Article 73: Chair

The Article 73 (Chair) requirement means the European Data Protection Board (EDPB) must formally elect, from among its members, one chair and two deputy chairs by simple majority, and maintain clear records of that election. To operationalize it, you need a defined election procedure, documented voting outcomes, and an evidence packet that proves the election occurred and was properly authorized. (Regulation (EU) 2016/679, Article 73)

Key takeaways:

  • This is a governance requirement for the EDPB, not an operational duty for typical controllers or processors. (Regulation (EU) 2016/679, Article 73)
  • If you are a supervisory authority or support one, you should be able to evidence the election process, vote, and resulting appointments. (Regulation (EU) 2016/679, Article 73)
  • Treat the election as an auditable control: procedure, minutes, decision record, and retention. (Regulation (EU) 2016/679, Article 73)

Most GDPR requirements you operationalize as a CCO or GRC lead land on your organization as a controller or processor. Article 73 is different. It’s a governance rule for the European Data Protection Board: the Board must elect a chair and two deputy chairs from among its members by simple majority. (Regulation (EU) 2016/679, Article 73)

Why should you care? Because governance controls still show up in real life during oversight, assurance, and third-party diligence. If you operate inside a supervisory authority, advise one, or provide services that support Board-level processes (secretariat support, collaboration tooling, records management), you may be asked to demonstrate that the election mechanism exists, is followed, and is evidenced. Even outside those contexts, Article 73 is a useful pattern for building “decision-grade” evidence: defined authority, simple voting rules, traceable minutes, and retention.

This page translates Article 73 into a requirement-level operating procedure: who owns it, what artifacts you must produce, what auditors ask for, and what breaks most often.

Regulatory text

Regulatory excerpt: “The Board shall elect a chair and two deputy chairs from amongst its members by simple majority.” (Regulation (EU) 2016/679, Article 73)

Operator meaning (what you must do):

  • Establish a formal election mechanism for EDPB leadership roles (chair and two deputies). (Regulation (EU) 2016/679, Article 73)
  • Limit eligibility to existing Board members (no external candidates). (Regulation (EU) 2016/679, Article 73)
  • Use a simple-majority voting rule and document the result. (Regulation (EU) 2016/679, Article 73)
  • Retain records that prove the election happened and who was elected. (Regulation (EU) 2016/679, Article 73)

Plain-English interpretation

The Article 73 chair requirement is a narrow governance control: the EDPB must choose its leadership through a vote, and the vote must meet one clear threshold, simple majority. (Regulation (EU) 2016/679, Article 73)

For implementation, treat “simple majority” as a rule you must define operationally in your procedure (for example, what counts as a valid vote, how abstentions are handled, what quorum assumptions apply if you have them elsewhere). Article 73 itself only fixes the voting standard and the offices to be elected; it does not describe nomination mechanics, term length, or removal. Do not add “GDPR says…” requirements that are not in the text when writing your control narrative. (Regulation (EU) 2016/679, Article 73)

Who it applies to (entity and operational context)

In scope (direct)

  • European Data Protection Board (EDPB) and the governance processes that run Board elections. (Regulation (EU) 2016/679, Article 73)

In scope (indirect, practical)

You will operationalize this requirement if you are:

  • A supervisory authority participating as a Board member and responsible for internal readiness to nominate, vote, and record participation in Board decisions. (Regulation (EU) 2016/679, Article 73)
  • A secretariat or supporting function that administers Board meetings, captures minutes, manages official records, or operates the tooling used for voting and documentation. (Regulation (EU) 2016/679, Article 73)
  • A third party supporting a supervisory authority or Board process (collaboration platforms, e-signature, secure voting, records retention). Your obligation is contractual, but your evidence will be tested because it underpins a legal governance requirement. (Regulation (EU) 2016/679, Article 73)

Typically out of scope

  • Most private-sector controllers and processors. Article 73 does not impose an “elect a chair” obligation on them. (Regulation (EU) 2016/679, Article 73)

What you actually need to do (step-by-step)

Below is an operator-grade procedure you can drop into a governance runbook for the Article 73 chair requirement.

Step 1: Assign ownership and define the control boundary

  • Name an accountable owner (for example, Board secretariat lead or governance counsel) and a backup owner.
  • Define the boundary: “EDPB chair and deputy chair election process and recordkeeping.” (Regulation (EU) 2016/679, Article 73)

Artifact: RACI snippet for the election process (owner, preparer, approver, record custodian).

Step 2: Write the election SOP (the minimum viable version)

Your SOP should answer these exam-grade questions, without overreaching beyond Article 73:

  • Who can be nominated (must be “amongst its members”). (Regulation (EU) 2016/679, Article 73)
  • Who can vote (Board members).
  • What “simple majority” means in your process language (counting method, tie-handling approach, and any escalation path). (Regulation (EU) 2016/679, Article 73)
  • How votes are captured (in-meeting, written, electronic), and how integrity is protected (access control, tamper-evident logs).
  • What record is the official “result” (minutes, resolution, decision record), and where it is stored.

Artifact: “Article 73 Election Procedure” (version-controlled).

Step 3: Prepare an election pack before the meeting

Build a standardized packet so the process is repeatable:

  • Candidate eligibility checklist (membership confirmation). (Regulation (EU) 2016/679, Article 73)
  • Voting template (ballot format or motion language that cites “simple majority”). (Regulation (EU) 2016/679, Article 73)
  • Minute-taking template that captures: motion, vote counts, outcome, effective date, and named roles (chair, deputy 1, deputy 2).

Artifact: Election meeting pack (agenda + templates).

Step 4: Execute the election and capture outcome evidence

During the election:

  • Run the vote exactly as the SOP states.
  • Capture attendance and voting eligibility.
  • Record the vote totals and confirm the “simple majority” threshold was met. (Regulation (EU) 2016/679, Article 73)
  • Record the elected individuals and roles.

Artifact: Approved minutes/resolution with vote outcome.

Step 5: Post-election confirmations and controlled publication

After the vote:

  • Issue a formal appointment notice internally (and externally if your governance process requires publication).
  • Update internal governance registers (chair/deputy names, effective date, reference to decision record).
  • Ensure access to the official record is controlled and retention is set.

Artifact: Governance register update + controlled communication.

Step 6: Retain an auditable evidence packet

Treat the election as a control with an evidence bundle stored in a system of record:

  • SOP version in effect at the time of election
  • Agenda and election pack
  • Attendance record
  • Minutes/resolution signed/approved per your governance rules
  • Vote record (counts, method, integrity logs if electronic)
  • Post-election notifications and register updates

Artifact: “Article 73 Evidence Packet” (single folder or case file).

Practical tooling note: If you run this through Daydream, structure it as a requirement record with an attached SOP, a recurring evidence task for each election event, and a “decision record” template that forces capture of vote method and majority determination.

Required evidence and artifacts to retain (audit-ready list)

| Evidence item | What it proves | Common reviewer expectation |
|---|---|---|
| Election SOP | There is a defined, repeatable process | Dated, approved, version-controlled |
| Candidate eligibility record | Candidates were Board members | Clear membership basis (Regulation (EU) 2016/679, Article 73) |
| Meeting agenda + pack | Election was planned and governed | Standard templates used |
| Attendance/participant list | Voter set was defined | Aligns with minutes |
| Minutes/resolution | The election occurred and who won | Includes vote and outcome (Regulation (EU) 2016/679, Article 73) |
| Vote record / system logs | Simple majority determination is defensible | Tamper-evident controls if electronic |
| Governance register update | Organization operationalized the decision | Traceable back to minutes |

Common exam/audit questions and hangups

  1. “Show me the rule you followed for simple majority.”
    Hangup: teams assume the concept is self-explanatory and fail to define how they count votes and abstentions. Anchor the definition in your SOP and show the count in the minutes. (Regulation (EU) 2016/679, Article 73)

  2. “Were the elected individuals eligible?”
    Hangup: missing membership verification. Keep a membership confirmation step in the election pack. (Regulation (EU) 2016/679, Article 73)

  3. “Where is the authoritative record?”
    Hangup: scattered artifacts across email, chat, and shared drives. Designate a system of record and point to it consistently.

  4. “Who approved the minutes/resolution?”
    Hangup: drafts exist, but final approval is unclear. Your SOP should specify how minutes become official records.

Frequent implementation mistakes and how to avoid them

  • Mistake: Treating Article 73 as a controller/processor obligation.
    Fix: In your GDPR obligations register, mark Article 73 as “governance requirement for the Board,” and only assign actions if you are in a supervisory authority or supporting role. (Regulation (EU) 2016/679, Article 73)

  • Mistake: No explicit “simple majority” calculation in the evidence.
    Fix: Put the threshold in the motion language and show the vote totals in the signed minutes. (Regulation (EU) 2016/679, Article 73)

  • Mistake: Overbuilding the procedure with non-required elements.
    Fix: Keep the SOP lean. Article 73 specifies the roles and voting rule; avoid asserting term lengths or special quorum rules unless they come from your separate governance instrument. (Regulation (EU) 2016/679, Article 73)

  • Mistake: Weak record integrity for electronic voting.
    Fix: Restrict access, preserve logs, and retain an export of the final vote record alongside the minutes.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for Article 73. (Regulation (EU) 2016/679, Article 73)

Operationally, your risk is less about fines and more about governance defensibility: if leadership elections are challenged, you need a clean record that shows eligibility, a simple-majority vote, and a traceable decision record. (Regulation (EU) 2016/679, Article 73)

Practical execution plan (30/60/90-day)

Day 0–30: Establish the minimum viable control

  • Assign ownership and a record custodian.
  • Draft and approve the “Article 73 Election Procedure.”
  • Build templates: agenda item, motion language, minutes section, evidence checklist.

Day 31–60: Make it operational

  • Implement a system-of-record location and naming convention for the evidence packet.
  • Run a tabletop exercise: simulate an election, produce the minutes, and confirm evidence completeness.
  • Train the administrative staff who will run the meeting and capture minutes.

Day 61–90: Hardening and audit readiness

  • Add integrity controls for electronic voting (access restrictions, audit logs, export format).
  • Create a standing “election evidence packet” checklist in your GRC workflow (Daydream fits well here).
  • Run an internal assurance review: can someone independent reconstruct the election and majority calculation from the file alone?

Frequently Asked Questions

Does Article 73 apply to private companies under GDPR?

Not directly. Article 73 sets governance rules for the European Data Protection Board to elect a chair and two deputy chairs by simple majority. (Regulation (EU) 2016/679, Article 73)

What evidence should I keep to prove compliance with the Article 73 chair requirement?

Keep the election SOP, the meeting pack, attendance records, and the approved minutes or resolution showing the vote totals and outcome. The evidence should show the chair and two deputy chairs were elected from among members by simple majority. (Regulation (EU) 2016/679, Article 73)

How do we define “simple majority” in our SOP?

Define it in operational terms: how votes are counted, how abstentions are treated, and how ties are resolved. Then show that calculation in the official minutes for the election event. (Regulation (EU) 2016/679, Article 73)

We used an electronic voting tool. What will reviewers ask for?

Expect questions about who had access, whether results can be altered, and where logs are stored. Retain an export of the final vote record and any supporting logs with the approved minutes. (Regulation (EU) 2016/679, Article 73)

Do we need to publish the election results?

Article 73 only states the Board must elect a chair and two deputy chairs by simple majority from among its members. Publication requirements, if any, should come from your separate governance rules, not from Article 73. (Regulation (EU) 2016/679, Article 73)

How can Daydream help with this requirement in practice?

Use Daydream to track the requirement, store the approved SOP, and generate an “evidence packet” task whenever an election occurs. That gives you one place to produce minutes, vote records, and the decision record during audits or oversight reviews.
