What is self-regulation under the GDPR?
An organization’s supervision and enforcement of its own policies, processes, and procedures.
Examples: through risk assessments, control implementation, and ongoing monitoring
How does GDPR support self-regulation?
- Through accountability
- DPOs
- Codes of conduct
- Certifications
- Controller-processor relationship requirements
When is a DPIA required under Article 35?
When processing is likely to result in high risk to individuals’ rights and freedoms.
What is a key feature of DPIA-related consultation?
Consultation with a DPA is required if high risk remains despite mitigation measures.
What is the role of a Data Protection Officer?
(DPO)
A supervisory and enforcement figure required to cooperate with DPAs and not subject to dismissal.
How is a DPO described under GDPR?
More like a quasi-regulator than a traditional employee.
Why should organizations follow a code of conduct?
To enhance and demonstrate compliance, build trust, apply best practices, and gain competitive edge.
Who drafts a code of conduct?
A representative body
Example: an industry association
To whom is a national code of conduct submitted for approval?
The competent Data Protection Authority
(DPA)
To whom is a transnational code of conduct submitted?
The European Data Protection Board
(EDPB)
What happens after a code of conduct is approved?
It is published and subject to ongoing monitoring.
What are the requirements for a monitoring body?
- Independence
- Expertise
- Procedures for monitoring
- Complaint handling
- Violation response capacity
What roles do DPAs retain with codes of conduct?
Supervisory and enforcement roles
Includes levying fines and revoking accreditation
What is a key feature of certification under GDPR?
Provides outward transparency and a visible certificate, seal, or mark.
How long is certification valid?
Up to 3 years
How is a code of conduct different from certification?
A code is:
- Internal
- Sector-specific
- Demonstrates compliance to regulators
What is the consistency mechanism?
A cooperation framework among:
- Supervisory authorities
- EDPB
- European Commission
Ensures consistent GDPR application across EU.
How do organizations identify the appropriate DPA for transnational codes?
By considering:
- Processing activity
- Sector
- Data subjects affected
- Location of code or monitoring body headquarters
What options do data subjects have to enforce GDPR rights?
- Litigate within national framework
- File complaint with DPA
What is typically the easiest and cheapest way to enforce GDPR rights?
Filing a complaint with the Data Protection Authority
(DPA)
Where can data subjects file a GDPR complaint?
- Place of residence
- Place of work
- Where the infringement occurred
What are representative actions?
Group litigation/class actions to help citizens collectively enforce GDPR rights.
Who can represent individuals in representative actions?
- Civil Society Organizations
- Privacy advocates
- Pressure groups
What types of damage can compensation claims cover?
- Material (financial loss)
- Non-material (emotional distress, reputational harm)
-
Early Data Protection Laws74
-
EU Institutions & Other Data Protection Laws94
-
Personal Data & Controller-Processor Relationship55
-
Risk Management & Data Subject Rights106
-
Data Processing Principles & Special Categories of Data69
-
Fair Processing Information & Third Country Data Transfers53
-
Territorial and Material Scope & Accountability56
-
Self-regulation & the European Data Protection Board63
-
Employee Data34
-
Surveillance and Direct Marketing64
-
Important Technology Concepts42
