Trans EU
Cross Border Matters
The GDPR seeks to provide for the uniform interpretation and application of data protection standards across the EU, thereby providing a level playing field for those doing business in the EU digital market. The European Data Protection Board comprising representatives of the data protection authorities of all Member States plays an important role in this regard.
The supervisory authority of the main establishment or of the single establishment of the controller or processor is competent to act as lead supervisory authority for cross-border processing carried out by that controller or processing in accordance with the legislation.
Without limiting this position, each supervisory authority is competent to handle a complaint lodged with it for a possible infringement, if the subject matter relates only to an establishment in that EU State or if it substantially affects persons in that State only. In these cases, the supervisory authority may act as a lead supervisory authority without delay on that matter.
There are procedures for interaction with other establishments. The lead supervisory authority may decide to handle the case and specified procedures apply. Alternatively, it may remit the matter to the appropriate other authority.
Cooperation Between EU Authorities
There are extensive provisions in the GDPR for cooperation and consistency between EU supervisory bodies. There are provisions for cooperation between the lead supervisory authority and others in matters concerning both. The lead supervisory authority shall cooperate with the others and shall endeavour to reach consensus. The authorities shall exchange information with each other.
The lead supervisory authority may request the other authorities to provide mutual assistance and conduct joint operations. In particular, they may carry out joint investigations and measures. The lead authority shall without delay, communicate the relevant information to other authorities. It shall submit draft decisions to other authorities for their views and take them into account.
Where having consulted as above, the other authority expresses a relevant and reasoned objection, the lead supervisory authority shall, if it does not follow the objection, submit the matter to the consistency mechanism referred to below.
Where the lead authority intends to follow the relevant objection, it shall submit to the other authorities concerned a revised draft decision. Where none of the other authorities object to a draft decision, the lead authority may proceed on the basis that it is agreed.
The lead authority shall adopt and notify the decision to the main establishment or single establishment of the processor or controller, and inform the other bodies concerned and the EU Board, of the decision.
Authorities to Cooperate
Supervisory authorities must provide each other with relevant information and mutual assistance in order to implement and apply the GDPR in a consistent manner. They must put in place effective measures for the purpose of such cooperation. Mutual assistance covers, in particular, information requests and supervisory measures.
Supervisory authorities must put in place measures to reply to a request from other authorities without undue delay and no later than one month after the request. The authority shall not refuse to comply with the request unless it is not competent in relation to the matter concerned, or compliance would infringe EU or national legislation to which the authority is subject.
The authority is to notify the requesting authority of the results and progress of the measures. This is to be done without fee and primarily in electronic format. There is a provision that if the other authority does not cooperate and respond to their request within a certain period, a provisional measure may be adopted. Where urgent authority is needed, there is provision for reference to an EU entity. The EU Commission may specify the format and procedures for mutual assistance.
Joint Operations
Where appropriate, the authorities of several EU states shall conduct joint operations including joint investigations and enforcement.Where the processor has establishments in several Member States or a significant number of data subjects are in more than one State and are likely to be substantially affected by processing operations, each of the relevant Member States has the right to participate in the joint operations.
The supervisory authority which is competent in the matter shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of an authority to participate.
There is provision for the conferral of powers on the authority and members of staff of the other supervisory body for such purposes. This must be done without cost. Any damage or loss caused by its authority or personnel must be made good by the relevant State.
Consistency Mechanism and Complaints
The GDPR provides a “consistency mechanism” which is intended to streamline the handling of cross-border data protection complaints across the EU. The mechanism is based on the concept of a “lead” supervisory authority, meaning the data protection authority of the Member State in which a controller’s “main” or only EU establishment is located.
Complaints will generally fall to be investigated by the data protection authority of the lead supervisory authority, irrespective of the origin of the complaint. That authority may request assistance from other data protection authorities for investigation purposes. The initial conclusion as to whether or not an infringement of data protection rules has occurred, or is occurring, is made by the lead supervisory authority.
Before arriving at any final decision in cross-border cases, the lead supervisory authority must submit a draft decision to the data protection authorities of other Member States with an interest in the case, e.g. either because the complaint has originated in that Member State or the controller concerned has other establishments there.
The lead supervisory authority must have regard to any relevant and reasoned objections to the draft decision submitted by other concerned supervisory authorities, and if consensus cannot be reached, the case will come before the European Data Protection Board – made up of representatives of the data protection authorities of every Member State – for a binding decision.
Consistency and EU Data Protection Board I
In order to contribute to the consistent application of the regulation throughout the EU, the supervisory authorities must cooperate with each other and the EU Commission, through the consistency mechanism.
Any supervisory authority, the EU Board or the Commission may request that any matter of general application or having effect in more than one State, is examined by the Board with a view, to obtaining an opinion in particular in relation to mutual assistance matters.
The EU Board shall issue an opinion where a competent supervisory authority intends to opt out of any of the below measures. For that purpose, the authority shall communicate the draft decision to the Board, when it:
- aims to adopt a list of the processing operations subject to the requirement for a data protection assessment;
- concerns a matter relating to a draft code of conduct or an amendment of it;
- aims to approve criteria for an accreditation body;
- aims to determine standard data protection clauses in contracts for the transfer of data abroad;
- aims to authorise contractual clauses for such purpose;
- aims to approve binding corporate rules for such purpose.
General Consistency and EU Data Protection Board II
The Board shall give an opinion on the matter in accordance with a procedure within a set period. There are provisions for furnishing information to and for cooperation with the Board. There are time limits for the issue of the Board’s opinion (8 weeks subject to extensions).
The relevant decision shall not be adopted by the national supervisory authority while the matter is ongoing with the Board. Where the supervisory authority does not intend to follow the opinion of the Board, it must give details of the relevant grounds and the below dispute resolution provisions apply.
In order to ensure the correct and consistent application of the regulation in individual cases, the Board shall adopt a binding decision in the following cases:
- where, in a case referred, (another) supervisory authority has raised a relevant and reasoned objection to a draft decision of the lead authority which the latter has rejected as not being relevant or reasoned;
- where there are conflicting views on which of the supervisory authorities is competent for the main establishment;
- in certain cases, where the supervisory authority does not request the opinion of the Board as contemplated above or does not follow the opinion.
The decision of the Board is to be adopted within a certain period (one month), which may be extended. It must be reasoned and addressed to the relevant authority.
General Consistency and EU Data Protection Board III
The lead authority or the supervisory authority with which the complaint had been lodged shall adopt its final decision on the basis of the decision of the Board under the dispute resolution procedure set out above. The opinion shall be published on its website. The relevant authority must report back to the Board in relation to the subject matter of the decision.
There are provisions for cases of urgency. Where an authority considers that the request is urgent, in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the above consistency mechanism, adopt immediate provisional measures intended to produce legal effects within its own authority. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them under the procedure to the Board.
There is provision for other authorities acting, where the competent authority has not taken the appropriate measures in a situation where there is an urgent need to act.
Ireland the Lead Authority Domestic Provisions I
Where an inquiry has been conducted in respect of a complaint for which the Irish Data Protection Commission is the competent supervisory authority, then having considered the information obtained in the examination, it may if satisfied that an infringement by the controller or processor to which the complaint relates has occurred or is occurring, make a decision to that effect, or if not so satisfied, make a decision to dismiss the complaint.
The Data Protection Commission shall make a draft decision in respect of the complaint (or, as the case may be, part of the complaint) and, where applicable, as to the envisaged action to be taken in relation to the controller or processor concerned and adopt its decision in respect of the complaint or, as the case may be, part of the complaint.
In making a draft decision the Data Protection Commission shall, where applicable, have regard to the information obtained by the Data Protection Commission in its examination of the complaint, including, where an inquiry has been conducted in respect of the complaint, the information obtained in the inquiry, and any draft for a decision that is submitted to the Data Protection Commission by another EU supervisory authority
Where the Data Protection Commission adopts a decision to the effect that an infringement by the controller or processor concerned has occurred or is occurring, it shall, in addition, make a decision
- where an inquiry has been conducted in respect of the complaint as to whether a corrective power should be exercised in respect of the controller or processor concerned, and where it decides to so exercise a corrective power, the corrective power that is to be exercised, or
- where an inquiry has not been conducted in respect of the complaint as to whether an action should be taken, and where it decides to take such an action, the action that is to be taken.
Ireland the Lead Authority Domestic Provisions II
The Commission, in making its decision shall have due regard to the decision as to the envisaged action to be taken in relation to the controller or processor included in the Commission’s draft decision or, as the case may be, its revised draft decision under
The actions may include the serving on the controller or processor concerned of an enforcement notice, requiring it to do one or more than one of the following:
- comply with the data subject’s request to exercise his or her rights pursuant to a relevant enactment;
- where the enforcement notice is given to the controller, communicate a personal data breach to the data subject;
- rectify or erase personal data or restrict processing
- the taking of such other action in respect of the complaint as the Commission considers appropriate.
Where a complaint is lodged with the Commission or a complaint is lodged with another supervisory authority and the Data Protection Commission is the supervisory authority in respect of the complainant concerned, another supervisory authority is the lead supervisory authority in respect of the complaint, and a decision is made, to dismiss or reject the complaint or, part of the complaint, the Data Protection Commission shall adopt that decision) in respect of the complaint or, as the case may be, part of the complaint.
Notification of decision of Data Protection Commission
The Data Protection Commission shall as soon as practicable after it makes a decision under the above provisions give the controller or processor and the complainant a notice in writing setting out—
- the decision and the reasons for it, and
- where applicable, the corrective power that the Data Protection Commission has decided to exercise in respect of the controller or processor,
Where the Data Protection Commission is the lead supervisory authority in relation to a complaint where the appropriate course is agreed by the authorities concerned, the Data Protection Commission shall, as soon as practicable after it adopts its decision
- give the controller or processor concerned, at its main establishment or single establishment, a notice in writing setting out the decision and the reasons for it, and where applicable, the corrective power that the Data Protection Commission has decided to exercise or, as the case may be, the action that it has decided to take in respect of the controller or processor, and
- (give the complainant concerned a notice in writing setting out the decision and the reasons for it, and where applicable, the corrective power that the Data Protection Commission has decided to exercise or, as the case may be, the action that it has decided to take in respect of the controller or processor.
References and Sources
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Data Protection Act 2018
Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988
Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988
Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988
Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988
Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989
Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989
Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989
Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993
Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993
Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007
Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007
Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007
Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007
Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009
Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011
Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012
Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013
Data Protection Act 1988 (Commencement) Order 2014, Sino. 337 of 2014
Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015
Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016
Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016
Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016
Data Protection (Amendment) Act 2003 (Commencement)Order 2003, S.I. No. 207 of 2003
Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007
Data Protection (Amendment) Act 2003 (Commencement) Order 2014
EU Legislation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Irish Books
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
EU and UK Texts
Information Technology and Intellectual Property Law 7th ed 2018 Bainbridge 2018
Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed
Rosemary Jay 2018
Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed
Patrick Birkinshaw, Mike Varney 2018
Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018
A User’s Guide to Data Protection: Law and Policy A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018
Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018
Information Exchange and EU Law Enforcement Information Exchange and EU Law Enforcement Anna Fiodorova 2018
Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018
The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018
The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018
Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018
The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018
A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018
EU Data Protection Law EU Data Protection Law Denis Kelleher, Karen Murray 2018
New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017
Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017
Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017
The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017
Privacy, Data Protection and Cybersecurity in Europe Privacy, Data Protection and Cybersecurity in Europe Edited by: Wolf J. Schunemann, Max-Otto Baumann 2017
Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017
Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016
Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016
Data Protection and Privacy: International Series Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016
Data Protection: The New Rules Ian Long 2016
A User’s Guide to Data Protection A User’s Guide to Data Protection 2nd ed Paul Lambert 2016
The Foundations of EU Data Protection Law Orla Lynskey 2015
Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015
Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015
Data Protection: Law and Practice 4th ed with 1st Supplement Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014
Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014
Cloud Computing Law Christopher Millard 2013
Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013
Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013
A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013
Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012
Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012
Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011
Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011
Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011
Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010
Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008