Skip to content
Guidance · EDPB ·of-the-edpb-to-the-evaluation-of-the-gdpr EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Contribution of the EDPB to the evaluation of the GDPR under Article 97

Summary

1 Adopted Contribution of the EDPB to the e valuation of the GDPR under Article 97 Adopted on 18 February 2020 2 Adopted Table of content s General EDPB policy messages ................................ ................................ .......................... 3 Questionnaire on Evaluation of the GDPR under Article 97 ................................ ................. 5 Reply of the European Data Protection Board ................................ ................................ .... 5 I.…

How it connects

Full text

1 Adopted Contribution of the EDPB to the e valuation of the GDPR under Article 97 Adopted on 18 February 2020 2 Adopted Table of content s General EDPB policy messages ................................ ................................ .......................... 3 Questionnaire on Evaluation of the GDPR under Article 97 ................................ ................. 5 Reply of the European Data Protection Board ................................ ................................ .... 5 I. Chapter V ................................ ................................ ................................ ....................... 5 Adequacy decisions ................................ ................................ ................................ .................. 5 Standard contractual clauses ................................ ................................ ................................ .... 6 Supervisory Authorities’ Tools for international transfers ................................ .......................... 7 II. Chapter VII ................................ ................................ ................................ .................... 7 1. Cooperation Mechanism ................................ ................................ ................................ ....... 7 1.1 OSS – Article 60 ................................ ................................ ................................ ................................ .......... 9 1.2 Mutual assistance – Article 61 ................................ ................................ ................................ ................. 12 1.3 Joint operations – Article 62 ................................ ................................ ................................ .................... 14 2. Consistency mechanism ................................ ................................ ................................ ...... 15 2.1 Opinion - Article 64 GDPR ................................ ................................ ................................ ........................ 15 2.2 Dispute resolution - Article 65 GDPR ................................ ................................ ................................ ....... 17 2.3 Urgency Procedure – Article 66 ................................ ................................ ................................ ............... 17 3. Exchange of information: Standardised communication ................................ ....................... 17 4. European Data Protection Board ................................ ................................ ......................... 18 5. Human, technical and financial resources for effective cooperation and participation to the consistency mechanism ................................ ................................ ................................ .......... 26 6. Enforcement ................................ ................................ ................................ ....................... 31 7. Additional requests ................................ ................................ ................................ ............. 35 7.1 Data Breach notifications (Art. 33 GDPR) ................................ ................................ ................................ 35 7.2 Initiatives for SMEs ................................ ................................ ................................ ................................ .. 35 3 Adopted Ge neral EDPB policy messages 1 The application of the GDPR in this first year and a half has been successful. The GDPR has strengthened data protection as a fundamental right and harmonized the interpretation of data protection principles. D ata subject rights have been reinforced and da ta subjects are increasingly aware of the modalities to exercise their data protection rights. Moreover, data controllers and processors within the EU now benefit from one single set of rules bringing more legal certainty and a single interlocutor through the one - stop - shop mechanism. The framework provides for increased investigative and corrective powers for supervisory authorities (SAs), including significant fines. The GDPR also contributes to an increased global visibility of the EU legal framework and is being considered a model outside of the EU. Since the entry into application of the GDPR, the EDPB as a new decision - making EU body - building on the work of the Working Party 29 (“WP 29”) - has adopted various opinions and guidelines 2 to clarify fund amental provisions of the GDPR and to ensure consistency in the application of the GDPR by SAs. More specifically, the EDPB has done so with the objective of developing guidance on new and emerging technologies. In this respect, the EDPB emphasizes that th e GDPR is a technologically neutral framework designed to be comprehensive and to foster innovation by being able to adapt to different situations without being complemented by sector - specific legislation. The EDPB underlines that the GDPR is fully applica ble to emerging technologies and it will continue to elaborate on the impact of emerging technologies on the protection of personal data. The EDPB acknowledges that the implementation of the GDPR has been challenging, especially for small actors, most notably SMEs. SAs have been developing several tools to support SMEs in complying with the GDPR 3 . The EDPB is committed to facilitating the development of these tools in order to further alleviate the administrative burden. The EDPB is convinced that the cooperation between data protection authorities will result in a common data protection culture and consistent monitoring practices. However, the EDPB notes that SAs have identified challenges while implementing the cooperation and consistency mechanism. I n particular, the patchwork of national procedures and practices has an impact on the cooperation mechanism. This is mainly due to differences in complaint handling procedures, position of the parties in the proceedings, admissibility criteria, duration of proceedings, deadlines, etc. The EDPB is examining possible solutions to overcome these challenges and to ensure a common application of the key concepts relating to the cooperation procedure. T he European Commission should monitor whether national proced ures hinder the full effectiveness of the cooperation mechanism and eventually legislators may also have a role to play in ensuring further harmonization. The EDPB stresses that the effective application of the powers and tasks attributed by the GD PR to S As is largely dependent on the resources available to them. In this regard, the EDPB notes that most of the SAs state that resources made available to them are insufficient. Therefore, it is of the utmost 1 This text has been drafted in the context of the GDPR evaluation notably concerning Chapters V and VII of the GDPR in accordance with Article 97 GDPR. 2 See Section II (“Chapter VII”) , subsection 4 of this document . 3 See Section II, “Additional requests” , subsection 7.2 of this document. 4 Adopted importance that all SAs are provided with sufficien t resources by the Member States to carry out their tasks. The EDPB notes that this applies, in particular, to the one - stop - shop mechanism, as its success depends on the time and effort that SAs can dedicate to individual cases and cooperation. Next, the E DPB underlines that transfers of personal data to third countries or international organisations form an integral part of the digital environment. The EDPB welcomes the interest of third countries to engage with the EU in the context of an adequacy decisio n. Adequacy decisions are an important tool to ensure the continuous protection of personal data transferred from the European Economic Area to third countries and International organisations . The EDPB remains committed to providing independent assessments of the tools developed by the European Commission with regard to the strengthened requirements of the GDPR, especially enforceable rights, effective redress and safeguards concerning onward transfers. The EDPB considers these assessments to be of the utmo st importance. The EDPB will participate in the evaluation of current adequacy decisions and the adoption of future ones, while emphasising that it needs to receive all relevant documents in time to allow for a thorough assessment. With respect to other t ools for international transfers, the EDPB recalls its ongoing work on binding c orp o r a te r u l e s, c o d e s of c ond u c t , ce rtifi c a tion me c h a nis m s and administrative arrangements for transfers between public authorities . The EDPB is of the view that there is a pressing need for the European Commission to bring the existing set of SCCs in line with the GDPR and to draft additional SCCs that cover new transfer scenarios. In particular, the adoption of a set of processor - to - p rocessor SCCs would allow the appropriate framing of such transfers in accordance with Article 46 GDPR. In conclusion, after only 20 months of GDPR application, the EDPB takes a positive view of the implementation of the GDPR and is of the opinion that it is premature to revise the legislative text at this point in time . Rather than revising the GDPR itself, the EDPB calls upon the EU legislators, in particular the Europe an Commission, to intensify efforts towards the adoption of an ePrivacy Regulation to complete the EU framework for data protection and confidentiality of communications. 5 Adopted Questionnaire on Evaluation of the GDPR under Article 97 Reply of the European Dat a Protection Board In addition to the general policy messages above , the EDPB would like to provide a synthesis of the contributions and replies by its members to the Questionnaire on the Evaluation of the GDPR sent by the European Commission. This allows the EDPB as a single body to convey some additional messages with a EU - wide perspective. I. Chapter V The elements presented below constitute a summary answer of the EDPB’s general view on the international transfer tools as a response to the Commission’s questions. With respect to the specific answers to these questions, please check the national contribu tions. Adequacy decisions The EDPB welcomes the interest of third countries to engage with the EU in the context of an adequacy decision. Adequacy decisions are an important solution to ensure the continuous protection of personal data transferred from th e European Economic Area to third countries and International organisations. The EDPB remains committed to provide independent assessments of the tools elaborated by the European Commission with regard to the strengthened requirements of the GDPR, especial ly for enforceable rights, effective redress and safeguards concerning onward transfers. The EDPB considers these assessments to be of the utmost importance. The EDPB will participate in the evaluation of current adequacy decisions and the adoption of futu re ones, while emphasising that it needs to receive all relevant documents in time to allow for a thorough assessment. The first adequacy decision (reciprocal) adopted under the GDPR with Japan is both an encouraging sign of the Union's ability to maintain the necessary data exchanges between the Union and its international partners and an important precedent that should be taken into account to adjust the practice for future adequacy decisions and the review of existing ones . On the substance, adequacy decisions should focus on the assessment of the existing legislation of the third country concerned as a whole, in theory and practice, in light of the assessment criteria set out directly in Article 45(2) GDPR. In the case of the Japan adequacy decision , which is the only example for such a decision under the GDPR, the assessment of the legislation of the third country concerned was combined with specifically negotiated additional rules only applicable for transfers between th e EU and this third country. The EDPB took note of the repeated commitments and reassurances of the European Commission and of the Japanese authorities regarding the binding and enforceable nature of the Supplementary Rules whilst inviting the European Co mmission to continuously monitor their binding nature and effective application in Japan as their legal value is an essential element of the EU – Japan adequacy. The EDPB encourages the European Commission to ensure that an architecture of adequacy, relyi ng on Supplementary Rules, will be a sustainable and reliable system that will not raise practical issues 6 Adopted regarding the concrete and efficient compliance by foreign entities and enforcement by the third country data protection authority. The presence of a precise and effective control system for these rules, in particular for onward transfers of personal data transferred from the EU on the basis of adequacy decision must be subject to regular monitoring by the European Commission . The EDPB believes that the re are improvements to be made regarding the procedure for consulting the EDPB when adopting adequacy decisions . Indeed, it is absolutely necessary, that all relevant documents are transmitted sufficiently in advance and translated into English to the EDPB to enable informed and useful discussions before the final adoption of adequacy decisions. Provisions should be included in adequacy decisions to allow the SAs to effectively cooperate to enforce data protection rules. This is also applicable to any revie w by the European Commission of existing adequacy decisions. In such context, the European Commission should consult the EDPB on the overall assessment of the necessity to revise them and not only on the suggested complements to the relevant adequacy decisions. From this point of view, the effective and reliable coo peration between the different actors is essential to allow all parties to exercise their advisory functions and their responsibilities in a useful way. In the field of international negotiations, the Commission should continue its current practice to excl ude data protection from the di scussions on trade agreements. T he EDPB also underlines the need to remain careful towards the development of concepts such as the “free flow of data”, even if “with trust” discussed at the last G20 and G7. It also recalls th e need, before any free flow of data is contemplated, to provide strong data protection rules ensuring that the level of protection afforded to such data by the GDPR or by an adequacy decision will not be undermined when onward transferred. Standard contra ctual clauses Article 46(5) GDPR provides that decisions adopted by the European Commission on the basis of Article 26(4) of Directive 95/46/CE shall remain in force until amended, replaced or repealed. It is on such basis that the different sets of Standa rd Contractual Clauses (SCCs) for transfers adopted by the European Commission under Directive 95/46/CE are still being used by organizations as appropriate safeguards under Article 46. However, those SCCs do not take into account the evolutions brought by the GDPR compared to the previous regime with respect to a number of requirements to be complied with by controllers and processors. This raises legal and operational issues or concerns for concerned organizations that find themselves in a delicate situat ion notably on how to address the gaps resulting from the use of an instrument adopted under the previous regime with the new framework in application since May 25th 2018. This applies more particularly for transfers occurring in a controller to processor relationship and requiring the use of controller to processor SCCs of 2010 which do not reflect the changes introduced to processor obligations by Article 28 GDPR. There is a pressing need that the Commission provides organizations with updated set s of all SCCs to ensure legal certainty and address operational issues resulting from the use of “old” SCCs. The provision of updated SCCs could also take into account current cases pending at the EU Court of Justice on international transfers. In addition, the ex isting SCCs are not adapted to all transfer scenarios, especially those occurring in a processor - to - processor relationship or transfers of personal data from a processor in the EEA to a controller outside the EEA. Th ese situation s frequently occur in pract ice according to information 7 Adopted provided by stakeholders to SAs. The adoption of additional set s of SCCs in a near future would allow the appropriate framing of such transfers in accordance with Article 46 GDPR. Supervisory Authorities’ Tools for internationa l transfers T he EDPB recalls its ongoing work on already existing international transfer tools such as binding c orp o r a te r u l e s (BCRs) and on new tools such as c o d e s of c ond u c t and ce rtifi c a tion me c h a nis m s as tools for transfers or legally binding instruments and administrative arrangements for transfers of personal data between public authorities. On BCRs, the EDPB has updated its BCR referentials for controllers and processors in light of the GDPR. This update is an ongoing task of the Board to ensure that the referentials reflect the requirements of the GDPR in a most accurate way. Their update shall also take into account the practical experience of the SAs. Since the coming into force of the GDPR, the EDPB has adopted 3 positive Opinions on national decisions approving BCRs while more than 40 BCRs are in the pipeline for approval, half of which could be expected to be approved by the end of 2020. On Codes of Conduct and Certification as tools for tran sfers, the EDPB is currently preparing guidelines for interested stakeholders, which can be expected to be finalised by the end of 2020 for a first adoption before their submission for public consultation. Finally, on legally binding instruments and admin istrative arrangements, the EDPB is also preparing guidelines addressed to public authorities and bodies wishing to transfer personal data to public entities outside the EEA. These guidelines have been adopted and will be published for public consultati on before their final adoption. . II. Chapter VII 1. Cooperation Mechanism The new instruments of the cooperation introduced by the Chapter VII were an important step to formalise and strengthen the exchanges and the cooperatio n among SAs within the EU. The high number of the interactions between supervisory authorities ( SAs ) in the dedicated system proves that cooperation is already a concrete reality. To enable SAs to cooperate even before the formal OSS procedure is triggered , t he EDP B created a dedicated workflow in the Internal Market Information (IMI) to facilitate the SAs in identifying their respective roles of the Lead Supervisory Authority (LSA) and Concerned Supervisory Authorities (CSAs). Between 25 May 2018 until 31 December 2019, 1346 procedures were initiated to identify the LSA and CSAs. All SAs have been identified at least once as an LSA or a CSA. All the cases with a cross - border component are registered in a central database ( IMI Case register) from which all cooperation and consistency procedures can be initiated. Not all cases which are registered in Case register concern One - stop - shop procedures. A case in th e Case register may: • refer to one complaint and can lead to Article 60 procedure; 8 Adopted • refer to several c omplaints and in consequence can lead to the several Article 60 procedures; • relate to consistency procedure s (Articles 64, 65 or 66), Article 61 (Voluntary) Mutual Assistance or Article 62 Joint Operations which will not necessarily lead to any One Stop Shop Art. 60 procedures; • be also used for cross border communications, i.e. for transferring the complaints that do not concern the cross - border processing in accordance to Article 4 (23) GDPR and in consequence does not lead to Article 60 procedure . As explained above the definition of the case in IMI system is a broad term . It should be noted that the IMI case register does not include those cross - border cases that are still in the preliminary phase of identifying the roles of the LSAs and CSAs. In a ddition, not all cross - border complaints filed at individual SAs may have been uploaded onto IMI yet. T herefore the IMI statistics may differ from the national reporting by the SAs as the national case management systems are usually organised around the in dividual complaints. Between 25 May 2018 until 31 December 2019, 807 cases have been registered in IMI. The detailed breakdown is available below. AT BE BG CY CZ DE DK EE EL ES FI FR HR HU IE IS IT LI LT LU LV MT NL NO PL PT RO SE SI SK UK LSA 17 24 1 14 8 92 6 10 2 41 7 64 1 11 127 1 16 4 5 87 6 18 45 7 9 2 3 20 0 0 56 CSA 166 157 34 56 74 435 327 145 165 337 202 332 31 219 164 133 306 131 146 170 144 146 229 271 227 206 161 280 158 226 228 0 50 100 150 200 250 300 350 400 450 Number of Cases per LSA & CSA LSA CSA 9 Adopted 1.1 OSS – Article 60 a. Has your DPA been involved in any OSS cases? If so, in how many cases since May 2018? The IMI system offers different step s to follow when handling Article 60 procedures: • informal consultation to collect necessary information and enable the communication between involved SAs; • draft decision submitted by the LSA to the CSAs which trig gers the formal OSS procedure; • revised decision submitted by the LSA to the CSAs in case of the CSA raised a reasoned and relevant objection ; • final decision submitted to all EDPB members. Between 25 May 2018 and 31 December 2019 , L ead S upervisory Authorities (LSAs) issued 1 4 1 draft decisions under Article 60(3), out of which 7 9 resulted in final decisions under Article 60(6) . So far, 21 SAs have adopted those draft decision s acting as the LSAs and all SAs acted as Concerned Supervisory Authorities (CSAs) . The detailed breakdown is available below . 10 Adopted b. Did you encounter any problems/obstacles in your cooperation with the lead/concerned DPA? If yes, please describe them The challenges identified by the EDPB members in the framework of the o ne - stop - shop mechanism are the following: • different national administrative procedures The EDPB members identified as main challenge the differences in the national administrative procedur es , concerning in particular: complaint - handling procedures, position of the parties in the proceedings, admissibility criteria, duration of proceedings, deadlines, possibility to share confidential information with other SAs , concre te consultation of the CSAs on draft measures, etc. • different interpretations of concepts relating to the cooperation mechanism Drawing from the experience in the practical application of the cooperation mechanism , the EDPB members see a need to reach a c ommon understanding of several terms relating to the cooperation mechanism (e.g. “relevant information”, “without delay”, “draft decision”, “amicable settlements”) in order to ensure its effective functioning . The EDPB is constantly working on resolving these issues in the dedicated expert subgroups of the Board. • involvement of the CSAs in the case Because of these above - mentioned issues, the LSAs have different approaches regarding the start of the cooperation procedure, the timing of involvement of CSAs, and the communication of relevant information to them. 11 Adopted The EDPB recommen ded its members to exchange all relevant factual and legal information as soon as possible and to submit draft decisions without delay, as required by Article 60 GDPR . In addition, all documents and information necessary for the OSS purposes have to be pro vided in English, which requires additional human and financial resources from SAs. c. How would you remedy these problems? T he one - stop - shop and the cooperation mechanism are still relatively new procedures. In order to better understand the potential obstacles and identify available solutions, the EDPB is undertaking in particular the following steps: • further clarif ication of the applicable procedural steps in the case of Article 60 GDPR ; • analysis of the di fferent national administrative procedural laws and practices; • further work towards a common interpretation of key concepts and terms of the GDPR one - stop - shop and the cooperation procedure; • strengthening of the communication among the SAs ; • exploiting all the tools provided by the GDPR to enhance cooperation, including joint operations . Apart from the steps undertaken by the EDPB members themselves, the EU COM should monitor whether national procedures hinder the full effectiveness of the cooperation mechan ism and eventually legislators may also have a role to play in ensuring further harmonization. d. Is your national administrative procedure compatible with the OSS? (e.g. do you identify a clear step which can be referred to as a “draft decision”? Are the par ties heard before you produce such draft decision?) In general, the EDPB members believe that their national administrative procedures are compatible with the OSS procedure . Nevertheless, the interaction between the cooperation mechanism set out in the GDPR and national procedures gives rise to some concerns . As expla ined in the previous replies , there are some significant differences , such as : • procedure s of the complaint handling, including the admissibility criteria; • time frame for the handling of complaint or cases (i . e. some laws having strict deadlines and others no deadlines at all ); • modalities of implementation of the right to b e heard for the parties of a proceeding; • role of the complainant (the latter not being always perceived as a party to the proceeding before the SA ) ; • different complaint - handling methods including resolving complaints by the vindication of the specific complainant’s rights, amicable settlement and prioritisation of complaints for handling to the extent appropriate . 12 Adopted e. Were you in the situation of the application of the derogation provided for in Article 56(2) GDPR (so - called “local cases”, i.e. infringements or complaints relating only to an establishment in your Member State or substantially affecting data subjects only in your Member State)? The SAs used the Artic le 56 (2) p rocedure 6 5 times. The detailed breakdown is available below: Article 56 Local cases f. Is the OSS living up to its expectations? If not, what would you identify as its shortcomings? How can they be remedied? So far, the SAs under the GDPR have gained valuable experience in the application and implementation of the OSS - mechanism and generally regard the OSS and cooperation mechanism as useful means to enhance cross - border cooperation. As explained before, as the entry into ap plication of the GDPR is still relatively recent, i t is premature to make an exhaustive assessment of the OSS - mechanism itself as provided by the GDPR. However, it should be underlined that the effective application of the one - stop - shop procedures depends of the consistent interpretation of the key GDPR terms, the alignment of the national administrative procedures, adequate human and financial resources of SAs, further improvement of communication tools and reasonable timeframe of the case handling . 1.2 Mutual assistance – Article 61 a. Did you ever use this tool in the case of carrying out an investigation? The SAs have triggered 1 15 Mutual Assistance (Art 61) procedure. Most of the SAs used the Mutual Assistance in the case of carrying out an investigation. Furthermore, the SAs have launched 2427 procedures to assist each other on a voluntary basis. While designing the GDPR modules in IMI , SAs introduce d this procedure to enable a more flexible mutual AT CY CZ DE DK EL ES FR HU IE IT LU MT NL NO PL RO SI UK Sent 0 0 2 9 1 2 11 4 1 4 3 0 0 6 1 2 13 1 5 Received 1 3 0 2 0 0 2 2 0 39 0 1 1 6 0 1 0 0 7 0 5 10 15 20 25 30 35 40 Number of Art. 56 Local cases sent and received per SA 13 Adopted assistance for matters not needing a tight deadline , as it is based on the general principle of cooperation between SAs. Article 61 Formal Mutual Assistance Article 61 Voluntary Mutual Assistance AT BE CZ DK EE FI FR DE HU IE IS LT IT LU MT NL PL RO SI LV ES NO PT SK SE UK Sent 7 1 10 13 2 0 2 20 3 2 0 1 0 8 2 3 12 1 2 0 26 0 0 0 0 0 Received 10 3 2 1 2 2 11 10 3 19 1 0 2 9 0 4 3 2 4 1 2 1 1 2 2 18 0 5 10 15 20 25 30 Art 61 Mutual Assistance procedures sent and received per SA Sent Received AT BE BG HR CY CZ DK EE FI FR DE EL HU IS IE IT LV LI LT LU MT NL NO PL PT RO SK SI ES SE UK Sent 73 12 0 5 31 66 16 45 11 92 260 15 204 48 527 77 2 16 36 165 181 79 35 151 1 18 85 31 49 30 65 Received 100 78 39 38 38 42 63 43 41 109 356 43 46 35 359 49 33 30 43 141 35 103 44 60 42 38 40 36 110 55 222 0 50 100 150 200 250 300 350 400 450 500 Voluntary Mutual Assistance procedures sent and received per SA Sent Received 14 Adopted b. Did you ever use this tool in the case of monitoring the implementation of a measure imposed in another Member State? Three SAs used this tool for monitoring the implementation/enforcement of a measure i mposed in another Member State. c. Is this tool effectively facilitating your work? If yes, how? If not, why? The vast majority of SAs finds the mutual assistance a very useful to ol for cooperation and have not encountered any particular obstacle in applying the Mutual Assistance procedure . At the same time they believe that, the formal mutual assistance which foresees a strict deadline of 1 month to answer has been used only to a limited extent (around 1 15 procedures in 18 months) . T herefore , the detailed assessment of the effectiveness of this instrument is not possible at this stage. The voluntary mutual assistance exchange, not implying a legal deadline and strict duty to answer , is more frequently used . d. Do you encounter any other problems preventing you from using this tool effectively? How could they be remedied? Most SAs have not encountered any particular obstacle in applying this procedure. 1.3 Joint operations – Article 62 a. Did you ever use this tool (both receiving staff from another DPA or sending staff to another DPA) in the case of carrying out and investigation? The joint operation procedure has not yet been triggered by the SAs. However , several SAs are consi dering starting this type of cooperation in 2020. b. Did you ever use this tool in the case of monitoring the implementation/enforcement of a measure imposed in another Member State? See reply to 1.3.a . c. Is it effectively facilitating your work? If yes, how? If not, why? See reply to 1.3.a . d. Did you encounter any problems (e.g. of administrative nature) in the use of this tool? How could they be remedied? The SAs do not have enough practical experience to reply to this question. However, a legal issue was point ed out by one SA as its national law does not contain any provision implementing Art. 62 GDPR. The EDPB is working on the practical implementation of this tool in order to provide more clarity and consistency within the limits of the legal framework and on the basis of SAs’ experience . 15 Adopted 2. Consistency mechanism 2 .1 Opinion - Article 64 GDPR a. Did yo u ever submit any draft decision to the Board under Art 64(1)? Between 25 May 2018 and 31 December 2019, t he EDPB adopted 36 opinions under Article 64 (1) GDPR : • 31 Opinions on Article 3 5 (4) GDPR (all EU+ EEA countries) • 2 Opinions on Binding Corporate Rules (Equinix Inc. and ExxonMobil Corporation) (Article 47 GDPR) (UK SA and BE SA) • 2 Opinions on the draft accreditation requirements for a code of conduct monitoring body pursuant to Article 41 GDPR (AT SA and UK SA) • 1 Opinion on dra ft Standard Contractual Clauses according to Article 28(8) GDPR (DK SA) b. Did you ever submit any draft decision to the Board under Art 64(2)? The EDPB adopted 6 opinions under Article 64 (2) GDPR : • 3 Opinions on national DPIA lists pursuant to Article 35(5) GDPR ( CZ SA, ES SA and FR SA) ; • 1 Opinion on an administrative arrangement for the transfer of personal data between EEA and non - EEA financial supervisory authorities (EDPB Secretariat on behalf of the Chair) ; • 1 Opinion on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and power of SAs (BE SA) ; • 1 Opinion on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment (FR SA and SE SA) . c. Did you have any problems by complying with the obligations under A rticle 64(7) GDPR, i.e. taking utmost account of opinion of the EDPB? If so please describe them. Overall, no major problems with complying with A rticle 64 (7) GDPR were identified so far. The GDPR does not include a clear procedure to ensure that the changes made to the draft decision were fully in line with those requested by the Board. The EDPB solved this issue by adapt ing its own rules of procedure to further detail the practical implementation of th e Article 64(7) GDPR and to clarify the steps of the procedure applicable after the adoption of the EDPB opinion ( Article 10.6 to 10. 8 of the EDPB rules of procedure) . The new version of the EDPB rules of procedure ensures a close monitoring of the impleme ntation of the EDPB opinions. This has led to a full implementation of the EDPB opinions. Last , the practice has show n that the two - week deadline set out in Article 64(7) can be relatively short since SAs also need some time for internal validation. 16 Adopted d. Was the “communication of the draft decision” complete? Which documents were submitted as “additional information”? The precise list of documents and information for each type of Article 64 (1) procedure was identified by the SAs and the EDPB S ecretariat while designing the IMI system and the result was embedded in the system . In practice , the initiating SA cannot technically send the request for Art. 64 (1) opinion without providing all relevant information. The SAs should provide inter alia a summary of the relevant facts, a summary of the views of other SAs and parties involved, elements that the EDPB should take into account, the draft decision of the SAs with all relevant annexes and other documents which are precisely identified , such as for example for the Code s of Conduct or BCR - related opinions. e. Were there any issues concerning the translations and/or any other relevant information? In accordance to Art. 23 (2) of the EDPB Rules of Procedure (RoP), documents drafte d by SAs for the procedures foreseen under Article 64 – 66 GDPR and Article 70 GDPR shall be submitted in English. Other useful documents may be translated by the EDPB Secretariat in accordance with Article 11(2) of the EDPB RoP. For the moment, a ll SAs initiating Article 64 procedures provided all the documents in English and no translation was needed for documents sent by SAs to initiate an Art. 64 procedure . Some SAs raised issues relating to the translations they have to provide when sending document to the EDP B and relating to the proofreading of EDPB adopted opinions ( volume constantly increasing , costs, time consuming) . f. Does that tool fulfil its function, namely to ensure a consistent interpretation of the GDPR? Generally, in the cases where the procedure has been used by the EDPB so far, the tool has proven helpful in ensuring a consistent interpretation of the GDPR. Up to now, all the SAs have demonstrate d their commitment to apply the procedure and to implement the opinion s of the EDPB into their national decisions. As much as the process has been directly established by the GDPR, it would have been more efficient for each opinion to cover a specific topi c and be applicable throughout the EEA area. This would have avoided , for example, having 31 opinions on DPIA lists. Indeed , f or the purposes of Article 64(1)( a) - ( e) GDPR the adoption of 28 different opinions resulted in the multiplication of documents tha t makes it harder for the public and stakeholders to access relevant information. At the same time, the EDPB recognizes that the choice made in the GDPR enables each SA to take into consideration national specificities. With regard to Article 64(1)(f), th e work is still on progress and the efficiency of the tool for this specific article is difficult to assess without longer experience . In addition, Article 64(2) effectively allow the Board to reach common positions on questions of general relevance . It has also been used in practice to fill gaps left by the legislator such as the absence of a reference to Article 46(3)(b) and Article 35 ( 5 ) under 64(1). 17 Adopted Until now, the EDPB was able to deliver all the opinions within the legal dea dline. However, the practice show s that the deadlines (8 + possibly 6 weeks) provided for in GDPR can be relatively short for findi ng an agreement among all members . 2 .2 Dispute resolution - Article 65 GDPR a. Was this procedure used? If yes, what was your experience during the process? The EDPB has not adopted any binding decision yet, since so far the involved SAs have been able to reach consensus on cross - border cases in the cooperation mechanism . One SA had requested an Article 65 EDPB binding decision in the past , but t h is submission was procedurally premature and has subsequently been withdrawn. b. Which documents were submitted to the EDPB? See reply to question 2.2. a) . c. Who prepared the translation, if any, of that documents and how much time did it take to prepare it? Were all the documents submitted to the EDPB translated or only some of them? See reply to question 2.2. a) . Generally, in accordance to Art. 23 (2) of the EDPB RoP, docume n ts drafted by the SAs for the procedures foreseen under Article 64 – 66 GDPR and Article 70 GDPR shall be submitted in English. Other documents may be translated by the Secretariat in accordance to Article 11(2) of the EDPB RoP. 2 .3 Urgency Procedure – Ar ticle 66 a. Did you ever adopt any measure under urgency procedure? This procedure has not been triggered yet. 3. Exchange of information: Standardised communication a. What is your experience with the standardised communication through the IMI system? Since 25 May 2018 the SAs have been using the Internal Market Information (IMI) s ystem to exchange information necessary for the GDPR cooperation and consistency mechanism in a standardised and secured way. IMI is a system developed by the European Commiss ion’s DG GROW and was adapted to cater for the needs of the GDPR, in close cooperation with the Secretariat of th e EDPB and the national SAs . T he system has been frequently used since day one. To ensure that the system is adapted to the changing needs of SAs, the EDPB created a dedicated expert subgroup which discusses and validates the necessary changes of the system (i.e. new workflow for the EDPB written procedure, several chan ges of the fields names, changes of the number of characters available in the fields, available reports for different procedures, change of bilateral workflow of the information mutual assistance request into multilateral etc . ). Additionally the EDPB IMI H elpdesk has been created within the EDPB Secretariat with dedicated staff providing day - to - day assistance to the users. 18 Adopted M ost of the EDPB members are satisfied with the use of the IMI system. However, the overall assessment at this stage is not possible, as several procedures have not yet been used (Article 62, Article 65 or Article 66 GDPR ). A majority of the SAs are of the opinion that the IMI system should be further adapt ed to the ir needs in cooperation with DG GROW ( e.g., concerns with bundling complaints, high number of notifications and overall user - friendliness should be addressed). 4. European Data Protection Board a. Can you provide an indicative breakdown of the EDPB work according to the tasks listed in Article 70? Article 70(1)(a) - Articles 64 and 65 Article 64 GDPR : • 31 Opinions on article 35.4 GDPR (all EEA countries); • 3 Opinions on article 35.5 GDPR (CZ, ES, FR); • 2 Opinions on Binding Corporate Rules (Equinix Inc. and ExxonMobil Corporation ); • 2 Opinions on the draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR (AT, UK); • 1 Opinion on the draft Standard Contractual Clau ses submitted by the DK SA (Article 28(8) GDPR); • 1 Opinion on the draft Administrative Arrangement between EEA and non - EEA Financial Supervisory Authorities; • 1 Opinion on the interplay between the ePrivacy Directive and the GDPR, in particular regarding th e competence, tasks and powers of data protection authorities; • 1 Opinion on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment. Article 65 GDPR: No binding decision have been taken yet by the EDPB . Article 70(1)(b) - advise the Commission • Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications (2018); • Statement on an ePrivacy regulation (2019); • Statement of the EDPB on the data protection impacts of economic concent ration ; • Opinion on Commission proposals on European Production and Preservation Orders for electronic evidence in criminal matters; • EDPB - EDPS Joint Opinion on the processing of patients’ data and the role of the European Commission within the eHealth Digit al Service Infrastructure (eHDSI) (also on the basis of Article 42(2) of the Regulation 2018/1725) ; 19 Adopted • Opinion concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) . Article 70(1)(c) - advise the Commission on the format and procedures for the exchange of information between controllers, processors and SAs for BCRs • WP29 Recommendation on the Standard application form for approval of the Processor Binding Corporate Rules (Endorsed by the EDPB); • WP29 Recommendation on the Standard application form for approval of the Controller Binding Corporate Rules (Endorsed by the EDPB); • WP29 Working Document setting forth a co - operation procedure for approval of the Bin ding Corporate Rules for controllers and processors (Endorsed by the EDPB); • A register of EDPB approved BCR is available online : https://edpb.europa.eu/our - work - tools/account ability - tools/bcr_en Article 70(1)(d) - Procedures referred to in Article 17(2) / Article 70(1)(e) - any question covering the application of the GDPR • Information note on data transfers under the GDPR in the event of a no - deal Brexit; • Statement on the US Foreign Account Tax Compliance Act (FATCA); • Statement on the use of personal data in the course of political campaigns; • Guidelines on “The criteria of the Right to be Forgotten in the search engines cases under the GDPR” (Part 1); • Guide lines on Article 25 Data Protection by Design and by Default; • Guidelines on processing of personal data through video devices; • Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to da ta subjects; • Guidelines on the territorial scope of the GDPR (Article 3); • WP29 Guidelines on Consent under Regulation 2016/679 (Endorsed by the EDPB); • WP29 Guidelines on Transparency under Regulation 2016/679 (Endorsed by the EDPB); • WP29 Guidelines on the right to "data portability" under Regulation 2016/679 (Endorsed by the EDPB); • WP29 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulati on 2016/679 (Endorsed by the EDPB); • WP29 Guidelines on Data Protection Officers ('DPOs') (Endorsed by the EDPB); • WP29 Position paper on the derogations from the obligation to maintain records of processing activities pursuant to Article 30(5) GDPR (Endorse d by the EDPB). Article 70(1)(f) - specifying the criteria and conditions for decisions based on • WP29 Guidelines on Automated individual decision - making and Profiling for the purposes of Regulation 2016/679 (Endorsed by the EDPB) . 20 Adopted profiling pursuant to Article 22(2) Article 70(1)(g) - On personal data breach (Art. 33(1) and (2)) • WP29 Guidelines on Personal data breach notification under Regulation 2016/679 (Endorsed by the EDPB) . Article 70(1)(h) - On personal data breach (Art. 34(1)) • WP29 Guidelines on Personal data breach notification under Regulation 2016/679 (Endorsed by the EDPB) (see also point (g) above) . Article 70(1)(i) - specifying the criteria and requirements for personal data transfers based on BCRs adhered to by controllers and processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned (Art. 47) • Information note on BCRs for companies which have ICO as BCR Lead Supervisory Authority; • WP29 Working Doc ument setting up a table with the elements and principles to be found in Binding Corporate Rules for Processors (Endorsed by the EDPB); • WP29 Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules for Controllers (Endorsed by the EDPB) . Article 70(1)(j) - specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1) Guidelines on derogations of Article 49 under Regulation 2016/679. Article 70(1)(k) - applicat ion of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines (Art. 83) WP29 Guidelines on the application and setting of administrative fines (Endorsed by the EDPB). Article 70(1)(l) - review the practical application of the guidelines, recommendations and best practices Stakeholder Survey on adopted Guidance, in EDPB 2018 Annual report (p. 23 and following). Article 70(1)(m) - Establish common procedures for reporting of infringements of GDPR (Art. 54(2)) / 21 Adopted Article 70(1)(n) - encourage the drawing - up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks (Art. 40 and 42) • Guidelines on Codes of Conduct and Monitoring Bodies under Reg ulation 2016/679; • Guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation . Article 70(1)(o) - approve the criteria of certification (Art. 42(5)) and maintain a public register of certification mechanisms and data protection seals and marks (Art. 42(8)) and of the certified controllers or processors established in third countries (Art. 42(7)) • Guidelines on certification and identifying certification criteria in accordance with Artic les 42 and 43 of the Regulation (see also under (n)); • register is available online: https://edpb.europa.eu/our - work - tools/accountability - tools/certification - mechanisms - seals - and - marks_en Article 70(1)(p) - approve the requirements in Article 43(3) with a view to the accreditation o f certification bodies in Art. 43 Guidelines on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679). Article 70(1)(q) - an opinion on the certification requirements (Art. 43(8)) No draft delegated act received. Article 70(1)(r) - opinion on the icons (Art. 12(7)) No draft delegated act received. Article 70(1)(s) - assessment of the adequacy of the level of protection in a third country or international organisation • WP29 Working document on Adequacy Referential (Endorsed by the EDPB); • Opinion regarding the European Commission Draft Implementing Decision on the adequate protection of personal data in Japan; • EU - U.S. Privacy Shield - Second Annual Joint Review report; • EU - U.S. Privacy Shield - Third Annual Joint Review report. Article 70(1)(t) - See under point (a) . 22 Adopted issue opinions on draft decis ions of SAs pursu ant to Art. 64(1), 64(2), 65 and Art. 66 Article 70(1)(u) - promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities • WP29 Guidelines on the Lead Supervisory Authority (Endorsed by the EDPB); • IMI (Internal Market Information System) was chosen as the IT platform to support cooperation and consistency procedures under the GDPR. IMI is a system developed by the European Commission’s DG GROW and was adapted to cater for the needs of the GDPR, in close cooperation with the Secretariat of the European Data Protection Board and the national SAs . 14 IMI modules, 19 forms and more than 10.000 data fields were put in place to address the needs of SA s and the GDPR procedures; • The EDPB Secretariat created a dedicated space on a Confluence platform (EDPB Information exchange platform) to facilitate the effective bilateral and multilateral e xchange of information amongst the EDPB members; • Creation of the press communication network to ensure effective bilateral and multilateral exchange of communication materials (ie. press information, and speeches) and to ensure consistent external communic ation on EDPB activities; • Creation of the EDPB members’ DPO network to exchange best practices between the SAs and relevant information on data protection practices; • The EDPB Secretariat prepares draft summaries of all article 60 GDPR final decisions and share them on the EDPB Information exchange platform (Confluence); • The EDPB Secretariat created and financed 141 accounts to enable the national SAs to access the EP network and to remotely participate in expert group meetings or to organise bilateral remote meetings by secured videoconferencing system (JABBER). Article 70(1)(v) - promote common training programmes and facilitate personnel exchange s betw een SAs • European Data Protection Board secondments programme for exchanges of staff between SAs , EDPB - EDPS Joint Decision and launching of the first pilot programme; • 2 days of training for SAs on BCR review (Oslo, 2019); Article 70(1)(w) - promote the exchange of knowledge and documentation on data protection legislation and practice • Presentation on the last development regarding the Brazilian data protection law by a Brazilian expert (summer 2019); • The EDPB became observer to the international co nference of data protection commissioners in 2019 (ICDPPC became the Global Privacy Assembly); • The EDPB Secretariat prepares summaries of ECJ Judgements relating to data protection and uploads them on EDPB Information exchange platform (Confluence); 23 Adopted • The ED PB Secretariat creates dedicated sections in the EDPB Information exchange platform (Confluence) to enable the EDPB Members to share information relating to EEA national data protection legislations. • IMI : Register of the Information on national legislation on the public access to documents Article 70(1)(x) - issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9) No code of conduct yet received. A register is available online: https://edpb.europa.eu/our - work - tools/accountability - tools/register - codes - conduct - amendments - and - extensions - art - 4011_en Article 70(1)(y) - maintain a publicly accessible electronic register of decisions taken by SAs and courts on issues handled in the consistency mechanism The register is available online: https://edpb.europa.eu/our - work - tools/consistency - findings/register - for - decisions_en Article 70(3) forward opinions, guidelines, recommendations, and best practices to t he Commission and to the Art. 93 committee and make them public The EDPB sent letters on opinions, recommendation, adequacy review reports, statements, and final version of guidelines. All of t hese are published on the EDPB website. Article 70(4 ) Consultation of and comments from interested parties • The EDPB organised 7 public consultations (on all draft version of EDPB guidelines) for a duration between 6 and 8 weeks. The guidelines were finalised after having taken into account the result of the consultation; • All the WP29 guidelines endorsed by the EDPB have been subject to a public consultation before being finalised; • The EDPB organised 3 stakeholders events in 2019 (in the context of fu ture “PSD2”, “the concept of controller and processor” and the “data subject rights” guidelines). Others not included in Article 70 GDPR list of tasks • EDPB pleading before the CJEU in Case C - 311/18 (Facebook Ireland and Schrems); • EDPB LIBE report on the implementation of GDPR; • EDPB contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime. • Recommendation on the draft list of the European Data Protection Supervisor regarding the processing oper ations subject to the requirement of a data protection impact assessment (Article 39.4 of Regulation (EU) 2018/1725) 24 Adopted b. For the EDPB Secretariat: Can you provide an indicative breakdown of the EDPB Secretariat work and allocation of resources (full - time equivalent) according to the tasks listed in Article 75? The EDPB Secretariat The EDPB Secretariat is composed of a multifaceted team , facilitat ing the Board’s fair and effective decision - making and acts as a gateway for clear and consistent communications. To this end, under the lead of 1 FTE, a team is composed of 19 FTEs bringing together legal, IT and communications experts, supported by an experience d administrative team. The Secretariat deals with a range of tasks, from ensuring respect of the legal framework, drafting legal documents, issue management and providing IT solutions to ensuring transparent communications, handling media relations and pla nning as well as organizing meeting s. C urrently , 9 FTE case officers provide analytical support , as well as administrative support to the EDPB Expert S ubgroups (ESGs) and plenary meetings pursuant to Article 75(6) (f) . In terms of a nalytical support ( which represents 45 % of the case officers’ work / 4 FTE out of 9 ), the EDPB Secretariat is responsible “for the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board” pursuant to Article 75(6)(g) . As such, since May 2018, the EDPB Secretariat has led the dra fting for 45 out of 67 (67%) of the documents adopted by the EDPB , and m ore specifically: • 39 consistency opinion s (out of 42), • 1 recommendation (out of 1), • 5 (out of 15) other official documents (statement on political campaign s , info note on Brexit or ICO as Lead BCR SA, LIBE report . ..) In addition, the EDPB Secretariat case officers regularly provide support to draft EDPB guidelines (9 guidelines since May 2019 ) and draft many of the info notes summarising the main discussion point s for the plenary meetings . The case officers also handl e requests for public access to documents , security of information (LISO) and DPO activities . Finally, they provid e legal expertise with regard to requests for information and media enquiries. In terms of a dministrative support to the ESG s ( which represents 55 % of the case officers’ work/5 FTE out of 9 ), case officers work closely with subgroup coordinators to plan meetings, prepare the agenda, share meetings documents , take minutes , ensure the exchange of information on a daily basis and provide other administrative support as necessary. In addition, the EDPB Secretariat employs 4 FTE for pure ly administrative and logistical support . This support covers: • organising all EDPB meetings and events . This includes meeting planning, facility management, handling the invitation s and reimbursement of participants, coordinating security and catering; • coordinating the translation and proof readings of all official documents in all the official EU languages , pur suant to Article 75(6)(e). 25 Adopted • management of SAs contact lists and ensuring access to the EDPB’s secure IT systems and mailing lists; • acting as operational initiating officers for financ ial operations relating to the S ecretariat, EDPB, Chair and deputy Chairs expenditures - (meetings, missions, contracts, procurement); Furthermore, to enable effective and secure communication and information exchange between members and guarantee the consistency o f official documents over time, 4 FTE deal with IT matters and record management . Their tasks include : • provid ing development, use, maintenance, support, training, statistics and user guides for the EDPB IT communication tool and One Stop Shop communication tool (EDPB website, EDPB Information exchange platform, EDPB IMI exchange system for cooperation and consistenc y, EDPB Videoconferencing system), pursuant to Article 75(6)(d) GDPR. • provid ing IT support for the organisation of EDPB meetings (videoconferencing facilities, voting system for the plenaries), • elaborat ing and implementing document management policies and procedures and an EDPB naming convention; e nsur ing the application of the rules and of the concepts concerning in particular registration, filing, conserva tion and transfers of documents (1 FTE out of the 4) T o ensure tran sparent and timely c ommunication with third parties, the Secretariat includes 2 FTE who deal with all external communications . Their tasks , in light of Article 75(6) (c), cover inter alia: • Day - to - day media relations (media monitoring, replying to information enquiries, coordination of interview requests and organisation of press conferences and media briefings) and drafting and distributing press releases; • Coordination of external communica tions with the EDPB communications network, including joint communication on EDPB news, joint information campaigns and joint development of communication tools; • Ensuring EDPB’s online presence (social media accounts + website); • Production of EDPB publicat ions, including the annual report (including a stakeholder survey pursuant to Article 71(2) ); • Coordination of public information (open days, information stands at international conferences and replying to citizens’ enquiries); • Management of relations with external stakeholders: organisation of stakeholder events, follow - up and coordination of requests for meetings and participation in conferences, preparation of speeches, briefing and presentations for the chair and deputy chairs ; • Ensuring public relations with other institutions. All staff members contribute to ensure the day - to - day business of the EDPB and daily exchanges of information between the members of the EDPB , its Chair and the Commission, pursuant to Article 75(6) (a) and (b) GDPR. The E DPS horizontal supporting service In line with the MoU agreed with the EDPB, the EDPS is responsible for ensuring that the EDPB receives adequate human and financial resources and for providing administrative support where needed. 26 Adopted 4 EDPS FTE are providing the necessary support relating to finance and procurement ( including purchase of all goods and services, reimbursement of travel expenses for plenaries and subgroup meeting ), H R support to the EDPB Secretariat staff (including selection, recruitm ent, payroll, appraisal, promotion, learning and development and respect for ethics), support for the preparation, monitoring and execution of the budget, other horizontal matters (including ethics, internal control and liaison with different auditing stak eholders) but also some technical support relating to the EDPB external communication. 5. Human, technical and financial resources for effective cooperation and participation to the consistency mechanism The EDPB notes that the effective application of th e GDPR and the success of the one - stop - shop mechanism is largely dependent on the time and resources that SAs have at their disposal . It is therefore of the utmost importance that the Member States provide SAs with strengthened human, financial and technic al resources. This would enable the SAs to perform their increased missions properly and meet the expectations of the legislator and of the public. The need for sufficient resources also applies to the EDPB Secretariat, which plays a key role in the prepa ration and execution of many of the tasks entrusted to the EDPB. a. How many staff (full - time equivalent) has your DPA? Please provide the figures at least for 2016, 2017, 2018, 2019 and the forecast for 2020. 27 Adopted b. What is the budget of your DPA? Please provide the figures (in euro) at least for 2016, 2017, 2018, 2019 and the forecast for 2020. The budgets of SAs have to be interpreted in light of possible differences in the sco pe of competences, activities, and financial responsibilities at national level. 28 Adopted €0 €10.000.000 €20.000.000 €30.000.000 €40.000.000 €50.000.000 €60.000.000 €70.000.000 €80.000.000 €90.000.000 BE CZ DE DK ES FI FR IE IT LU NL NO PL SE UK BUDGET IN EUROS BE CZ DE DK ES FI FR IE IT LU NL NO PL SE UK BUDGET Forecast 2020 €8.962.200 €6.720.533 €85.837.500 €5.623.114 €16.500.000 €4.500.000 €20.143.889 €16.900.000 €30.127.273 €6.691.563 €18.600.000 €6.580.660 €9.413.381 €10.300.000 €61.000.000 BUDGET 2019 €8.197.400 €6.541.288 €76.599.800 €5.610.128 €15.187.680 €3.500.000 €18.506.734 €15.200.000 €29.127.273 €5.442.416 €18.600.000 €5.708.950 €7.506.345 €8.800.000 €52.000.000 BUDGET 2018 €8.217.300 €6.473.781 €64.496.694 €4.740.039 €14.384.376 €2.400.000 €17.395.563 €11.700.000 €26.927.498 €4.415.419 €12.900.000 €5.386.140 €4.929.757 €8.000.000 €30.000.000 BUDGET 2017 €8.472.000 €6.247.455 €56.790.875 €2.973.887 €14.101.070 €1.900.000 €17.035.799 €7.500.000 €21.061.842 €2.499.348 €10.500 €5.012.750 €4.895.470 €5.100.000 €28.000.000 BUDGET 2016 €8.132.800 €5.933.043 €51.671.540 €2.792.078 €14.101.070 €1.800.000 €18.853.380 €4.700.000 €19.889.832 €2.050.922 €8.100.000 €4.512.660 €4.526.315 €4.500.000 €26.300.000 2016 - 2020 - SAs BUDGET ABOVE 4,5 MILLIONS 29 Adopted 30 Adopted c. Is your DPA dealing with tasks beyond those entrusted by the GDPR? If yes, please provide an indicative breakdown between those tasks and those entrusted by the GDPR. The answers provided by the SAs show that all of them perform some tasks in addition to those entrusted by the GDPR. While most SAs are also responsible for matters relating to the L aw Enforcement Directive, the ePrivacy framework, and the coordinated supervision of EU agencies and large - scale systems, a variety of other tasks are assigned to them by national laws. A more detailed overview is provided by the individual answers of the SAs. d. How would you assess the resources from your DPA from a human, financial and technical point of view? Most of the SAs have explicitly stated that they do not have enough resources while there are some SAs who do not see a need for further resources at this stage. HR, Financial, Technical resources SAs The resources are not enough AT, BE, BG , DE 4 , EE, ES , FI , FR , GR , IE , IS , IT , LT , LV, MT , NL , PT , PL, RO , SK , SI The resources are enough CY, CZ, DK, HR, HU, LU, NO, SE, UK e. More specifically, is your DPA properly equipped to contribute to the cooperation and consistency mechanism? How many persons work on the issues devoted to the cooperation and consistency mechanism? Most of the SAs stated that they are not properly equipped to contribute to the cooperation and consistency mechanism. The number of staff members working on these matters varies among the SAs. For further details , please check the individua l answers provided by the SAs. Properly equipped to contribute to Cooperati on and Consistency? SAs Not properly equipped AT, BE, DE, ES, FR, GR, HR, IS, IT, PL, PT, RO, SI, SK Properly equipped DK, CZ, HU, IE, LU, NO, SE, UK 4 DE: In an overall view, the German DPAs had an increase in staff and budget. However the majority of the German Länder DPAs stated that the current staffing is not found to be sufficient for the effective performance of its tasks in the sense of Article 52 (4) GDPR. At present, the staffing does not allow an adequate and proactive fulfillment of the statutory tasks, despite the recent increases in resources. Overall, there is still a pent - up demand for human resources in order to avoid a situation incompatible with EU law due to insufficient resources. 31 Adopted 6. Enforcement The data concerning enforcement actions taken by the EDPB mem bers since May 2018 are showing an increased attention and effort toward enforcement of data protection laws by most SAs . The EDPB appreciates the new enforcement tools provided by the GDPR and the SAs made use of a wide range of corrective measures, i.e. not only admin istrative fines bu t also warnings and reprimands. a. How many complaints (excluding request for information) did you receive since May 2018? What kind of communication with you/request do you qualify as a complaint? Between 25 May 2018 and 30 November 2019 the EU/EEA SAs received approximately 275 . 557 complaints altogether 5 . The figures referring to complaints received by each SA vary a lot, as revealed by the graph s below. 5 Based on replies from 30 SAs. For 1 SA, the amount refers to both complaints and data breach notifications. For another 1 SA, the amount refers to complaints as well as reports where the complainant was not directly concerned. 32 Adopted With regard to the definition of complaint, the SAs are generally relying on Article 77 GDPR and therefore consider as a complaint a submission to a SA by an identified natural person - or a not - for - profit body, organization or association that fulfils the conditions provided by Article 80 of the GDPR - who considers that the processing of personal data relating to him or her infringes the GDPR. The figures on complaints in the tables above have to be interpreted in light of possible differences in the application of the concept of “complaint” at national level (e.g. different admissibility requirements, consideration of express requests for mediation as complaints). Also, mere information requests are generally not considered to be complaints. The EDPB is aware of these discrepancies and is working in order to identify possible ways forward. b. Which corrective powers did you use since May 2018? Corrective powers under the GDPR SAs art. 58(2)(a) - warnings 6 AT, BE, CY, CZ, DE , EE, FR, GR, HU, IT, LT, LV, MT, UK art. 58(2)(b) - reprimands 7 AT, BE, BG, CY, CZ, DE, DK, EE, ES, FI, FR, GR, HU, IT, LT, LV, MT, NL, NO, PL, RO, SE, SK, UK art. 58(2)(c) - order to comply with data subject's requests to exercise individual rights AT, BE, BG, CY, CZ, DE, DK, EE, ES, FI, FR, HR, HU, IS, IT, LT, LU, LV, MT, NO, PL, PT, RO, SE, SI, SK 6 SI SA has issued warnings, reprimands and fines pursuant to the Personal Data Protection Act, a predecessor of the GDPR in Slovenia, as the the legislative amendments, giving the SI SA the power to issue GDPR fines, have not yet been passed in Slovenia . 7 See previous footnote . 33 Adopted art. 58(2)(d) - order to bring processing operations into compliance AT, BE, BG, CY, CZ, DE, DK, EE, ES, FI, FR, GR, HR, HU, IS, IT, LT, LV, MT, NL, NO, PL, PT, RO, SE, SI, SK art. 58(2)(e) - order to communicate a data breach to the data subject AT, DK, FI, FR, HU, IS, IT, MT, PL , LV art. 58(2)(f) - temporary or definitive limitation, including a ban on processing AT, DE, DK, GR, HU, IS, IT, LT, MT, NL, PT, RO, SI art. 58(2)(g) - order of rectification or erasure or restriction of processing, and notification to recipients AT, BE, BG, CZ, DE, DK, EE, ES, FI, HR, HU, IS, LU, LV, NO, PL, PT art. 58(2)(h) - withdrawal of certification / order to certification body to withdraw certification or not to issue certification / art. 58(2)(i) - administrative fine 8 AT, BE, BG, CY, CZ, DE, DK 9 , ES, FR, GR, HU, IT, LT, LV, MT, NL, NO, PL, PT, RO, SE, SK art. 58(2)(j) - order to suspend data flows to a recipient in a third country or IO / Additional powers under national law EE (precept with penalty payments), NL (Incremental penalty payment), FI (conditional fines), FR (order under a daily penalty) , UK (Notices of intent; Enforcement Notices; Preliminary Enforcement Notices) c. Are you resolving any possible infringements of the Regulation with the help of so - called “amicable settlements”? Some SAs resolve possible infringements with so - called “amicable settlements” or “amical resolution” pursuant to provisions in their natio nal law or explicit procedures. O th er SAs aim at resolving cases in a conciliating way, even though this is not foreseen as a formal outcome of the proceedings, the case is closed when an agreement is reached between the parties or the data subject request has been satisfied. This is especi ally common when data subjects’ rights are at stake or when minor infringements are concerned . Nine SAs did not make use of amicable settlements . d. How many fines did you impose since May 2018? Please provide examples. Between 25 May 2018 and 30 N ovember 2019, 22 EU/EEA SAs made use of this corrective power issuing approximately 7 85 fines altogether 10 . Only 8 SAs have not imposed any administrative fine yet although most of them have ongoing proceedings that might lead to imposing an administrative fine in the near future . Most of the fines related to p rinciples relating to processing of personal data (Art. 5 GDPR) ; l awfulness of processing (Art. 6 GDPR) ; v alid consent (Art. 7 GDPR) ; p rocessing of special categories of personal 8 See previous footnote . 9 Please note that as stated in recital 151, the legal system of Denmark does not allow for administrative fines. Fines can only be imposed by the national courts, which means that th e Danish SA reports infringement s to the Police, which then takes the case to court. 10 Based on replies from 30 SAs . Out of these, around 110 fines referred to infringements occurred before 25th of May 2018. 34 Adopted data ( Art. 9 GDPR) ; t ransparency and r ights of the data subjects (Art. 12 to 22 GDPR) ; s ecurity of processing and data breaches (Art. 32 to 34 GDPR) . e. Which attenuating and or aggravating circumstances did you take into account? Several SAs stated that all the factors mentioned by Article 83 GDPR are usually taken into account while imposing administrative fines and that they largely rely on the Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, adopte d by the Article 29 Working Party on 3 October 2017 and endorsed by the EDPB on 25 May 2018 . In addition, some SAs adopted internal guidelines or procedures specifically directed at establishing criteria for imposing administrative fines. Relying on the individual contributions from SAs describing the practice up to the end of 2019 , the circumstances that are most frequently taken into account are : the degree of cooperation with the SAs, whether the infringement had a systematic / repetitive nature, whether the action was intentional , th e measures taken by the controller to remedy the problem or to avoid future infringements, the nature a nd duration of the infringement, whether relevant previous infringements were made by the same contr oller, the nature of the controller (e.g. a professio nal in the industry, an entit y under great public attention), the categ ories of personal data affected, and the number of aff ected data subjects. 35 Adopted 7 . Additional requests 7.1 Data Breach notifications (A rt. 33 GDPR) The European Commission asked the SAs to provide figures regarding the personal data breaches notified to the SAs. 7.2 Initiatives for SMEs The European Commission asked the SAs whether they have taken any initiative with regard to SMEs, and if so, which ones. Several SAs included a hotline for consultations and t he development or participation in an EU - funded project addressed to SMEs. The organisation or participation in semin ars/workshops/trainings addressed to SMEs is also a relevant initiative. In order to keep on addressing the specific needs of the SMEs, the EDPB is aware of the importance of developing further tools to help them implement appropriately the GDPR and to all eviate as much as possible their administrative burden . In any case, the risk - based approach promoted by the legislator in the text should be maintained, as risks for data subjects do not depend on the size of the controllers. Several tools have already be en designed by the EDPB members to support SMEs in their compliance with the GDPR: 21000 158 193 6794 521 400 7957 2587 37413 218 153 498 268 1951 340 9500 744 115 3273 5762 1434 171 9418 45561 665 92 98 1220 1536 UK SK SI SE RO PT PL NO NL MT LV LU LT IT IS IE HU HR FR FI ES EE DK DE CZ CY BG BE AT Number of personal data breach notification to SAs - from 25.05.18 - 30.11.19 36 Adopted SA Initiatives for SMEs AT - A nnual campaigns for awareness raising - P resentations and lectures in front of various audiences - Publication of guidance material and FAQs on SAs website - A ttending conferences - A doption of DPIA lists BE - 2018: publication of a GDPR brochure for SME’s ; - 2019: large - scale SME consultation to identify their needs with regard to GDPR - compliance; - January 2020: the BOOST - project : co - financed by the European Commission and will seek to produce guidance and tools for the topics of transparency, DPIA and the concept of controllership. BG - Permanent hot - line for consulta tions - SMEDATA project : the a im is to ensure the protection of personal data through innovative tools for SMEs and citizens. Organization of awareness - raising and training events and development of a self - assessment tool and a mobile application. Summary of the concrete actions: ✓ Survey on challenges faced by SMEs and their associations while implementing GDPR; (results: here and here ); ✓ 13 training events for more than 800 representatives of SMEs in 8 Bulgarian cities – Blagoevgrad, Vratsa, Plovdiv, Sofia, Varna, Burgas, Pleven and Veliko Tarnovo in September and October 2019; ✓ ‘ GDPR in your pocket’ – Mobile application . ✓ Internat ional conference „SME Challenges and GDPR ” for more than 170 participants on the 2019, 29 th November CY - W ritten guidances (for example, as regards CCTVs in restaurants or use of biometric (fingerprint) systems in gyms) - Tailored - cut workshops for specific fields, like the media - Presentation, speeches to professional associations, represented mainly by SMEs. Please find below an indicative list of presentations/ speeches, which are available on our Office’s website: o Regulation and Enforcement in the Digital Age (REDA): Speech at the University of Nicosia on 22/11/2019 o The GDPR in the field of insurance: Speech at the Insurance Institute on 07/11/2019 o The GDPR in the field of start - ups: video to members of Domina Plus, in Nicosia on 29/07/2019 o The GDPR in the field of real estate: Presentation at the Cyprus Chamber of Commerce on 27/06/2019 o The GDPR in the field of beauty salon s: Presentation at the Beauty Salons Association on 07/03/2019 o The GDPR in the field of Internal Auditing: Presentation at the Internal Auditors Association on 20/02/2019 o The GDPR in the field of Dieticians and Nutritionists: Presentation at the 10th Inter national Conference of Dieticians and Nutritionists, in Nicosia, on 25/11/2018 o The GDPR in the field of Opticians and Optometrists: Presentation at the 17th Conference of Opticians and Optometrists, in Nicosia on 24/11/2018 o The GDPR in the field of Fiduciary Services: Address of the Commissioner at the Cyprus Fiduciary Association on 27/06/2018 o The GDPR in the field of Travel Agencies: Presentation at the Cyprus Chamber of Commerce on 02/03/2018 o The GDPR in the field of Commercial Maritime: Speech to members of the Cyprus Maritime Chamber in Limassol, on 11/12/2017 o The GDPR in the field of International Investments: Speech to members of the Association of Cyprus International Investment Firms (ACIIF), in Limassol, on 05/12/2017 37 Adopted o The GDPR in the field o f international business: Speech to members of the Cyprus International Business Association (CIBA), in Limassol in November 2017 CZ - Publication of EDPB Guidelines & Opinions on the SA’s website - Adoption of DPIA lists (35.4 and 35.5 GDPR) - Hotline for cons ultations - 16 seminars for DPOs since 25/5/2018 around the country - Specific event for SMEs that do not need a DPO. - Presentations about GDPR on over 120 conferences and seminars, most of them organised for SMEs. DE - permanent individual advice upon request by controllers, processors and data protection officers of SMEs, including start - ups - participation in training events, seminars and workshops as guest speakers aiming to support SMEs in implementing and monitoring their GDPR compliance - publication of a wide range of guidance material and Q&As aimed for SMEs on various websites of DE SAs DK - Development of an interactive guide to assist SMEs with their GDPR compliance (the Privacy Compass). - Participation in conferences and events addressed to SMEs. - Publication of information addressed to SMEs on its website. - Telephone hotline - Podcast with topics focusing on SMEs - Checklists, FAQs, guidelines and other publications. EE - Guidance materials , incl. GDPR DPIA art 35.5 list - Consultations - Joint - trainings with different professional associations - Hot - line for data subjects and data controllers/processors - Being an initiative partner to develop further trainings for DPOs (by the major universities in Estonia) ES - An important part of the ES SA activity is focused on evaluating the impact of GDPR on SMEs and developing tools. - Hotline for consultations for controllers and processors - Consultation with SMEs to know the main impact of GDPR - Publication of several guidelines and tools aimed at supporting SMEs in their adaptation to the GDPR. o Example of a tool: FACILITA_RGPD: online questionnaire with which companies and professionals can verify through a series of questions that the processing operations they carry out can be considered of low risk and obtain the minimum essential documents to facilitate the application of the GDPR at the end of the test. 38 Adopted FI - Issued guidance materials and p rovided feedback on sector - specific guidance - Participated in seminars as speakers - Organisation of seminars - Hotline for consultations (data subjects and stakeholders) and hotline for controllers and processors - Monthly newsletter - Updates to the website/guidance based on feedback given by users - In the process of finalizing a DPIA - tool directed specially to the needs of SMEs. FR - A dedicated pack available on the website of the CNIL , with a practical guide and forms - A video with a Youtuber on how to apply the GDPR - A simplified register (available in French as well as in English ); - A MOOC - Specific content concerning security and a guide Other general tools, widely used by SMEs: - a hotline; - FAQs on the website; - the DPIA software; - the white list for processing exempted from DPIA; - a notification form available online (developed w ithin the EDPB). HR - Cooperation in different ways with stakeholders from public and private sector in order to raise awareness on personal data protection of small and medium entrepreneurs and to help them to comply with the GDPR. This includes activities such as seminars, wo rkshops, conferences, where employees of the Croatian DPA participate as a speakers. - Promotion of the EDPB guidelines, opinions, promo materials among the SMEs - Publication of the DPIA list - In cooperation with partners from Ireland and Belgium, planned im plementation of a project co - financed by the European Commission in duration of 24 months, titled ARC - Awareness Raising Campaign for small and medium enterprises. The main objectives of the Awareness Raising Campaign for SMEs (ARC project) are: raising aw areness of SMEs about the GDPR obligations, helping SMEs to comply with those obligations and answering their questions about the implementation of the GDPR. These objectives will be achieved through the following activities planned within the project: run ning a survey to identify SMEs needs, preparation of educational materials about the GDPR (based on a previous survey of needs), organization of onsite consultations in all major Croatian regional centres, during which SMEs will be able to receive direct s upport to resolve their specific problems, organization of two international conferences to exchange experiences and show best practices and preparation of publications on outcomes of the project. Overall expected direct result of ARC project is increased knowledge and understanding among SMEs on the principles of data protection. 39 Adopted HU - NAIH is operating a hotline for SMEs between 15 March 2019 and 15 March 2020 to assist them in the compliance with the GDPR. In this period NAIH provides information for SMEs regarding the interpretation and proper application of the GDPR. This EU co - funded project is taking place in a framework of a consortium including several stakeholders. The responses shall be formulated so as to provide graspable assistance in the interpr etation of law applicable relevant to the merit of the question, and to highlight the relevant aspects in the application of law related to the given question, the factors to be considered among them, and their significance. The answer shall contain no opi nion as to the lawfulness of any concrete data processing. - The consortium is also drafting an innovative handbook for SMEs based on the questions and answers in the indicated period. IE - Joint initiative with HR SA for the next 2 years, to provide support to the SMEs, supported by a Commission grant. - Guidance on the website IS Activities for SMEs: 1. Publication of five information leaflets: • New Data Protection Rules (controllers; business and governmental entities) • New Data Protection Rules (processors) • Data Protec tion for Minors (focus on teenagers) • Data Protection for Minors (focus on parents and those working with young children) • Data Protection for Individuals 2. IS SA’s nationwide tour in October and November 2018. • Nine informational sessions were held across Iceland with the last one, which took place in Reykjavik, also being live streamed. PowerPoint presentations along with video recordings from the final session in Reykjavík are available on the IS SA’s website . 3. Various conferences on data protection • A kick - off conference on the GDPR in September 2016 held by the IS SA focusing on what it would mean and changes that needed to be made within organisations. 300 people attended the conferenc e. Two information leaflets were published simultaneously. • Yearly booth presence at the UT - mass in February (largest technology conference in Iceland, both for organisations and the general public). 4. The IS SAs new and improved website • A new and updated Q&A for organisations and data subjects was published in August 2018. Next wave of Q&A will be published on the Data Protection Day 28 January 2019. • A template for a data processing agreement and record of processing activit ies. • Excerpts of EDPB Guidelines regarding the GDPR. • Education material and slides for DPOs. • Guidance on security measures. • List of guidance and excerpts of EDPB Guidance can be found at the IS SAs website . 5. A service desk for smaller and medium sized enterprises and local authorities where specific questions on the implementation of the new legislation and related topics could be posed. The DPA strived to prioritize those queries and to answer them within a few working days. The service desk was open for 13 months, ending in the fall o f 2019. 40 Adopted IT - SMEDATA project: Concrete actions: ✓ 12 regional awareness - raising events for SMEs and legal professionals (2 in Milan, 2 in Genoa, 2 in Florence, 2 in Rome, 2 in Salerno and 2 in Cosenza). ✓ 2 events regarding a self - assessment tool for sustainable awareness based on SMEs’ specific needs and processes (attendance of more than 60 representatives of trade associations and associated companies, and universities) ✓ Development of a mobile application as a free open - source software tool assisting citizens and SMEs in understanding and complying with GDPR; ✓ Plan to organise an international conference in Rome at the end of 2020 as a dissemination campaign and communication of the project. ✓ Plan to organise two events for trainers in Rome by April 2020; LT - Presentations and seminars for various SME‘s audiences; - Publication of guidance material and FAQs on SAs website; - Attending conferences and other events; - Meetings with the representatives of the SME; - Huge amount of consultations for SME; - SME is one of the target audiences of the SolPriPa project, promoting high standards of data protection as a fundamental right and central factor of consumer trust in digital economy, co - financed by the European Commission. 20 seminars, preparing of the gu idance, presentations, leaflets. LU With regard to LU SA initiatives towards controllers in general, including SME’s (SMEs represent >90% of LU based companies and 55% of local employment): - Providing general advise via e - mail and phone hotline for SMEs co ntacting CNPD for guidance; - Monthly newsletter to 1700 subscribers; - Simplified and structured form for Databreach notifications designed in a way to guide controllers in their analysis of the data breach; - Development of a GDPR maturity self - assessment tool (for businesses in general) which is an innovative, intuitive solution enabling users to check the level of coverage of their organizations against the GDPR requirements; - Organisation of workshops (open data protection laboratories “DaProLab”) dedicated t o DPOs and business managers from SMEs (and other organizations); - Joint trainings for business owners of SMEs with their professional business association on identifying their stakeholders in the context of GDPR; - Publication of a guidance for employers and employees on surveillance on the working place; - Participation in conferences and events addressed to young businesses and entrepreneurs (startups). LV - Since 2018: LV SA participates as the Leading Authority in the European Commission’s Project on “General Data Protection Regulation possibilities and responsibilities for small and medium - sized enterprises (SMEs); rights and risks for minors (DPSME)”. The Aim of the Project is to improve the readiness of the small and medium - sized enterprises and to fulfill the requirements of the GDPR. Project’s time frame is 24 months - 01.12.2018. - 30.11.2020. - In 2019, 10 seminars were organized in all regions of Latvia (Riga, Jelgava, Cesis, Jekabpils, Ventspils, Valmiera, Daugavpils, Liepaja, Ludza) and a final co nference in Riga, November 26 on different topics for SMEs, where lecturers from Latvia and abroad shared their experiences. Within this phase, a recommendation - a Guide to Data Processing for Small and Medium - Sized Enterprises 41 Adopted ( https://www.dvi.gov.lv/en/general/recommendation - celvedis - data - apstrade - small - and - modernem/ ) was also developed. The next stage will be regional educational seminars (4 - hour training workshops) and National competition for minors (aged 13 to 17) implemented during 2020. - Inspectorate participates also in a project of the European Commission - GDPR Compliance - Cloud Platform for Micro Enterprises as a partner for the Leading a uthority – Spanish Company. Time frame of the Project is 01.05.2018 - 31.10.2020 and aim is to develop a cloud platform and a handbook for micro enterprises in order to ensure the compliance with GDPR. - The most common way of providing and information is also Inspectorate’s ability to provide a written answers to person’s applications, on - the - spot consultations (on previous agreed time frame) and phone consultations. Any interested person (also SMEs) are welcomed to clarify an information on different question s on personal data protection . - Additionally there are also different seminars, workshops, conferences organised in Latvia, where Inspectorate is invited to act as a speaker (also with relevant topics for SMEs). For example, on 29th May, 2019 the Forum “Di gital Era” – (Data safety and GDPR Forum) was organised where also Inspectorate’s representatives were invited to speak. MT - Development of a 24 months project which, in part, is specifically dedicated to assist SMEs in complying with the GDPR. EU - funded p roject. - An online compliance tool will be developed and launched during an event that will be organised together with constituted bodies in Malta. 42 Adopted NL - starting in 2018 an information campaign to inform the general public and organisations about the upcoming GDPR, to help them prepare (Hulp bij privacy’ (help with privacy). We launched a special website www.hulpbijprivacy.nl ). We pushed this website with social content, radio commercials, events and adverti sements. We also developed several tools. For example https://rvo.regelhulpenvoorbedrijven.nl/avg/#/welkom . Step by step organisations could find out what to do to prepare for the GD PR. - 2019: we continued a campaign started in 2018 to inform about the GDPR. We aimed at different target audiences (general public, youngsters and SME). Activities • Campaign aimed at SME • Awareness campaign aimed at general public (increasing media usage) • Development of educational material for secondary schools Output SME • Online privacyvideos • Advertisements • SME events • 5 issues (content, social posts, interviews, videos) • Radio commercials Output General public • Radio commercials • Social posts • Privacy video Output Youngsters • Webapp, smartphone challenge www.jetelefoondebaas.nl • Educational material to be used in combination with smartphone challenge • Social posts PL - Awareness - raising activities at many levels (including educational and informational activities) - Infoline and website, which provide information on the latest positions and communications of the PL SA and access to the database of administrative decisions. - Thematic studies on the website , including guidelines an d manuals. - Cooperation with DPOs - Special hotline for consultations - Thematic newsletters (more than 6000 subscribers) - Monitoring of the legislative process and issuance of opinions on the compliance of the draft regulations with the data protection law. PT - Development of two models of the register provided by Article 30 GDPR (one for controllers and the other for processors). - Participation in multiple awareness - raising initiatives, most of them addressed to SMEs. - General basic guidance through FAQs secti on in its website, on issues about which there are more interest, in particular from SMEs. 43 Adopted RO For 2018: - in order to celebrate the European Data Protection Day, RO SA organised the Conference on “Applying the General Data Protection Regulation”, at the Palace of Parliament, on the 26 th of January 2019; - “Open Doors Day” was organised at the premises of the RO SA; - the Supervisory Authority prepared and made available to the public some informative materials (brochures, leaflets) dedicat ed to the European Data Protection Day; - a message of public interest regarding the main issues regulated by Regulation (EU) 2016/679 was disseminated in the means of public transport and was also broadcast through the television system available in the sub ways; - RO SA has also launched a Guidelines for the application of the General Data Protection Regulation by the data controllers issued by the National Supervisory Authority for Personal Data Processing; - RO SA adopted Decision no. 174 of 18 th of October 20 18 on the list of the kind of processing operations which are subject to the requirement for a data protection impact assessment - RO SA has actively participated in the most important events in the field of data protection, organised by various public insti tutions or private entities, including non - governmental organizations; - RO SA participated in a series of conferences, symposia and seminars, in Bucharest and in the country; - RO SA participated in a series of radio and TV interviews; - RO SA participated in t he meetings of inter - institutional working groups in order to discuss on draft normative acts initiated by some ministries, but also on various complex issues regarding the protection of personal data; - RO SA also participated in the specialised parliamenta ry committees in order to support the proposals or draft laws regarding aspects of personal data protection; - concerning the controllers from the private sector, there were working numerous meetings at the premises of the Supervisory Authority, during which discussions were held on issues regarding the legal conditions of data processing in different fields of activity, as well as on the drafting of the codes of conducted by some controllers’ associations; - press releases posted on the RO SA’s website in the “News” section; - information in the special section dedicated to the Regulation Data Protection General. For 2019: - in order to celebrate the European Data Protection Day, RO SA organised the Conference on “Ensuring compliance with the European Regulation on data protection and applicable national regulations”, at the Palace of Parliament, on the 28 th of January 2019; - the Supervisory Authority prepared and made available to the public some informative materials (brochures, leaflets) dedicated to the European Data Protection Day; - an anniversary debate – 1 year of GDPR – was organized on the 24 th of May 2019, at the premises of RO SA, in which representatives of professional associations and unions participated; - RO SA has also launched a Guidelines on questions and answers regarding the application of Regulation (EU) 679/2016; - a message of public interest regarding the main issues regulated by Regulation (EU) 2016/679 was disseminated in the means of public transport and was also broadcast through th e television system available in the subways and at the Henri Coandă International Airport; - “Open Doors Day” was organised at the premises of the RO SA; 44 Adopted - RO SA has actively participated in the most important events in the field of data protection, organised by various public institutions or private entities, including non - governmental organizations; - RO SA participated in a series of conferences, symposia and seminars, in Bucharest and in the country, such as: o 4 meetings to hold lectures on data processing by NGOs; o 2 at the Institution of the Prefect of different counties County for supporting seminars with the theme “Data protection in the local public administration”; o 6 conferences for holding lectures on the data protection rules; - RO SA participated in a se ries of radio and TV interviews; - RO SA participated in the meetings of inter - institutional working groups in order to discuss on draft normative acts initiated by some ministries, but also on various complex issues regarding the protection of personal data ; - RO SA also participated in the specialised parliamentary committees in order to support the proposals or draft laws regarding aspects of personal data protection; - concerning the controllers from the private sector, there were working numerous meetings at the premises of the Supervisory Authority; - 48 press releases posted on the RO SA’s website in the “News” section; - information in the special section dedicated to the Regulation Data Protection General. SE - Development of an interactive guide for S ME s to assist them with the GDPR compliance. - Participation in conferences and events addressed to S ME s, including giving lectures. - A national privacy report which illustrated the different problems for SMEs to comply with the GDPR - The website, checklist, FAQs, guidelines and other publications are tailor - made to have an easy and understandable language, specifically bearing in mind data subject and SMEs SI Support for SMEs is provided by guidelines and other materials/activities - guidelines: 6, - infographics: 6, - forms (templates): 6, - pro bono lectures for data controllers and processors: more then 150, - An EU project RAPiD.si is also being implemented, with the focus on SMEs, providing: o articles in SME related magazines: 8, o monthly LinkedIn publica tion and newsletter for SMEs, o a dedicated SME helpline: 1008 calls received o a website specifically oriented towards SMEs (upravljavec.si) o seminars and lectures for SMEs, organized in partnership with the Chamber of Commerce and Industry of Slovenia SK - Publication of EDPB Guidelines & Opinions on the SA’s website - Adoption of DPIA lists (35.5 GDPR) - Attendance to multiple seminars/workshops/conferences to provide lectures on SEMs - Organisation of a workshop on the data protection day 2019, where one of the topics was “Processing of personal data by SMEs”. - Providing advice via e - mail to SMEs that contact the SK SA for guidance. UK An overview of the ICO’s SME Specific guidance and support can be found via https://ico.org.uk/for - organisations/business/ 45 Adopted Specific support for SMEs includes: - A micro business re source page - A number of small business FAQs for different sectors (small hospitality businesses; small retailers) - A self - assessment for small business owners and sole traders - A number of data protection self - assessment checklists for these areas: o Controllers checklist o Processors checklist o Information security o Direct marketing o Records management o Data sharing and subject access o CCTV - A privacy notice template - An advice helpline for small organisations - A checklist on Subject Access Requests for SMEs _____ _________________

Similar Content