CIPP/E SUPERVISION AND
ENFORCEMENT QUESTIONS &
SOLUTIONS
supervisory authorities - ANSWERdata protection authorities
Article 51(1)(u) - ANSWERrequires DPAs to keep records of any infringements of the
Regulation, as well as records of any actions taken under Article 58(2). The keeping of
these records is already a standard practice across the member states, and, indeed,
they provide a primary source material for the regulators when devising their national
and collective work programmes. Moreover, in some jurisdictions, such as the UK, the
DPAs consider the regulatory track record of organisations when taking decisions on
discrete issues. In other words, the worse the track record, the greater the possibility of
adverse results for the controller or processor.
can DPAs charge data subjects or DPOs for their services? - ANSWERno. Article 57(3)
makes it clear that DPAs cannot charge data subjects or DPOs for their services.
However, Article 57(4) does give the ability to charge back administration costs on
manifestly unfounded or excessive requests.
Supervisory authorities/data protection authorities - ANSWERpromote awareness by
helping organizations understand their obligations under the GDPR, and by serving in
an advisory capacity so organizations may approach them for advice on data protection
issues
conduct investigations on GDPR compliance
protect fundamental human rights, including raising public awareness, by providing
information to individuals who have requested information and by managing data
subjects complaints
draw up annual reports that explain the data protection in their country, current issues
and the agenda for the following year
facilitate the free flow of personal data within the EU. this supports the fundamental role
of the eu to promote free trade and the free movement of data.
arguably the most effective tool for supervision and enforcement - ANSWERself-
regulation
how GDPR advances self regulation - ANSWERthe concept of accountability (see
Article 5(2)), which places a positive obligation on the controller to be able to
demonstrate compliance with the data protection principles, through the introduction of
requirements for data protection officers (DPOs) (see Articles 37 to 39), and through a
heightened focus on codes of conduct and certification schemes for data protection
seals and marks (see Articles 40 to 43). Likewise, controllers have regulatory functions
, over their processors, and processors must regulate their sub-processors (see Article
28).
GDPR Article 4 - ANSWERexpands the Article 5(2) accountability requirement of
demonstrable compliance, which provides a comprehensive framework for effective risk
management. The intent of Chapter 4 is that controllers will identify their risks, then set
their positions to address them, which they shall supervise and enforce through their
business-as-usual activities. In combination, the requirements in Chapter 4 look very
much like forms of self-regulation.
3 categories of powers for supervisory authorities - ANSWER(article 58) investigative,
corrective, and authorization and advisory
supervisory authority investigative powers - ANSWERincludes data protection audits.
can require you to hand over information; they can also conduct data protection audits
and visit your premises to do that, which is VERY rare. Under GDPR they have ability to
do audits and organization needs the accountability records to show compliance.
supervisory authorities corrective powers - ANSWERcan issue warnings and
reprimands to controllers and processor that they think are not in compliance with
GDPR. They can order companies to tell data subjects when they've experienced a data
breach, if they review the notification that's been given to them and decide that
individuals need to be notified. They can ban processing activities that they consider to
be in breach of GDPR. And when data subjects complain to them because they feel
their requests are not being met, they can order a company to comply with data
subject's request.
supervisory authorities authorization and advisory powers - ANSWERwhen DPIA shows
high risk to individuals you have to consult with SA and they can decide to authorize
what you were going to do anyway or they can decide to not give the authorization or
require you to make changes to it. They can also approve codes of conduct or
certification criteria or BCR that companies bring to it, and they can create their own sort
of versions of the model contracts, their own standard clauses, or review companies
who put their own proposed model clauses to them and authorize those.
Chapter 11 accountability as it relates to self regulation. - ANSWERThe focus on
demonstrable proof of compliance should cause the controller to look critically at its data
processing activities through performance testing and similar exercises and make it
adjust and refine its activities as need requires in order to achieve good data protection.
In other words, as part of their business-as-usual activities, controllers should carry out
tasks similar to some of those that DPAs are empowered to carry out by Article 58.
Controllers' relationships with processors are governed by Article 28, which creates
relationships of supervision and enforcement. The principal tools advanced by Article 28
include pre-contractual due diligence, contract formation and post-contractual
requirements for demonstrable compliance, including audits, inspections, the delivery-
up of necessary information and breach notification pursuant to Article 33. Article 28(4)
ENFORCEMENT QUESTIONS &
SOLUTIONS
supervisory authorities - ANSWERdata protection authorities
Article 51(1)(u) - ANSWERrequires DPAs to keep records of any infringements of the
Regulation, as well as records of any actions taken under Article 58(2). The keeping of
these records is already a standard practice across the member states, and, indeed,
they provide a primary source material for the regulators when devising their national
and collective work programmes. Moreover, in some jurisdictions, such as the UK, the
DPAs consider the regulatory track record of organisations when taking decisions on
discrete issues. In other words, the worse the track record, the greater the possibility of
adverse results for the controller or processor.
can DPAs charge data subjects or DPOs for their services? - ANSWERno. Article 57(3)
makes it clear that DPAs cannot charge data subjects or DPOs for their services.
However, Article 57(4) does give the ability to charge back administration costs on
manifestly unfounded or excessive requests.
Supervisory authorities/data protection authorities - ANSWERpromote awareness by
helping organizations understand their obligations under the GDPR, and by serving in
an advisory capacity so organizations may approach them for advice on data protection
issues
conduct investigations on GDPR compliance
protect fundamental human rights, including raising public awareness, by providing
information to individuals who have requested information and by managing data
subjects complaints
draw up annual reports that explain the data protection in their country, current issues
and the agenda for the following year
facilitate the free flow of personal data within the EU. this supports the fundamental role
of the eu to promote free trade and the free movement of data.
arguably the most effective tool for supervision and enforcement - ANSWERself-
regulation
how GDPR advances self regulation - ANSWERthe concept of accountability (see
Article 5(2)), which places a positive obligation on the controller to be able to
demonstrate compliance with the data protection principles, through the introduction of
requirements for data protection officers (DPOs) (see Articles 37 to 39), and through a
heightened focus on codes of conduct and certification schemes for data protection
seals and marks (see Articles 40 to 43). Likewise, controllers have regulatory functions
, over their processors, and processors must regulate their sub-processors (see Article
28).
GDPR Article 4 - ANSWERexpands the Article 5(2) accountability requirement of
demonstrable compliance, which provides a comprehensive framework for effective risk
management. The intent of Chapter 4 is that controllers will identify their risks, then set
their positions to address them, which they shall supervise and enforce through their
business-as-usual activities. In combination, the requirements in Chapter 4 look very
much like forms of self-regulation.
3 categories of powers for supervisory authorities - ANSWER(article 58) investigative,
corrective, and authorization and advisory
supervisory authority investigative powers - ANSWERincludes data protection audits.
can require you to hand over information; they can also conduct data protection audits
and visit your premises to do that, which is VERY rare. Under GDPR they have ability to
do audits and organization needs the accountability records to show compliance.
supervisory authorities corrective powers - ANSWERcan issue warnings and
reprimands to controllers and processor that they think are not in compliance with
GDPR. They can order companies to tell data subjects when they've experienced a data
breach, if they review the notification that's been given to them and decide that
individuals need to be notified. They can ban processing activities that they consider to
be in breach of GDPR. And when data subjects complain to them because they feel
their requests are not being met, they can order a company to comply with data
subject's request.
supervisory authorities authorization and advisory powers - ANSWERwhen DPIA shows
high risk to individuals you have to consult with SA and they can decide to authorize
what you were going to do anyway or they can decide to not give the authorization or
require you to make changes to it. They can also approve codes of conduct or
certification criteria or BCR that companies bring to it, and they can create their own sort
of versions of the model contracts, their own standard clauses, or review companies
who put their own proposed model clauses to them and authorize those.
Chapter 11 accountability as it relates to self regulation. - ANSWERThe focus on
demonstrable proof of compliance should cause the controller to look critically at its data
processing activities through performance testing and similar exercises and make it
adjust and refine its activities as need requires in order to achieve good data protection.
In other words, as part of their business-as-usual activities, controllers should carry out
tasks similar to some of those that DPAs are empowered to carry out by Article 58.
Controllers' relationships with processors are governed by Article 28, which creates
relationships of supervision and enforcement. The principal tools advanced by Article 28
include pre-contractual due diligence, contract formation and post-contractual
requirements for demonstrable compliance, including audits, inspections, the delivery-
up of necessary information and breach notification pursuant to Article 33. Article 28(4)
