I have received a communication from someone claiming to be working for the EDPB informing me that I am not in compliance with the GDPR, is this something the EDPB does?
Please note that the EDPB does not contact individuals, via phone or other means of communication, to inform them of such matters.
Therefore, it could be that the call you received represents a phishing attack targeting you abusing our name.
I submitted feedback to a public consultation, but I cannot see my comments on the public consultation page. How do I know that my feedback was received by the EDPB?
All comments submitted are screened and reviewed manually before being displayed on our website. There should have been a visual confirmation after submitting your comments on our website.
In any case, please allow for some time before your comments are published.
I think my data protection rights have been violated, what can I do?
If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.
DPAs can conduct investigations and impose sanctions where necessary. You can find the contact details for all EEA DPAs here.
I wish to lodge a complaint with a data protection authority (DPA), which authority should I contact?
Under the GDPR, you have the right to lodge a complaint with the Data Protection Authority (DPA) in the country of:
your habitual residence;
your place of work; or
the place where the alleged infringement took place.
In which cases is the dispute resolution mechanism of Art. 65.1 (c) GDPR triggered?
While Art. 65 (a) and (b) relate to the one-stop-mechanism, Art.65.1 (c) GDPR concerns obligations of Data Protection Authorities (DPAs) stemming from the consistency mechanism.
More specifically, every competent DPA has the duty to request an opinion from the EDPB before adopting national measures pursuant to article 64.1 GDPR. Such measures include lists of processing operations for which a Data Protection Impact Assessment (DPIA) is required, or the approval of a new set of standard clauses. In addition, under Art. 64.2 GDPR, any SA may also request an EDPB consistency opinion on any matter of general application or producing effects in more than one Member State.
If an DPA does not request the opinion of the EDPB for the cases listed under Art. 64.1 GDPR or does not follow the EDPB opinion issued under Art. 64 GDPR, any DPA and the European Commission can launch the dispute resolution procedure of Art. 65.1 (c) GDPR about the matter.
Is the guidance adopted by the Article 29 Working Party (WP29) still relevant today?
The EDPB endorsed WP29 documents are available here.
As regards the other existing WP29 documents, they may remain relevant and helpful insofar as the EDPB has not adopted new documents on the topic and/or they are compatible with the GDPR. This amounts to a case-by-case assessment.
My organisation would like to become a certification body, how can we become accredited?
Certification bodies are accredited by the national data protection authorities (DPA) or by the national accreditation body (named in accordance with Regulation 17065/2012). For further information regarding certification bodies, we recommend contacting the national DPA in your country. You can find an overview of all EEA DPAs here.
The dispute resolution mechanism of Art. 65 GDPR has been triggered - what happens next?
Within one month from the referral of the subject matter, the EDPB must adopt a decision by a two-thirds majority.
The one-month deadline to adopt this binding decision can be extended by another month, if the case is complex. When the EDPB is not able to reach a decision within the abovementioned period, the decision must be adopted by a simple majority within two additional weeks. Should the members of the EDPB be split, the decision will be adopted by the vote of the EDPB Chair.
The EDPB has adopted its binding decision: when is it notified to the relevant national Data Protection Authorities (DPAs), in which language and what happens next?
Once the EDPB has adopted a binding decision, the EDPB Chair notifies the binding decision to the relevant national Data Protection Authorities (DPAs) without undue delay.
Prior to the notification, the binding decision is translated into the languages of the relevant national DPAs that have to adopt a final decision or take measures at national level on the basis of the binding decision1. Translation and proofreading can take a few weeks. In any case, the English version of the decision is the only authentic language version.
Next step for the relevant Data Protection Authorities (DPAs)
Once the relevant SAs have been notified of the binding decision, a decision has to be adopted at national level to implement the content of the binding decision. This decision will be adopted without undue delay and at the latest one month after the EDPB has notified its decision. For cross-border cases where no consensus was found (Art. 65.1 (a) GDPR), the final decision will be addressed to the controller or processor and, where relevant, to the complainant.
Please see paragraphs 6 and 7 of Art. 11 of the EDPB Rules of Procedure. In exceptional cases, other Concerned Supervisory Authority (CSAs) can request, providing the reasons, an urgent translation in their official EU language(s) no later than at the moment of adoption of the binding decision.