The European Data Protection Board (EDPB) is an independent European body entrusted with guaranteeing the consistent application of the data protection rules (not only the GDPR but also the Law Enforcement Directive, which governs data protection in the specific domain of law enforcement) across the European Union and the European Economic Area (which additionally includes Iceland, Liechtenstein and Norway). For that purpose, it issues guidelines and opinions on matters of importance and issues binding decisions in case of dispute between national data protection authorities.
It is composed of representatives of the different national data protection authorities and the European Data Protection Supervisor (EDPS). The European Commission also participates in its meetings, but it does not have voting powers.
The EDPB was established by the GDPR. While the previous Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) was in force, the European data protection authority was the so-called Article 29 Data Protection Working Party, which ceased to exist as of 25 May 2018.
The national data protection authorities (Recitals 117 to 123, Articles 51 to 59 of the GDPR) are independent public authorities set up by Member States to supervise compliance with the GDPR. Their main competencies are:
- Investigate possible violations of the data protection norms;
- Sanction the wrongdoers;
- Handle complaints presented against legal and natural persons under their authority;
- Provide expert advice on data protection issues.
Their geographical competence is determined by the country where the data processing activities take place. The list of all national data protection authorities can be found here.
One issue that arose regarding the competence of national data protection authorities is whether they may investigate potential breaches of the GDPR (in the particular case, unlawful data transfers to third countries) when the European Commission has already taken a position on the matter. As per the judgement of the Grand Chamber of the Court of Justice of the European Union (Maximillian Schrems v. Data Protection Commissioner, 6 October 2015), the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities. However, it is ultimately for the Court of Justice to decide whether or not a Commission decision is valid.
Besides data protection authorities with national scope, there can also be regional authorities, as allowed by Article 51(3) of the GDPR, which establishes that when there are several data protection authorities in one Member State there should be one main authority that represents all other authorities in the EDPB.
However, up until now, only Germany has used this possibility. Germany is composed of 16 states (Bundesländer), and all have their own Data Protection Authority, alongside one federal supervisory authority.
The EDPB should not be confused with the European Data Protection Supervisor (EDPS), an independent supervisory authority originally established by Regulation (EC) No 45/2001, and currently regulated by Regulation (EU) No 2018/1725. The main functions of the EDPS are:
- Ensure the protection of personal data and privacy rights within the activities performed by European bodies and institutions;
- Advise EU institutions and bodies in various matters related to data protection;
- Intervene before the European Court of Justice to provide expert advice on data protection issues;
- Supervise new technologies that could put personal data at risk;
- Cooperate with national data protection authorities.