We highly appreciate the Commission’s efforts to remove some of the procedural barriers to a more uniform approach to GDPR enforcement.
We believe that all of the areas suggested by the Commission (and by the EDPB) are suitable for a greater degree of harmonisation. In this context, we would only point out that the new legislative acts should also take into account the fact that Member States have different arrangements for administrative procedures, whether in the handling of complaints, the exercise of control or the imposition of administrative sanctions. Any judicial review of decisions of supervisory authorities will be carried out at the level of Member States’ courts and their administrative justice rules. It is therefore necessary to leave room for the Member States to ensure that these rules are properly linked to the rules of administrative procedures modified by any new legislative act.
At the same time, we would like to point out that the proposed initiative completely neglects the harmonisation of cross-border investigations in relation to the position of data protection officers of the parties under investigation (controllers or processors). The position of the data protection officers is very specific and delicate in terms of the supervisory authorities’ approach to the investigation of (cross-border) cases. On the one hand, DPOs are supposed to cooperate with the supervisory authorities (Article 39(1)(d) and (e) GDPR), but at the same time they are bound by a duty of loyalty towards the controllers or processors concerned (which usually arises from the employment or other relationship between them and the controller or processor concerned). In practice, despite the text of Article 38(3) of the GDPR, it will often not be clear to what extent the DPO is required to cooperate in an investigation carried out by a supervisory authority, and to provide the supervisory authority with information obtained in the course of his/her own supervisory and control activities, especially if such information could be used against the controller or processor concerned. In this context, we believe that the most important issue would be to clarify the scope of the confidentiality obligations (and here also the right to refuse to testify) that are foreseen in Article 38(5) GDPR. Unfortunately, the assumption of the European legislator that EU or national law would regulate this issue has not been fulfilled and, for example, no such regulation has been adopted in some countries, such as the Czech Republic. This puts the data protection officers in a very complicated situation, as it is not clear to what extent they are obliged to provide the supervisory authorities with sensitive information they have obtained in the course of their control activities (e.g., about GDPR violations detected in the course of internal control or internal investigation of incidents).
Therefore, we believe that it would be appropriate to harmonise at European level, within the framework of the forthcoming legislative act, the conditions for the activities of data protection officers and their cooperation with supervisory authorities and to stress that the cooperation mentioned has to be reciprocal. We furthermore believe it would be appropriate to harmonise in particular the scope of their duty of confidentiality and the right to refuse to testify, so that they are not at a disadvantage in the case of a cross-border investigation.
EFDPO Press Office, phone +49 30 20 62 14 41, email: firstname.lastname@example.org
President: Thomas Spaeing (Germany)
Vice Presidents: Xavier Leclerc (France), Judith Leschanz (Austria), Inês Oliveira (Portugal), Vladan Rámiš (Czech Republic)
The European Federation of Data Protection Officers (EFDPO) is the European umbrella association of currently 14 national associations for data protection and privacy officers. Its objectives are to create a European network of national associations to exchange information, experience and methods, to establish a continuous dialogue with the political sphere, business representatives and civil society to ensure a flow of information from the European to the national level and to proactively monitor, evaluate and shape the implementation of the GDPR and other European privacy legal acts. In doing so, the EFDPO aims to strengthen data protection as a competitive and locational advantage for Europe. The new association is based in Brussels.
Member associations of the EFDPO
- Austria: privacyofficers.at – Verein österreichischer betrieblicher und behördlicher Datenschutzbeauftragter
- Brazil: ANPPD – Associação Nacional dos Profissionais de Privacidade de Dados
- Czech Republic: Spolek pro ochranu osobních údajů
- Croatia: CENTAR FERALIS
- France: UDPO, Union des Data Protection Officer – DPO
- French Polynesia: U.D.P.O PACIFIC
- Germany: Berufsverband der Datenschutzbeauftragten Deutschlands (BvD) e. V.; Fachverband Externe Datenschutzbeauftragte (FED) e.V.
- Greece: Hellenic Association for Data Protection and Privacy (HADPP)
- Liechtenstein: dsv.li-Datenschutzverein in Liechtenstein
- Portugal: APDPO PORTUGAL Associação dos Profissionais de Proteção e de Segurança de Dados
- Slovakia: Spolok na ochranu osobných údajov
- Switzerland: Data Privacy Community; Swiss Association of Data Protection Officers