The European Data Protection Supervisor (EDPS) is a Member of the European Data Protection Board. In addition, the EDPS provides the EDPB Secretariat. The Secretariat offers administrative and logistic support to the EDPB, performs analytical work and contributes to the EDPB’s tasks.
Although staff at the Secretariat is employed by the EDPS, staff members only work under the instructions of the Chair of the EDPB.
How can I apply for the European Data Protection Seal?
Controllers should formally submit their EU-wide certification criteria to:
the competent data protection authority (DPA) in the EEA country where the scheme owners have their headquarters;
the competent data protection authority (DPA) in the EEA country where a certification body operating the certification mechanism have their headquarters, considering the member state in which the most certificates are likely to be issued.
The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities (DPAs), as well as the DPAs of Iceland, Liechtenstein and Norway (the European Economic Area or EEA).
Where can I find documents that were adopted during a recent/the latest EDPB plenary?
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
Once published, recently adopted documents will be listed under “latest publications” on the main page of this website.
You can also find overviews of the documents adopted per plenary on the EDPB news page.
Who are the members of the Board?
The EDPB brings together the EU DPAs and the European Data Protection Supervisor (EDPS). The EEA EFTA countries (Iceland, Liechtenstein and Norway) are also members with regard to GDPR-related matters and without the rights to vote and to be elected as chair or deputy chair. The European Commission and - with regard to GDPR-related matters - the EFTA Surveillance Authority have the right to participate in the activities and meetings of the Board without voting rights.
Can a Data Protection Authority (DPA) challenge an Art. 65 GDPR decision by the EDPB?
As addressees of the EDPB decisions, the relevant Data Protection Authorities (DPAs) that wish to challenge these decisions can bring an action for annulment before the European Court of Justice (CJEU) within two months of being notified.
I have received a communication from someone claiming to be working for the EDPB informing me that I am not in compliance with the GDPR, is this something the EDPB does?
Please note that the EDPB does not contact individuals, via phone or other means of communication, to inform them of such matters.
Therefore, it could be that the call you received represents a phishing attack targeting you abusing our name.
I submitted feedback to a public consultation, but I cannot see my comments on the public consultation page. How do I know that my feedback was received by the EDPB?
All comments submitted are screened and reviewed manually before being displayed on our website. There should have been a visual confirmation after submitting your comments on our website.
In any case, please allow for some time before your comments are published.
I think my data protection rights have been violated, what can I do?
If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.
DPAs can conduct investigations and impose sanctions where necessary. You can find the contact details for all EEA DPAs here.
In which cases is the dispute resolution mechanism of Art. 65.1 (c) GDPR triggered?
While Art. 65 (a) and (b) relate to the one-stop-mechanism, Art.65.1 (c) GDPR concerns obligations of Data Protection Authorities (DPAs) stemming from the consistency mechanism.
More specifically, every competent DPA has the duty to request an opinion from the EDPB before adopting national measures pursuant to article 64.1 GDPR. Such measures include lists of processing operations for which a Data Protection Impact Assessment (DPIA) is required, or the approval of a new set of standard clauses. In addition, under Art. 64.2 GDPR, any SA may also request an EDPB consistency opinion on any matter of general application or producing effects in more than one Member State.
If an DPA does not request the opinion of the EDPB for the cases listed under Art. 64.1 GDPR or does not follow the EDPB opinion issued under Art. 64 GDPR, any DPA and the European Commission can launch the dispute resolution procedure of Art. 65.1 (c) GDPR about the matter.