Article 64 of GDPR: Opinion of The Board
Article 64 of GDPR provides for the instances when the European Data Protection Board will issue an opinion.
When the Board issues an opinion (Article 64(1) GDPR)
In the following instances, when the supervisory authorities submit a draft of their decision, the European Data Protection Board or EDPB must issue an opinion:
- Relating to the adoption of a list of processing requirements that will need a DPIA (Article 64(1)(a) GDPR)
- Relating to a draft code of conduct (Article 64(1)(b) GDPR)
- Approval of accreditation criteria of a body (Article 64(1)(c) GDPR)
- Relating to the determination of standard data protection clauses (Article 64(1)(d) GDPR)
- Regarding the authorization of contractual clauses (Article 64(1)(e) GDPR)
- Regarding the approval of binding corporate rules (Article 64(1)(f) GDPR)
Opinion relating to matters of general application (Article 64(2) GDPR)
The following matters can be submitted to the Board for an opinion by the Chair of the Board or the Commission:
- Matters of general application
- Matters generating effects in more than one EU member state
- When a supervisory authority does not comply with its obligation for mutual assistance
- When a supervisory authority does not respond to joint operation demands
Rendering of opinion by the Board (Article 64(3) GDPR)
The Board must render its opinion within 8 weeks based on a rule of a simple majority.
Due to the complexity of the subject-matter, the Board may extend its 8-week timeline by an additional 6 weeks.
A member of the Board that does not object within a reasonable period is deemed to be in agreement with the draft decision of the Board.
Information required from the supervisory authorities (Article 64(4) GDPR)
The supervisory authorities must provide the following information to the Board as soon as possible:
- Summary of the facts related to the matter
- Their draft decision
- The grounds based on which the measures needed to be taken are necessary
- Views of other concerned supervisory authorities
Notification by the Board (Article 64(5) GDPR)
The Chair of the Board will notify the following as soon as possible:
- Notify other Board members of any relevant information it has received (Article 64(5)(a) GDPR)
- Notify the supervisory authority and the Commission of its opinion and release it publicly (Article 64(5)(b) GDPR)
Draft decision of the supervisory authority (Article 64(6) GDPR)
During the period of time the Board is to render its opinion, the supervisory authorities will not adopt their draft decision.
Supervisory authority decision following the opinion of the Board (Article 64(7) GDPR)
Within 2 weeks from the rendering of the Board’s opinion, the supervisory authority will decide whether it will maintain its draft decision or amend it.
The supervisory authority must take full account of the opinion of the Board in its decision and will notify the Board if it will maintain its decision or amend it.
In the case of an amended decision, it will provide the Board with a draft of the amended decision.
Supervisory authority not following the opinion of the Board (Article 64(7) GDPR)
When the supervisory authority decides not to follow the opinion of the Board, it must provide the Board with the relevant grounds.
This will also trigger the dispute resolution process provided in GDPR.
Recitals applicable to Article 64 of GDPR
Relevant Recitals: 136
GDPR Regulation article-by-article overview
Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.
Cited Legislation in Article 64 or relevant recitals
GDPR Text: Article 64 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)