• No results found

Statutory inquiries by the DPC

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "Statutory inquiries by the DPC"

Copied!
8
0
0

Loading.... (view fulltext now)

Download now ( 8 Page )

Full text

(1)

Statutory Inquiries

by the DPC

1

Statutory Inquiries

(2)
(3)

Statutory Inquiries

by the DPC

3

As mentioned above, under the Data Protection Act 2018

(the 2018 Act), the DPC may conduct two different types

of statutory inquiry under Section 110 in order to estab-lish whether an infringement of the GDPR or the 2018

Act has occurred. These are a complaint-based inquiry or

an inquiry of the DPC’s “own volition”. A statutory

inqui-ry essentially consists of two distinct processes — the investigatory process, which is carried out by an investi

-gator of the DPC, and the decision-making process. The decision making process is carried out by a separate

senior decision-maker in the DPC who has had no role in

the investigatory process, usually the Commissioner for

Data Protection.

The objective of any inquiry is to:

establish the facts as they apply to the matters under

investigation in the inquiry;

apply the facts as found to the provisions of the GDPR and/or 2018 Act as applicable in order to analyse

whether an infringement of the GDPR and/or 2018 Act

has been identified;

make a formal decision of the DPC in relation to whether or not there is an infringement; and where an infringement has been identified, make a

formal decision on whether or not to exercise a

cor-rective power, and if so, which corcor-rective power1.

During the investigatory process of an inquiry, authorised officers may be appointed by the DPC and they may exercise a range of investigatory powers under the 2018

Act in the context of an inquiry. In addition to the general

power to issue an information notice compelling the pro

-vision of specified information to the DPC, an authorised officer has a broad range of investigatory powers at his/ her disposal enabling them to gather relevant informa -tion, documents and materials2. These include powers

of entry, search and inspection of premises, equipment,

documents and information, the removal and retention of documents and records, and requiring information and

assistance to be provided to them in relation to access to documents and records and equipment. There is also a power to apply to the District Court for a warrant to enter a premises in order to exercise the authorised officer powers.

1 Corrective powers include imposing an administrative fine

(not applicable for infringements of the LED), issuing a warn

-ing, a reprimand, a temporary or definitive ban on processing or a suspension of international data transfers or a direction to bring processing into compliance, amongst others.

2 In the context of an existing inquiry, the DPC may also launch a statutory “investigation” under Section 137. A Section 137

investigation carries specific additional investigatory powers, such as the power of the authorised officer conducting it to

hold an oral hearing. To date the DPC has not commenced any Section 137 investigations.

General description of the phases

of a statutory inquiry

Set out below in high level terms is a description of each phase of a statutory inquiry by the DPC where the DPC is acting as lead supervisory authority in relation to a cross-border processing issue, and a complaint has been

lodged with the DPC directly, or the DPC has commenced an inquiry of its own volition.

This description is not binding on the DPC but is for general illustrative purposes only, showing the provisional sequencing of phases in an inquiry. It is not determinative of the precise steps which will be followed in each inquiry, which will depend on the nature, circumstances, scope and subject matter of the inquiry. The first wave of DPC

inquiries under the GDPR and 2018 Act are currently

ongoing but will be completed during 2019. As such, the provisional sequencing set out below, may be subject

to changes arising from the crystallisation of the inquiry

process, at both national and EU level, in those cases.

In part, this description is intended to demonstrate that it is not possible for the DPC to summarily apply fines or any other corrective powers. The conduct of an inquiry by the DPC must be in accordance with due process and fair procedures.

Inquiry phases for illustration purposes:

1. Commencement/ notification phase

° Scope determination

° Notification to controller/processor of inquiry commencement

° Issuing of preliminary questions 2. Information gathering phase

° DPC investigator gathers all relevant information/

documents/ materials from the parties — may be

iterative.

3. Draft inquiry report preparation phase

° DPC investigator completes consideration of in -formation/ documents/ materials and factual and

legal analysis and drafts inquiry report

° Draft inquiry report sets out (a) findings of fact

(b) application of the law under the GDPR and/or the 2018 Act to the findings of fact, and (c) draft findings, giving reasons for them, as to whether

or not there has been one or more infringements

of the law by the controller/ processor. The draft inquiry report will not comment on the application of corrective powers.

(4)

4. Submissions phase (draft inquiry report)

° DPC investigator issues draft inquiry report to the

parties

° Parties make submissions on draft inquiry report ° Investigator considers submissions and prepares

finalised inquiry report for DPC decision-maker

5. DPC draft decision-making phase (infringement)

° DPC decision-maker considers inquiry report ° If deficiencies in investigation procedure or out

-standing issues identified, DPC decision-maker

remedies these

° DPC decision-maker makes a “draft decision” (the DPC draft decision) in relation to whether there has been one or more infringements of the GDPR and/or 2018 Act.

6. Notification of DPC draft decision & commencement of GDPR co-operation phase

° DPC decision-maker notifies DPC draft decision to

other concerned EU data protection authorities (DPAs) via the IMI platform

7. Concerned DPA objections phase — if applicable

° DPAs may raise any “relevant and reasoned objec-tion” to the DPC draft decision

° DPC decision-maker considers any such objections and may revise the DPC draft decision

8. EDPB Dispute Resolution phase — if applicable

° EDPB dispute resolution triggered if DPC

decision-maker considers it cannot implement

a concerned DPA objection

° EDPB votes by majority on subject matter of any “relevant and reasoned objection”

° EDPB decision adopted by DPC decision-maker and DPC Draft Decision is revised, as required,

under phase 9 below

9. DPC final decision making (infringement) phase

° DPC decision is finalised

10. Notification of final decision (infringement) phase

° Final DPC decision notified to parties, including any

decision of the EDPB dispute resolution phase

° Right of appeal by either party against the final decision

11. Decision-making phase (corrective power) — if applicable3

° DPC decision-maker decides what corrective pow

-ers including administrative fines apply

° May invite, if relevant, submissions of parties ° Decision on corrective power notified to the

parties

° Right of appeal by controller/ processor against

decision on corrective power

12. Court confirmation phase — if applicable (administrative fine only)

° If administrative fine not appealed by controller/

processor within 28 days, DPC applies to the Irish Court to confirm fine

(5)

Statutory Inquiries

by the DPC

5

Process Flow of the Phases

of a Statutory Inquiry

(6)
(7)

Statutory Inquiries

by the DPC

7

(8)

Data Protection Commission, 21 Fitzwilliam Square,

Dublin 2.

www. dataprotection.ie Email: [email protected]

Tel: 0761 104 800

References

Download now ( PDF - 8 Page - 8.36 MB )

Related documents

Zakat Compliance Intention Behavior on Saving Among Universiti Utara Malaysia's Staff

Because of this, this study is motivated to investigate zakat compliance intention on saving among employees of Universiti Utara Malaysia by using theory of

Getting Virtualized Wireless Sensor Networks IaaS Ready for PaaS

In vWSN IaaS, if we consider the example of Java SunSpots, the Squawk virtual machine [24] provides a similar type of abstraction that allows multiple VSs to access the

Auction Friday & Saturday, Sept. 26 & 27, 2014

1974 Chevrolet Corvette RestoMod Coupe 1975 Pontiac Grand Ville Convertible 1969 Chevrolet Impala Convertible. 866-495-8111 •

Beekeeping - Certificate III. Participants Learning Guide. BSBCMN304A Contribute to personal skill development and learning

The Commonwealth of Australia, the Department of Agriculture, Fisheries and Forestry, Australian Honey Bee Industry Council, the authors or contributors do not assume liability of

A Natural Export: International Connections, Conservation Co-Operation, and How the National Park Idea Became "America's Best Idea"

Finland’s connections to the American national park idea were bolstered by organized international and American park programs such as the world conferences on national parks and

Parenting style and reactive and proactive adolescent violence: evidence from Spain

In the Bonferroni test (α = 0.05), we found that the two groups of male adolescents aged 15 to 18 years, from authoritarian and neglectful families, obtained higher scores in

Assessment of the Entrepreneurship Level of the University Students at the Sports Management Departments

As the result of the study shows that there are significant differences between the findings related to the level of entrepreneurship of the students in the

28TH ANNUAL JUNIOR JUNKANOO PARADE OFFICIAL RESULTS KING & QUEEN COMPETITION PRESCHOOLS

ANATOL RODGERS HIGH SCHOOL 0PTS PLEASE NOTE THAT A 1O POINT PENALTY WAS APPLIED TO THE FOLLOWING SCHOOLS FOR NOT ENTERING THE PARADE IN ITS ORDER OF ENTRY NUMBER. MT