Compliance and enforcement of data protection law
Data Protection Impact Assessment
Art. 35 GDPR
- Impact assessment must be carried out where processing is likely to result in a
high risk to the rights and freedoms of individuals
What are "high risk" processing operations?
- Personal data are processed for making decisions concerning natural persons,
following any systematic and extensive evaluation of personal aspects relating to
the individuals (profiling);
- Sensitive data or personal data relating to criminal convictions and offences are
processed on a large scale;
- Processing involves the large-scale, systematic monitoring of publicly accessible
areas
Obligation for supervisory authorities to adopt and publish a list of processing
operations that need impact assessment
Obligations for controllers:
- Proportionality and risks to the rights of individuals
- Planned security measures to address the risks identified
Consistency of lists: collaborations between supervisory authorities
Rights in the Enforcement of Data Protection
1. Right to lodge a complaint
2. Right to effective judicial remedy
3. Right to mandate a non-profit
4. Right to compensation
Right to lodge a complaint
Art. 57 and 77 GDPR
Obligations for supervisory authorities:
- Adopt measures to facilitate the submission of complaints, e.g., creating an
electronic complaint submission form
- Investigate the complaint
- Inform the person of the outcome of the proceedings dealing with the claim
Where can the complaint be submitted?
- Habitual residence
- Place of work
- Place of the alleged infringement
Right to appeal to the courts
Right to effective judicial remedy
Effective judicial remedy is a fundamental right both under Article 47 of the EU
Charter of Fundamental Rights and Article 13 ECHR