The EU EDPB (European Data Protection Board) came up with a Coordinated Enforcement Framework (CEF) in 2020 with the objective of facilitating joint actions among Supervisory Authorities under the EU General Data Protection Regulation, 2016.
The objective of the CEF was to facilitate joint actions among supervisory authorities in a coordinated manner. The legal basis of the CEF is contained in Article 61(1) read with Article 57(1)(g) of the GDPR. Article 61(1) reads:
“Supervisory authorities shall provide each other with relevant information and mutual assistance in order to
implement and apply this Regulation in a consistent manner, and shall put in place measures for effective
cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory
measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.”
Article 57(1)(g) states:
“1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its
territory: …
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory
authorities with a view to ensuring the consistency of application and enforcement of this Regulation;”
Article 62, which deals with joint operations of supervisory authorities is also relevant for this purpose. Article 62(1) provides: “The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations
and joint enforcement measures in which members or staff of the supervisory authorities of other Member
States are involved.”
The role of EDPB is captured in Article 70(1)(u) of the GDPR, which states:
“1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its
own initiative or, where relevant, at the request of the Commission, in particular:…
(u) promote the cooperation and the effective bilateral and multilateral exchange of information and best
practices between the supervisory authorities;”
These provisions form the legal basis for the CEF, which is basically a structure for coordinating recurring annual activities of the Supervisory Authorities under the GDPR through the EDPB.
On the CEF, the EDPB Document states: “The objective of the CEF is to facilitate joint actions in the broad sense in a flexible
but coordinated manner, ranging from joint awareness raising and information gathering to an
enforcement sweep and joint investigations.” (Para 5).
Why is the CEF important? The ultimate aim is compliance with GDPR and protection of rights and freedoms. The CEF reduces risks of compliance in wake of new technologies in data protection.
The CEF works in the following way:
In 2022, the EDPB picked the role of Data Protection Officers for its 2023 Study. Now EDPB has come up with the report on the designation and position of Data Protection Officers, which can be accessed from here. The 2022 study was on use of cloud-based services by the public sector.
For 2024, the topic has been chosen by the EDPB in October 2023, which relates to the implementation of the right of access by controllers.