(135) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established. That mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that such matter should be handled in the consistency mechanism. That mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.
(136) In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation.
(137) There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. A supervisory authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity which should not exceed three months.
(138) The application of such mechanism should be a condition for the lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned should be applied and mutual assistance and joint operations might be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.
There is no recital in the Directive related to article 63.
Article 63 introduces a control principle for overall consistency in applying the Regulation across the EU, including requiring the supervisory authorities to cooperate with each other and with the Commission through the mechanisms set out in Article 64 to Article 67.
A brief outline of these mechanism are:
- Requesting the opinion of the European Data Protection Board on some draft decisions of national authorities before adopting them (Art. 64);
- Requesting a binding decision of the European Data Protection Board in case of disputes between national authorities (Art. 65);
- Allowing an authority, in some cases, to adopt provisional measures under an urgency procedure (Art. 66 (1) or even definitive measures after requesting the urgent opinion of the European Board (Art. 66 (2)).
The Directive did not address any consistency requirements for the supervisory authorities.
A system to ensure the consistency of the application of the Regulation is essential, especially as there is real room for manoeuvring left to the States in the application of the Regulation. Let’s hope that the system is not too restrictive and will not result in significantly slowing down the decision-making processes of the national authorities.
In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.
1st proposal close
For the purposes set out in Article 46(1), the supervisory authorities shall co-operate with each other and the Commission through the consistency mechanism as set out in this section.
2nd proposal close
1. For the purpose set out in Article 46(1a), the supervisory authorities shall co-operate with each other through the consistency mechanism as set out in this section.
2. The European Data Protection Board shall issue an opinion whenever a competent supervisory authority intends to adopt any of the measures below (…). To that end, the competent supervisory authority shall communicate the draft decision to the European Data Protection Board, when it:
(c) aims at adopting a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 33(2a);
or (ca) concerns a matter pursuant to Article 38(2b) whether a draft code of conduct or an amendment or extension to a code of conduct is in compliance with this Regulation;
or (cb) aims at approving the criteria for accreditation of a body pursuant to paragraph 3 of Article 38a or a certification body pursuant to (…) paragraph 3 of Article 39a;
(d) aims at determining standard data protection clauses referred to in point (c) of Article 42(2);
or (e) aims to authorising contractual clauses referred to in point (d) of Article 42(2);
or (f) aims at approving binding corporate rules within the meaning of Article 43.
3. The European Data Protection Board shall adopt a binding decision in the following cases:
a) Where, in a case referred to in paragraph 3 of Article 54a, a concerned supervisory authority has expressed a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected an objection as being not relevant and/or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of the Regulation;
b) Where, there are conflicting views on which of the concerned supervisory authorities is competent for the main establishment;
d) Where a competent supervisory authority does not request the opinion of the European Data Protection Board in the cases mentioned in paragraph 2 of this Article, or does not follow the opinion of the European Data Protection Board issued under Article 58. In that case, any concerned supervisory authority or the Commission may communicate the matter to the European Data Protection Board.
4. Any supervisory authority, the Chair of the European Data Protection Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the European Data Protection Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56.
5. Supervisory authorities and the Commission shall electronically communicate to the European Data Protection Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other concerned supervisory authorities.
6. The chair of the European Data Protection Board shall without undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the European Data Protection Board shall, where necessary, provide translations of relevant information.
No specific provision
See DSG-Text concerning Art 51 GDPR (Link).
In force until May 25, 2018:
Communication to the European Commission and to the other Member States of the European Union
§ 54 DSG 2000
(1) The Federal Chancellor shall communicate to the European Commission whenever a federal law concerning the right to process sensitive data has been adopted upon its promulgation in the Federal Law Gazette.
(2) The Data Protection Authority shall communicate to the other member states of the European Union and the European Commission in which cases
1. no permit was issued for abroad data flows to a third country because the requirements of § 13 para. 2 sub-para 1 were considered not to have been met;
2. a permit was issued for abroad data flows to a third country without an adequate level of data protection because the requirements of § 13 para. 2 sub-para 2 are deemed to have been met.