Regulation

To show that the broader concepts can also be turned into a real-life Regulation we have developed a Draft Regulation.

While it is by no means perfect or final, the draft lays down options for harmonised rules relating to procedural aspects of the cooperation between supervisory authorities and the enforcement of the GDPR.

Article 4 – Determination of roles of supervisory authorities[31]

Chapter II – General Provisions

  1. Any supervisory authority may declare itself a lead supervisory authority in accordance with Article 56(1) GDPR, if the criteria are fulfilled at the time of the opening of a procedure.[32]

  2. Any supervisory authority may declare itself to be a supervisory authority concerned in accordance with Article 4(22) GDPR. The other supervisory authorities grant it all rights as a supervisory authority concerned from the moment of this declaration.

  3. Declarations under paragraphs 1 and 2 must be shared with all parties to the procedure and all supervisory authorities within two weeks.

  4. Supervisory authorities are assumed to be the lead supervisory authority until another supervisory authority or the parties to the procedure challenge the declaration in accordance with Article 65(1) GDPR. Parties to the procedure must challenge that status within two weeks from receiving the declaration before the Board or Cooperation Committee.[33]

Article 5 – Applicable Procedural Law


  1. Without prejudice to this Regulation, the applicable national procedural law of the supervisory authority governs all direct interaction between that supervisory authority and the parties before it.[34] Applicable national procedural law may not hinder residents of other Member States from fully participating in procedures.[35]

  2. Any complainant has a right to communicate solely with the supervisory authority that a complaint was lodged with under Article 77 GDPR.[36]

  3. The GDPR and this Regulation govern all interaction between supervisory authorities of different Member States within the scope of this Regulation.

  4. The interaction and sharing of information between supervisory authorities as well as the supervisory authorities and the Board shall be neither restricted nor prohibited by national law. Cooperation under the GDPR and this Regulation may not be limited, delayed or denied based on differences in national procedural laws.[37]

Article 6 – Minimal procedural Guarantees


  1. Without prejudice to additional rights under relevant national law that go beyond the following provisions, all parties to the procedure have at least the right to:[38]

    (a) have his or her affairs handled impartially and fairly, ensuring that all parties to the procedure are treated equally,[39] even if they are before different supervisory authorities;

    (b) be heard before any measure that adversely affects the party is taken,[40] including the decision to close, dismiss or reject a complaint;[41]

    (c) have access to all files of the procedure,[42] including all evidence, submissions or other communication[43] between the other parties and a supervisory authority that concern the procedure, no later than two weeks after their occurrence; and

    (d) receive a legally binding decision within a reasonable time as specified under applicable national law, but no later than six months from the opening of the proceedings.[44]

  2. To ensure the principle of equality in paragraph 1(a) is upheld,[45] supervisory authorities must inform each other about all steps of the procedure and shall grant all procedural rights that go beyond the rights under this Regulation and national procedural law, if parties before another supervisory authority are granted such rights.

  3. Supervisory authorities may limit the rights referred to in paragraph 1 in accordance with the national procedural law applicable in relation to a party receiving the information, to protect legitimate interests of confidentiality and trade secrets of others. Supervisory authorities may only take strictly proportionate measures, such as redacting specific parts of documents or other information. Supervisory authorities must always inform the parties about the existence of redacted information and issue a reasoned decision for any limitation.[46]

Article 7 – Cooperation between supervisory authorities


  1. The lead supervisory authority shall coordinate and manage the procedure in accordance with the GDPR, this Regulation and its applicable national procedural law.[47] It shall manage each procedure in cooperation with the concerned supervisory authorities and comply with any request from them.

  2. The lead supervisory authority shall take all necessary steps and structure the procedure in an efficient and expedient way, ensuring that the GDPR is fully enforced.[48] It shall include all information regarding the case in a case file.[49]

  3. The lead supervisory authority shall provide instant access to the case file to the concerned supervisory authorities. Relevant information must be added to the case file without undue delay, but no later than one week from the moment that the lead supervisory authority received such information.

  4. When divergent views are to be expected,[50] the lead supervisory authority shall initiate an exchange with all concerned supervisory authorities with an aim to reach an early consensus.

  5. Supervisory authorities shall use their powers under Articles 60 to 66 GDPR and Articles 19 and 20 of this Regulation in the case of inactivity of another supervisory authority, if this is necessary to ensure compliance with this Regulation and the GDPR.[51]

  6. Any supervisory authority which receives relevant information for a procedure shall, without delay, provide any relevant information to the lead supervisory authorities concerned, but no later than one week from the moment that it received such information.

  7. Any written exchange or decision by the supervisory authorities shall use a concise, transparent, intelligible and easily accessible form, using clear and plain language.[52]

  8. Each supervisory authority shares relevant information in the original format and language and provides a translation into a language the lead supervisory authority accepts. The parties shall be provided with the original and a translation into the language of the national procedure.[53]

  9. An automated translation is sufficient, if a supervisory authority certifies that the translation does not materially depart from the original.[54] The Board shall provide automated and manual translation services to the supervisory authorities.

Article 8 – Expedited Procedure[55]


  1. A lead supervisory authority can decide to conduct an expedited procedure if:

    (a) The procedure does not concern novel or unclear legal issues, especially because there is existing European case law, Board decisions under Article 65 GDPR, or Board guidelines under Articles 64 or 70(1)(d) to (k) GDPR on these legal questions; and

    (b) the supervisory authority does not intend to depart from them; and

    (c) the facts and circumstances of the case are likely established without the need to exercise powers under Article 58(1)(b) and (f) GDPR.

  2. In the event that the conditions of paragraph 1 no longer apply, the lead supervisory authority shall continue the procedure without relying on the procedure under this Article.

  3. During the expedited procedure the supervisory authority may:

    (a) [Example: solely translate the legally binding decision or any other form of termination of the procedure]

    (b) [Example: adopt its decision based solely on the complaint and the response of the respondent]

    (c) [Example: not hear the party that wins the case]

    (d) [Example: use forms / an EU online system to communicate with the parties]

  4. The lead supervisory authority shall decide whether to make use of the expedited procedure within one month from the initiation of proceedings and inform all concerned supervisory authorities about this decision within one week. The concerned supervisory authorities shall inform the parties to the procedure before them about the decision under paragraph 1 or 2 within one week from receiving the notification from the lead supervisory authority.

  5. Member States may provide for limitations of requirements under national procedural law for expedited procedures.

Article 9 – Procedures of special relevance[56]


  1. A lead supervisory authority can declare a procedure to have special relevance, if:

    (a) it concerns a large number of data subjects in more than one Member State, but likely at least one percent of the population of any Member State; and

    (b) it concerns novel or unclear legal issues, especially because there is no, or no consistent, existing European case law, Board decisions under Article 65 GDPR or Board guidelines under Articles 64 or 70(1)(d) to (k) GDPR on these legal questions.

  2. The following provisions apply to such procedures:

    (a) The periods within Articles 60, 65 and 66 of the GDPR and Chapter III, IV and V of this Regulation may be extended for the same period of time only once.

    (b) The lead supervisory authority may request resources from other Supervisory Authorities, the Board and the Secretariat. The Board shall provide these resources, as far as possible.

  3. The lead supervisory authority must notify all supervisory authorities of a declaration under paragraph 1. Following the receipt of the notification, the concerned supervisory authorities shall inform the parties to the procedure before them within one week about the declaration of special relevance.

  4. Member States may provide specific requirements under national procedural law for procedures of special relevance.

Article 10 – Relationship between multiple procedures


In accordance with applicable national law, competent supervisory authorities may join or separate procedures that affect the same subject matter and the same respondents. The existence of other procedures that affect the same subject matters and the joining or separation of such procedures may not undermine or limit party rights under Article 6 of this Regulation.[57]

[31] The Regulation would need some structure to define who is an LSA and a CSA in each procedure. We have situations of “positive” and “negative” conflicts, where several SAs want to be LSA or none wants to be one. This must be determined at the very start. There are LSAs, CSAs and “other SAs” (that are neither LSA nor CSA). Requiring positions to be taken and allowing issues to be raised early seems useful. At the same time, this can start very lengthy discussions about decision structures of controllers and their “main establishment”, so it may be reasonable to confine the decision to the information available at the time and not allow new investigations to be started without good reason.

[32] Currently, according to EDPB Opinion 8/2019, jurisdiction shifts with any change in company structure or decision-making patterns. The GDPR so far does not specify the relevant time for determining the LSA. Especially in the tech industry, products, start-ups and the like are rather fluid, leading to cases that need to be restarted over and over again. It is also likely that the Member State SA that is located at the main establishment at the time of a violation is best placed to investigate factual matters. Enforcement in other Member States should be allowed in accordance with the provisions on enforcement below.

[33] A short deadline could increase legal certainty for the rest of the procedure.

[34] Statement of the obvious, but still a matter of debate with some SAs.

[35] Some SAs require e.g. national ID cards or other elements as the sole way to communicate with them, which makes access for other EU citizens virtually impossible.

[36] Equivalent to Article 56(6) GDPR for the controller/processor. Written as a “right” to also allow talking directly to the LSA on a voluntary basis.

[37] Some SAs limit cooperation, as they do not find the procedural law of another SA equivalent. Similar to Article 1 GDPR, that foresees the free flow of data, this Regulation should prohibit any such limita

[38] This Article is based on Article 41 CFR, with some additional specifications.

[39] See Article 20 CFR (equality), further defined in paragraph 2 below.

[40] Article 41 CFR

[41] To further define what “adversely affected” can mean in GDPR procedures.

[42] Article 41 CFR (“every person to have access to his or her file”)

[43] This would also include oral communication, to capture “off record” oral exchanges.

[44] This would also apply to ex officio cases and also give a right to controllers and processors to have a case decided and not be subject to “endless” investigations. However, such a right can also lead to delay tactics to have the SA run out of time.

[45] This provision would require “leveling up” if one SA grants a party extra rights that are not foreseen in this Regulation or the GDPR. By “leveling up”, the fairness of the procedure (“equality of arms”) is maintained.

[46] Article 41 CFR: “the right of every person to have access to his or her file, while respecting the legitimate interests of confidentiality and of professional and business secrecy;” Maybe refer to: Directive (EU) 2016/943 on the protection of know-how and trade secrets. Regulation (EC) No 1049/2001 has very wide definitions such as “commercial interests”, which seems reasonable if freedom of information is balanced with commercial interests, while the right to be heard and have access to files by a party may require a more limited exception than freedom of information.

[47] By default the LSA law defines the procedure.

[48] Some high level principles, as can be found in various national procedural laws.

[49] The “case file” should include all information. It is later referred to as the documents that need to be shared.

[50] EDPB Guidelines 2/2020, para 94.

[51] This would add an obligation by authorities to take action if their counterparts are not taking action, to ensure that the parties must not travel to another Member

[52] Guidelines 2/2020, Para 109 – combined with existing wording from Article 12(1) GDPR. Could be expanded to all exchanges. Should make translations simpler too.

[53] Also providing originals allows the parties to understand the documents (e.g. when the Member States use the same language) or to ensure that the translations are correct.

[54] This could deal with the de facto practice, even if it seems unclear if this is acceptable from an access to documents perspective. Especially Member States with smaller language groups may suffer from limited quality of automated translations. The fact that SAs must certify that the translation is correct would maybe form a middle ground between efficiency and quality.

[55] The expedited procedure could include some shortcuts and limitations of steps for “clear cut” cases, such as unanswered SARs, no response on the exercise of other GDPR rights and the like.

[56] Cases that have huge significance could get more time and resources under the Regulation.

[57] This should prevent “ex officio” procedures from blocking complaints procedures and/or the core of complaints from being outsourced into an “ex officio” procedure, without the complainant being heard.