Article 70
Tasks of the Board

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 70 keyboard_arrow_down Hide the recitals of the Regulation related to article 70 keyboard_arrow_up

(139) In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union. To fulfil its objectives, the Board should have legal personality. The Board should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives. The Commission should participate in the Board's activities without voting rights and the European Data Protection Supervisor should have specific voting rights. The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting cooperation of the supervisory authorities throughout the Union. The Board should act independently when performing its tasks.

Show the recitals of the Directive related to article 70 keyboard_arrow_down Hide the recitals of the Directive related to article 70 keyboard_arrow_up

(65) Whereas, at Community level, a Working Party on the Protection of Individuals with regard to the Processing of Personal Data must be set up and be completely independent in the performance of its functions; whereas, having regard to its specific nature, it must advise the Commission and, in particular, contribute to the uniform application of the national rules adopted pursuant to this Directive;

 

The GDPR

Like Article 30 of the Directive, Article 66 of the Regulation describes the tasks of the European Data Protection Board. Compared to the Directive, the tasks are supplemented in order to take account of the enlargement of the field of activities of this Board within and outside the Union.

Like the Article 29 Working Party, the Board has the task to ensure the consistent application of the future Regulation. To this end, its tasks are as follows:

- to monitor and ensure the correct application of this Regulation within the consistency control mechanism (a); the Board plays a central role in this mechanism by giving an opinion on some drafts for decisions by the authorities (see Article 64) or by resolving any disputes between the national authorities through binding decisions (see Art. 65);

- to advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation (b) and on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules (c).

It is also a responsibility of the Board to issue guidelines, recommendations and best practices:

- on the procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17 (2) of the Regulation (d);

- to further specify the criteria and conditions for decisions based on profiling pursuant to Article 22 (2) (f); or for establishing personal data breaches and determining whether there has been undue delay (Article 31) and for the particular circumstances in which a controller or a processor is required to provide notification of a personal data breach (g);

- as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34 (h);

- to further specify the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and by processors and, when necessary, requirements to ensure the protection of personal data of the data subjects concerned as referred to in Article 43 (i);

- to further specify the criteria and requirements for personal data transfers on the basis of Article 44 of the Regulation (j);

- for establishing common procedures for reporting by natural persons of Regulation infringements (m);

The Board shall also examine on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines or recommendations (e).

The Board shall draw up guidelines for national supervisory authorities concerning the application of measures referred to in Article 58 and the setting of administrative fines pursuant to Article 83 (k).

In addition, the Board will have the task to:

- encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42 (n);

- carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43 (6) and of the accredited controllers or processors established in third countries pursuant to Article 42 (7) (o);

- specify the requirements referred to in Article 43 (3) with a view to the accreditation of certification bodies under Article 42 (p);

The Board must also give an opinion to the Commission on:

- the certification requirements referred to in Article 43 (8) (q);

- on the standardized icons used to inform the data subjects pursuant to Article 12 (7) (r);

the adequacy of the level of protection in a third country or international organization, including assessment of whether a third country or an international organization still ensures an adequate level of protection. To that end, the Board shall provide all necessary documentation, including correspondence with the government of the third country concerned, the territory or specified sector of the processor concerned (s);

The Board shall also give an opinion on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64 (t).Pursuant to the consistency mechanism, some draft decisions of the supervisory authorities must be submitted to the Board for opinion (see Articles 64, 65 and 66).

The Board shall also promote:

- the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities (u);

- the elaboration of common training programmes and facilitation of personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organizations (v);

- the exchange of information, knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide (w);

The Board shall also:

- issue opinions on codes of conduct drawn up at Union level (x). Pursuant to Article 40 (9), the power to extend the Commission has the power to extend the validity of a code of conduct approved by the Union.

- maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled under the consistency mechanism (y).

An innovation that is worth highlighting is the ability recognized by the Commission to ask the audit committee to give an opinion within a given period, referring to a particular emergency situation (paragraph 2).

Finally, the works of the Board (advice, guidelines, recommendations and good practices) must be published and communicated to the Commission and to the committee referred to in article 93 (paragraph 3).

The final version of the Regulation vests in the Board the power to consult the concerned parties and give them the opportunity to present their point of view within a reasonable time. The results of this consultation should be made public, without prejudice to Article 76 (paragraph 4).

The Directive

Article 30 of the Directive already listed the tasks of the board of the Article 29 Working Party to the Commission, as well as the way the Board is called to contribute to the uniform application of the national transposition rules.

These tasks logically include the ability of the Board to examine any question relating to the transposition of the Directive by the Member States, in order to ensure its uniform application.

Then, Article 30 (2) gave the Article 29 Working Party the task to provide advice to the Commission regarding the level of protection in the Community and in third countries, as well as on the codes of conduct developed at Community level.

The Article 29 Working Party should also advise the Commission on any proposed amendment of this Directive, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms.

In addition to these tasks, the Working Party should inform the Commission on any divergences between the laws or practices of Member States likely to affect the corresponding protection for persons with regard to the processing of personal data in the Union. 

The Working Party also had a general competence to adopt initiative for recommendations on any matter pertaining to the protection of personal data in the Union.

Article 30 allowed for a dialog between the Article 29 Working Party and the Commission, in order to prepare a report on the response given by the Commission to the recommendations made by the Article 29 Working Party. This report was communicated to Parliament and published.

Finally, the Article 29 Working Party has the obligation to prepare an annual activity report on the status of the personal data protection in the Union and in third countries. This report was publicised and communicated to the Commission and the Parliament.

Potential issues

The tasks assigned to the Board are both essential and numerous, including intervention at the request of the national supervisory authorities. Since mainly composed of members of the national authorities, the Board will not only have to be provided with the means to operate (see Article 75), but also the Member States must take into account these tasks in considering the human and financial resources they will provide to their national authority. 

Regulation
1e 2e

Art. 70

1.   The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

(a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;

(b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;

(d) issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);

(e) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;

(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);

(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;

(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).

(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;

(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1);

(k) draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

(l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);

(m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);

(n) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

(o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);

(p) specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;

(q) provide the Commission with an opinion on the certification requirements referred to in Article 43(8);

(r) provide the Commission with an opinion on the icons referred to in Article 12(7);

(s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation.

(t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66;

(u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;

(v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;

(w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.

(x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and

(y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.

3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.

4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

1st proposal close

Art. 66

1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission, in particular:

(a)     advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(b)     examine, on its own initiative or on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;

(c)     review the practical application of the guidelines, recommendations and best practices referred to in point (b) and report regularly to the Commission on these;

(d)     issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 57;

(e)     promote the co-operation and the effective bilateral and multilateral exchange of information and practices between the supervisory authorities;

(f)      promote common training programmes and facilitate personnel exchanges between the supervisory authorities, as well as, where appropriate, with the supervisory authorities of third countries or of international organisations;

(g)     promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.

2. Where the Commission requests advice from the European Data Protection Board, it may lay out a time limit within which the European Data Protection Board shall provide such advice, taking into account the urgency of the matter.

3. The European Data Protection Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 87 and make them public.

4. The Commission shall inform the European Data Protection Board of the action it has taken following the opinions, guidelines, recommendations and best practices issued by the European Data Protection Board.

2nd proposal close

Art. 66

1. The European Data Protection Board shall promote the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission, in particular: (aa) monitor and ensure the correct application of this Regulation in the cases provided for in Article 57(3) without prejudice to the tasks of national supervisory authorities;

(a) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation; 9565/15 CHS/VH/np 176 ANNEX DGD2C EN (b) examine, on its own initiative or on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;

(ba) draw up guidelines for supervisory authorities concerning the application of measures referred to in paragraph 1, 1b and 1c of Article 53 and the fixing of administrative fines pursuant to Articles 79 and 79a;

(c) review the practical application of the guidelines, recommendations and best practices referred to in points (b) and (ba);

(ca) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 38 and 39;

(cb) carry out the accreditation of certification bodies and its periodic review pursuant to Article 39a and maintain a public register of accredited bodies pursuant to paragraph 6 of Article 39a and of the accredited controllers or processors established in third countries pursuant to paragraph 4 of Article 39;

(cd) specify the requirements mentioned in paragraph 3 of Article 39a with a view to the accreditation of certification bodies under Article 39;

(ce) give the Commission an opinion on the level of protection of personal data in third countries or international organisations, in particular in the cases referred to in Article 41; (d) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in paragraph 2 and on matters submitted pursuant to paragraph 4 of Article 57; 

(e) promote the co-operation and the effective bilateral and multilateral exchange of information and practices between the supervisory authorities;

(f) promote common training programmes and facilitate personnel exchanges between the supervisory authorities, as well as, where appropriate, with the supervisory authorities of third countries or of international organisations;

(g) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide; (h) (…);

(i) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues dealt with in the consistency mechanism.

2. Where the Commission requests advice from the European Data Protection Board, it may indicate a time limit, taking into account the urgency of the matter.

3. The European Data Protection Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 87 and make them public.

Directive close

No specific provision

close