Who is the actor?
The European Data Protection Board (EDPB) is a “body of the Union” with “legal personality” established based on Art. 68 GDPR. It is composed of a supervisory authority of each member state plus the EDPS (The European Data Protection Supervisor, which will be introduced later on). The EDPB replaced the Article 29 Data Protection Working Party (WP29) when the GDPR came into effect. In doing so, it has also endorsed some of the guideline’s opinions of the working party.
The EDPB is responsible for a significant number of tasks that are listed in Art. 70 GDPR. These tasks include, but are not limited to, issuing guidelines, opinions, recommendations and best practices on the application of the GDPR, advising the European Commission on matters regarding the GDPR and promote the exchange of knowledge and information between different supervisory authorities.
Most importantly, the EDPB is concerned with the consistent application and interpretation of the GDPR in all Member States. According to Art. 65(1) GDPR, the EDPB shall adopt binding decisions should a lead supervisory authority not follow an opinion provided by the EDPB or if there exist conflicting views on the application of the GDPR by different supervisory authorities. Such instances trigger “Consistency Mechanism” by which the EDPB may issue opinions on how the GDPR is to be applied across multiple member states. If the supervisory authorities of these member states fail to respect an opinion by the EDPB, the EDPB can make binding decisions, which have to be respected by the supervisory authorities, in order to solve disputes.
What are its tasks?
The EDPB is assigned to advise the European Commission on issues related to personal data protection and on the format and procedures for information exchange between controller, processors and supervisory authorities as well as on certification. In addition, it promotes the cooperation and effective bilateral and multilateral exchange of information and best practices between supervisory authorities. It issues guidelines, recommendations and best practices and examine any questions regarding these or the GDPR. Accreditation of certification bodies and their periodical review is done by the EDPB. Furthermore, it draws up an annual report on protection of natural persons, processing in the Union, third countries and international organizations.
What are its rights and responsibilities?
The EDPB acts independently when performing its tasks.
To fulfil its tasks, the EDPB can publish and establish binding decisions, opinions and guidelines. For instance, the EDPB endorsed the guidance by WP29, for instance on consent, transparency and many more, and published additional guidance. As stated before, the EDPB can issue opinions and binding decisions on the application of the GDPR in member states.
2The European Data Protection Board, (EDPB), Endorsement 1/2018, https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf (last visited 24.11.2020). ↑
3Art. 65(1) GDPR “Dispute resolution by the Board” ↑
4See “Consistency Findings”, EDPB available at https://edpb.europa.eu/our-work-tools/consistency-findings_en (last visited 25.11.2020) ↑
5Endorsement 1/2018, EDPB, available at https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf (last visited: 25.11.2020) ↑
6See “GDPR: Guidelines, Recommendations, Best Practices”, https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en for a list of guidelines and recommendations provided by the EDPB ↑