Answer given by Ms Jourová on behalf of the European Commission
3.10.2018
The General Data Protection Regulation (GDPR)[1] grants individuals several remedies in case of an alleged infringement of their rights, such as the right to lodge a complaint with a supervisory authority or to bring proceedings before the courts.
They may mandate a not-for-profit body to exercise their rights on their behalf. Additionally, Member States may provide that a not-for-profit organisation, which has been properly constituted in accordance with the national law, pursues public interests and is active in the field of the data protection, may lodge a complaint and start proceedings in courts independently of a data subject’s mandate.
Except where this is allowed pursuant to Article 80 GDPR, other persons wishing to act independently of a data subject’s mandate do not have standing to exercise the rights granted to individuals under the GDPR.
The Commission does not currently have any overview of the illegal practices mentioned by the Honourable Member. Article 97 of the regulation provides that by May 2020 the Commission shall submit a report on the evaluation and review of the regulation. The Commission will assess during the coming year of application whether there is a need to evaluate such practices in its forthcoming report on the application of the new rules.
Under the GDPR, the promotion of public awareness in relation to the processing of personal data is primarily a task for the independent national supervisory authorities[2].
The Commission has undertaken several actions to ensure appropriate information is disseminated in all the Member States about the new rules[3]. The Commission has also issued a call for proposals for an amount of EUR 2 million to support data protection authorities in their awareness-raising activities[4].
- [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1‐88.
- [2] Article 57(1)(a) of the GDPR.
- [3] In January 2018, the Commission published its communication on the guidance for the direct application of the GDPR, together with an online toolkit targeting citizens and small and medium-sized enterprises (SMEs) to raise their understanding of the new rules.
- [4] http://ec.europa.eu/research/participants/portal/desktop/en/opportunities/rec/topics/rec-rdat-trai-ag-2017.html