Fields marked with * are mandatory.
Contribution ID: de3ce77d-9d2b-4f03-a400-ac70e9470888
Date: 14/12/2023 09:49:02
Report on the application of the GDPR under Article 97
Questions to Data Protection Authorities / the European Data Protection Board
1
Introduction
According to Article 97 of the GDPR, the Commission should submit a first report on the evaluation and
review of the Regulation to the European Parliament and the Council by 25 May 2020, followed by reports
every four years thereafter. The Commission’s first report was adopted on 24 June 2020 (the ‘2020 report’).
[1] The next report is due by mid-2024 (the ‘2024 report’).
In this context, the Commission should examine, in particular, the application and functioning of:
Chapter V on the transfer of personal data to third countries or international organisations with
particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions
adopted on the basis of Article 25(6) of Directive 95/46/EC; and
Chapter VII on cooperation and consistency.
The GDPR requires that the Commission takes into account the positions and findings of the European
Parliament and the Council, and of other relevant bodies and sources. The Commission may also request
information from Member States and supervisory authorities.
Against this background, this document seeks to obtain the views of the European Data Protection Board
on the abovementioned points. As was also done for the 2020 report, this document also seeks to obtain
information from data protection authorities (DPAs) on their enforcement of the GDPR and on activities
undertaken to promote awareness of data protection rights and obligations.
We would be grateful to receive replies to the below questions (in English) by 15 December 2023.
In 2020, the European Data Protection Board provided a consolidated contribution of the individual replies
of the DPAs to the questionnaire circulated in preparation of the 2020 report.[2] The Commission would be
grateful if the Board would again provide such a contribution, in addition to providing the individual replies
of DPAs. When there are several DPAs in a given Member State, please provide a consolidated reply at
national level. In the context of the preparation of the report, and following the input from other
stakeholders, it is not excluded that we might have additional questions at a later stage.
Please note that your replies might be made public or may be disclosed in response to access to
documents requests in accordance with Regulation (EC) No 1049/2001.
[1]
Communication from the Commission to the European Parliament and the Council, Data protection as a
pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of
the General Data Protection Regulation, 24.6.2020, COM(2020) 264 final.
[2]
https://edpb.europa.eu/sites/default/files/files/file1/edpb contributiongdprevaluation 20200218.pdf
2
Supervisory Authority
*
2.1 Select your supervisory Authority
Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
EDPS
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Latvia
Liechtenstein
Lithuania
Luxembourg
Malta
Netherlands
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
The NL SA supports adequacy decisions as a durable means to keep personal data protected outside the
borders of the EEA. We believe that all countries or international organisations that fulfil the criteria should
be considered for a possible adequacy decision. However, we also strongly believe that the standards for
adequacy should not be watered down, and that the Commission should only consider countries or
international organisations for adequacy which can guarantee an adequately high standard of protection for
personal data.
As of yet, the NL SA does not consider that the data protection framework of any third country or
international organisation should be considered by the Commission in view of a possible adequacy decision,
as in the view of the NL SA no other third country or international organisation meets the required threshold.
United Kingdom
United States of America
Sweden
3
Chapter V
*
3.1 In your view, should the data protection framework of any third country or international
organisation be considered by the Commission in view of a possible adequacy decision?
Yes
No
*
3.2 If yes, of which third country or international organisation?
*
3.3 The Commission is interested in the views of the Board on the third countries for which
enforcement cooperation agreements under Article 50 GDPR should be prioritised, in particular in
light of the volume of data transfers, role and powers of the third country’s supervisory authority
and the need for enforcement cooperation to address cases of common interest. Please mention
the countries that, in your view, should be prioritised and the reasons.
3.4
Reasons for prioritisation if there should be any:
3.5
Are there any other suggestions or points you would like to raise as regards tools for
international transfers and/or enforcement cooperation with foreign partners?
4
Chapter VII
In July 2023, the Commission adopted a proposal for a regulation laying down additional procedural rules
relating to the enforcement of the GDPR.[1] The DPAs and the EDPB provided extensive input to the
Commission during the preparation of the proposal and following adoption, the EDPB and the EDPS
adopted a joint opinion on the proposal on 19 September 2023.[2] The questions below focus on DPAs’
application and enforcement of the GDPR and do not seek DPAs’ views on the proposal.
---
[1] Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the
enforcement of Regulation (EU) 2016/679, COM/2023/348 final.
[2] https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-012023-proposal en
4.1
Cooperation Mechanism
4.1.1
One-stop-shop (OSS) Article 60 GDPR
The EDPB Secretariat will extract from IMI the numbers regarding the OSS cases where your DPA has
been in the lead and concerned since 25 May 2018.
The Dutch SA would like to raise three points:
1. The NL SA encourages the Commission to draft and publish SCCs for wider application, such as the
2. The NL SA supports BCRs as a viable tool for transfers. However, the procedure for approval of
BCRs is too complicated and time-consuming for wide application. The NL SA would support models or
modular templates for BCRs to streamline the process.
3. The NL SA points out that there is no procedure for approval of ad-hoc CCs (Article 46(2)(d) GDPR),
which means that ad-hoc CCs cannot be applied at all in practice at this time.
In our experience, the controllers we encounter most often that operate outside the OSS (no establishments
inside the EU) are situated in the USA and the UK. This means that during the investigation (fact-finding) help
from the ICO and FTC is sometimes necessary to obtain the cooperation of the controller or to get the ICO
and FTC to hand over case files. Second, we have also experienced that we have to or want to impose punitive
sanctions (fines or orders), but have no way to collect the fine or enforce the order as the controllers are
situated abroad. It would be beneficial in both situations if there were effective enforcement cooperation.
The NL SA submitted formal RROs in 8 cases. Topics addressed:
- Sanctioning and/or calculation of fines
- Legal grounds / conformity with Article 6 and 7
- Determination of data controllership, joint controllership
- Interpretation of the concept of anonymization
- Scope of decision does not match scope of complaint lodged
In 2 cases, consensus was reached with the LSA (Belgium, Cyprus).
In 6 cases, no consensus with the LSA was reached (Ireland (6x)).
The EDPB Secretariat will extract from IMI the numbers regarding whether your DPA has been in the
situation of the application of the derogation provided for in Article 56(2) GDPR (so-called “local cases”, i.e.
infringements or complaints relating only to an establishment in your Member State or substantially
affecting data subjects only in your Member State).
4.1.1.1
Do you have any comment to make with respect to the identification and handling of local
cases under Article 56(2) GDPR?
Yes
No
*
4.1.1.3 Did you raise relevant and reasoned objections?
Yes
No
*
4.1.1.4 In how many cases did you raise relevant and reasoned objections?
*
4.1.1.5 Which topics were addressed?
*
4.1.1.6 In how many did you reach consensus with the LSA?
4.1.2
Mutual assistance Article 61 GDPR
*
4.1.2.1 Did you ever use Mutual Assistance - Article 61 procedure in the case of carrying out an
investigation?
Yes
No
*
4.1.2.3 Did you ever use Mutual Assistance - Article 61 procedure in the case of monitoring the
implementation of a measure imposed in another Member State?
In the experience of the NL SA, Mutual Assistance is working quite well. Often a more informal request
is made (voluntary Mutual Assistance). This way of information exchange is used on a daily basis and is
generally effective. Clarifications on certain aspects of Mutual Assistance under Article 61 of the GDPR are
necessary. EDPB guidance is expected to be able to provide most of those clarifications.
To date, there has not been an appropriate case for this.
With regards to question 4.1.3.1, the NL SA would like to clarify the following:
Although staff has not yet been exchanged, the NL SA is currently involved in 3 A62JO cases, where an
investigation is carried out in cooperation with other SAs.
A joint investigative action has been performed together with the FR SA in the shape of a joint on-site inspection
of a controller.
Yes
No
*
4.1.2.5 What is your experience when using Mutual Assistance - Article 61 procedure?
4.1.3
Joint operations Article 62 GDPR
*
4.1.3.1 Did you ever use the Joint Operations - Article 62 procedure (both receiving staff from
another DPA or sending staff to another DPA) in the case of carrying out an investigation?
Yes
No
*
4.1.3.3 Did you ever use Joint Operations in the case of monitoring the implementation/enforcement
of a measure imposed in another Member State?
Yes
No
*
4.1.3.4 Could you explain why you have never used Joint Operations - Article 62 procedure for
implementation/enforcement of a measure imposed in another Member State?
*
4.1.3.5 What is your experience when using Joint operations - Article 62 procedure?
telecommunications. Article 15.1 appoints the NL SA as supervisory authority as mentioned in art. 19(2)
of Regulation (EU) 910/2014 (eIDAS). In this regulation, Articles 17, 19 and 20 grant the NL
SA supervisory competences.
Other
Finally, Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law,
together with our national implementing legislation, allocates to the NL SA the task to receive and
follow up reports within the scope of our authority as laid down in Article 2 of the directive.
Regulation (EU) 1141/2014 on the statute and funding of European political parties and European
political foundations also allocates a task to the NL SA in Article 10a(2).
Future (possible) additional tasks
For the foreseeable future, the NL SA expects to be entrusted with additional tasks.
Digital/Data Strategy
- The NL SA expects that the upcoming AI Act (not yet adopted) and possible implementing
legislation might carry with them additional tasks for the NL SA, even though it cannot be said
with certainty at this point which tasks.
- The NL SA expects that the Digital Services Act (DSA) and the upcoming Dutch implementing
legislation (not yet in force) will entrust supervisory and advisory tasks to the NL SA relating to
Article 26(3) and 28(2) of the DSA, which regulate the prohibition of advertisement based on
profiling using special categories of personal data, and the prohibition of advertisement for
minors based on profiling, and Article 40(8)(d) of the DSA, which regulates the advisory task
regarding the judgement whether a researcher meets the requirements laid down in this Article.
For this, the NL SA was up until now granted additional funding equivalent to 0,9 FTE, which
was included in the DCA funding from 2024 (see above).
- The NL SA expects that the Data Governance Act (DGA) and the upcoming implementing
legislation (not yet in force) will entrust advisory tasks to the NL SA relating to Article 12(e), (h),
(m) and (n).
- The NL SA expects that the upcoming Data Act (not yet in force) and possible implementing
legislation might carry with them additional tasks for the NL SA, even though it cannot be said
with certainty at this point which tasks.
4.4.5
Please explain, if needed:
45
4.4.6
How would you assess the sufficiency of the resources from your DPA from a human,
financial and technical point of view?
Sufficient
Insufficient
*
Human Resources
*
Financial resources
*
Technical Means
*
4.4.7 Is your DPA properly equipped to contribute to the cooperation and consistency mechanisms?
Yes
No
*
4.4.8 How many persons (FTE) work on the issues devoted to the cooperation and consistency
mechanisms?
5
Enforcement
5.1
Complaints
5.3
Corrective measures
Given the limited number of fines imposed, it is difficult to speak of violations that "normally" result in a fine.
In general the following can be said.
Article 6 GDPR: Unlawful processing - In most cases, there was no legal basis for the processing
because the controller wrongly relied on legitimate interest. An important circumstance appears to be that
personal data is processed without the knowledge of the data subject, for commercial purposes.
Article 32 GDPR: Security measures - In particular in governments that possess a lot of data and have
taken no or insufficient measures to, for example, (1) prevent data (by telephone) from being given to the
wrong person; or (2) prevent a large amount of defamatory data from being processed without checking its accuracy.
Article 12 + 13/14 GDPR: Transparency - Processing personal data without (sufficiently) informing data
subjects.
5.3.4
Please provide examples of the type of circumstances and infringements that normally
resulted in a fine and include the provisions of the GDPR breached.
5.4
Challenges to decisions in national courts
Incomplete/wrong assessment of the legal ground.
*
5.4.2 Where challenges were successful, what were the reasons of the national courts?
6
Promoting awareness of rights and obligations
*
6.1 Provide details of activities undertaken (publication of guidance, publicity campaigns, etc.) to
promote awareness of data protection rights and obligations among the public and data controllers
and processors. Where relevant, provide links to materials.
The Dutch SA has undertaken the following activities to promote awareness of data protection rights and
obligations among the public and data controllers and processors.
Notably, the activities include a myriad of compliance-related tasks of the NL SA entrusted by the GDPR that
were regrettably omitted from the survey.
Compliance-promoting activities
2020
Codes of conduct (art 40 GDPR): 3
Prior consultations (art 36 GDPR): 8
Guidance for DPOs through individual Q&As by e-mail or telephone: 1214
Certification (art 42 GDPR): 1
Compliance enhancing interventions: 298
Permits for the processing of personal data of a criminal nature (art 33 Dutch GDPR Implementation Act): 65
Exploratory studies (published on www.autoriteitpersoonsgegevens.nl, most in Dutch only):
- Compliance with audit obligation for extraordinary investigating officers
- Proctoring and online video calling in educational sector
- Manufacturers and suppliers of facial recognition cameras
- Update study on smart cities
Guidance (published on www.autoriteitpersoonsgegevens.nl, most in Dutch only):
- Guidance for taking care of personal data in case of bankruptcy
- Privacy tips for use of connected cars
- Use of facial recognition in supermarkets
- Guidelines on the interplay of the second payment directive and the GDPR
- Recommendations on processing agreements in the private sector
- Covid19-related:
  - measuring temperature of employees
  - recommendations on Covid19-app
  - recommendations on sharing telecom data in the fight against Covid19
  - privacy selection aid for video calling apps
  - privacy tips for working safely from home
2021
Codes of conduct (art 40 GDPR): 5
Prior consultations (art 36 GDPR): 10
Guidance for DPOs through individual Q&As by e-mail or telephone: 1309
Certification (art 42 GDPR): 0
Compliance enhancing interventions: 233
Permits for the processing of personal data of a criminal nature (art 33 Dutch GDPR Implementation Act): 264
Exploratory studies (published on www.autoriteitpersoonsgegevens.nl, most in Dutch only):
- Smart cities
- Inventory on use of microtargeting in the run-up to the Dutch elections for the House of Representatives
- Privacy risks in the educational sector
Guidance (published on www.autoriteitpersoonsgegevens.nl, most in Dutch only):
- Privacy manual for election campaigns
- Website dossier on algorithms and Artificial Intelligence
- Guidance on Dutch municipal debt assistance law
- Guidance on positioning Data Protection Officers
- Guidance on intersectoral sharing blacklists containing criminal data
- Techblogpost on practical issues with anonymisation of hashes
- Guidance for works councils on the protection of privacy in the workplace
- Advice on the use of Google workspace in the educational sector
2022
Codes of conduct (art 40 GDPR): 4
Prior consultations (art 36 GDPR): 4
Guidance for DPOs through individual Q&As by e-mail or telephone: 901
Certification (art 42 GDPR): 1
Compliance enhancing interventions: 111
Permits for the processing of personal data of a criminal nature (art 33 Dutch GDPR Implementation Act): 324
Guidance (published on www.autoriteitpersoonsgegevens.nl, most in Dutch only):
- Guidance on GDPR for city council members
- Infographic and animated film for small and medium-sized businesses
- Advice on use of Qatari apps during the world cup football in Qatar
2023 (up to and including Q3 2023, i.e. until 30 September 2023)
Codes of conduct (art 40 GDPR): 1
Prior consultations (art 36 GDPR): 2
Guidance for DPOs through individual Q&As by e-mail or telephone: 500 (*estimate)
Certification (art 42 GDPR): 0
Compliance enhancing interventions: 120 (*estimate)
Permits for the processing of personal data of a criminal nature (art 33 Dutch GDPR Implementation Act): 200 (*estimate)
Exploratory studies (published on www.autoriteitpersoonsgegevens.nl, most in Dutch only):
- Follow up report on compliance with audit obligation for extraordinary investigating officers
- Algorithmic Risks Report (First Algorithmic Risks Report Netherlands calls for additional action to control
algorithmic and AI risks | Autoriteit Persoonsgegevens)
Guidance (published on www.autoriteitpersoonsgegevens.nl, most in Dutch only):
- DPO-day (congress for DPO’s with guidance, information on all kinds of topics, 600 DPO’s present)
- Advice about better help for people with serious debts
- Advice on use of COVID19 vaccination data for research on mortality rates
Communication/publicity campaigns
- Issued over 300 press releases and news published on NL SA website
- Launched new NL SA website mid 2023
- 2 animated films about data breaches and complaints
- Organised Open House in June 2023 for general public with info sessions on diverse topics, over 200 visitors
- Privacy campaign with 11 ‘privacy stories’ on the website about fictional but current privacy issues
- Issued 8 newsletters per year, 4 for DPOs and 4 general
- Annual reports
- Organised 2 expert sessions with journalists for national news outlets, 1 on GDPR general and 1 on data
breaches
- Started to report directly to the Dutch House of Representatives on questions asked to the responsible Minister
through official reports
- Published 7 stories of NL SA staff about their work at the NL SA on the website
- Developed an App and a curriculum/teaching package for young people called Je Telefoon de Baas (free
translation: ‘Take Charge of Your Phone’, literally: ‘Boss of Your Phone’).
Public affairs
The NL SA participates in ‘round table discussions’ in the Dutch parliament. Furthermore, the NL SA publishes
position papers, which can be found at
https://www.autoriteitpersoonsgegevens.nl/documenten?f%5B0%5D=document type%3A30.
In addition, the NL SA issues legislative advice as well. Our advices can be found at
https://www.autoriteitpersoonsgegevens.nl/documenten?key=&created%5Bmin%5D=2018-01-
01&created%5Bmax%5D=&f%5B0%5D=document type%3A6. In 2018 the NL SA issued legislative advice 82
times, and in the following years 105 (2019), 120 (2020), 106 (2021) and 106 (2022) times.
Digital/Data Strategy
The NL SA has been designated as the coordinating authority with regard to algorithm supervision in The
Netherlands. Therefore, the NL SA established the Department for the Coordination of Algorithmic Oversight
(DCA) within the NL SA. The DCA was launched in early 2023 to fulfil this new task, based on a parliamentary
mandate. This task was allocated to the NL SA in response to the desire to better protect public values and
fundamental rights when developing and using algorithms. The focus of the DCA is on improving the protection
of public values and fundamental rights, such as preventing discrimination and arbitrariness and promoting
transparency. Furthermore, the DCA considers the fairness of algorithms and the prevention of deceptive or
misleading information. The three main activity areas of the DCA are: strengthening supervisory collaboration
and promoting and facilitating joint standard setting and guidance for organisations, cross-sectoral and
overarching risk identification, and developments in policies and regulations regarding oversight issues. Further
legal bases for additional activities are expected to follow in 2025 or 2026. The NL SA has received additional
funding for the supervisory tasks in this area:
- From 2023 onwards: structurally EUR 1 million per year, equivalent to 6,5 FTE;
- From 2024 onwards: structurally EUR 2 million per year, equivalent to 13 FTE.