Regulation

To show that the broader concepts can also be turned into a real-life Regulation, we have developed a Draft Regulation.

While it is by no means perfect or final, the draft lays down options for harmonised rules relating to procedural aspects of the cooperation between supervisory authorities and the enforcement of the GDPR.

Article 1 – Objective

Chapter I – Subject Matter, Scope and Definitions

This Regulation lays down harmonised rules relating to procedural aspects of the cooperation between supervisory authorities and the enforcement of Regulation (EU) 2016/679 (“GDPR”).

Article 2 – Scope[1]

  1. This Regulation applies to procedures under the GDPR, whenever supervisory authorities of more than one[2] Member State are taking part in the procedure, as well as consequent judicial procedures.[3]

  2. The Regulation also applies to national procedures regarding obligations in Article 28 of this Regulation.[4]

  3. This Regulation does not prevent Member States from further specifying procedures.[5]

Article 3 – Definitions

For the purpose of this Regulation, definitions in the GDPR equally apply to this Regulation and:

  1. ‘National procedural law’ means the law applicable to the procedure of a supervisory authority;[6]

  2. ‘Filing supervisory authority’ means the supervisory authority concerned, in which the complaint has been lodged,[7] as defined under Article 4(22)(c) GDPR;

  3. ‘Lead supervisory authority’ means the supervisory authority that is competent to act according to Article 56 GDPR;

  4. ‘Party to the procedure’ means any natural or legal person that has procedural rights in a procedure under the relevant national procedural law,[8] including, at the very least, the complainants and respondents;

  5. ‘Complainant’ means any person who filed a complaint under Article 77 GDPR;[9]

  6. ‘Respondent’ means any entity against whom a complaint under Article 77 GDPR is filed, or against whom any ex officio procedure is undertaken;[10]

  7. ‘Complaints procedure’ means an adversarial[11] procedure determining a complaint under Article 77 GDPR;

  8. ‘Ex officio procedure’ means an investigation into the activities of a natural or legal person, public authority, agency or other body[12] initiated on a supervisory authority’s own volition under Article 57(1)(a) GDPR;

  9. ‘Scope of a procedure’ means all matters that must be determined in the course of a specific procedure in accordance with the applicable national law;[13]

  10. ‘Handling of a complaint’ means all actions by the supervisory authorities until a legally binding decision on a complaint is reached;[14]

  11. ‘Relevant information’[15] means all information held by a supervisory authority that could affect[16] a procedure or the rights of the parties to the procedure, including all submissions, evidence or other information in the case file[17] and no matter the format of such information,[18] but not drafts and information by the authorities or the Board that form part of their internal decision process;[19]

  12. ‘Rejection of a complaint’[20] means the termination of a procedure under Article 77 GDPR through a negative legally binding decision on procedural grounds, such as inadmissibility of the complaint;

  13. ‘Dismissal of a complaint’[21] means the termination of a procedure under Article 77 GDPR through a negative legally binding decision on the substance of the complaint;

  14. ‘Closing of a complaint’[22] means the termination of a procedure under Article 77 GDPR for reasons that are neither a rejection nor a dismissal of the complaint;

  15. ‘Final authority decision’[23] means any final and formal determination over the scope of a procedure[24] by a supervisory authority, such as the rejection, dismissal or closing of a complaint or the decision or other end of an ex officio procedure, independent of whether this leads to a res judicata under national procedural law or not[25] and independent of it being a partial determination or a determination over the entire scope of the procedure;[26]

  16. ‘Procedural determination’[27] means any decision of a supervisory authority or the Board that does not lead to a final determination of matters within the scope of a procedure;

  17. ‘Enforceable decision’[28] means a legally binding decision that is enforceable under the law of the Member State in which it was issued;

  18. ‘Issuing State’ shall mean the Member State in which an enforceable decision was delivered;[29]

  19. ‘Executing State’ shall mean the Member State to which an enforceable decision has been transmitted for the purpose of enforcement;[30]

[1] The Regulation should only apply to cross-country procedures and not to purely national procedures (the bulk of cases). This makes sure that national procedural laws are not interfered with. It does not include cases under ePrivacy or, as in Directive (EU) 2016/680, the processing of personal data in criminal procedures.

[2] “More than one Member State” to exclude cases where there are multiple SAs in one Member State (e.g. Germany or Spain) and there may be national cooperation between SAs.

[3] As far as regulated below.

[4] There are certain elements that are not limited to cross-country procedures.

[5] Minimum harmonization.

[6] The procedural law that applies under national provisions (e.g. the VwVfG in Germany, the Data Protection Act 2018 and Common Law in Ireland and so on).

[7] Wording from Article 77(2) GDPR.

[8] There are countries with “amicus”, third parties with certain rights and the like. This provision should set a minimum standard (data subject, controller and/or processor) but should accept that there are further options under national law (e.g. a controller that is not really the right defendant, third parties with direct interests and the like).

[9] There is a need to define these roles independently from “data subject”, as whether a person is actually a “data subject” may be an element of the procedure. There are comments that e.g. if there are doubts about the fact that data is personal data, the party does not have standing, which would move this assessment to an early stage.

[10] Definition equally independent from “controller / processor” as the role under the GDPR may still be subject to the outcome of the procedure.

[11] May have different meanings in Member States. Should express that it is a procedure between the parties and not a regulatory (ex officio) procedure by an authority, independent of individual rights.

[12] Article 4(7) and (8) GDPR for the forms of entities under the GDPR.

[13] The national law where the case is initiated (see Article 5) shall determine the scope of the case. This allows filing SAs to ensure that the entire case is dealt with on a European level and avoids discussions about extending procedures at a later stage. It may be possible to rely on case law by the CJEU in the Brussels Regulation cases to determine the scope of procedures. It seems that the scope of procedures follows very different approaches in Member States.

[14] This definition of “handling” would ensure that each complaint must lead to an outcome (upheld, dismissed, rejected and closed) to ensure that cases are not just “handled” with a simple email saying that there is no action. The word “handling” in Article 78(2) GDPR is not further defined so far.

[15] From Article 60 GDPR, so far not defined.

[16] Some SAs so far exclude information that is before them, but that they did not consider for the decision. This may however be exactly the problem, if SAs should have considered such evidence to get to the correct conclusion. An abstract relevance test could fix this issue.

[17] The wording “case file”

[18] This should include oral (oral hearings, talks or phone calls between parties and the SAs), digital and analogue documents (that are e.g. only to be read physically at the location of the DPA e.g. in PL and BG).

[19] This could be aligned with Article 4(3) of the EU Regulations on access to documents 1049/2001, to the extent that the party rights (which are more relevant than public information rights) are not overriding such interests.

[20] From Article 60 GDPR, so far not defined.

[21] From Article 60 GDPR, so far not defined.

[22] Article 60 GDPR only knows positive or negative outcomes. “Closing” of cases is not foreseen in Article 60 GDPR, but makes up the bulk of all outcomes and is partly foreseen in national law (“amicable resolutions”, complaints withdrawn, cases that are declared “moot” and the like). Needs rules in this Regulation to ensure consistent handling of such situations.

[23] See if this can be replaced with “legally binding decision” as in Article 78(1) GDPR.

[24] The decision should always be linked to the scope of the procedure, to ensure that decisions do not go beyond the scope (SAs may still open an “ex officio” if they wish to go further) and the entire scope is dealt with.

[25] In some Member States, cases get “rejected” for formal reasons, but this still allows the case to be resubmitted at a later stage. In other cases, this may lead to a “res judicata”. The Regulation should leave the effect of a rejection to Member State law.

[26] In some Member States SAs may issue “partial decisions” for elements that are quick to decide as part of the SA’s case management. This should be reflected in the definition.

[27] There are many procedural decisions that only concern the management of the case. These decisions should be defined and fall under a different system than final material decisions of the SA. This differentiation is very common in Member State procedural law and makes it possible to limit fights during the course of the procedure.

[28] From Article 1(c) of Council Framework Decision 2005/214/JHA.

[29] From Council Framework Decision 2005/214/JHA on the enforcement of penalties.

[30] From Council Framework Decision 2005/214/JHA on the enforcement of penalties.