Article 75: Secretariat
The Article 75 secretariat requirement is not an obligation you operationalize inside your company; it is an institutional rule that the European Data Protection Board (EDPB) must have a secretariat, provided by the European Data Protection Supervisor (EDPS). For a Compliance Officer, the practical action is to scope it out as “not applicable,” document why, and ensure your GDPR program does not mis-map Article 75 as a business control. (Regulation (EU) 2016/679, Article 75)
Key takeaways:
- Article 75 assigns duties to EU institutions (EDPB/EDPS), not to controllers/processors directly. (Regulation (EU) 2016/679, Article 75)
- Your job is correct applicability scoping, evidence of the decision, and clean control mapping so audits don’t chase the wrong artifact.
- Treat mis-scoping as a governance risk: it wastes audit cycles and obscures real GDPR gaps (Articles 5, 24, 28, 30, 32, 33, 35 are typical operational hotspots, separate from Article 75). (Regulation (EU) 2016/679)
Compliance teams regularly inherit GDPR “article-by-article” control matrices from prior audits, customers, or third-party assessors. Article 75 is a classic trap in those matrices because it reads like an operational requirement, but it is actually a structural requirement about how the EDPB is supported: the Board has a secretariat, and that secretariat is provided by the EDPS. (Regulation (EU) 2016/679, Article 75)
If you are a controller or processor building a defensible GDPR program, you should not waste time creating an internal “secretariat” control. What you do need is a tight applicability determination that stands up to scrutiny: show that you understand what the article governs, that you have a documented method to classify requirements, and that your control framework focuses on obligations that actually apply to your processing activities. (Regulation (EU) 2016/679)
This page gives requirement-level implementation guidance for scoping and documenting the Article 75 secretariat requirement. The goal is speed: make a decision, capture evidence, and prevent the issue from recurring in audits, customer due diligence, or internal control testing.
Article 75: what the requirement says and what it means for you
Plain-English interpretation
Article 75 states that the EDPB “shall have a secretariat,” and that the secretariat “shall be provided by the European Data Protection Supervisor.” (Regulation (EU) 2016/679, Article 75)
Operational meaning for most organizations: this is not a controller/processor obligation. It does not require your company to appoint a “secretariat,” fund an EDPB function, or create a new internal governance body. Your operational obligation is limited to correctly scoping and documenting non-applicability inside your compliance mapping so your GDPR program remains accurate and auditable.
Who it applies to (entity and operational context)
Direct addressees
- European Data Protection Board (EDPB): must have a secretariat. (Regulation (EU) 2016/679, Article 75)
- European Data Protection Supervisor (EDPS): provides that secretariat. (Regulation (EU) 2016/679, Article 75)
Typical controllers/processors
- Most private-sector and public-sector organizations acting as controllers or processors do not have direct duties under Article 75 beyond understanding it as part of the GDPR’s institutional framework. (Regulation (EU) 2016/679)
Edge cases (practical scoping note)
If you are an EU institution, body, or agency operating in a context tied to the EDPS/EDPB, your legal team should confirm whether internal policies require specific interfacing steps with EDPB secretariat processes. The text of Article 75 itself still describes EDPS provision of the secretariat, not an external organization’s operational control. (Regulation (EU) 2016/679, Article 75)
Regulatory text
“1. The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.” (Regulation (EU) 2016/679, Article 75)
What the operator must do with this text (practically):
- Classify the requirement as institutional governance (EDPB/EDPS), not as an organizational processing control.
- Record an applicability decision (“Not applicable to our organization because we are not the EDPB or EDPS”).
- Remove or prevent incorrect control mappings that force teams to “evidence” something that the law does not ask them to do. (Regulation (EU) 2016/679, Article 75)
Implementation goal for a CCO/GRC lead
Control objective (what “good” looks like)
You can answer, quickly and consistently:
- Whether Article 75 applies to your organization.
- Why you concluded that.
- Where that decision is documented.
- How your control framework prevents reintroducing the same mapping error in future audits.
This is governance hygiene. Auditors and customers often judge program maturity by whether your mapping is precise, not bloated.
What you actually need to do (step-by-step)
Step 1: Make an applicability determination (and tie it to your role-and-scope register)
Create a short entry in your GDPR obligations register:
Decision points
- Are we the “Board” referenced in Article 75 (the EDPB)?
- Are we the EDPS?
- If neither, do we have any delegated role to provide EDPB secretariat services?
Expected result for most organizations: “No” to all, therefore Not Applicable. (Regulation (EU) 2016/679, Article 75)
Operator tip: Put the applicability logic into your standard scoping method so Article 75 doesn’t resurface every time you refresh your GDPR crosswalk.
Step 2: Update your GDPR control mapping (stop forcing a fake control)
Find any internal documents where Article 75 is mapped to a corporate control (common places: ISO 27001 mapping sheets, SOC 2 control matrices, “GDPR Article Checklist” tabs).
Actions:
- Mark Article 75 as institutional requirement.
- Replace any internal control reference with “N/A, see applicability memo.”
- Add a pointer to operationally relevant GDPR controls (for example, governance and accountability controls you actually run), but do not claim they “satisfy” Article 75.
Step 3: Create a requirement-specific operating procedure (SOP) for “non-applicable” articles
You need a repeatable way to handle GDPR articles that are structural, definitional, or authority-facing.
Minimum SOP content:
- Owner: GRC lead or privacy counsel delegate.
- Trigger events: new audit, new customer due diligence request, annual control library refresh.
- Required approvals: privacy counsel sign-off for “N/A” classifications.
- Evidence packet checklist (see below).
Step 4: Add an audit response snippet (reduce back-and-forth)
Prepare a two-paragraph standard response you can paste into:
- audit PBC requests,
- security questionnaires,
- customer DPAs or “GDPR article compliance” checklists.
Suggested wording (customize):
- “Article 75 governs the EDPB’s secretariat and specifies it is provided by the EDPS; it does not impose obligations on our organization as a controller/processor. We track this as not applicable in our GDPR obligations register and maintain a documented applicability determination.” (Regulation (EU) 2016/679, Article 75)
Step 5: Retain evidence on a recurring cadence
This requirement is low operational burden, but evidence still matters because the failure mode is documentation drift. Schedule a periodic review aligned to your normal compliance refresh cycle.
Daydream note: If you use Daydream to manage your control library, store the Article 75 applicability memo and map it as “institutional/N/A,” so future assessments inherit the decision instead of re-opening it.
Required evidence and artifacts to retain
Keep an “Article 75 evidence packet” with:
- Applicability memo (one page)
  - Requirement text excerpt
  - Applicability rationale
  - Approver (privacy counsel) and date
  (Regulation (EU) 2016/679, Article 75)
- Role-and-scope register entry
  - Confirms your organization is not the EDPB/EDPS
  - Reference to the memo
- Control mapping screenshot/export
  - Shows Article 75 marked N/A
  - Shows no internal “secretariat” control is claimed
- SOP for non-applicable requirement handling
  - Owner, triggers, approvals, storage location
- Audit/customer questionnaire response template
  - Pre-approved language to ensure consistency
Common exam/audit questions and hangups
Auditors, assessors, and customers tend to ask:
- “Show your control for GDPR Article 75.”
  Hangup: They expect a control because it is an “article checklist” item.
  Your answer: Provide the memo and mapping. Cite the Article 75 text. (Regulation (EU) 2016/679, Article 75)
- “Who is your ‘secretariat’ for the Board?”
  Hangup: Confusion between your internal privacy governance and the EDPB.
  Your answer: Explain the EDPB vs. corporate governance distinction, then show your privacy governance structure separately (but don’t claim it meets Article 75).
- “Why is this marked N/A?”
  Hangup: Some reviewers distrust N/A entries.
  Your answer: Use the decision tree (EDPB? EDPS? delegated role?) and get counsel sign-off.
Frequent implementation mistakes and how to avoid them
- Creating an internal “EDPB secretariat” control
  - Why it happens: checklist compliance behavior.
  - Fix: Reclassify Article 75 as institutional; map your real governance to the correct GDPR accountability obligations instead. (Regulation (EU) 2016/679)
- Marking N/A without a memo
  - Why it happens: teams treat N/A as self-evident.
  - Fix: one-page memo, counsel-approved, stored with your audit artifacts.
- Over-citing Article 75 to justify unrelated practices
  - Why it happens: teams want every process tied to a citation.
  - Fix: keep Article 75 narrow; cite the GDPR generally for broader governance context if needed. (Regulation (EU) 2016/679)
- Letting third parties dictate your mapping
  - Why it happens: customer checklists include every article.
  - Fix: respond with the prepared snippet and evidence packet; do not create a fake control just to satisfy a spreadsheet.
Enforcement context and risk implications
No public enforcement cases are provided for Article 75 in the supplied sources. Practically, your risk is indirect:
- Audit inefficiency risk: time spent evidencing non-requirements.
- Program credibility risk: a control matrix full of mis-scoped requirements makes real gaps harder to spot and explain.
- Contracting risk: customers may misinterpret “Article coverage” as “operational controls,” causing negotiation friction. Keep your evidence tight and consistent. (Regulation (EU) 2016/679)
Practical 30/60/90-day execution plan
First 30 days (stabilize)
- Locate where GDPR articles are tracked (GRC tool, spreadsheet, policy mapping).
- Write and approve the Article 75 applicability memo with privacy counsel sign-off. (Regulation (EU) 2016/679, Article 75)
- Update the control mapping to N/A and link to the memo.
Days 31–60 (standardize)
- Publish the SOP for handling non-applicable GDPR articles (owner, triggers, approvals, storage).
- Create the standard audit/customer response snippet and get it approved.
- Train the compliance intake path (whoever answers questionnaires) to use the snippet and attach the memo.
Days 61–90 (prevent recurrence)
- Run a “mapping QA” pass: identify other institutional/structural GDPR articles that are incorrectly mapped as business controls, and correct them.
- Add a lightweight review step to your annual compliance refresh: confirm Article 75 remains N/A and the memo is still current. (Regulation (EU) 2016/679, Article 75)
- If you use Daydream, centralize the memo and mapping decision so future audits inherit the same evidence packet.
Frequently Asked Questions
Does Article 75 require my company to appoint a GDPR secretariat or committee?
No. Article 75 describes the EDPB’s secretariat and says it is provided by the EDPS. Your company should document that the requirement is not applicable to you as a controller/processor. (Regulation (EU) 2016/679, Article 75)
An auditor asked for evidence of “Article 75 compliance.” What do I provide?
Provide your applicability memo, the updated control mapping showing “N/A,” and the approved response language. Quote the Article 75 text to anchor the rationale. (Regulation (EU) 2016/679, Article 75)
Should I map Article 75 to our internal privacy governance meetings anyway?
Don’t map it as “satisfied.” You can separately document your governance as part of your GDPR accountability program, but Article 75 is an institutional requirement about the EDPB/EDPS. (Regulation (EU) 2016/679, Article 75)
Can a customer contract require us to meet Article 75?
A contract can ask for many things, but Article 75 itself assigns responsibilities to the EDPB/EDPS. Treat the request as a questionnaire mismatch, respond with the memo, and clarify what GDPR operational controls you do run. (Regulation (EU) 2016/679, Article 75)
What’s the minimum documentation that will satisfy due diligence reviewers?
A short applicability memo with counsel approval, plus a control mapping entry that links to it, usually resolves the request without extended debate. Keep it ready as a reusable evidence packet. (Regulation (EU) 2016/679, Article 75)
How do we keep this from popping up every year in audits?
Build an SOP for “institutional/N/A” GDPR articles, store the evidence packet in your GRC system, and require reviewers to use the approved snippet when responding to checklists. (Regulation (EU) 2016/679, Article 75)