The EDPB has published its first review of the implementation of the GDPR, in particular the functioning of the cooperation and consistency mechanism. The GDPR requires EU Data Protection Supervisory Authorities (SAs) to cooperate in order to provide a consistent application of the GDPR. The EDPB concludes that nine months after the entry into force of the GDPR, the cooperation and consistency mechanism is working well. All one-stop-shop cases have so far been resolved smoothly, with no cross-border case being escalated to the EDPB for dispute resolution purposes.
To support the cooperation and consistency mechanism, the EDPB have customised an existing IT system, the Internal Market Information System (IMI), in order to provide a structured and confidential way for SAs to share information.
Some of the highlights of the review are set out below.
- Identifying the Lead & Concerned SAs – 642 procedures have been initiated to identify the Lead SA and Concerned SAs in cross-border cases. Out of the 642 procedures, 306 are closed and the Lead SA identified. Up to now no dispute has arisen in relation to the selection of the Lead SA.
- Cross-border cases – 30 different SAs have registered a total amount of 281 cases with a cross-border component in the IMI system. The cases concerned three main topics: the exercise of individuals’ rights, consumer rights, and data breaches.
- One-Stop-Shop (OSS) Mechanism – 45 OSS procedures were initiated by SAs from 14 different EEA countries, and 6 final decisions have been delivered. These final decisions concerned individuals’ rights (e.g. the right to erasure), the appropriate legal basis for data processing and data breach notifications.
- Mutual Assistance – 444 mutual assistance requests (formal and informal) have been triggered by SAs from 18 different EEA countries. In 353 cases, the answers were speedily sent within 23 days.
- Joint Operations – The GDPR allows SAs to carry out joint investigations and joint enforcement measures, however no joint operations have been initiated to date.
- Consistency Opinions – The EDPB has adopted 28 opinions on national lists of processing operations requiring a DPIA, and one opinion on a draft administrative arrangement for the transfer of personal data between EEA and non-EEA financial supervisory authorities. Since this review was published, the EDPB has also issued an opinion on the interplay between the GDPR and e-Privacy Directive. It is currently working on further opinions in relation to BCRs and a draft standard contract between controllers and processors.
- Dispute Resolution – No dispute resolution by the EDPB has yet been required.
Budget and Human Resources
- The EDPB notes that under the GDPR, “SAs wear two hats. They not only deal with their enhanced enforcement powers but are required to become more engaged, which implies the need for more budget and staff”.
- Budget – In most cases, SAs received an increase in budget for 2018 and 2019. However, in two cases there was a decrease in budget, and three cases no change in budget occurred.
- Human Resources – The majority of SAs experienced an increase in the number of staff, while for eight SAs the number of staff did not change. For one SA, there was a decrease in staff.
Enforcement at national level
- Cases – The SAs reported a total number of 206,236 cases. These cases derived from complaints (94,622), data breach notifications (64,684) and other reasons. 52% of these cases have already been closed, and 1% are being challenged before national courts.
- Use of Corrective Powers by SAs – SAs from 11 EEA countries have imposed administrative fines, with the total amount of €55,955.871 being imposed.