To show that the broader concepts can also be turned into a real-life Regulation we have developed a Draft Regulation.

While it is by no means perfect or final, the draft lays down options for harmonised rules relating to procedural aspects of the cooperation between  supervisory authorities and the enforcement of the GDPR.

Article 27 – Contents

Chapter VII – Legally binding decisions

  1. Without prejudice to additional requirements under national law, any legally binding decision shall be issued in writing, using a concise, transparent, intelligible form and clear and plain language.[79] It shall at least contain the following elements:[80]

    (a) the name of the supervisory authority which issued the decision;

    (b) the date of issue of the decision;

    (c) the relevant facts of the case;

    (d) the grounds for the decision;

    (e) the exercised corrective powers, penalties or other measures; and

    (f) information on the right of an effective remedy under Article 78 GDPR or any applicable national law.

  2. In a case where the legally binding decision must be issued by the filing supervisory authority in accordance with Articles 60(8) or (9) GDPR, the lead authority shall ensure that the decision contains all elements necessary under the applicable national law of the filing supervisory authority. The filing supervisory authority shall assist the lead supervisory authority in drafting the decision.[81]

  3. The information provided to the parties under Article 60(7) to (9) GDPR shall include a copy of the legally binding decision.

Article 28 – Transparency of legally binding decisions

Chapter VII – Legally binding decisions

  1. Supervisory authorities must publish all legally binding decisions without undue delay, but no later than three months after adoption,[82] unless they are not materially departing from previously published decisions.[83]

  2. In accordance with applicable law, supervisory authorities and the Board may:

    (a) redact party names and any other information that may allow identifying parties; and

    (b) redact other information that is legally protected under applicable law.

[79] Guidelines 2/2020, para 109, replaced with the wording of Article 12(1) GDPR.

[80] Ensuring that decisions are complying with minimal requirements.

[81] A decision from country A may simply not be 1:1 valid in country B, where the Court would review the decision issued by the DPA in Country B under the law of Country B. As an alternative a decision could be seen as fully compliant with Union law if certain minimal requirements are met – however this would likely get into conflict with national law.

[82] This should ensure transparency, but ensure legal certainty and deterrence.

[83] This would ensure that repetitive decisions do not have to be published.