Regulation (EU) 2016/679 of the European Parliament and of the CouncilShow full title

Section 3 European data protection board

Article 68European Data Protection Board

1.The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality.

2.The Board shall be represented by its Chair.

3.The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

4.Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State's law.

5.The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.

6.In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Article 69Independence

1.The Board shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.

2.Without prejudice to requests by the Commission referred to in point (b) of Article 70(1) and in Article 70(2), the Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.

Article 70Tasks of the Board

1.The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

(a)monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;

(b)advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(c)advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;

(d)issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);

(e)examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;

(f)issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);

(g)issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;

(h)issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).

(i)issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;

(j)issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1);

(k)draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

(l)review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);

(m)issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);

(n)encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

(o)carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);

(p)specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;

(q)provide the Commission with an opinion on the certification requirements referred to in Article 43(8);

(r)provide the Commission with an opinion on the icons referred to in Article 12(7);

(s)provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation.

(t)issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66;

(u)promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;

(v)promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;

(w)promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.

(x)issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and

(y)maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2.Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.

3.The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.

4.The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

Article 71Reports

1.The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.

2.The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of the binding decisions referred to in Article 65.

Article 72Procedure

1.The Board shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation.

2.The Board shall adopt its own rules of procedure by a two-thirds majority of its members and organise its own operational arrangements.

Article 73Chair

1.The Board shall elect a chair and two deputy chairs from amongst its members by simple majority.

2.The term of office of the Chair and of the deputy chairs shall be five years and be renewable once.

Article 74Tasks of the Chair

1.The Chair shall have the following tasks:

(a)to convene the meetings of the Board and prepare its agenda;

(b)to notify decisions adopted by the Board pursuant to Article 65 to the lead supervisory authority and the supervisory authorities concerned;

(c)to ensure the timely performance of the tasks of the Board, in particular in relation to the consistency mechanism referred to in Article 63.

2.The Board shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.

Article 75Secretariat

1.The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.

2.The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.

3.The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.

4.Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.

5.The secretariat shall provide analytical, administrative and logistical support to the Board.

6.The secretariat shall be responsible in particular for:

(a)the day-to-day business of the Board;

(b)communication between the members of the Board, its Chair and the Commission;

(c)communication with other institutions and the public;

(d)the use of electronic means for the internal and external communication;

(e)the translation of relevant information;

(f)the preparation and follow-up of the meetings of the Board;

(g)the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.

Article 76Confidentiality

1.The discussions of the Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.

2.Access to documents submitted to members of the Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council(1).