In January 2024, the EDPB published the report on the designation and position of DPOs as a result of the Coordinated Enforcement Action (“CEA”) conducted in 2023, as part of the Coordinated Enforcement Framework (“CEF”) convened in 2022.
Previously, the same committee conducted the first CEF on the use of cloud services by public administration in 2021.
The CEF, along with the creation of a pool of supporting experts (“SPE”), is considered a key action of the EDPB, aimed at simplifying enforcement and cooperation among supervisory authorities.
In this article, we will try to better understand the CEF and the CEA and how they relate to the other instruments for cooperation and coordination among national authorities provided for in the GDPR. These initiatives for cooperation and consistency among authorities lead to homogeneous readings of the GDPR and of the resulting implementation methods, which is of great relevance for overcoming interpretative fragmentation and for legal certainty.
Roles and competencies between national supervisory authorities and the EDPB
Under the regulation, without prejudice to the jurisdiction of the courts, national supervisory authorities, within their own jurisdictions, have exclusive competence to carry out investigative activities or take enforcement action in the field of personal data protection (Art. 58, GDPR).
The EDPB is responsible for ensuring consistent application of the regulation (Art. 70, GDPR).
The CEF combines these respective tasks: the EDPB provides the platform for sharing the work of the national authorities and is responsible for any guidelines and recommendations issued as the outcome of the CEA, while the national authorities carry out the investigations and subsequent enforcement actions in their respective jurisdictions, under the CEA.
Consistent application of the GDPR
The General Regulation, as stated in its title, pursues the two objectives of:
- protection of natural persons with regard to the processing of personal data, and
- free movement of data within the Union.
Consistent application of the GDPR, supported by cooperation between national authorities, facilitates the free movement of data within the EU. Therefore, the GDPR imposes obligations for coordination and cooperation among national authorities and tasks the EDPB with promoting cooperation among EU supervisory authorities.
Coordination and cooperation among national authorities
National supervisory authorities, in carrying out their tasks within their respective jurisdictions, also have a duty to coordinate and cooperate with each other (Articles 57.1(g) and 61.1, GDPR).
The regulation includes specific requirements in Chapter VII, headed “Cooperation and Consistency,” which serve coordination and cooperation between authorities, such as the one-stop-shop mechanism (Art. 60), mutual assistance (Art. 61), and joint operations (Art. 62). Added to these is the consistency mechanism (Section 2 of Chapter VII).
These provisions aim to achieve the goal of consistent application of the Regulation throughout the Union, for legal certainty and free exchange of data in the EU.