Institutions (7) are listed in Article 13 of the Treaty on European Union: the European Parliament, the European
Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the
European Central Bank and the Court of Auditors.
By Andrey Prozorov 2
European Parliament (EP)
• The European Parliament (EP) is the legislative branch of the European Union and one of its seven
institutions. Together with the European Commission and the Council of the European Union ('the
Council', which should not be confused with the European Council and the non-EU Council of
Europe organisation) it exercises the tripartite legislative function of the European Union.
• Since 1979, it has been directly elected every five years by European Union citizens.
• The Parliament is composed of 751 members (MEPs).
• The President of the European Parliament (Parliament's speaker) is David Sassoli (PD), elected in
July 2019. The president's signature is required for enacting most EU laws and the EU budget.
Presidents serve 2.5 year terms.
• Key responsibilities: (1) legislative development, (2) development of the budget (3) supervisory
oversight of other institutions (especially European Commission), (4) democratic representation.
• The European Parliament has three places of work: Brussels (Belgium), Luxembourg City
(Luxembourg) and Strasbourg (France). Luxembourg City is home to the administrative offices
(the "General Secretariat"). Meetings of the whole Parliament ("plenary sessions") take place in
Strasbourg and in Brussels. Committee meetings are held in Brussels.
• www.europarl.europa.eu
European Commission (EC)
• The European Commission (EC) is the executive branch of the European Union, responsible for
proposing legislation, implementing decisions, upholding the EU treaties and managing the day-
to-day business of the EU.
• Unlike in the Council of the European Union, where members are directly and indirectly elected,
and the European Parliament, where members are directly elected, the Commissioners are
proposed by the Council of the European Union, on the basis of suggestions made by the national
governments, and then appointed by the European Council after the approval of the European
Parliament.
• The Commission is steered by a group of 28 Commissioners, known as 'the college' (informally
known as "commissioners"). Together they take decisions on the Commission's political and
strategic direction. A new college of Commissioners is appointed every 5 years.
• The Commission is based in Brussels and Luxembourg.
• ec.europa.eu
European Commission (EC) and GDPR
• EC ensures appropriate publicity for the approved Codes of conduct and certification mechanisms (Art.40-41)
• EC adopts implementing acts laying down technical standards for certification mechanisms and data protection
seals and marks (Art.42-43)
• EC decides that a third country (or specified territory) ensures an adequate level of protection (103, Art.45)
• EC publishes in the Official Journal of the European Union and on its website a list of the third countries (or
specified territory) for which it has decided that an adequate level of protection is or is no longer ensured.
(Art.45)
• EC shall have the right to participate in the activities and meetings of the Board (EDPB) without voting right.
(Art.68)
• By 25 May 2020 and every four years thereafter, EC shall submit a report on the evaluation and review of this
Regulation to the European Parliament and to the Council. The reports shall be made public. (Art.97)
• EC may adopt delegated acts. As soon as it adopts a delegated act, EC shall notify it simultaneously to the
European Parliament and to the Council (Art.92)
• EC shall, if necessary, submit appropriate proposals to amend GDPR
and other Union legal acts on the protection of personal data. (Art.97, 98)
European Council (EUCO)
• The European Council (informally EUCO) is a collective body that defines the European Union's
overall political direction and priorities. It comprises the heads of state or government of the EU
member states (28), along with the President of the European Council and the President of the
European Commission.
• Established as an informal summit in 1975, the European Council was formalised as an institution
in 2009 upon the entry into force of the Treaty of Lisbon.
• It is not one of the EU's legislating institutions, so does not negotiate or adopt EU laws. Instead it
sets the EU's policy agenda, traditionally by adopting 'conclusions' during European Council
meetings which identify issues of concern and actions to take.
• The meetings of the European Council, still commonly referred to as EU summits, are chaired by
its president and take place at least twice every six months; usually in the Europa building in
Brussels. Decisions of the European Council are taken by consensus, except where the Treaties
provide otherwise.
• www.consilium.europa.eu
Council of the European Union (the Council)
• The Council of the EU is the institution representing the member states' governments. Also
known informally as the EU Council, it is where national ministers from each EU country meet to
adopt laws and coordinate policies.
• The Council of the European Union is the third of the seven Institutions of EU as listed in the
Treaty on European Union. It is one of three legislative bodies and together with the European
Parliament serves to amend and approve the proposals of the European Commission.
• The primary purpose of the Council is to act as one of two vetoing bodies of the EU's legislative
branch, the other being the European Parliament. Together they serve to amend, approve or
disapprove the proposals of the European Commission, which has the sole power to propose
laws.
• The Council represents the executive governments of the EU's member states (28) and is based in
the Europa building in Brussels.
• www.consilium.europa.eu
European Council (EUCO)
Heads of State or Government 28 countries
European Commission (EC)
28 «commissioners»
Suggesting legislation («the sole initiator») and budgets.
Implementing decisions, upholding the EU treaties.
European Parliament (EP)
751 parliamentarians elected by EU citizens
Council of the European Union (the Council)
Government ministers from each EU country
Jointly approve EU legislation and budget
Setting overall political direction and priorities
Approving the members and the President
of the European Commission.
Has the power to censure the Commission
(2/3 of the votes)
European Council (informally EUCO)
• Russian name: Европейский совет
• www.consilium.europa.eu
• The European Council is the EU institution that defines the general political direction and priorities of the European Union. It consists of the heads of state or government of the member states, together with its President and the President of the Commission.
Council of the European Union (the Council)
• Russian name: Совет Европейского союза
• www.consilium.europa.eu
• The Council of the EU is the institution representing the member states' governments. Also known informally as the EU Council, it is where national ministers from each EU country meet to adopt laws and coordinate policies.
Council of Europe (CoE)
• Russian name: Совет Европы
• www.coe.int
• The Council of Europe is an international organisation whose stated aim is to uphold human rights, democracy and the rule of law in Europe. It drafted the European Convention on Human Rights (ECHR) in 1950 (entered into force on 3 September 1953).
Council of Europe (CoE)
• The Council of Europe is an international organisation whose stated aim is to uphold human
rights, democracy and the rule of law in Europe. The Council of Europe is an entirely separate
body from the European Union. It is not controlled by it.
• Founded in 1949, it has 47 member states, covers approximately 820 million people and operates
with an annual budget of approximately 500 million euros.
• Unlike the EU, the Council of Europe cannot make binding laws, but it does have the power to
enforce select international agreements reached by European states on various topics. The best
known body of the Council of Europe is the European Court of Human Rights, which enforces the
European Convention on Human Rights.
• Strasbourg, France
• www.coe.int
https://echr.coe.int/Documents/Convention_ENG.pdf
The Convention for the Protection of Human Rights and
Fundamental Freedoms, better known as the European
Convention on Human Rights, was opened for signature in Rome
on 4 November 1950 and came into force in 1953.
Since its adoption in 1950 the Convention has been amended a
number of times and supplemented with many rights in addition
to those set forth in the original text.
The Convention secures in particular:
• the right to life,
• the right to a fair hearing,
• the right to respect for private and
family life,
• freedom of expression,
• freedom of thought, conscience
and religion and,
• the protection of property.
The Convention prohibits in particular:
• torture and inhuman or degrading
treatment or punishment,
• slavery and forced labour,
• death penalty,
• arbitrary and unlawful detention,
and
• discrimination in the enjoyment of
the rights and freedoms set out in
the Convention.
European Court of Human Rights (ECHR)
• Not to be confused with the European Court of Justice, the highest court of the European Union.
• The European Court of Human Rights is an international court set up in 1959. It rules on individual or
State applications alleging violations of the civil and political rights set out in the European Convention
on Human Rights.
• The Court was established on 21 January 1959 on the basis of Article 19 of the European Convention
on Human Rights when its first members were elected by the Consultative Assembly of the Council of
Europe. Since 1998 it has sat as a full-time court and individuals can apply to it directly.
• Judges are elected for a non-renewable nine-year term. The number of full-time judges sitting in the
Court is equal to the number of contracting states to the European Convention on Human Rights,
currently 47.
• Not an EU institution, no powers of enforcement. Role in data protection: ensure right to privacy (not
data protection).
• Strasbourg, France
• echr.coe.int
European Court of Justice (ECJ)
• The European Court of Justice (ECJ), officially just the Court of Justice, is the supreme court of the
European Union in matters of European Union law. As a part of the Court of Justice of the
European Union it is tasked with interpreting EU law and ensuring its equal application across all
EU member states.
• The Court was established in 1952 by the Treaty of Paris and is based in Luxembourg.
• It is composed of one judge per member state – currently 28 – although it normally hears cases in
panels of three, five or 15 judges.
• The ECJ is the highest court of the European Union in matters of Union law, but not national law.
It is not possible to appeal against the decisions of national courts in the ECJ, but rather national
courts refer questions of EU law to the ECJ.
• curia.europa.eu
For GDPR
1. Supervisory authority (SA) / Data Protection Authority (DPA)
2. Article 29 Working Party (WP29), replaced
3. European Data Protection Board (EDPB, the Board)
4. European Data Protection Supervisor (EDPS)
SA / DPA
‘Supervisory authority’ means an independent public authority which is established by a Member
State.
Each Member State shall provide for one or more independent public authorities to be responsible
for monitoring the application of this Regulation, in order to protect the fundamental rights and
freedoms of natural persons in relation to processing and to facilitate the free flow of personal data
within the Union (‘supervisory authority’). (Art.51)
Tasks (by Art.57): Monitor and enforce the application of GDPR, promote awareness and give
advice, handle complaints by a data subject, conduct investigations…
Activity report (Art.59): Each supervisory authority shall draw up an annual report on its activities,
which may include a list of types of infringement notified and types of measures taken in
accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the
government and other authorities as designated by Member State law. They shall be made available
to the public, to the Commission and to the Board.
SA investigative powers (Art.58(1))
• to order the controller and the processor to provide any information it requires
• to carry out investigations in the form of data protection audits
• to carry out a review on certifications
• to notify the controller or the processor of an alleged infringement of GDPR
• to obtain access to all personal data and to all necessary information
• to obtain access to any premises, including to any data processing equipment and means
SA corrective powers (Art.58(2))
• to issue warnings to a controller or processor
• to issue reprimands to a controller or a processor
• to order the controller or the processor to comply with the data subject's requests
• to order the controller or processor to bring processing operations into compliance
• to order the controller to communicate a personal data breach to the data subject
• to impose a temporary or definitive limitation including a ban on processing
• to order the rectification or erasure of personal data or restriction of processing
• to withdraw a certification or to order the certification body to withdraw a certification
• to impose an administrative fine
• to order the suspension of data flows to a recipient in a third country or to an international organisation
SA authorisation and advisory powers (Art.58(3))
• to advise the controller
• to issue opinions on any issue related to the protection of personal data
• to authorise processing
• to issue an opinion and approve draft codes of conduct
• to accredit certification bodies
• to issue certifications and approve criteria of certification
• to adopt standard data protection
• to authorise contractual clauses
• to authorise administrative arrangements
• to approve binding corporate rules
What are Data Protection Authorities (DPAs)?
• DPAs are independent public authorities that supervise, through
investigative and corrective powers, the application of the data protection
law. They provide expert advice on data protection issues and handle
complaints lodged against violations of the General Data Protection
Regulation and the relevant national laws. There is one in each EU Member
State.
• Generally speaking, the main contact point for questions on data
protection is the DPA in the EU Member State where your
company/organisation is based. However, if your company/organisation
processes data in different EU Member States or is part of a group of
companies established in different EU Member States, that main contact
point may be a DPA in another EU Member State.
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en
Data Protection Authorities (DPAs)
1. Austria: Österreichische Datenschutzbehörde
2. Belgium: Commission de la protection de la vie privée
3. Bulgaria: Commission for Personal Data Protection
4. Croatia: Croatian Personal Data Protection Agency
5. Cyprus: Commissioner for Personal Data Protection
6. Czech Republic: The Office for Personal Data Protection
7. Denmark: Datatilsynet
8. Estonia: Estonian Data Protection Inspectorate (Andmekaitse
Inspektsioon)
9. Finland: Office of the Data Protection Ombudsman
10. France: Commission Nationale de l’Informatique et des Libertés
11. Germany: Die Bundesbeauftragte für den Datenschutz und die
Informationsfreiheit
12. Greece: Hellenic Data Protection Authority
13. Hungary: National Authority for Data Protection and Freedom of
Information
14. Ireland: Data Protection Commissioner
15. Italy: Garante per la protezione dei dati personali
16. Latvia: Data State Inspectorate
17. Lithuania: State Data Protection
18. Luxembourg: Commission Nationale pour la Protection des Données
19. Malta: Office of the Data Protection Commissioner
20. Netherlands: Autoriteit Persoonsgegevens
21. Poland: The Bureau of the Inspector General for the
Protection of Personal Data – GIODO
22. Portugal: Comissão Nacional de Protecção de Dados –
CNPD
23. Romania: The National Supervisory Authority for
Personal Data Processing
24. Slovakia: Office for Personal Data Protection of the
Slovak Republic
25. Slovenia: Information Commissioner
26. Spain: Agencia de Protección de Datos
27. Sweden: Datainspektionen
28. United Kingdom: The Information Commissioner’s
Office
EUROPEAN FREE TRADE AREA (EFTA)
1. Iceland: Icelandic Data Protection Agency
2. Liechtenstein: Data Protection Office
3. Norway: Datatilsynet
4. Switzerland: Data Protection and Information
Commissioner of Switzerland
https://edpb.europa.eu/about-edpb/board/members_en
The Article 29 Working Party
• The Article 29 Working Party (Art. 29 WP) was an advisory body made up of a representative from
the data protection authority of each EU Member State, the European Data Protection Supervisor
and the European Commission. On 25 May 2018, it was replaced by the European Data
Protection Board (EDPB) under GDPR.
• The composition and purpose of Art. 29 WP was set out in Article 29 of the Data Protection
Directive, and it was launched in 1996.
• Its main stated missions were to:
• Provide expert advice to the States regarding data protection
• Promote the consistent application of the Data Protection Directive in all EU state members, as well as Norway,
Liechtenstein and Iceland
• Give to the Commission an opinion on community laws (first pillar) affecting the right to protection of personal data
• Make recommendations to the public on matters relating to the protection of persons with regard to the processing
of personal data and privacy in the European Community
• https://ec.europa.eu/newsroom/article29/news-overview.cfm
WP29 Guidelines
1. Guidelines on consent under Regulation 2016/679,
WP259 rev.01
2. Guidelines on transparency under Regulation
2016/679, WP260 rev.01
3. Guidelines on Automated individual decision-
making and Profiling for the purposes of Regulation
2016/679, WP251 rev.01
4. Guidelines on Personal data breach notification
under Regulation 2016/679, WP250 rev.01
5. Guidelines on the right to data portability under
Regulation 2016/679, WP242 rev.01
6. Guidelines on Data Protection Impact Assessment
(DPIA) and determining whether processing is
"likely to result in a high risk" for the purposes of
Regulation 2016/679, WP248 rev.01
7. Guidelines on Data Protection Officers ('DPO'),
WP243 rev.01
8. Guidelines for identifying a controller or processor's
lead supervisory authority, WP244 rev.01
9. Position Paper on the derogations from the obligation to maintain
records of processing activities pursuant to Article 30(5) GDPR
10. Working Document Setting Forth a Co-Operation Procedure for
the approval of “Binding Corporate Rules” for controllers and
processors under the GDPR, WP 263 rev.01
11. Recommendation on the Standard Application for Approval of
Controller Binding Corporate Rules for the Transfer of Personal
Data, WP 264
12. Recommendation on the Standard Application form for Approval
of Processor Binding Corporate Rules for the Transfer of Personal
Data, WP 265
13. Working Document setting up a table with the elements and
principles to be found in Binding Corporate Rules, WP 256 rev.01
14. Working Document setting up a table with the elements and
principles to be found in Processor Binding Corporate Rules, WP
257 rev.01
15. Adequacy Referential, WP 254 rev.01
16. Guidelines on the application and setting of administrative fines
for the purposes of the Regulation 2016/679, WP 253
EDPB (the Board)
Article 68 European Data Protection Board
1. The European Data Protection Board (the ‘Board’) is hereby
established as a body of the Union and shall have legal personality.
2. The Board shall be represented by its Chair.
3. The Board shall be composed of the head of one supervisory
authority of each Member State and of the European Data Protection
Supervisor, or their respective representatives.
EDPB (the Board)
• The European Data Protection Board (EDPB) is an independent European body, which contributes to the
consistent application of data protection rules throughout the European Union, and promotes cooperation
between the EU’s data protection authorities.
• The EDPB is composed of representatives of the national data protection authorities, and the European Data
Protection Supervisor (EDPS). The supervisory authorities of the EFTA EEA States are also members with
regard to the GDPR related matters and without the right to vote and being elected as chair or deputy chairs.
The EDPB is established by the General Data Protection Regulation (GDPR), and is based in Brussels. The
European Commission and -with regard to the GDPR related matters- the EFTA Surveillance Authority have
the right to participate in the activities and meetings of the Board without voting right.
• The EDPB has a Secretariat, which is provided by the EDPS. A Memorandum of Understanding determines
the terms of cooperation between the EDPB and the EDPS.
• edpb.europa.eu
EDPB Secretariat
• The Secretariat, which is provided by the European Data
Protection Supervisor (EDPS), offers analytical, administrative
and logistical support to the EDPB.
• This support includes preparation of positions, and organising
EDPB meetings and communication.
• Although staff at the Secretariat is employed by the EDPS, staff
members only work under the instructions of the Chair of the
EDPB.
• The terms of cooperation between the EDPB and the EDPS are
established by the Memorandum of Understanding.
Main Tasks of the Board
Article 70 Tasks of the Board (a-y):
• monitor and ensure the correct application of GDPR…
• advise the Commission…
• issue guidelines, recommendations, and best practices…
• encourage the drawing-up of codes of conduct and the establishment of data protection
certification mechanisms…
• carry out the accreditation of certification bodies and its periodic review…
• provide the Commission with an opinion for the assessment of the adequacy of the level
of protection in a third country or international organization…
• promote the exchange of knowledge and documentation on data protection legislation
and practice with data protection supervisory authorities worldwide…
Article 71 Reports
• Annual public report to the European Parliament, to the Council and to the Commission.
EDPB Guidelines
• Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42
and 43 of the Regulation 2016/679
• Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
• Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
• EDPB Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General
Data Protection Regulation (2016/679) - Annex 1
• EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 -
version adopted after public consultation
• Recommendation 01/2019 on the draft list of the European Data Protection Supervisor regarding the
processing operations subject to the requirement of a data protection impact assessment (Article 39.4
of Regulation (EU) 2018/1725)
• Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the
provision of online services to data subjects - version for public consultation
• Guidelines 3/2019 on processing of personal data through video devices - version for public
consultation
https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
European Data Protection Supervisor
• The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data
protection authority.
• Its general mission is to:
• monitor and ensure the protection of personal data and privacy when EU institutions and
bodies process the personal information of individuals;
• advise EU institutions and bodies on all matters relating to the processing of personal data,
on request or on its own initiative. In particular, it is consulted by the European
Commission on proposals for legislation, international agreements, as well as implementing
and delegated acts with impact on data protection and privacy;
• monitor new technology that may affect the protection of personal information;
• intervene before the Court of Justice of the EU to provide expert advice on interpreting data
protection law;
• cooperate with national supervisory authorities and other supervisory bodies to improve
consistency in protecting personal information.
• https://edps.europa.eu
Thanks!

More Related Content

PPTX
The institutions of he European Union lesson
PPT
EU institutions
PPT
The institutions of the european union
PPTX
Eu citizenship
PDF
THE COURT OF JUSTICE OF THE EUROPEAN UNION (CJEU). A FOCUS ON THE CVRIA
PPTX
Primary and secondary sources of eu law
PPTX
PPTX
Sources of EU law; revision notes
The institutions of he European Union lesson
EU institutions
The institutions of the european union
Eu citizenship
THE COURT OF JUSTICE OF THE EUROPEAN UNION (CJEU). A FOCUS ON THE CVRIA
Primary and secondary sources of eu law
Sources of EU law; revision notes

What's hot (20)

PPT
European Parliament Presentation
PPTX
European Union: European Council
PPTX
The human rights
PPTX
European parliament
PPTX
Impact of Brexit on world
PPTX
PPTX
greytHR webinar POSH Act
PDF
Human rights: Concepts, Origin, sources and ideological foundation pdf
PPT
Die Europäische Union
PDF
រៀបចំគំរោង និងផែនការថវិកា (Set up Planning and Budgeting)
PPTX
PDF
画像生成AIで地理院タイル(オルソ)をズームレベル20まで超解像化した話
PPTX
European Union
PDF
Presentation on the European Court of Human Rights
PPTX
PPT
LISBON TREATY
PPTX
An evaluation of women status after thirty years of cedaw
PPTX
Economic and Social Counsil of United Nations (ECOSOC)
PPTX
What is international law ? Introduction of I Law for CSS & PCS by Tahir Habib
PPT
History Of The European Union
European Parliament Presentation
European Union: European Council
The human rights
European parliament
Impact of Brexit on world
greytHR webinar POSH Act
Human rights: Concepts, Origin, sources and ideological foundation pdf
Die Europäische Union
រៀបចំគំរោង និងផែនការថវិកា (Set up Planning and Budgeting)
画像生成AIで地理院タイル(オルソ)をズームレベル20まで超解像化した話
European Union
Presentation on the European Court of Human Rights
LISBON TREATY
An evaluation of women status after thirty years of cedaw
Economic and Social Counsil of United Nations (ECOSOC)
What is international law ? Introduction of I Law for CSS & PCS by Tahir Habib
History Of The European Union
Ad

Similar to GDPR EU Institutions and bodies.pdf (20)

PPTX
European Union Presentation of the Institutions of United Europe .pptx
PDF
The Council of Europe - An overview (2016)
PPTX
THE EU SYSTEM SLIDES.pptx20242024 202420242024
PPTX
The European Human Rights System SLIDES[1]-1.pptx
PDF
AFL5010 Workshop 2
DOCX
Instructions Your initial post should be at least 500 words T.docx
PPTX
Union Europea
PPTX
EUROPEAN UNION.pptx
PDF
How the European Union Works
PPT
The european union
PPT
From France - European Institutions
PPTX
Hurrelmann-EU-History-and-Institutions-Nov.-2017.pptx
PDF
A1 poland
PPTX
European union
PPT
Eu in slides
PPT
Unia europejska (ang)
PPTX
EU History, institutions and budget-Poster session
PPT
Power point EU.ppt
PPTX
Posters Session EU: institutions and Budget 2014 15
PPT
Lecture on EU Institutions including.ppt
European Union Presentation of the Institutions of United Europe .pptx
The Council of Europe - An overview (2016)
THE EU SYSTEM SLIDES.pptx20242024 202420242024
The European Human Rights System SLIDES[1]-1.pptx
AFL5010 Workshop 2
Instructions Your initial post should be at least 500 words T.docx
Union Europea
EUROPEAN UNION.pptx
How the European Union Works
The european union
From France - European Institutions
Hurrelmann-EU-History-and-Institutions-Nov.-2017.pptx
A1 poland
European union
Eu in slides
Unia europejska (ang)
EU History, institutions and budget-Poster session
Power point EU.ppt
Posters Session EU: institutions and Budget 2014 15
Lecture on EU Institutions including.ppt
Ad

More from Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001 (20)

PDF
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
PDF
pr ISMS Documented Information (lite).pdf
PDF
ISO Survey 2022: ISO 27001 certificates (ISMS)
PDF
PDF
Cybersecurity Frameworks for DMZCON23 230905.pdf
PDF
My 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
PDF
PDF
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
PDF