On July 4 2023, the European Commission presented a Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the General Data Protection Regulation (GDPR) (the Proposal). Divergent enforcement of the GDPR by national Supervisory Authorities (SAs) in cross-border cases – cases that affect individuals located in more than one Member State – has compelled the Commission to redress such divergence through the adoption of this proposal, which will complement the GDPR. It aims at improving the consistent and swift enforcement of the GDPR, while ensuring seamless cooperation among SAs in cross-border cases. The Proposal further harmonizes the rights and obligations of complainants and defendants throughout the handling of a complaint and the investigation process.
1. What Are the Main Takeaways From the Proposal?
For Parties Under Investigation (Controllers and Processors)
The proposal clarifies the rights of defendants and provides them notably with the rights:
- To receive a copy the preliminary findings of the Lead Supervisory Authority (LSA), including the corrective measures being considered, and to provide written reply to these preliminary findings.
- To be heard regarding new elements raised in the revised draft decision.
- To get access to the administrative file (which must include all documents, inculpatory and exculpatory, including facts and documents which are known to the parties under investigation) after notification of the preliminary findings.
- To identify documents submitted for their defense as confidential documents.
- To receive a copy of the statement of reasons explaining the reasoning the binding decision that the European Data Protection Board (EDPB) intends to adopt, and to provide comments on the statement of reasons
For Complainants
The Proposal clarifies the rights of complainants and provides them notably with the rights:
- If a partial or full rejection of the complaint is being considered, the right to submit their views and to get access to the non-confidential version of the documents on which the proposed rejection of the complaint is based.
- To be informed of their right to challenge in court the decision rejecting their complaint.
- To receive a non-confidential copy the preliminary findings of LSA (including where relevant, a non-confidential version of documents included in the administrative file), and to provide written reply to these preliminary findings.
- If a partial or full rejection of the complaint is being considered, to receive a copy of the statement of reasons explaining the reasoning the binding decision that the European Data Protection Board (EDPB) intends to adopt and to provide comments on the statement of reasons.
For SAs
The Proposal sets out common rules to be followed when handling complaints and conducting investigations, notably:
- It introduces a harmonized complaint form and clarifies which information must be submitted along with the complaint form.
- It harmonizes the criteria to be taken in account when assessing the admissibility of a cross-border complaint and the timeframe within which a decision regarding such admissibility must be reached.
- It introduces the obligation for SAs to propose an amicable settlement to the parties when possible.
- It introduces the obligation for the LSA to regularly update the SAs concerned about the progress of the investigation and provide them with relevant information once available.
- It provides SAs concerned with the possibility to provide comments and raised disagreements on the assessment of the LSA.
- It introduces the possibility to request an urgent binding decision from the EDPB if no consensus can be reached between the LSA and the SAs concerned.
2. What Are the Next Steps?
The EU co-legislators, the Council and the Parliament, will now assess the Commission’s proposal and put forward their positions in order to reach an agreement on the final version of the text before it can be formally adopted. Once formally adopted, this new Regulation will enter into force immediately after publication in the Official Journal of the European Union.