In Week 3, we introduced a number of GDPR obligations for data controllers and processors. Complying with these legal requirements is not an easy task in day-to-day data processing practice. Needless to say, it is both time-consuming and costly. There is therefore no guarantee that all controllers and processors will comply with the GDPR fully. For this reason, EU legislators have established enforcement mechanisms to ensure data protection and legal compliance. These enforcement mechanisms include a number of measures and instruments. This week, we will be focusing on the measures and instruments that are most relevant for controllers and processors.
We hope to draw you a clear picture of the actors involved and of the major issues which require particular attention in order to avoid legal or financial consequences. The first enforcement measure set up by the GDPR is the establishment of national supervisory authorities and of the European Data Protection Board, referred to in short as the Board or the EDPB. Both the national and the European authorities are independent data protection bodies with the powers and authority to monitor and enforce the application of the GDPR. For example, national supervisory authorities can order controllers and processors to provide any information required for the performance of the authorities' tasks, and to comply with requests from data subjects exercising their GDPR rights.
In cases of cross-border processing, for example where a controller is established in several Member States or its processing affects data subjects in more than one Member State, the lead supervisory authority, or LSA, comes into play. It is the supervisory authority of the controller's or processor's main establishment, with the primary responsibility and authority to deal with that cross-border processing, and it coordinates investigations involving multiple supervisory authorities. The Board, on the other hand, plays an important role in policy-making at EU level. Although it has no direct role in the practices of individual controllers and processors, it has great influence on law-making, policy-making and compliance. It issues guidelines, recommendations and best practices on legal compliance requirements, for instance regarding procedures for the reporting of infringements by individuals. Secondly, the GDPR sets out several arrangements to streamline legal compliance by providing guidance for processing practices.
Such arrangements include codes of conduct, data protection certifications, binding corporate rules, and standard contractual data protection clauses. These arrangements are encouraged and supported by the national supervisory authorities, the Board, and the Member States. Adopting these legal arrangements allows flexibility while still aiming for strict legal compliance. Thirdly, as explained in Week 1, the GDPR grants data subjects several rights. These include the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of data relating to him or her infringes the GDPR. They furthermore include the right to an effective judicial remedy.
This judicial remedy may be directed against controllers and processors for infringement of the rights of the data subject, or against a legally binding decision of a supervisory authority. Both judicial remedies can be brought before a national court. The protection of these rights helps ensure that controllers and processors meet their GDPR obligations. Fourthly, the GDPR creates a multilayered mechanism to protect transfers of personal data outside the EU. It also brings controllers and processors that are not established in the EU within its territorial scope where they offer goods or services to, or monitor the behaviour of, data subjects in the EU. In reality, however, enforcing the GDPR rules outside the EU remains rather difficult.
It is important to be aware of this protection mechanism whenever processing practices involve data transfers outside the EU. In the fifth place, the GDPR sets out liabilities and sanctions for infringements. It makes controllers and processors liable for damage suffered as a result of infringements, and gives data subjects the right to claim compensation. Supervisory authorities can furthermore impose administrative fines for infringements, with a maximum of up to 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the circumstances of the case. Finally, the sixth measure in the GDPR enforcement mechanism is the role of the Member States in compliance and implementation.
Member States need to take concrete decisions on how to implement the GDPR in their specific domestic circumstances. They furthermore have an important role in establishing certification mechanisms, codes of conduct, safeguards for data transfers outside the EU, binding corporate rules, and rules on other penalties applicable to infringements of the GDPR. We have taken a quick look at the GDPR enforcement mechanism. In the following steps of this week, we will discuss this mechanism in more detail. We will focus in particular on the aspects that are most relevant for data subjects, controllers and processors, so that you understand in general terms who the responsible authorities are and which powers they have.
In this way, you will have a better understanding of the GDPR and how to comply with its provisions.