Dear President,

I am writing to follow up on the European Commission’s reply of 21 June 2022 in this inquiry (C(2022) 3686 final).

The Commission’s reply is helpful in several respects. It emphasises the Commission’s expectations given the particular role of the Irish authorities when it comes to GDPR implementation. The reply also mentions the Commission’s expectation that its main information source (the EDPB) will soon improve how it presents GDPR-related data.

The Commission’s reply contains some relatively specific information on the sources of information, but not a detailed and comprehensive account of the actual information that it has so far collected.

This inquiry concerns the implementation of a fundamental right of citizens and, more specifically, seeks to determine whether the Commission is doing enough to ensure the GDPR is fully enforced vis-à-vis major technology companies in Ireland. The focus is to verify whether the Commission has informed itself adequately to arrive at the necessary conclusions. To help in that process, the Commission is kindly asked to respond to the issues in the enclosed annex.

If the Commission deems it useful to organise another meeting between its services and my inquiry team, that would be possible.

I would be grateful if the Commission could reply to this letter by no later than 30 September 2022. The Commission may also wish to respond to the complainant’s comments on its reply, a copy of which is enclosed.

Yours sincerely,

 

Emily O'Reilly

European Ombudsman

Strasbourg, 19/07/2022

 

Enclosures:

· annex

· the complainant’s comments on the Commission’s reply

· the complainant’s letter of 16 March 2022 to the Irish DPC

 

 

ANNEX

The Commission’s role - including for information gathering - is separate from the EDPB

The Commission has pointed out that its main source of information about the implementation of the GDPR is the EPDB.

The Ombudsman appreciates that the EDPB has a dedicated role for EU-wide coordination to ensure consistent application of the GDPR. Information that it gathers is clearly important when it comes to the work that the Commission carries out to monitor the implementation of the GDPR.

The Commission nonetheless remains autonomous in its specific role of monitoring whether the GDPR is being infringed. If the data produced by the EDPB - for its own and separate purpose of promoting the consistent application of the GDPR - is not fully pertinent for the Commission’s role, the Commission has full competence to request, from any source, the relevant data. This includes defining the detailed specific data requested, the way it shall be presented, and any related clarifications.

The Commission is requested to comment on these points.

The Irish Data Protection Commissioner appears to have been a key source of information so far

The specific data that the Commission has provided so far or referred to in this inquiry are contained in the documents listed below[1]. The Commission is asked to verify whether the list is complete.

1. ‘Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities’, EDPB publication of 5 August 2021 prepared in response to a request from the European Parliament[2]

2. ‘DPC LARGE-SCALE STATUTORY INQUIRIES – STATUS UPDATE FEBRUARY 2022*’, an overview of inquiries conducted by the Irish Data Protection Commissioner, provided to the European Ombudsman on a confidential basis on 3 March 2022.

3. ‘One-Stop-Shop Cross-Border Complaints Statistics - 25 My 2018 - 31 December 2021’, a publication of 15 March 2022 of the Irish Data Protection Commission[3]

Can the Commission clarify whether it had made prior requests, for its monitoring work, to the Irish DPC regarding precisely what data should be contained in items 2 and 3, and how that data should be presented?

If the reply to this question is negative, it is assumed that the choice of data and how it is presented were determined by the Irish DPC. Can the Commission please also respond to this point?

With regard to item 3, the complainant wrote to the Irish DPC on 16 March 2022 (enclosed), pointing to the additional data that his organisation would consider relevant for a proper insight into that authority’s implementation of the GDPR. It appears that the complainant has not yet received a reply. Could the Commission please comment on the possibility of the Commission requesting those data directly from the Irish DPC?

 

[1] The reference is here to ‘data’, it does not include, therefore, internet links to for instance minutes of meetings, or similar material, that the Commission has also referred to.

[2] https://edpb.europa.eu/system/files/2021-08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf

[3] The Commission had also previously drawn attention to the statistics in the DPC’s annual report for 2021. The publication for 2018-2021 is understood to provide more detailed relevant information.