Opinion 03/2023 on the draft decision of the competent supervisory authority of Romania regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
1 Adopted Opinion 03/2023 on the draft decision of the competent supervisory authority of Romania regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR Adopted on 3 February 2023 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3)-(8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of…
How it connects
Related across sources
Full text 50 sections
Adopted Opinion 03/2023 on the draft decision of the competent supervisory authority of Romania regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR Adopted on 3 February 2023
Adopted
Adopted The European Data Protection Board Having regard to Article 63, Article 64 (1)(c), (3)-(8) and Article 41 (3) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, 1 Having regard to Article 10 and Article 22 of its Rules of Procedure of 25 May 2018, Whereas: (1) The main role of the European Data Protection Board (hereinafter “the Board”) is to ensure the consistent application of the GDPR when a supervisory authority (hereinafter “SA”) intends to approve the requirements for accreditation of a code of conduct (hereinafter “code”) monitoring body pursuant to article 41. The aim of this opinion is therefore to contribute to a harmonised approach with regard to the suggested requirements that a data protection supervisory authority shall draft and that apply during the accreditation of a code monitoring body by the competent supervisory authority. Even though the GDPR does not directly impose a single set of requirements for accreditation, it does promote consistency. The Board seeks to achieve this objective in its opinion by: firstly, requesting the competent SAs to draft their requirements for accreditation of monitoring bodies based on article 41(2) GDPR and on the Board’s “Guidelines 1/2019 on Codes of Conduct and Monitoring bodies under Regulation 2016/679” (hereinafter the “Guidelines”), using the eight requirements as outlined in the guidelines’ accreditation section (section 12); secondly, providing the competent SAs with written guidance explaining the accreditation requirements; and, finally, requesting the competent SAs to adopt the requirements in line with this opinion, so as to achieve an harmonised approach. (2) With reference to article 41 GDPR, the competent supervisory authorities shall adopt requirements for accreditation of monitoring bodies of approved codes. They shall, however, apply the consistency mechanism in order to allow the setting of suitable requirements ensuring that monitoring bodies carry out the monitoring of compliance with codes in a competent, consistent and independent manner, thereby facilitating the proper implementation of codes across the Union and, as a result, contributing to the proper application of the GDPR. (3) In order for a code covering non-public authorities and bodies to be approved, a monitoring body (or bodies) must be identified as part of the code and accredited by the competent SA as being capable of effectively monitoring the code. The GDPR does not define the term “accreditation”. However, article 41 (2) of the GDPR outlines general requirements for the accreditation of the monitoring body. There are a number of requirements, which should be met in order to satisfy the competent supervisory authority to accredit a monitoring body. Code owners are required to explain and 1 References to the “Union” made throughout this opinion should be understood as references to “EEA”.
Adopted demonstrate how their proposed monitoring body meets the requirements set out in article 41 (2) GDPR to obtain accreditation. (4) While the requirements for accreditation of monitoring bodies are subject to the consistency mechanism, the development of the accreditation requirements foreseen in the Guidelines should take into consideration the code’s sector or specificities. Competent supervisory authorities have discretion with regard to the scope and specificities of each code, and should take into account their relevant legislation. The aim of the Board’s opinion is therefore to avoid significant inconsistencies that may affect the performance of monitoring bodies and consequently the reputation of GDPR codes of conduct and their monitoring bodies. (5) In this respect, the Guidelines adopted by the Board will serve as a guiding thread in the context of the consistency mechanism. Notably, in the Guidelines, the Board has clarified that even though the accreditation of a monitoring body applies only for a specific code, a monitoring body may be accredited for more than one code, provided it satisfies the requirements for accreditation for each code . (6) The opinion of the Board shall be adopted pursuant to article 64 (3) GDPR in conjunction with article 10 (2) of the EDPB Rules of Procedure within eight weeks from the first working day after the Chair and the competent supervisory authority have decide d that the file is complete. Upon decision of the Chair, this period may be extended by a further six weeks taking into account the complexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION: SUMMARY OF THE FACTS 1 The Romanian Supervisory Authority (hereinafter “RO SA”) has submitted its draft decision containing the accreditation requirements for a code of conduct monitoring body to the Board, requesting its opinion pursuant to Art. 64 (1)(c) GDPR, for a consistent approach at Union level. The decision on the completeness of the file was taken on 28 October 2022. 2 In compliance with article 10 (2) of the Board Rules of Procedure, due to the complexity of the matter at hand, the Chair decided to extend the initial adoption period of eight weeks by a further six weeks. ASSESSMENT General reasoning of the Board regarding the submitted draft accreditation requirements 3 All accreditation requirements submitted to the Board for an opinion must fully address article 41 (2) GDPR criteria and should be in line with the eight areas outlined by the Board in the accreditation section of the Guidelines (section 12, pages 21-25). The Board opinion aims at ensuring consistency and a correct application of article 41 (2) GDPR as regards the presented draft. 4 This means that, when drafting the requirements for the accreditation of a body for monitoring codes according to articles 41 (3) and 57 (1) (p) GDPR, all the SAs should cover these basic core requirements
Adopted foreseen in the Guidelines, and the Board may recommend that the SAs amend their drafts accordingly to ensure consistency. 5 All codes covering non-public authorities and bodies are required to have accredited monitoring bodies. The GDPR expressly request SAs, the Board and the Commission to “encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium sized enterprises.” (article 40 (1) GDPR). Therefore, the Board recognises that the requirements need to work for different types of codes, applying to sectors of diverse size, addressing various interests at stake and covering processing activities with different levels of risk.
In some areas, the Board will support the development of harmonised requirements by encouraging the SA to consider the examples provided for clarification purposes.
When this opinion remains silent on a specific requirement, it means that the Board is not asking the RO SA to take further action.
This opinion does not reflect upon items submitted by the RO SA, which are outside the scope of article 41 (2) GDPR, such as references to national legislation. The Board nevertheless notes that national legislation should be in line with the GDPR, where required. Analysis of the RO SA’s accreditation requirements for Code of Conduct’s monitoring bodies
Taking into account that: a. Article 41 (2) GDPR provides a list of accreditation areas that a monitoring body need to address in order to be accredited; b. Article 41 (4) GDPR requires that all codes (excluding those covering public authorities per Article 41 (6)) have an accredited monitoring body; and c. Article 57 (1) (p) & (q) GDPR provides that a competent supervisory authority must draft and publish the accreditation requirements for monitoring bodies and conduct the accreditation of a body for monitoring codes of conduct. the Board is of the opinion that: GENERAL REMARKS
The Board notes that on 22 February 2022, “the Guidelines 04/2021 on Codes of Conduct as tools for transfers” were adopted. These guidelines do not add any additional requirements for the accreditation of monitoring bodies that monitor codes of conduct intended for international transfers. Rather, the guidelines provide further specifications of the general requirements established by the Guidelines 1/2019 (Section 12) taking into account the specific context of international transfers. 2 For the sake of clarity, the Board recommends the RO SA to add a reference to the above-mentioned guidelines, which are relevant in the context of monitoring codes of conduct intended for international transfers. 2 See Section4.2 of the EDPB Guidelines 04/2021 on Codes of Conduct as tools for transfers 6 Adopted
For the sake of consistency, the Board encourages the RO SA to adjust the terminology used in the requirements to the one used in the Guidelines, this applies in particular to the following terms. The Board also encourages the RO SA to revise the requirements in order to avoid misunderstandings stemming from the translation of the document into English (for example, “criteria for accreditation” should be replaced by “requirements for accreditation”, section 1.4. “Liability” should be replaced by “Accountability”).
As regards Section 4 of the draft accreditation requirements, the Board takes into account that paragraph 3 of the draft accreditation requirements is in Romanian language in the submitted draft version of the requirements. The Board, on the basis of the information provided to the Board by the RO SA, understands that the wording of this sentence in English is - “The monitoring procedures can be designed in different ways as long as they take into account factors such as the risks raised by the data processing in scope of the code, complaints received or specific incidents and the number of members of the code.” The Board recommends that the RO SA ensures the inclusion of this paragraph in English, in the final amended version of the requirements.
For the sake of consistency and clarity, the Board encourages the RO SA to replace throughout the draft accreditation requirements the term “National Supervisory Authority for Personal Data Processing” with the term “Competent Supervisory Authority” in line with the terminology used in the Guidelines. At the same time the Board encourages the RO SA to rephrase in the definition section of the draft requirements a definition of the term “Competent Supervisory Authority“, to be understood as the National Supervisory Authority for Personal Data Processing.
The Board recommends to elaborate the definition of “Accreditation”, so that it is defined in line with the Guidelines, by addition of a last sentence: “The accreditation of a monitoring body applies to a specific code”.
The Board notes that the requirements in Section 2 point 3 state that an internal monitoring body “could be an internal department within the code owner”. The Board considers that it should be made explicit that an internal monitoring body cannot be setup within a code member. Therefore, the Board recommends adding a relevant requirement.
The Board observes that, Chapter 1 Section 2 paragraph 7 of the requirements mention a renewal of accreditation. However, it is not stated explicitly that in all cases of renewal a repeated evaluation of compliance of the monitoring body with the requirements is carried out. The Board welcomes the provision concerning the re-assessment. However, for the sake of clarity and transparency, the Board recommends the RO SA to explicitly state that in case of substantial changes to the monitoring body relating to the monitoring body’s ability to function independently and effectively, such a review will be always be conducted.
The Board notes that Art. 41 GDPR does not refer to the validity of the accreditation of a monitoring body and that there is a margin of manoeuvre for the national SAs. Moreover, the Board notes that the accreditation requirements should be re-assessed periodically, in order to ensure compliance with the GDPR. Indeed, even if the requirements establish a time limit for the accreditation of the monitoring body, this is to be considered without prejudice of the exercise, at any time, of the SA’s supervisory powers with regard to the obligations of the monitoring body. Therefore, for the sake of clarity, the Board encourages the RO SA to clarify that the requirements may be reviewed periodically and to provide transparent information on what happens after the expiry of the validity of the accreditation and what the procedure will be. 7 Adopted INDEPENDENCE
With respect to the definition of independence, the Board encourages the RO SA to elaborate what independence means. To ensure consistency, such clarification could rely on the wording agreed by the Board in the previous opinions, by specifying that the rules and procedures shall allow the monitoring body to perform the monitoring of compliance with a code of conduct in complete autonomy, without being directly or indirectly influenced or subjected to any form of pressure that might affect its decisions. According to the Board, independence for a monitoring body should be understood as a series of formal rules and procedures for the appointment, terms of reference and operation of the monitoring body. In the Board’s view, these rules and procedures will allow the monitoring body to perform the monitoring of compliance with a code of conduct in complete autonomy, without being directly or indirectly influenced, or subjected to any form of pressure that might affect its decisions. This means that a monitoring body should not be in a position to receive any instructions regarding the exercise of its task from code members, the profession, industry or sector to which the code applies, or from the code owner itself. Therefore, the monitoring body must demonstrate impartiality and independence in relation to four main areas: legal and decision-making procedures, financial resources, organisational resources and structure and accountability. In this regard, the Board observes that the RO SA’s accreditation requirements do not cover entirely the four areas outlined and are not structured in line with the Guidelines. The Board recommends to elaborate the requirements in line with the Guidelines concerning structure and areas covered. Furthermore, the Board encourages the RO SA to include practical examples that provide a clearer view on how the independence can be demonstrated in the four areas.
The Board acknowledges that Subsection 1.2. point 2 in terms of ability to act free from instructions and protected from any sort of sanctions or interference, whether direct or indirect, as a consequence of the fulfilment of its task, the monitoring body is compared to a data protection officer. To avoid confusion and misinterpretation regarding the nature of the monitoring body, the Board encourages to redraft Subsection 1.2., paragraph 2 of the requirements without such a comparison.
With regard to Subsection 1.2, paragraph 2 of the draft accreditation requirements, the Board takes note of all the elements demonstrating the monitoring body’s independence with respect to its organizational structure. Among others, it is stated that the monitoring body must not be subject to sanctions for the performance of its tasks. The Board considers that it should be further clarified that the monitoring body assumes responsibility for its activities, and it cannot be subject to sanctions by neither the code owner nor the code members. Therefore, the Board encourages the RO SA to redraft this part of the requirements so that the monitoring body is protected, both from the code owner and from the code members, against any dismissal or sanction, direct or indirect, for the performance of its duties.
With regard to the financial independence (subsection 1.3 Budget and resources), in the opinion of the Board, the monitoring body would not be considered financially independent if the rules governing its financial support allow a code member, who is under investigation by the monitoring body, to stop its financial contributions to it, in order to avoid a potential sanction from the monitoring body. Therefore, the Board encourages the RO SA to elaborate further this requirement by providing more examples of how the monitoring body can provide such evidence.
Regarding subsection 1.3 paragraph 3 on internal monitoring bodies, the Board recommends the RO SA to add a requirement to prove that the internal monitoring body has a specific separated budget that the internal monitoring body is able to manage independently.
With regard to the accountability of the monitoring body, the Board notes that the monitoring body should be able to demonstrate “accountability” for its decisions and actions in order to be considered independent. The Board considers that the accountability requirements in subsection 1.4. of the RO SA’s 8 Adopted draft accreditation requirements do not fully cover all the elements that should be taken into account. The RO SA should clarify what kind of evidence is expected from the monitoring body, in order to demonstrate accountability. This could be accomplished through such things as setting out roles and decision-making framework and its reporting procedures, and by setting up policies to increase awareness among the staff about the governance structures and the procedures in place. Thus, the Board recommends the RO SA to strengthen the requirements for accountability, to allow for a better understanding of its content in relation to the independence of the monitoring body, and offer examples of the kind of evidence that the monitoring bodies can provide. CONFLICT OF INTEREST
As a general remark in this section, the Board is of the opinion that, for practical reasons, examples of cases where a conflict of interest could arise might be helpful. An example of a conflict of interest situation would be the case where personnel conducting audits or making decisions on behalf of a monitoring body had previously worked for the code owner, or for any of the organisations adhering to the code. Therefore, the Board encourages the RO SA to add some examples, similar to the one provided in this paragraph.
The Board considers that the measures and procedures in place aiming at preventing conflicts of interest should ensure that the monitoring body shall refrain from any action incompatible with its tasks and duties. Therefore, the Board recommends that the RO SA includes in the accreditation requirements that the procedures and measures in place to avoid conflict of interest ensure that the monitoring body shall refrain from any action incompatible with its tasks and duties.
Furthermore, for the sake of consistency and clarity, the Board encourages the RO SA to replace, throughout the draft accreditation requirements, the terms “impartiality” with the term “independence” in line with the terminology used in the Guidelines and keep the term impartiality only in the context of organizational independence of monitoring bodies. EXPERTISE
As required by the Guidelines, every code must fulfil the monitoring mechanism criteria (cf. section 6.4 of the Guidelines), by demonstrating “why their proposals for monitoring are appropriate and operationally feasible” (para. 41 of the Guidelines). In this context, all codes with monitoring bodies will need to explain the necessary expertise level for their monitoring bodies in order to deliver the code’s monitoring activities effectively. Section 3 of the RO SA draft accreditation requirements refers to the “appropriate level of expertise necessary to perform its role effectively”. A reference to the level of experience as required by the code itself is missing. The Board encourages the RO SA to add examples so that the data protection expertise, experience and knowledge required, are reflected in the code itself.
The Board agrees with the RO SA that expertise needs to involve the subject-matter (sector) of the code, in which case the relevant requirements that must be fulfilled can be specific, based on the sector to which the code applies. In this context, the Board recommends clarifying section 3 paragraph 2 that different interests involved and the risks of the processing activities addressed by the code should also be taken into account.
Moreover, the Board notes that RO SA’s expertise requirements do not differentiate between staff at the management level and, therefore, in charge of the decision-making process, and staff at the operating level, conducting the monitoring activities. In this regard, the Board encourages the RO SA to clarify in 9 Adopted section 3 which requirement should be met by the staff performing the monitoring function and the personnel making the decisions. ESTABLISHED PROCEDURES AND STRUCTURES
As regards Section 4 of the draft accreditation requirements, the Board notes that paragraph 3 of the draft accreditation requirements states that: “The monitoring procedures can be designed in different ways as long as they take into account factors such as the risks raised by the data processing in scope of the code, complaints received or specific incidents and the number of members of the code.” The Board observes that the essence of the requirements is in line with the paragraph 72 of the Guidelines. However, the Board considers that the consideration in section 4 paragraph 4 of the requirements is meant as an example. Therefore, for the sake of clarity and consistency, the Board encourages to distinguish the requirements that are meant as examples of possible ways to comply with the requirements from the requirements themselves. The Board also recommends to add some examples in the requirements, such as random or unannounced audits, annual inspections, regular reporting and the use of questionnaires.
With regard to section 4 Paragraph 5, the Board notes that the procedure to ensure the monitoring of the code of conduct will take into account the “number of code members”. Since the number of code members may not be known at the moment the monitoring body applies for accreditation, the Board encourages the RO SA to refer to the expected number and size of the code members. TRANSPARENT COMPLAINT HANDLING
Regarding the complaints about code members (Section 5 of the RO SA accreditation requirements), the Board acknowledges that complaints handling process requirements should be set at a high level and contain reasonable time frames for answering complaints. Thus, the Board recommends the RO SA to take a more flexible approach, by stating that the monitoring body will have to provide the complainant with progress reports or the outcome within a reasonable timeframe, such as three months.
Regarding Section 5 paragraph 2 of the RO SA’s draft accreditation requirements, the Board considers that under section 74 of the Guidelines, the requirements related to the complaint handling process should contain the obligation of the monitoring body to make its decisions or general information thereof, publicly available. The Board notes that the wording of the accreditation requirements currently only addresses the need to ensure availability of sufficient resources to ensure that decisions are made publicly available. Therefore, the Board recommends that the requirement is redrafted to include a obligation for the monitoring body to make decision publicly available. COMMUNICATION WITH THE RO SA
The Board notes that Heading of Section 6 contains a reference to the competent supervisory authority. Considering that this section covers the communication with the RO SA, for the sake of clarity and consistency the Board recommends that “Competent supervisory authority” should be replaced by reference to “National Supervisory Authority for Personal Data Processing”. REVIEW MECHANISMS
With regard to section 7 of the RO SA’s draft accreditation requirements, the Board notes that the reference to the periodic review does not mention that the SA will review the compliance with the 10 Adopted requirements periodically. Thus, the Board encourages the RO SA to clarify that the requirements may be reviewed periodically and to provide transparent information on how the periodic review will work in practice and what happens after the expiry of the validity of the accreditation.
The Board notes that under section 7.2 of the requirements there is no reference to the fact that the updating of the code of conduct is the responsibility of the code owner. The Board is of the opinion that, in order to avoid confusion, a reference to the code owner should be made. Therefore, the Board encourages the RO SA to amend this section accordingly so to include such a reference to the code owner. LEGAL STATUS
The code of conduct itself will need to demonstrate that the operation of the code’s monitoring mechanism is sustainable over time, covering worst-case scenarios, such as the monitoring body being unable to perform the monitoring function. In this regard, it would be advisable to require that a monitoring body demonstrates that it can deliver the code of conduct’s monitoring mechanism over a suitable period of time. The financial, human and material resources to ensure the continuity of the monitoring body should be accompanied with the necessary procedures to ensure the functioning of the monitoring mechanism over a suitable time. Therefore, the Board recommends RO SA to explicitly require that monitoring bodies shall demonstrate continuity of the monitoring function over time. The Board also encourages the RO SA to include in the accreditation requirements that, in order to demonstrate the continuity of the monitoring function, the monitoring body should demonstrate that it has sufficient financial and other resources, and the necessary procedures.
The Board notes that the RO SA’s requirements or explanatory notes do not reference subcontracting, leaving this area open for monitoring bodies applying for accreditation to decide upon. The Board recommends that RO SA clarifies whether the monitoring body may have recourse to subcontractors, on which terms and conditions and that these are reflected in the explanatory notes or ordinance accordingly. If RO SA indicates that subcontracting is allowed, the Board recommends that the RO SA indicates, in the requirements, that the obligations applicable to the monitoring body are applicable in the same way to subcontractors.
The Board observes that section 8 paragraph 4 requires the monitoring board to have a premises in the EEA. The Board is of the opinion that a monitoring body requires an establishment in the EEA. This is to ensure that they can uphold data subject rights, deal with complaints and that GDPR is enforceable and also ensures supervision by the SA. The Board encourages that RO SA clarify that the premises of monitoring body are to be understood as an establishment in the EEA. CONCLUSIONS / RECOMMENDATIONS
The draft accreditation requirements of the RO Supervisory Authority may lead to an inconsistent application of the accreditation of monitoring bodies and the following changes need to be made:
Regarding general remarks, the Board recommends that the RO SA: 1. adds a reference to Guidelines 04/2021, which are relevant in the context of monitoring codes of conduct intended for international transfers. 2. elaborates the definition of “Accreditation”, by addition of a last sentence with the following wording: “The accreditation of a monitoring body applies to a specific code”. 11 Adopted 3. clarifies in the text of the requirements that internal monitoring bodies cannot be set up within a code member, but only within a code owner. 4 Explicitly state that in case of substantial changes to the monitoring body relating to the monitoring body’s ability to function independently and effectively, a review of the body that ensures that the monitoring body still meets the requirements for accreditation will be always conducted.
Regarding independence the Board recommends that the RO SA: 1. further develops the requirements, in line with the four areas, for example ; 2. to add a requirement to prove that the internal monitoring body has a specific separated budget; 3. strengthens the requirements for accountability in the draft requirements, to allow for a better understanding of its content in relation to independence of the monitoring body, and offer examples of the kind of evidence that the monitoring body can provide.
Regarding conflict of interest the Board recommends that the RO SA: 1. includes in the accreditation requirements that the procedures and measures in place to avoid conflict of interest ensure that the monitoring body shall refrain from any action incompatible with its tasks and duties.
Regarding expertise the Board recommends that the RO SA: 1. clarifies that other factors such as the size of the sector concerned, the different interests involved and the risks of these processing activities should be taken into account, in order to assess the level of expertise of the monitoring body.
Regarding established procedures and structure the Board requires that the RO SA: 1. adds some examples in the requirements, such as random or unannounced audits, annual inspections, regular reporting and the use of questionnaires. In addition, the monitoring procedures can be designated in different ways as long as they take into account factors such as the risks raised by the data processing within the scope of a code, complaints received or specific incidents and the number of members of a code.
Regarding transparent complaint handling the Board requires that the RO SA: 1. takes a more flexible approach, by stating that the monitoring body will have to provide the complainant with progress reports or the outcome within a reasonable timeframe, such as three months. 2. aligns the text of the accreditation requirements with the Guidelines, in order to ensure that the decisions, or general information thereof, are publicly available.
Regarding communication with the RO SA the Board requires that the RO SA: 1 In the heading of the Section 6 replaces “Competent supervisory authority” with “National Supervisory Authority for Personal Data Processing”.
Regarding the legal status the Board requires that the RO SA: 1. explicitly requires that monitoring bodies demonstrate continuity of the monitoring function over time; 12 Adopted 2. clarifies whether the monitoring body may have recourse to subcontractors and on which terms and conditions and that these are reflected in the requirements or explanatory notes. If subcontracting is allowed, amend the requirements or explanatory notes, so that the obligations applicable to the monitoring body are applicable in the same way to subcontractors. FINAL REMARKS
This opinion is addressed to the Romanian supervisory authority and will be made public pursuant to Article 64 (5) (b) GDPR.
According to Article 64 (7) and (8) GDPR, the RO SA shall communicate to the Chair by electronic means within two weeks after receiving the opinion, whether it will amend or maintain its draft decision. Within the same period, it shall provide the amended draft decision or where it does not intend to follow the opinion of the Board, it shall provide the relevant grounds for which it does not intend to follow this opinion, in whole or in part. 51. The RO SA shall communicate the final decision to the Board for inclusion in the register of decisions, which have been subject to the consistency mechanism, in accordance with article 70 (1) (y) GDPR. For the European Data Protection Board The Chair (Andrea Jelinek)