 
 

LIST OF POWERS, ACTIVITIES and STATISTICS of DATA PROTECTION AUTHORITIES


18.12.2015
1. GENERAL INFORMATION and COMPETENCE
1.1. General information
1.2. Data protection competence
1.3. Competence in spam matters and in telecom data breach cases
1.4. Competence in the freedom of information matters
1.5. Principal legal and organisational developments
1.6. Highlights in case law
2. EDUCATIONAL and CONSULTATIVE ACTIVITIES
2.1. Activity: answering questions
2.2. Activity: adoption of guidance texts
2.3. Activity: approval of self-regulatory acts
2.4. Activity: training sessions and other public events
2.5. Activity: media work
2.5.1. Sub-activity: work in social media
2.6. Activity: annual reporting
3. SUPERVISION and ENFORCEMENT ACTIVITIES
3.1. Activity: mediation
3.2. Activity: comparative survey
3.3. Activity: notice without investigation
3.4. Activity: preventive audit
3.5. Activity: registration
3.6. Activity: authorisations for personal data processing
3.6.1. Sub-activity: authorisation to data transfer to 3rd countries
3.6.2. Sub-activity: prior checking
3.7. Activity: investigation and resolution of infringements
3.7.1. Initiation options
3.7.2. Investigative measures
3.7.3. Resolutions
4. POLICY ADVISING
5. ADDITIONAL ACTIVITIES
6. INTERNATIONAL GROUPS and FORA
 
 
 

1. GENERAL INFORMATION and COMPETENCE

 
 
 

1.1. General information

 
 
 
Name of the country:
   
 
 
 
Name of the authority:
   
 
 
 
Territorial competence in the whole country
 
Yes
 
No
 
 
 
If the previous answer was No, then in which territory:
   
 
 
 

Explanation: the description of territory also includes, if relevant, short comments on territorial differences in substantive competence (e.g.: data protection and spam competence in the whole country, FoI competence only in some parts of the country).

 
 
 

Annual budget of the reporting year in euros:

   
 
 
 

Staff (annual average) in full-time-equivalents of the reporting year:

   
 
 
 
The authority is led by
 
single Head
 
College of Commissioners
 
 
 

1.2. Data protection competence



Legal competence in the scope of the Directive 95/46/EC and Framework Decision 2008/977/JHA (respectively for EDPS – the Regulation 45/2001):
 
 
 
Coverage of the entire scope of both the legal instruments
 
Yes
 
No (If No – description of the limited scope)
 
 
 
 
Comments:
   
 
 
 

Explanation: Please describe a limited scope using general terms as much as possible, without specific national terminology (e.g.: private sector only, federal public sector only).
Territorial limitations are described in sub-chapter 1.1.
Matters should not be taken into account in the description of a limited scope if they are also outside the scope of the Directive according to Art. 3 (2), such as public security, defence, State security and activities of the State in areas of criminal law.
Possible exceptions mentioned in Art. 9 of the Directive (freedom of expression) should also not be taken into account in the description of a limited scope.
The next 2 questions are reserved for the exclusions under Art. 3 (2) and exceptions under Art. 9 of the Directive.
Activities outside data protection, spam matters and freedom of information are described under Chapter 5 “Additional activities”.

 
 
 
Brief description of the DPA’s data protection competence in the areas excluded from the scope of the Directive according to Art. 3 (2): first of all public security, defence, State security and activities of the State in areas of criminal law.
   
 
 
 

Explanation: Please describe here briefly the substantive competence, not procedures. Chapter 3 (“Supervision and enforcement activities”) also covers possible procedural exceptions related to the areas mentioned in Art. 3 (2) of the Directive.

 
 
 
Brief description of the DPA’s data protection competence in the matters of journalism and freedom of expression:
   
 
 
 

Explanation: Please describe here briefly the substantive competence, not procedures. Chapter 3 (“Supervision and enforcement activities”) also covers possible procedural exceptions related to the area of journalism and freedom of expression according to Art. 9 of the Directive.

 
 
 

1.3. Competence in spam matters and in telecom data breach cases

 
 
 
Legal competence in the area of unsolicited communications (spam matters) according to Article 13 of Directive 2002/58/EC (as amended by Directive 2009/136/EC):
 
In the whole scope
 
Not at all (data protection matters only)
 
If partially, then in which matters:
 
 
 
 
Comments:
   
 
 
 
Additional competence in case of telecom data breaches: to act as the competent national authority according to Art. 4 of Directive 2002/58/EC (as amended by Directive 2009/136/EC):
 
Yes
 
No
 
If partially, then how:
 
 
 
 
Comments:
   
 
 
 

Explanation: If the DPA is exercising its usual supervisory competence in relation to the use of personal data in unsolicited communications, then it will not be taken into account under spam matters.
Spam matters are distinct from data protection matters because Article 13 of Directive 2002/58/EC contains specific rules for unsolicited communications, such as opt-in and opt-out rules and the easy unsubscribe option rule.
These rules apply regardless of who the addressee of the unsolicited communications is (an identified or identifiable natural person, a legal person or an unidentified or unidentifiable person). Data protection rules cover only data of identified or identifiable natural persons.

 
 
 

1.4. Competence in the freedom of information matters

 
 
 
Legal competence in the area of supervision over responding to information requests – according to Art. 8 of the pending Convention of the Council of Europe on Access to Official Documents of 2009
 
Yes
 
No
 
 
 
Comments:
   
 
 
 
If you answered Yes to the previous question, then does the DPA also have competence to supervise information holders in the matters of:
a) disclosure of public sector information on the web
 
Yes
 
No
 
 
 
Comments:
   
 
 
 
b) protection of restricted information – if restricted information has been revealed then does the DPA have the competence at least to investigate it (even if the revealed information does not contain personal data)?
 
Yes
 
No
 
 
 
Comments:
   
 
 
 
c) machine-readability of public sector information in the meaning of the Art. 5 of Directive 2013/37/EU on re-use of public sector information
 
Yes
 
No
 
 
 
Comments:
   
 
 
 

Explanation: If the DPA is merely exercising its usual personal data protection competence within public sector information, then it is not taken into account under freedom of information (FoI) competence.
All the questions above on access to and re-use of public sector information also cover sector-specific legislation, such as that in the field of access to environmental information (see the Århus Convention of 1998 and Directive 2003/4/EC).

 
 
 

1.5. Principal legal and organisational developments

 
 
 

Principal legal and organisational developments in the reporting period

   
 
 
 

1.6. Highlights in case law

 
 
 

Highlights in case law in the reporting period

   
 