Bultenler

European Commission Adopts New Rules to Ensure Stronger Enforcement of the GDPR in Cross-Border Cases

On 4 July 2023, the European Commission (“Commission”) proposed new rules to support the effectiveness and efficiency of enforcement of the General Data Protection Regulation (“GDPR”) in cross-border cases.

The GDPR Procedural Regulation aims to streamline cooperation between data protection authorities (“DPAs”) by harmonizing some aspects of their administrative procedures in cross-border cases.

The new Regulation will set up concrete procedural rules for the authorities when applying the GDPR in cases that affect individuals located in more than one Member State.

For individuals, the new rules will clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process. For businesses, the new rules will clarify their due process rights when a DPA investigates a potential breach of the GDPR.

The rules will therefore bring swifter resolution of cases, meaning quicker remedies for individuals and more legal certainty for businesses. For data protection authorities, the new rules will smoothen cooperation and enhance the efficiency of enforcement.

This new Regulation presents detailed rules for supporting the smooth functioning of the cooperation and consistency mechanism established by the GDPR, harmonizing rules in the following areas:

  • Complainants Rights: The proposal aims to standardize the criteria for accepting cross-border complaints, eliminating the current challenges posed by different rules followed by DPAs. It establishes common rights for complainants to be heard, even if their complaints are partially or fully rejected. The proposal outlines rules for their involvement when a complaint is being investigated.
  • Parties under Investigation (Controllers and Processors) Rights: The proposal grants the parties being investigated the right to be heard at crucial stages of the procedure, including during dispute resolution by the European Data Protection Board (“EDPB”). It also clarifies the contents of the administrative file and the parties' access rights to it.Streamlining Cooperation and Dispute Resolution: Under the proposal, DPAs will have the ability to provide their perspectives early in investigations and utilize the various cooperation tools provided by the GDPR, such as joint investigations and mutual assistance. These provisions will strengthen the influence of DPAs in cross-border cases, facilitate the early establishment of consensus during investigations, and reduce disagreements later on.
  • The harmonization of these procedural aspects will promote the prompt completion of investigations and ensure that individuals receive swift remedies.

Answers to Questions Regarding Stronger Enforcement of the GDPR in Cross-Border Cases

The Commission's Procedural Regulation does not affect any substantial elements of the GDPR, such as the rights of data subjects, the obligations of data controllers and processors or the lawful grounds for processing personal data as set by the GDPR.

In its 2020 report on the application of the GDPR, the Commission found that procedural differences applied by DPAs hinder the smooth and effective functioning of the GDPR's cooperation and dispute resolution mechanisms in cross-border cases (i.e. when there are complainants located in more than one Member State).

Also the Regulation fully maintains and supports this system, where individuals and organisations can deal with their local/lead DPA. Individuals reap the benefits of the ‘one-stop-shop' system every day, by relying on their local DPA to protect their rights, no matter where the organisation processing their data is based. Businesses also benefit from the right to deal with a single Data Protection Authority.

The GDPR is enforced by independent national DPAs, as well as national courts. In cases that involve cross-border processing of personal data (processing that takes place or substantially affects data subjects in more than one Member State) the GDPR's ‘one-stop-shop' enforcement system applies. In such cases, the DPA where the entity under investigation is established conducts the investigation in cooperation with other relevant DPAs.

The proposal introduces additional steps in the cooperation between DPAs to facilitate early consensus-building and to reduce disagreements later in the process which would require the use of the dispute resolution mechanism.

Early in an investigation, the lead DPA must send a ‘summary of key issues' to their counter-parts concerned in the EU. This summary identifies the main elements subject to investigation and the lead DPA's views on the case. This will ensure that the DPAs concerned have all the necessary information to provide their views on the case at an early stage.

The proposal harmonises the elements which must be provided by complainants in cross-border cases. The DPA that receives a complaint should be responsible for determining its admissibility.

The proposal also ensures that complainants will have the same procedural rights in cross-border cases regardless of where the complaint is lodged or which DPA leads the investigation, such as the right to be heard before a decision fully or partially rejecting a complaint, will be adopted.

The regulation recognizes the usefulness of amicable settlements by DPAs, which provide speedy resolution.

Under the new rules, parties under investigation will have the right to be heard at key stages in the procedure, including during dispute resolution by the EDPB. It also clarifies the content of the administrative file and the parties' rights of access to the file.

You can reach further information here.

You can reach Q&A here.

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr