The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) will shortly be directly applicable across the European Union, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with its provisions.
To make a text as complex and highly structured as the GDPR easier to understand, we provide here a set of short factsheets in Q&A form which, starting from already familiar privacy concepts, give a brief first guide to the new regulation.
What is a supervisory authority?
Under the GDPR, each Member State must provide for one or more independent public authorities responsible for monitoring the application of the Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing. An authority's tasks also include contributing to the free flow of personal data within the Union. In Italy this authority is the “Garante per la protezione dei dati personali”.
What are the features of supervisory authorities?
Their fundamental characteristic is independence. The members of an authority must remain free from external influence, whether direct or indirect, and may neither seek nor take instructions from anyone. To this end, each Member State must ensure that the supervisory authorities established on its territory are provided with the human, technical and financial resources necessary for the impartial performance of their tasks.
Each supervisory authority is competent to exercise its powers only on the territory of its own Member State. Supervisory authorities are not competent to supervise processing operations of courts acting in their judicial capacity. Their intervention is, as a rule, free of charge for data subjects (a fee may be charged only for manifestly unfounded or excessive requests).
What are the tasks of a supervisory authority?
The main tasks of a supervisory authority include:
1) advising national institutions on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing;
2) handling complaints lodged by a data subject, or by a body, organisation or association acting on the data subject's behalf, and investigating their subject matter;
3) cooperating with and providing mutual assistance to other supervisory authorities;
4) monitoring relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
5) encouraging the drawing up of codes of conduct and the establishment of data protection certification mechanisms.
What are the powers of a supervisory authority?
To fulfil its tasks a supervisory authority is granted a number of investigative, corrective, and authorisation and advisory powers. The following are some examples of an authority's diverse powers:
An authority has the following investigative powers:
1) to order the controller and the processor to provide any information it requires for the performance of its tasks, and to obtain access to all personal data;
2) to carry out investigations, including data protection audits, and to notify the controller or processor of an alleged infringement of the Regulation;
3) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law;
the corrective powers:
4) to issue warnings to a controller or processor whose intended processing operations are likely to infringe the Regulation, and reprimands where processing operations have infringed it;
5) to impose a temporary or definitive limitation on processing, including a ban on processing;
6) to impose an administrative fine, in addition to or instead of the other corrective measures, depending on the circumstances of each case;
the authorisation and advisory powers:
7) to authorise processing where Member State law requires prior authorisation, to adopt standard data protection clauses and authorise ad hoc contractual clauses, to approve codes of conduct and binding corporate rules, and to issue certifications.
What is the Lead Supervisory Authority (Lead SA)?
The Lead Supervisory Authority is competent for cross-border processing. It is the supervisory authority of the “main establishment” or of the “single establishment” of the controller or processor in the Union; for a controller, the main establishment is the place of its central administration, unless decisions on the purposes and means of the processing are taken in another establishment that has the power to have them implemented. The Article 29 Working Party, which brings together the representatives of the national data protection authorities, has expressed its opinion on the role of the lead supervisory authority and has issued specific guidelines for identifying it.
The Lead Supervisory Authority coordinates all activities among the different “concerned” supervisory authorities involved in cross-border processing, both to facilitate the sharing of information and in an endeavour to reach consensus. To this end, the lead supervisory authority may request the other supervisory authorities concerned to provide mutual assistance and may conduct joint operations with them. Before adopting a final decision, the Lead SA must submit a draft decision to the other “concerned” authorities for their opinion and take due account of their views. Should one of them raise a relevant and reasoned objection that the Lead SA does not follow, the Lead SA must submit the matter to the consistency mechanism. The mechanism provides for the involvement of the European Data Protection Board, which must adopt a binding decision on the matter within one month (extendable by a further month on account of the complexity of the subject matter).
What does mutual assistance between supervisory authorities mean?
Mutual assistance is the cooperation and sharing of information that takes place both among national supervisory authorities and between these authorities and the lead supervisory authority.
Mutual assistance includes, for example, requests for information and for supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.
Requests for assistance must contain all the necessary information, including the purpose of and reasons for the request. The requested supervisory authority must respond without undue delay and no later than one month after receiving the request, and it may refuse to comply only if it is not competent for the subject matter of the request or if compliance would infringe the GDPR or Union or Member State law; in that case it must give reasons for the refusal.