Parliamentary question - E-004275/2021(ASW)

Answer given by Mr Reynders on behalf of the European Commission

Under the General Data Protection Regulation (GDPR)[1], the independent national data protection supervisory authorities are in charge of the enforcement of data protection rules, under the control of courts, without prejudice to the Commission’s competences as guardian of the Treaties. The Commission has no enforcement powers vis-à-vis individual controllers and is thus not entitled to comment on specific incidents.

The French data protection authority CNIL has, as the competent supervisory authority, all necessary tools to follow up with the controller concerned. The controller has also brought the suspected attack to the attention of law-enforcement authorities[2].

It is the responsibility of the authorities issuing EU Digital COVID Certificates as controllers to implement appropriate security measures[3]. Neither Regulation (EU) 2021/953, nor the GDPR, prevent them from using external processors in fulfilling their tasks. Should they choose to rely on an external processor, GDPR provides for requirements for the contract with the processor, to ensure that the controller stays in control of the processing.

The Commission does not intend to propose changes to the legal framework as a follow-up to this incident. The rules on data breach notifications introduced by the GDPR ensured that the controller brought this incident to the attention of the CNIL and informed the persons affected. It is precisely because the EU has adopted data protection rules such as GDPR that the data protection supervisory authorities can take action against alleged breaches of privacy and data protection.

Last updated: 24 November 2021