menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Spain) language
Contact our local member in Spain mail_outline
Visit the website of RPCC Estudio Jurídico account_balance

arrow_backPrevious Article
Article 68
Next Articlearrow_forward

European Data Protection Board

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 68 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 68 keyboard_arrow_up

Key words related to article 68

Show the recitals of the Regulation related to article 68 keyboard_arrow_down Hide the recitals of the Regulation related to article 68 keyboard_arrow_up

(72) Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles. The European Data Protection Board established by this Regulation (the ‘Board’) should be able to issue guidance in that context.

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.

(124) Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.

(136) In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation.

(139) In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union. To fulfil its objectives, the Board should have legal personality. The Board should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives. The Commission should participate in the Board's activities without voting rights and the European Data Protection Supervisor should have specific voting rights. The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting cooperation of the supervisory authorities throughout the Union. The Board should act independently when performing its tasks.

Show the recitals of the Directive related to article 68 keyboard_arrow_down Hide the recitals of the Directive related to article 68 keyboard_arrow_up

(65)  Whereas, at Community level, a Working Party on the Protection of Individuals with regard to the Processing of Personal Data must be set up and be completely independent in the performance of its functions; whereas, having regard to its specific nature, it must advise the Commission and, in particular, contribute to the uniform application of the national rules adopted pursuant to this Directive;

The GDPR

Article 68 provides for the establishment of an European Data Protection Board, which will have legal personality and will be represented by its Chair, instead of the Article 29 Working Party.

The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives. If a Member State has more than one supervisory authority responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State's law.

The Commission and the European Supervisor shall have the right to participate in the activities and meetings of the Board but without voting rights. For this purpose, the Commission shall designate a representative (paragraph 5).

The Chair of the Board shall communicate to the Commission the activities of the Board.

In the cases referred to in Article 65, such as where the Board must adopt a binding decision, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies and correspond in substance to those of this Regulation (paragraph 6).

The Directive

All practitioners of the data protection law are aware of the major role played by the Article 29 Working Party set up by the Directive. This advisory and independent group is composed of; a representative of the supervisory authority or authorities designated by each Member State , a representative of the authority or authorities established for the Community institutions/bodies, and a representative of the Commission.

The G29 is the author of many opinions and recommendations on current issues related to the technological developments with respect to the protection of the personal data. Its entire works are freely available on the site http://ec.europa.eu/justice/data-protection/article-29/index_fr.htm .

Potential issues

We do not see  a priori  any specific implementation difficulties. 

arrow_back Previous ArticleArticle 68Next Article arrow_forward
arrow_back Previous ArticleArticle 68 Next Article arrow_forward
arrow_back Previous Article Article 68 Next Article arrow_forward
Retour au sommaire
arrow_back Previous Article Article 68 Next Article arrow_forward
Regulation
1e 2e

Art. 68

1.   The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality.

2.   The Board shall be represented by its Chair.

3.   The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

4.   Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State's law.

5.   The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.

6.   In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.
1st proposal close

Art. 64 

1. A European Data Protection Board is hereby set up.

2. The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor.

3. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, they shall nominate the head of one of those supervisory authorities as joint representative.

4. The Commission shall have the right to participate in the activities and meetings of the European Data Protection Board and shall designate a representative. The chair of the European Data Protection Board shall, without delay, inform the Commission on all activities of the European Data Protection Board.

 
2nd proposal close

Art. 64

1a. The European Data Protection Board is hereby established as body of the Union and shall have legal personality.

1b. The European Data Protection Board shall be represented by its Chair.

2. The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State or his/her representative and of the European Data Protection Supervisor.

3. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, (…) a joint representative shall be appointed in accordance with the national law of that Member State.

4. The Commission and the European Data Protection Supervisor or his/her representative shall have the right to participate in the activities and meetings of the European Data Protection Board without voting right. The Commission shall designate a representative. The chair of the European Data Protection Board shall, communicate to the Commission (…) the activities of the European Data Protection Board.
Directive close

Art. 29

1. A Working Party on the Protection of Individuals with regard to the Processing of Personal Data, hereinafter referred to as 'the Working Party', is hereby set up.

It shall have advisory status and act independently.

2. The Working Party shall be composed of a representative of the supervisory authority or authorities designated by each Member State and of a representative of the authority or authorities established for the Community institutions and bodies, and of a representative of the Commission.

Each member of the Working Party shall be designated by the institution, authority or authorities which he represents. Where a Member State has designated more than one supervisory authority, they shall nominate a joint representative. The same shall apply to the authorities established for Community institutions and bodies.

3. The Working Party shall take decisions by a simple majority of the representatives of the supervisory authorities.

4. The Working Party shall elect its chairman. The chairman's term of office shall be two years. His appointment shall be renewable.

5. The Working Party's secretariat shall be provided by the Commission.

6. The Working Party shall adopt its own rules of procedure.

7. The Working Party shall consider items placed on its agenda by its chairman, either on his own initiative or at the request of a representative of the supervisory authorities or at the Commission's request.
Spain
compare_arrows
visibility Old law

Artículo 56. Acción exterior.

1. Corresponde a la Agencia Española de Protección de Datos la titularidad y el ejercicio de las funciones relacionadas con la acción exterior del Estado en materia de protección de datos.

Asimismo a las comunidades autónomas, a través de las autoridades autonómicas de protección de datos, les compete ejercitar las funciones como sujetos de la acción exterior en el marco de sus competencias de conformidad con lo dispuesto en la Ley 2/2014, de 25 de marzo, de la Acción y del Servicio Exterior del Estado, así como celebrar acuerdos internacionales administrativos en ejecución y concreción de un tratado internacional y acuerdos no normativos con los órganos análogos de otros sujetos de derecho internacional, no vinculantes jurídicamente para quienes los suscriben, sobre materias de su competencia en el marco de la Ley 25/2014, de 27 de noviembre, de Tratados y otros Acuerdos Internacionales.

2. La Agencia Española de Protección de Datos es el organismo competente para la protección de las personas físicas en lo relativo al tratamiento de datos personales derivado de la aplicación de cualquier Convenio Internacional en el que sea parte el Reino de España que atribuya a una autoridad nacional de control esa competencia y la representante común de las autoridades de Protección de Datos en el Comité Europeo de Protección de Datos, conforme a lo dispuesto en el artículo 68.4 del Reglamento (UE) 2016/679.

La Agencia Española de Protección de Datos informará a las autoridades autonómicas de protección de datos acerca de las decisiones adoptadas en el Comité Europeo de Protección de Datos y recabará su parecer cuando se trate de materias de su competencia.

3. Sin perjuicio de lo dispuesto en el apartado 1, la Agencia Española de Protección de Datos:

a) Participará en reuniones y foros internacionales de ámbito distinto al de la Unión Europea establecidos de común acuerdo por las autoridades de control independientes en materia de protección de datos.

b) Participará, como autoridad española, en las organizaciones internacionales competentes en materia de protección de datos, en los comités o grupos de trabajo, de estudio y de colaboración de organizaciones internacionales que traten materias que afecten al derecho fundamental a la protección de datos personales y en otros foros o grupos de trabajo internacionales, en el marco de la acción exterior del Estado.

c) Colaborará con autoridades, instituciones, organismos y Administraciones de otros Estados a fin de impulsar, promover y desarrollar el derecho fundamental a la protección de datos, en particular en el ámbito iberoamericano, pudiendo suscribir acuerdos internacionales administrativos y no normativos en la materia.

---

Article 56. External action.

1. The Spanish Data Protection Agency is responsible for the ownership and exercise of the functions related to the external action of the State in matters of data protection.

Likewise, the autonomous communities, through the autonomous data protection authorities, are responsible for exercising the functions as subjects of external action within the framework of their powers in accordance with the provisions of Law 2/2014, of 25 of March, of the Action and Foreign Service of the State, as well as to conclude international administrative agreements in execution and concretization of an international treaty and non-normative agreements with the analogous bodies of other subjects of international law, not legally binding for those who sign them, on matters within its competence within the framework of Law 25/2014, of November 27, of Treaties and other International Agreements.

2. The Spanish Data Protection Agency is the competent body for the protection of natural persons with regard to the processing of personal data arising from the application of any International Convention to which the Kingdom of Spain is a party that attributes to a national supervisory authority such competence and the common representative of the Data Protection authorities in the European Data Protection Committee, in accordance with the provisions of Article 68.4 of Regulation (EU) 2016/679.

The Spanish Data Protection Agency will inform the autonomous data protection authorities of the decisions adopted in the European Data Protection Committee and will seek their opinion on matters within their competence.

3. Without prejudice to the provisions of paragraph 1, the Spanish Data Protection Agency:

a) Participate in international meetings and forums outside the European Union established by mutual agreement of the independent supervisory authorities in the field of data protection.

b) It shall participate, as the Spanish authority, in the international organizations competent in the field of data protection, in the committees or working, study and collaboration groups of international organizations dealing with matters affecting the fundamental right to the protection of personal data and in other international forums or working groups, within the framework of the State's foreign action.

c) It shall collaborate with authorities, institutions, organizations and administrations of other States in order to foster, promote and develop the fundamental right to data protection, particularly in the Ibero-American sphere, and may sign international administrative and non-regulatory agreements on the subject.
Old law close

Organic Law 15/1999 on Personal Data Protection regulated. This law has been repealed by Organic Law 3/2018.
Denmark close

arrow_back Previous ArticleArticle 68 Next Article arrow_forward
close

2016 - www.itiplaw.eu.