Nine months after the entry into application of the GDPR, the members of the EDPB are of
the opinion that the GDPR cooperation and consistency mechanisms work quite well in
practice. The national supervisory authorities make daily efforts to facilitate this cooperation,
which implies numerous exchanges (written and oral) between them.
These cooperation duties lead to extra workload and additional time spent dealing with cases,
and have an impact on the budget of the regulators. The handling of cross-border cases takes
time, due to the cooperation, to the need to carry out thorough investigations and to national
procedural rules. The national SAs have to tackle these challenges regarding the harmonized
protection and enforcement of the GDPR.
So far, there have been 6 final One-Stop-Shop cases.
The experience of the EDPB regarding consistency is – up to now – limited, as no dispute
resolution through this new EU body was necessary during the reported period.
I. Cooperation mechanism among SAs and the consistency mechanism of the EDPB
Cooperation mechanism
The GDPR requires close cooperation between SAs of EEA (EU-28 + Iceland, Norway and
Liechtenstein) in cases implying a cross-border component and supports this by using the
following tools:
- the mutual assistance,
- the joint operation,
- the One-Stop-Shop cooperation mechanism, which introduces the obligatory intervention of a Lead Supervisory Authority for the cross-border cases.
The cooperation on cross-border cases (i.e. on the basis of complaints from individuals) is
conducted by the national supervisory authorities. The EDPB does not deal with those cases
unless a dispute arises between the authorities or in the case of urgency.
Consistency mechanism
One of the main tasks of the EDPB is to ensure the consistent application of the GDPR.
One opportunity to ensure consistency is to provide general guidance on the interpretation
of the GDPR, which will contribute to a common understanding and application of the
provisions by the stakeholders, the supervisory authorities and the public in general. Since 25
May 2018, the EDPB has endorsed 16 guidelines prepared by the Article 29 Working Party
(predecessor of the EDPB) and has adopted 5 additional guidelines.
Another opportunity is to adopt consistency opinions and decisions. These decisions mainly
address the national supervisory authorities and ensure a consistent application and
enforcement of the GDPR.
Standardised communication:
To support the cooperation and the consistency mechanism among the EDPB members the
DG Grow of the EU Commission, together with the EDPB Secretariat and the EDPB members,
have customised an already existing IT system – the Internal Market Information system (IMI).
This system was operational on the first day of the entry into application of the GDPR. This
system provides a structured and confidential way to share information among the SAs.
The feedback of the national regulators on this system is really positive. A dedicated expert
subgroup has been created to ensure the continuous enhancement of the system on the basis
of the feedback collected via a dedicated IT Helpdesk support provided to the EDPB members
by the EDPB Secretariat.
Before a case is produced in the case register of the system, the competent authorities have
to be identified. This registry is the central database from which different procedures can be
started, such as the mutual assistance, joint operation and One-Stop-Shop mechanism.
The scheme in the appendix provides an overview of the functioning of the system.
- Cooperation Mechanism
a. Preliminary procedure to identify the lead and concerned supervisory authorities
Before starting a One-Stop-Shop procedure for cross-border cases, it is necessary to identify
the authority that will lead the cooperation (Lead SA), and the other Concerned supervisory
authorities (Concerned SA). The Lead SA will have to lead the cooperation procedure, draft
the decision and the Concerned SAs will have the opportunity to raise objections.
The Lead SA is the authority within the EEA where the organisation subject to the
investigation has its main establishment. The main establishment is identified as the central
administration of the investigated company/organisation in the EU.
The EDPB created workflows in the IMI system to enable the SAs to identify their respective
roles. The main purpose of this procedure is to define the roles at an early stage and to avoid
objections on the question of competences at a later stage of the procedure.
In case of conflicting views regarding which authority should act as Lead SA, EDPB has the role
of a dispute resolution body and issues a binding decision.
Since 25 May 2018, 642 procedures have been initiated to identify the Lead SA and the
Concerned SAs in cross-border cases. Out of the 642 procedures, 306 are closed and the Lead
SA identified.
Up to now, no dispute has arisen on the selection of the Lead SA.
24 EEA countries already initiated procedures and 26 SAs were proposed to act as lead SA.
b. Database regarding cases with a cross-border component
These cases will be registered in a central database from which different procedures can be
initiated, such as the mutual assistance, joint operation and One-Stop-Shop mechanism.
Since 25 May 2018, 30 different EEA SAs have registered a total of 281 cases with a
cross-border component in the IMI system.
Most of the opened cases derive from complaints by individuals (194 cases). The
rest of the cases (87) have other origins.
The three main topics of the cases are related to the exercise of the data subjects’ rights, to
the consumer rights and to data breaches.
c. One-Stop-Shop Mechanism
The GDPR provides a specific cooperation procedure (One-Stop-Shop) for cross-border cases.
A cross border case emerges where the controller or the processor has an establishment in
more than one Member State or where the data processing activity substantially affects
individuals in more than one Member State.
The One-Stop-Shop mechanism implies a cooperation between the Lead SA and the
Concerned SA. The Lead SA will lead the cooperation procedure and plays a key role in the
process to reach consensus between the Concerned SAs and to reach a coordinated decision
with regard to a data controller or processor.
The Lead SA first has to investigate the case while observing its national procedural rules (e.g.
provide the right to be heard to the affected persons). During this investigation phase, it can
gather information from another supervisory authority via mutual assistance or conduct a joint
investigation, where foreseen in the respective national law.
The IMI system also offers the opportunity for the Lead SA to launch – if necessary – an
informal communication with all the Concerned SAs to collect information to prepare its
draft decision.
Once the Lead SA has completed the investigation, it prepares a draft decision and
communicates it to the Concerned SAs. These can object to the draft decision, which either
leads to a revised draft decision or triggers the dispute resolving mechanism of the board.
If a dispute arises on the draft decision and no consensus is found, the consistency mechanism
is triggered and the case is referred to the EDPB. The EDPB will then act as a dispute resolution
body and issue a binding decision on the case. The Lead SA will have to adopt its final decision
on the basis of the decision of the EDPB.
If the Concerned SAs do not object to the initial draft decision, or the revised one, they are
deemed in agreement with the draft decision. So, the Lead SA can adopt its final decision.
The IMI system offers different procedures to handle the One-Stop-Shop cases:
- Informal consultation procedures,
- Draft decisions or revised decision submitted by the Lead SA to the Concerned SAs,
- Final One-Stop-Shop decisions submitted to the Concerned SAs and to the EDPB.
Since 25 May 2018, 45 One-Stop-Shop procedures were initiated by SAs from 14 different
EEA countries. The 45 procedures are at different stages: 23 are at the informal consultation
level, 16 are at draft decision level and 6 are final decisions.
These first final One-Stop-Shop decisions relate to the exercise of the rights of individuals
(such as the right to erasure), the appropriate legal basis for data processing and data breach
notifications.
The limited number of One-Stop-Shop procedures can be explained because the circulation
of the draft decision is the result of the investigations conducted by the Lead SA respecting
national administrative procedural laws. The number of One-Stop-Shop procedures is
increasing steadily.
d. Mutual assistance
The mutual assistance procedure allows each SA to ask other SAs for information but also
to request any other measures for effective cooperation (such as prior authorisations,
investigations, etc.).
The mutual assistance can be used for cross-border cases subject to the One-Stop-Shop
procedure (as part of the preliminary phase to gather elements necessary before drafting a
decision), or can also be used for national cases with cross-border component.
The IMI system enables the use of informal mutual assistance, without any legal deadline or
the use of formal mutual assistance where the requested SA has a legal deadline of 1 month
to reply to the request.
Since 25 May 2018, 444 mutual assistance requests (formal and informal) have been
triggered by SAs from 18 different EEA countries.
In 353 cases out of the 444 mutual assistance requests, the answers were sent within 23
days. The remaining 91 cases are ongoing, not yet answered by the requested SA.
e. Joint operations
The GDPR allows the SAs of different member states to carry out joint investigations and joint
enforcement measures. The joint operations can be used in the context of cross-border cases
subject to the One-Stop-Shop procedure (as part of the preliminary phase to gather elements
necessary before drafting a decision), or can also be used for national cases including a
cross-border component.
Since 25 May 2018 to 31 January 2019, no joint operations have been initiated.
f. Assessment of the cooperation mechanism and suggestions for improvement by the SAs
In comparison with the EC Directive 95/46/EC where SAs were working separately even on
cross border cases, the GDPR foresees a duty for the SAs to cooperate in order to provide a
consistent application of the GDPR.
The national regulators adapted to this new situation. One of the advantages of the GDPR is
to leave some margin of manoeuvre for the SAs to address those challenges.
However, the GDPR has been in application only for 9 months and there is still work to be
done at the EDPB level to further streamline the procedure to make the system even more
efficient. The question of the resources allocated to the authorities (and the possibility to
recruit staff who also speak English) has an impact on the global efficiency of the system.
- Consistency Mechanism
a. Consistency opinion
For some types of decisions, the national SAs have to request an opinion of the EDPB before
being entitled to adopt their decision. This applies for instance to the approval of cross-border
codes of conduct, the adoption of standardised contractual clauses, or the adoption of
national lists describing the type of processing that must be subject to a Data Protection
Impact Assessment.
The purpose of the consistency opinion issued by the EDPB is to guarantee the consistent
application of the GDPR in cases where a competent SA wants to adopt those specific
measures.
Each national SA, the Chair of the EDPB or the Commission can ask the EDPB to issue a
consistency opinion on any matter of general application or producing effects in more than
one Member State.
Since 25 May 2018, 28 opinions on the national lists of processing subject to a Data Protection
Impact Assessment and 1 opinion on a draft administrative arrangement for the transfer of
personal data between financial supervisory authorities (in the EEA and outside of the EEA)
have been adopted by the EDPB. Currently there are 3 ongoing procedures which are related
to binding corporate rules, to a draft standard contract between Controllers and Processors
and to the interplay between the GDPR and the ePrivacy Directive, in particular as regards the
competence of the national data protection supervisory authorities.
b. Dispute resolution
The EDPB intervenes as a dispute resolution body and adopts binding decisions, in order to
ensure the consistent application of the GDPR, in the following cases:
- A dispute takes place within the One-Stop-Shop mechanism (a Concerned SA raises a relevant and reasoned objection which is not followed by the Lead SA);
- A disagreement takes place on the determination of the Lead SA;
- An SA does not request or does not follow a consistency opinion of the EDPB.
From 25 May 2018 to 18 February 2019, no dispute resolutions were initiated. This means
that up to now, the SAs were able to reach consensus in all current cases, which is a good sign
in terms of cooperation.
c. Assessment of the consistency mechanism and suggestion for improvement by the SAs
The following analysis reflects the views and impressions of the authorities in the context of
this report.
Up to now, the EDPB did not have to act as a dispute resolution body, also due to the fact that
the number of decisions resulting from the One-Stop-Shop cases is still relatively small.
Since the EDPB has so far focused mainly on the preparation of consistency opinions on
national DPIA lists (on the national lists of processing subject to a Data Protection Impact
Assessment) most authorities emphasised that the experience of the EDPB with the
consistency mechanism in other areas is still limited. However, it is planned that in the coming
months other types of national measures, such as BCRs, codes of conducts, standard contracts
and issues related to certification will be submitted to the EDPB and thus trigger the
consistency mechanism in other fields.
It was indicated that, already on the basis of the first experiences, the consistency mechanism
was found to require many resources, to be time-consuming and to require the authorities to
act swiftly within the given timeframe. In this context, a possible need to extend the deadlines
was addressed.
II. Means and powers of the national supervisory authorities
- Budget and human resources
Under the new legal framework, SAs wear two hats. They not only deal with their enhanced
enforcement powers but are required to become more engaged, which implies the need for
more budget and staff.
a. Budget
While, based on information provided by SAs from 26 EEA countries and the EDPS, in most
cases an increase in the budget for 2018 and 2019 was observed, in two cases a decrease and
in 3 cases no changes in the budget were noticed. According to information provided by the
respective SAs, the latter phenomena can be explained by biannual plans for this period of
time.
Although the majority of the 17 replying SAs stated that they would need an increase in the
budget of 30-50%, almost none of them received the requested amount. There are some
extreme examples where this need is close to or even 100 %.
b. Human resources
Based on information provided by SAs from 26 EEA countries and the EDPS, the majority of
SAs have experienced an increase in the number of staff, while for 8 SAs the human resources
did not change. For one SA, there was even a decrease in personnel.
Given the different scope of competences of the SAs (GDPR, e-Privacy, Freedom of
Information), the requirements for more personnel also vary.
- Implementation and enforcement of the GDPR at national level
The total number of cases reported by SAs from 31 EEA countries is 206.326. Three different
types of the cases can be distinguished, namely cases based on complaints, cases based on
data breach notifications and other types of cases. The majority of the cases are related to
complaints, notably 94.622 while 64.684 were initiated on the basis of data breach
notification by the controller.
52 % of these cases have already been closed and 1 % of these cases challenged before
national court.
Corrective powers:
Regarding the corrective powers, the SAs have different measures to use:
- to issue warnings to a controller or processor that intended processing operations are likely to infringe the GDPR,
- to issue reprimands to a controller or a processor where processing operations have infringed the GDPR,
- to order the controller or the processor to comply with the data subject’s requests or to bring processing operations into compliance with the GDPR,
- to impose administrative limitations, bans and fines.
SAs from 11 EEA countries have already imposed administrative fines according to Article
58.2(i) GDPR. The total amount of the imposed fines is 55.955.871 EUR.
III. Conclusion
Nine months after the entry into application of the GDPR, the members of the EDPB are of
the opinion that the GDPR works quite well in practice making use of the new way of
cooperation including numerous daily exchanges. The One-Stop-Shop cases that have already
led to an outcome tested some of the core principles of the GDPR and were resolved
smoothly. So far, not a single cross-border case has been escalated to the EDPB level.
Despite the increase in the number of cases in the last months, the SAs reported that the
workload is manageable for the moment, in large part thanks to a thorough preparation
during the past two years by SAs, the Article 29 Working Party and by the Board.