The New European Data Protection Board: composition and compentence

The 25th of May 2018, is the date of entry into force of the General Data Protection Regulation (GDPR) which also imply the inauguration of the new European Data Protection Board (Hereafter EDPB) which will officially replace the article 29 Working Party, an advisory committee established under the Directive 95/46/EC (the “Data Protection Directive”).

Composition and organisation

The European Data Protection Board will be composed of heads from each national data protection authorities, the European Data Protection Supervisor (EDPS), representatives from the European Commission. (The Commission has no voting rights.)

The EDPB isformally represented by its Chair, who has the chief role in organising the work of the EDPB in particularly when administering the conciliation procedure for disputes between national supervisory authorities.

The EDPB will also have its own Secretariat which is provided by the EDPS, but which acts solely under the direction of the chair of the EDPB.

Decision making

The EDPB is to be an independent body which adopts its own rules of procedure and organise its own affairs.

The EDPB normally decides matters by a simple majority (for instance opinions), but rules of procedure and binding decisions (in the first instance) are to be determined by a two-thirds majority.

Competences

The main role of the EDPB is to guarantee consistent application of the GDPR and settle disputes between national data protection authorities (in concordance with the consistency mechanism in article 63 of the GDPR).

To fulfill this objective, the European Data Protection Board may:

  • Adopt Binding decisions (when settling disputes in case of conflicting views between the DPAs and the lead DPAs).
  • Adopt Opinions (For example with regards to a draft code of conduct  on a sectoral level or with regards to standard data protection clauses).
  • Adopt Guidelines (best practices) as well as statements ,recommendations and advice (for example on demand of the Commission,
  • Finally, the EDPB has to prepare an Annual Report.

Conclusion

The question which often comes up is to know whether the new EDPB is more than simply a rebranding taking into account that the WP29’s subgroups will be continuing their work as usual.

In our opinion the EDPB as an independent body will be able to help national authorities to coordinate their actions (One-stop shop mechanism) as recent technological progress makes it extremely difficult to locate data subjects and the processing of their data in the same country or territory. The EDPB will also harmonize the consistent application of the GDPR in member states in a far more effective manner due to its independence and ability to give opinions regarding certification systems as well as codes on a sectoral level.

 More information on this topic?

Contact Bart Van den Brande, managing partner, or Mathieu Desmet, junior associate