Implementation of the GDPR: The European Data Protection Board1

Lina Jasmontaite, Brussels Privacy Hub, LSTS, VUB

On 18 May 2016 the Brussels Privacy Hub hosted a second workshop within the BPH Workshops Series on the Implementation of the GDPR. The workshop took place at the premises of the Institute of European Studies, the Vrije Universiteit Brussel. The second workshop reflected on legal provisions of the General Data Protection Regulation (GDPR). setting up and determining the role of European Data Protection Board (EDPB). The participants of the workshop discussed the following:

Rationale: The EDPB will replace the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (often referred as ‘Article 29 WP’) that was established under the Data Protection Directive. Consequently, the EDPB will be composed of representatives of national data protection authorities. The EDPB Chair must be a national commissioner and will be appointed by members of the board. The EDPB will have a legal personality and therefore it will be possible to challenge its decisions, differently from the Article 29 WP, at the CJEU. The European Data Protection Supervisor (EDPS) will provide a secretariat for the newly set up body. It is expected that within this new arrangement the guidance will be organised in a more structured fashion.

Powers: In general, the EDPB powers can be divided into opinion-making and dispute resolution. According to Article 70 of the GDPR, the EDPB will ensure the consistent application of the updated legal framework by advising the Commission on questions related to the protection of personal data in the Union, issuing guidelines, recommendations, and best practices on procedures on questions related to the application of the GDPR, encouraging development of codes of conduct and the establishment of data protection certification mechanisms and data protection seals, promoting the cooperation among the DPAs and training programmes, and finally by facilitating and promoting a consistency mechanism. Article 70 (y) obliges the EDPB to establish and maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

Consistency mechanism: The consistency mechanism has been developed in order to avoid fragmented interpretation of the GDPR. The EDPB will play a crucial within the consistency mechanism as it will review and approve national DPAs decisions concerning the application of the GDPR and it also may resolve disputes between or among the concerned national DPAs.

The role of they EDPS: The EDPS will provide a secretariat for the EDPB and therefore, some suggested that the GDPR strengthens the EDPS role within the updated framework. At the same time, the GDPR insists that the EDPB shall work independently and will not be under the instruction of the EDPS, even if the staff is shared between the EDPB and the EDPS. There will be a separate budget line at the EDPS for staff and other resources that should be allocated for the Board. The EDPB will be an EU “body”, not an agency or institution because of institutional set up. Provided that the EDPS is an EU body, the EDPB cannot be considered to be an EU agency.



[1] The report is based on the notes of participants, Lina Jasmontaite did not take part in the workshop.