GDPR Tasks of the Board
- Categories Blog, Free Data Protection Resources
- Date August 29, 2020
Article 70 GDPR
Tasks of the Board
1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:
(a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;
(b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;
(c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;(d) issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);
(e) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the appli cation of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;
(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);
(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;
(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).
(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;
(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1);
(k) draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;
(l) review the practical application of the guidelines, recommendations and best practices;(d) issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);
(e) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;
(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);
(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;
(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).
(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;
(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1);
(k) draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;
(m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);
(n) encourage the drawing-up of codes of conduct and the estab lishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;
approve the criteria of certification pursuant to Article 42(5) and maintain a public register of certification mechanisms and data protection seals and marks pursuant to Article 42(8) and of the certified controllers or processors established in third countries pursuant to Article 42(7);
approve the requirements referred to in Article 43 (3) with a view to the accreditation of certification bodies referred to in Article 43;
(q) provide the Commission with an opinion on the certification requirements referred to in Article 43(8);
(r) provide the Commission with an opinion on the icons referred to in Article 12(7);
(s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or inter national organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation.
(t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66;
(u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;
(v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appro priate, with the supervisory authorities of third countries or with international organisations;
(w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.
(x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and
(y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.
4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
Professor mr drs Romeo F. Kadir MA MSc LLM LLM (Adv) EMBA EMoC
At present Romeo Kadir serves as the President of the Global Association of Data Protection Professionals Europe (GADPPRO). GADPPRO is a thought leader self-regulatory association of data protection professionals based in the European Union, active around the globe and the first European Association of data protection professionals open for members outside the EU. Please visit www.gadppro.org for more information.
First appointed Data Protection Officer (DPO) ever in the Netherlands (European Union) at a semi-public entity. Seasoned European Privacy and Data Protection Expert (22+ years of practical experience in EU Privacy and Data Protection Law, Business Management, Compliance and Ethics).
Studied European and International Law, Political Sciences and Business Administration. Romeo Kadir is EIPACC EADPP Professor European Privacy & Data Protection Law at Universitas Padjadjaran UNpad (Indonesia) and Honorary Visiting Research Fellow with O.P. Jindal Global University (New Delhi), Senior Associate Fellow with Vidhi Centre for Legal Policy (New Delhi), Lecturer Science Honours Academy and Lecturer at the International Molengraaff Institute, Utrecht University (UU, Netherlands). In 2010 he was founder of the first European Data Protection Academy focusing on privacy-only executive education.
Present Occupations in European Data Protection Law
Member of the International Bar Association (IBA)
Member of the International Board of Experts with EuroPrivacy Certification Scheme (Geneva and Luxembourg)
Member of the International Strategic Board with EuroPrivacy Certification Scheme (Geneva and Luxembourg)
Member of the Swiss-Chinese Law Association (SCLA)
Former Occupations in European Data Protection Law
President European Institute for Privacy, Audit, Compliance & Certification (EIPACC)
Co-Founder/Vice-President European Association for Data Protection Professionals (EADPP)
Chair EADPP Certification Committee Data Protection Professionals,
Chair EADPP Academic Board
Chair EADPP Expert Committee on Cybersecurity
Chair EADPP Expert Committee on Artificial Intelligence (AI)
President Supervisory Board of the Dutch Privacy Complaints Office (NPKI)
Rapporteur to UN Monitoring Commission Human Rights on behalf of the Dutch Privacy Foundation (SPN)
Publications
'Handbook DPO - A Practical Guide', Privacy Publishing Group (2017)
Editor-in-Chief of ‘Data Protection Dictionary’, authored, edited and coordinated ‘Handbook for the Data Protection Officer – A practical Guide’, ‘The Ultimate GDPR Business Guide – Six Volumes’ and other relevant books in the field of privacy and data protection (www.dataprotectionbooks.com)
www.romeokadir.eu
You may also like
Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.3 Risks to free flow of personal data within the Union 44. Where the objection will refer to this particular risk, the CSA will need to clarify why it …
Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.2 Risks to fundamental rights and freedoms of data subjects 39. The issue at stake concerns the impact the draft decision as a whole would have on the data …
Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.1 Meaning of “significance of the risks” 35. It is important to bear in mind that the goal of the work carried out by SAs is that of protecting …