Author: Stephanie Schiedermair
- The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
- Where reference is made to this paragraph, Art. 5 of Regulation (EU) No 182/2011 shall apply.
- Where reference is made to this paragraph, Art. 8 of Regulation (EU) No 182/2011, in conjunction with Art. 5 thereof, shall apply.
I. Introduction
Art. 93 sets out provisions governing the use of a committee to support the Comm. The provision replaces Art. 31 of the DPD and refers exclusively to the adoption of implementing acts. Pursuant to Art. 291 para. 1 TFEU, it is up to the Member States in principle to adopt all measures of national law necessary to implement legally binding Union acts. Pursuant to Art. 291 para. 2 TFEU, however, implementing powers can be conferred on the Comm and also the Council[1] in a legal act where uniform conditions for implementation are needed. Regulation (EU) No 182/2011, to which Art. 93 para. 1 refers, lays down the overall framework for the adoption of corresponding implementing acts by the Comm (cf. Art. 1 Regulation (EU) No 182/2011).[2]
II. Legal background
Art. 31 DPD created the control mechanisms applicable to the Comm’s exercise of implementing powers, concerning international data transfers (DPD Art. 24 paras. 4 to 6 and Art. 26 paras. 3 and 4). These powers correspond to those referred in Art. 43 paras. 3 to 5 and Art. 46 para. 2 GDPR; and relevant control mechanisms (under the DPD) resemble those created by Art. 93 GDPR. Other provisions similar to Art. 93 GDPR can be found in certain data protection legal instruments, such as the LED (Art. 58).
III. Analysis
As a body, the committee pursuant to Art. 93 GDPR is to be distinguished from the EDPB pursuant to Art. 68 et seq. GDPR. In German, the same word (“Ausschuss”) is used to describe both bodies,[3] whereas English makes a distinction by using the term “board” for the EDPB and “committee” for the committee pursuant to Art. 93 GDPR. The fact that these are two different bodies is also evident from Art. 70 para. 3, which sets out the obligation incumbent upon the EDPB to forward its views, guidelines, recommendations, and best practices to the Comm and the committee pursuant to Art. 93. The committee pursuant to Art. 93 comprises representatives of the Member States.[4] The committee is chaired by a representative of the Comm. The chair submits the draft version of the Comm’s implementing acts to the committee but does not take part in the committee vote.[5]
In the GDPR, the Comm is authorised to adopt implementing acts in eight places.[6] Art. 28 para. 7 gives the Comm powers to lay down standard contractual clauses for matters relating to contract data processing. Art. 28 para. 7 therefore refers to the examination procedure in Art. 93 para. 2.[7] In Art. 40 para. 9, the Comm is authorised to declare codes of conduct within the meaning of Art. 40[8] as having general validity within the EU. The GDPR also gives the Comm implementing powers to lay down technical standards for certification mechanisms and data protection seals pursuant to Art. 43 para. 9.[9] The same applies to assessing the adequacy of the level of protection pursuant to Art. 45 paras. 3 and 5 when it comes to the transfer of data to third countries and international organisations.[10] The Comm is also given implementing powers regarding standard data protection clauses in this area pursuant to Art. 46 para. 2 lit. c and lit. d.[11]
What is more, Art. 47 para. 3, which gives the Comm the option to specify the format and procedures for the exchange of information for binding corporate rules pursuant to Art. 47 also refers to the examination procedure pursuant to Art. 93 para. 2. Art. 61 para. 9 also gives the Comm the power to adopt implementing acts in the examination procedure pursuant to Art. 93 para. 2 for the purpose of specifying the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means among SAs and between SAs and the EDPB. Finally, Art. 67 also gives the Comm corresponding powers to specify the arrangements for the exchange of information by electronic means between SAs, and between SAs and the EDPB.
[…]
[1]The GDPR does not confer any implementing powers on the Council but only on the Comm, cf. also Jenny in Plath, BDSG/DSGVO, Art. 93, paras. 4, 5.
[2]Regulation (EU) No 182/2011 of the European Parliament and of the Council laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers, OJ L 55, 28 February 2011, p. 13. The Regulation replaces Council Decision 1999/468/EC, OJ L 184, 17 July 1999, p. 23. Regarding the new Comitology Regulation, cf. von der Groeben/Schwarze/Hatje, AEUV, Art. 291, para. 28 et seq.
[3]This also occurs in other languages, e.g. French (“comité”) or Spanish (“comité”).
[4]Cf. Art. 93, para. 1, sentence 2 GDPR in conjunction with Art. 3 para. 2 of Regulation (EU) No 182/2011.
[5]For detailed provisions on procedures within the committee pursuant to Art. 93, cf. Art. 3 of Regulation 182/2011.
[6]Cf. also recital 168 GDPR.
[7]See Art. 28 para. 7: ‘The Commission may lay down standard contractual clauses for the matters referred to in paras. 3 and 4 of this Article and in accordance with the examination procedure referred to in Art. 93 para. 2.’ Cf. also Plath, BDSG/DSGVO, Art. 93, para. 4; Tosoni, ‘Art. 93’, in Kuner/Bygrave/Docksey, pp. 1282 et seq.
[8]For further details, see Roßnagel/Richter Art. 40 para. 1 et seq.
[9]For details on certification and data protection seals, see → Art. 43 mn. 16 et seq.
[10]For further details, see → Art. 43 mn. 3 et seq.
[11]For further details in this respect, too, see → Art. 46 mn. 26 et seq.