When will the EDPB’s decision be published in those cases where it settles conflicting views on a draft decision or where it decides on the Lead Supervisory Authority (LSA)?
Once the Lead Supervisory Authority (LSA) or, in some cases the Concerned Supervisory Authority (CSA), with which the complaint was lodged has notified the EDPB of the date its final decision was communicated to the controller or processor and, where relevant, to the complainant, the EDPB will publish its own decision on its website.
Where can I find documents that were adopted during a recent/the latest EDPB plenary?
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
Once published, recently adopted documents will be listed under “latest publications” on the main page of this website.
You can also find overviews of the documents adopted per plenary on the EDPB news page.
The dispute resolution mechanism of Art. 65 GDPR has been triggered - what happens next?
Within one month from the referral of the subject matter, the EDPB must adopt a decision by a two-thirds majority.
The one-month deadline to adopt this binding decision can be extended by another month, if the case is complex. When the EDPB is not able to reach a decision within the abovementioned period, the decision must be adopted by a simple majority within two additional weeks. Should the members of the EDPB be split, the decision will be adopted by the vote of the EDPB Chair.
The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities (DPAs), as well as the DPAs of Iceland, Liechtenstein and Norway (the European Economic Area or EEA).
What is the EDPS?
The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data protection authority.
The EDPS is responsible for monitoring the processing of personal data by the EU institutions, bodies, offices and agencies (EUIs) as well as providing advice on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Can a Data Protection Authority (DPA) challenge an Art. 65 GDPR decision by the EDPB?
As addressees of the EDPB decisions, the relevant Data Protection Authorities (DPAs) that wish to challenge these decisions can bring an action for annulment before the European Court of Justice (CJEU) within two months of being notified.
No. The EDPB does not handle complaints or conduct investigations. If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.
How does cross-border cooperation work under the GDPR?
The General Data Protection Regulation (GDPR) requires the Data Protection Authority (DPA) of the European Economic Area (EEA) to cooperate closely - under the umbrella of the European Data Protection Board (EDPB) - to ensure the consistent application of the GDPR and the protection of individuals’ data protection rights across the EEA. One of their tasks is to coordinate decision-making in cross-border data processing cases. A processing is cross-border when:
data processing takes place in more than one country;
or it substantially affects or it is likely to substantially affect individuals in more than one country.
Under the so-called one-stop-shop mechanism Art. 60 GDPR, the Lead Supervisory Authority (LSA) acts as the main point of contact for the controller or processor for a given processing, while the Concerned Supervisory Authorities (CSAs) act as the main point of contact for individuals in the territory of their Member State. The LSA is the authority in charge of leading the cooperation process. It will share relevant information with the CSAs, carry out the investigations, prepare the draft decision relating to the case, and cooperate with the other CSAs in an endeavour to reach consensus on this draft decision.
I have received a communication from someone claiming to be working for the EDPB informing me that I am not in compliance with the GDPR, is this something the EDPB does?
Please note that the EDPB does not contact individuals, via phone or other means of communication, to inform them of such matters.
Therefore, it could be that the call you received represents a phishing attack targeting you abusing our name.