Tuesday, 17 May 2016

Article 93(2) GDPR comitology - flowchart

Under the General Data Protection Regulation (Regulation (EU) 2016/679), the European Commission has the power to make decisions in certain areas by way of "implementing acts", subject to approval of the relevant act by a committee under Art. 93(2) of the GDPR - which will no doubt become known as the Article 93(2) Committee (or Article 93 Committee).

When considering proposals by the European Commission, this Committee must use the "examination procedure" under the EU "comitology" process, governed by Regulation (EU) No 182/2011 - the same procedure that the Article 31 Committee under the current Data Protection Directive must use.

Flowchart

Below is a flowchart I prepared showing the Article 93(2) procedure. Click on the small image below to download the full PDF flowchart (note: amended 2 June 2016 to expand on what "positive", "negative" and "no opinion" mean).

Article 93(2) GDPR

The areas where the Article 93(2) Committee procedure applies are as follows; some are quite significant so it's important to know how the procedure works.

International transfers

Most of these areas relate to "international transfers" of personal data to third countries outside the European Economic Area or to international organisations:

  • Making decisions on the adequacy of protection of a third country, a territory or one or more specified sectors within a third country, or an international organisation – Art. 45(3) – or conversely on inadequacy, and repealing, amending or suspending previous adequacy decisions – Art. 45(5)
  • Adopting standard data protection clauses for allowing international transfers (the successor to the current model clauses or standard contractual clauses) – Art. 46(2)(c)
  • Approving standard data protection clauses adopted by national data protection supervisory authorities (SAs) for allowing international transfers - Art. 46(2)(d)
  • Specifying the format and procedures for the exchange of information between controllers, processors and SAs for binding corporate rules (BCRs) – Art. 47(3).

Other areas

The Art. 93(2) procedure also applies to certain other areas:

  • Laying down standard contractual clauses for controller/processor and processor/sub-processor contracts - Art. 28(7)
  • Giving EU-wide validity to an approved code of conduct, amendment or extension submitted to it (following its approval by an SA and the European Data Protection Board) - Art. 40(9)
  • Laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks - Art. 43(9)

    (Note that the last two are relevant to international transfers also, in that transfers may be permitted to recipients who adhere to an approved code or obtain an approved certification, and who also make legally-binding commitments to apply the "appropriate safeguards" - Art. 46(2)(f).)
  • Specifying the format and procedures for mutual assistance between SAs and arrangements for the electronic exchange of information between SAs, and between SAs and the Board, in particular the standardised electronic format for SAs to supply information requested by other SAs – Art. 61(9)
  • Implementing acts of general scope to specify arrangements for exchange of information by electronic means between SAs and between SAs and the European Data Protection Board - Art. 67.