To show that the broader concepts can also be turned into a real-life Regulation we have developed a Draft Regulation.

While it is by no means perfect or final, the draft lays down options for harmonised rules relating to procedural aspects of the cooperation between  supervisory authorities and the enforcement of the GDPR.

Article 18 – European coordination committee

Chapter V – Cooperation

  1. The Board shall appoint one or more European Coordination Committees (“Coordination Committee”)[67] of three to five members. Members are part of secretariat under Article 75 GDPR. Members perform their tasks exclusively under the instructions of the Board and may only be discharged by the Board.[68]

  2. The Coordination Committee shall decide over disputes between supervisory authorities and necessary procedural determinations. In its rules of procedure, the Board may designate tasks under Articles 64(1) and 65 GDPR to the Coordination Committee.

  3. The decisions by the Coordination Committee shall be based on the information before it,[69] issued within one week, reasoned and addressed to the supervisory authorities. Decisions by the Coordination Committee are binding on the supervisory authorities and may be challenged by the parties only in the course of a remedy against a legally binding decision of the supervisory authorities or the Board.[70]

  4. The supervisory authorities shall not adopt a decision on the subject matter submitted to the Coordination Committee during the period under paragraph 3. The period of the decision process is not taken into account for deadlines under national law or in this Regulation.

Article 19 – Procedural determinations

Chapter V – Cooperation

  1. Proceedings against procedural determinations of the supervisory authorities must be brought with the remedy against the legally binding decision. Deadlines under applicable national law are delayed for that period.[71]

  2. Parties to the procedure may apply to the Coordination Committee to make a determination in the following cases:[72]

    (a) When a controller is established in the Union, but no supervisory authority declares itself as being the lead supervisory authority under Article 56 GDPR.

    (b) When a supervisory authority violates Articles 60 to 66 GDPR and this Regulation to the detriment of the parties.

    (c) When a complaints procedure is not determined within the deadlines under this Regulation.

  3. Concerned supervisory authorities may apply to the coordination committee to make a determination in any matter or dispute between supervisory authorities that must be determined to continue the procedure.

  4. Applications under paragraph 2 and 3 must be made within two weeks from the delivery of the procedural determination by a supervisory authority.[73]

Article 20 – Draft decisions and objections

Chapter V – Cooperation

  1. A draft decision must fulfill the requirements of a legally binding decision. Unless already included in the draft decision, the lead authority must provide the following information together with the draft decision:

    (a) A neutral summary[74] of the positions of the parties to the procedure and

    (b) the case file.

  2. A reasoned and relevant objection must contain:

    (a) the specific element  in relation to the infringement of the GDPR or the envisaged action that should be investigated,[75] changed, removed from or added to the draft decision

    (b) the reasons for this change; and

    (c) the significance of the risks under Article 4(24) GDPR.

  3. A significant risk under Article 4(24) GDPR is assumed if the supervisory authority declared itself to fall under Articles 4(22)(b) or (c) GDPR.[76]

  4. Within a period of four weeks, the lead supervisory authority shall either submit the matter to the consistency mechanism referred to in Article 63 or submit a revised draft decision under Article 60(5) GDPR.[77]

[67] Could be developed from existing enforcement sub group, but with permanent members that deal with procedural issues during the OSS procedure.

[68] Given that the committee oversees independent SAs (like the EDPB) the committee must also be self-governed by the SAs via the EDPB.

[69] This should limit the need to investigate matters further by the committee itself.

[70] This moves the option for legal redress to the end of the procedure and allows errors to “heal” in the meantime.

[71] Some Member States allow for “interlocutory” procedures (like “Judicial Reviews”), which would conflict with the timelines and the system for dealing with procedural issues under this Regulation. This proposed solution would ensure that the procedure under this Regulation can not be paused via national interlocutory procedures, while it would allow parties to bring these claims at a later stage by pausing the statute of limitation during the European procedure.

[72] This should be cases where the procedure gets “stuck” and no SA has an option or interest to start the procedure anew, such as negative competence conflicts (where two SAs take the view the other SA is in charge).[73] This should ensure quick legal certainty for the duration of the procedure.

[73] This should ensure quick legal certainty for the duration of the procedure.

[74] There should be a principle that the LSA may not argue their legal view, but rather represent the case in an utmost neutral and balanced way, so that other SAs have the full picture. Specific SAs have previously limited the summary to the points that supported their findings, but removed facts that would point in other directions.

[75] It seems useful if SAs must raise very specific changes (e.g. a specific fine or action) instead of rather generic criticism, as the objections form the scope of the Article 65 procedure and the LSA should be enabled to

[76] The Regulation could add an assumption to limit this barrier for CSAs, without amending the GDPR.

[77] Currently the GDPR does not foresee any deadlines.