The GDPR
The Regulation seeks to provide solutions to the lack of coordination between the various national authorities potentially competent under the Directive via the single-window mechanism established by Article 56. The “lead” supervisory authority is the only authority competent to monitor the activities of the controller or the processor carried out throughout the Union and to take the relevant decisions. The competence of the “lead” supervisory authority is specified in Article 56 of the Regulation, to which we refer.
Article 60 of the Regulation imposes on the “lead” supervisory authority the obligation to cooperate with the other supervisory authorities with a view to reaching a consensus in cases of potential debate on the designation of the competent supervisory authorities and, in particular, to exchange all useful information (paragraph 1). Such exchange of information must be carried out by electronic means, using a standard form (paragraph 10).
The lead supervisory authority may request at any time from the other “supervisory authorities concerned” the provision of mutual assistance in application of Article 61. According to Article 4 (22) of the Regulation, a supervisory authority may be concerned by the processing in three cases:
“a) the controller or processor is established on the territory of the Member State of that supervisory authority;
b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing;
or c) a complaint has been lodged with that supervisory authority.”
In addition, the lead authority may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State (Article 60, paragraph 2).
Recall that, as seen in the comments to Article 56, when a national authority other than the lead supervisory authority is nevertheless competent, by application of the second paragraph of Article 56, to handle a claim lodged with it, it should inform the lead supervisory authority. Within a period of three weeks after being informed, the lead supervisory authority shall decide whether it will handle the case itself or whether the authority that informed it should handle the case at local level.
In the case where the lead supervisory authority decides to handle the case, paragraph 3 of Article 60 shall apply. This provision requires the lead supervisory authority to communicate “without delay” the useful information on the matter to the other supervisory authorities concerned. The supervisory authority shall also submit without delay a draft for a decision to the other supervisory authorities concerned in order to obtain their opinion and take due account of their views.
The other supervisory authorities have the ability to raise objections to the draft decision within a period of four weeks (paragraph 4). In the absence of response within the time limits set by the provision, the other supervisory authorities shall be deemed to have approved the draft for a decision and shall be bound by it (paragraph 6).
The lead supervisory authority shall, if it does not follow the “relevant and reasoned” objection provided by any other supervisory authority, submit the matter to the consistency mechanism referred to in Article 63 (4). The relevant and reasoned objection is defined in Article 4 (24) of the Regulation as “an objection as to whether there is an infringement of this Regulation, or, as the case may be, whether envisaged action in relation to the controller or processor complies with this Regulation. The objection shall clearly demonstrate the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.”
In this case, the European Data Protection Board must make a binding decision on all aspects of the said objection and must in particular consider whether there is a violation of the Regulation (see Article 65 (1) (a)).
Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. They will have a period of two weeks to provide their opinion. In this case, the procedure provided for in paragraph 3 shall apply (Art. 60, (5)).
At the end of this procedure, the lead supervisory authority shall adopt the decision and communicate it to the main establishment of the controller or the processor and shall inform the other supervisory authorities concerned, as well as the European Data Protection Board, making sure to include a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant of the decision (paragraph 7).
Where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof (paragraph 8).
In the case of a mixed decision, i.e., where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. In this case, the allocation of competences shall be as follows:
- the lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, and
- the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof (paragraph 9).
The controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union (paragraph 10). The controller or processor shall notify the lead supervisory authority of the measures taken for complying with the decision, then shall also inform the other supervisory authorities concerned.
Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply (Article 60 (11)). This provision authorises the relevant supervisory authority to adopt without delay temporary measures with a limited legal scope within the territory of its Member State.
The Directive
The Directive only provides that the supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information. However, no provision of the Directive regulates the modes of cooperation between the national supervisory authorities.
The absence in the Directive of any obligation of coordination on the national supervisory authorities has led to many problems for companies that operate on a transnational level and face the application of different national legislations.
Potential issues
The implemented procedure seems highly complex and will lead to considerable work for the authorities concerned, who may often have to deal with the same case. Concomitant action by two separate authorities according to the nature of the decision (rejection or admission) is more likely to cause confusion for the complainant and concerned controllers/subcontractors who may no longer know who their interlocutor is.
European Union
European data protection board (EDPB)
Guidelines on the application of Article 60 GDPR - 2/2022 (14 March 2022)
With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments of the controller or processor on their territory or through complaints from their residents against these processing activities. Indeed, data subjects should be able to easily pursue their data protection rights and should be able to complain to a supervisory authority at their place of habitual residence. This supervisory authority also remains the contact point for the complainant in the further course of the complaint-handling process. In order to meet all these requirements, Article 60 GDPR regulates the cooperation procedure between the lead supervisory authority and the other supervisory authorities concerned. These guidelines handle the interactions of the supervisory authorities with each other, with the EDPB and with third parties under Article 60 GDPR. The aim is to analyse the cooperation procedure and to give guidance on the concrete application of the provisions.
General considerations
A common understanding of the terms and basic concepts is a prerequisite for the cooperation procedure to run as smoothly as possible. Firstly, the guideline states that:
- the cooperation procedure applies in principle to all cross-border processing cases,
- the lead supervisory authority is primarily responsible for handling such cases, without being empowered to ultimately decide on its own, and that
- the cooperation procedure does not impact the independence of the supervisory authorities, which retain their own discretionary powers within the framework of cooperation. It is recalled that the effects of national procedural regulations must not lead to limiting or hampering the cooperation under the GDPR.
Structure and Content of the guidelines
These guidelines are based on the requirements of Article 60 and clarify paragraph by paragraph the conditions arising from the regulation itself and its practical implementation. In the context of Article 60(1) GDPR, it is established that the principles to be observed throughout the whole cooperation procedure are mutual obligations. It is stressed that while the achievement of consensus among the SAs is not an obligation, the endeavour to reach an agreed consensual decision is an overarching objective to be achieved through a mutual and consistent exchange of all relevant information. This exchange of information is obligatory for all CSAs, including the LSA. The meaning of "relevant" in this context is further clarified through examples. In terms of timeliness, the paper recommends sharing the relevant information proactively and as quickly as possible. Lastly, the possibility to use informal means of communication to reach consensus is recalled. The following section on Article 60(2) GDPR addresses the situation of the LSA requesting CSA(s) to provide mutual assistance pursuant to Article 61 GDPR and conducting joint operations pursuant to Article 62 GDPR and provides guidance on the specifications of these instruments in the context of an ongoing cooperation procedure.
The paper addresses the process of the submission of the draft decision under Article 60(3) GDPR. It highlights that the LSA has to act proactively and as quickly as possible and that the CSAs should be able to contribute to the overall procedure, also before the creation of the draft decision (e.g. exchange of information). In addition, the LSA is required to submit a draft decision to the CSAs in all cases of cross border processing.
The sections on Article 60(4)-(6) GDPR outline the different scenarios that follow the submission of a draft decision by the lead supervisory authority and thus provide a consistent approach to the procedure between the submission of a (revised) draft decision and either the triggering of the binding effect in the absence of relevant and reasoned objections or the submission to the dispute resolution procedure. The guidelines also recognise the possibility for the LSA to adapt and resubmit the draft decision submitted under Article 60(4) GDPR prior to the expiry of the four-week period, provided that new factors or considerations justify such adaptation and that their importance is fairly balanced against the expediency of the cooperation procedure. In addition, it is specified that there may be multiple revised decisions but only in cases where it is likely to reach a consensus due to substantive convergence between the LSA and other CSA(s). This is followed by the analysis of the different scenarios after the (revised) draft decision has become binding on the lead supervisory authority and the supervisory authorities concerned. It is clarified which supervisory authority has to adopt the final national decision pursuant to Article 60(7)-(9) GDPR on the basis of the draft decision that has become binding and which supervisory authority has to notify the controller/processor or the complainant. In this context, the distinction between notifying and informing is also addressed.
Furthermore, the guidelines address the important distinction between situations that constitute a dismissal/rejection of a complaint, with the consequence that the complaint-receiving SA adopts the final decision, and situations in which the lead supervisory authority acts on the complaint in relation to the controller, with the consequence that the lead supervisory authority adopts the final decision. In this context, it is highlighted that terms of EU law not making express reference to member state law must normally be given an autonomous and uniform interpretation. The following section outlines the duties of the controller or processor to ensure that processing activities in all its establishments are in compliance with the final decision (Article 60(10) GDPR). The last section addresses the specific requirements of the application of Article 66 GDPR (Urgency Procedure) in the course of an ongoing cooperation procedure (Article 60 (11) GDPR). A quick reference guide annexed to the guidelines is intended to give practitioners in the supervisory authorities a quick overview of the procedure and to illustrate the complex procedure.
Guidelines on relevant and reasoned objection under Regulation 2016/679 - 9/2020 (9 March 2021)
Within the cooperation mechanism set out by the GDPR, the supervisory authorities (“SAs”) have a duty to “exchange all relevant information with each other” and cooperate “in an endeavour to reach consensus”. This duty of cooperation applies to every stage of the procedure, starting with the inception of the case and extending to the whole decision-making process. The achievement of an agreement on the outcome of the case is therefore the ultimate goal of the whole procedure established by Article 60 GDPR. In the situations in which no consensus is reached among the SAs, Article 65 GDPR entrusts the EDPB with the power to adopt binding decisions. However, the exchange of information and the consultation among the Lead Supervisory Authority (“LSA”) and the Concerned Supervisory Authorities (“CSAs”) often enables an agreement to be reached at the early stages of the case.
According to Article 60(3) and (4) GDPR, the LSA is required to submit a draft decision to the CSAs, which then may raise a relevant and reasoned objection within a specific timeframe (four weeks). Upon receipt of a relevant and reasoned objection, the LSA has two options open to it. If it does not follow the relevant and reasoned objection or is of the opinion that the objection is not reasoned or relevant, it shall submit the matter to the Board within the consistency mechanism. If the LSA, on the contrary, follows the objection and issues the revised draft decision, the CSAs may express a relevant and reasoned objection on the revised draft decision within a period of two weeks.
When the LSA does not follow an objection or rejects it as not relevant or reasoned and therefore submits the matter to the Board according to Article 65(1)(a) GDPR, it then becomes incumbent upon the Board to adopt a binding decision on whether the objection is “relevant and reasoned” and if so, on all the matters which are the subject of the objection.
Therefore, one of the key elements signifying the absence of consensus between the LSA and the CSAs, is the concept of “relevant and reasoned objection”. This document seeks to provide guidance with respect to this concept and aims at establishing a common understanding of the notion of the terms “relevant and reasoned”, including what should be considered when assessing whether an objection “clearly demonstrates the significance of the risks posed by the draft decision” (Article 4(24) GDPR).
Article 4(24) GDPR defines “relevant and reasoned objection” as “an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union”.
This concept serves as a threshold in situations where CSAs aim to object to a (revised) draft decision to be adopted by the LSA under Article 60 GDPR. As the unfamiliarity surrounding “what constitutes relevant and reasoned objection” has the potential to create misunderstandings and inconsistent applications by the supervisory authorities, the EU legislator suggested that the EDPB should issue guidelines on this concept (end of Recital 124 GDPR).
In order to meet the threshold set by Article 4(24) GDPR, a submission by a CSA should in principle explicitly mention each element of the definition in relation to each specific objection. Therefore, the objection aims, first of all, at pointing out how and why, according to the CSA, the draft decision does not appropriately address the situation of infringement of the GDPR, and/or does not envision appropriate action towards the controller or processor in the light of the demonstration of the risks that such draft decision, if left unchanged, would entail for the rights and freedoms of data subjects and for the free flow of personal data in the Union, where applicable. An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by other clear indications, and showing why such issues are to be deemed “relevant” as further explained below. The proposals for amendments put forward by the objection should aim to remedy these potential errors.
Indeed, the degree of detail of the objection and the depth of the analysis included therein may be affected by the degree of detail in the content of the draft decision and by the degree of involvement of the CSA in the process leading to the draft decision issued by the LSA. Therefore, the standard of “relevant and reasoned objection” is grounded on the assumption that the LSA’s obligation to exchange all relevant information is complied with, allowing the CSA(s) to have an in-depth understanding of the case and therefore to submit a solid and well-reasoned objection. To this end, the need for each legally binding measure of SAs to “give the reasons for the measure” (see Recital 129 GDPR) should also be kept in mind. The degree of involvement of the CSA by the LSA in the process leading to the draft decision, if it leads to an insufficient knowledge of all the aspects of the case, can therefore be considered as an element to determine the degree of detail of the relevant and reasoned objection in a more flexible way.
The EDPB would first like to emphasise that the focus of all SAs involved (LSA and CSAs) should be on eliminating any deficiencies in the consensus-finding process in such a way that a consensual draft decision is the result. Whilst acknowledging that raising an objection is not the most preferable tool to remedy an insufficient degree of cooperation in the preceding stages of the one-stop-shop proceeding, the EDPB nevertheless acknowledges that it is an option open to CSAs. This would be a last resort to also remedy (alleged) deficiencies in terms of CSAs’ involvement by the LSA in the process that should have led to a consensus-based draft decision, including as regards the legal reasoning and the scope of the investigations carried out by the LSA in respect of the case at hand.
The GDPR requires the CSA to justify its position on the LSA’s draft decision by submitting an objection that is “relevant” and “reasoned”. It is crucial to bear in mind that the two requirements, “reasoned” and “relevant”, are to be deemed cumulative, i.e. both of them have to be met. Consequently, Article 60(4) requires the LSA to submit the matter to the EDPB consistency mechanism when it is of the opinion that the objection does not meet at least one of the two elements.
The EDPB strongly advises the SAs to raise their objections and exchange information through the information and communication system set up for the exchange of information among SAs. They should be clearly marked as such by using the specific dedicated functions and tools.
Article 29 Working Party
Guidelines for identifying a controller or processor’s lead supervisory authority
(Approved by EDPB)
European Union
CJEU caselaw
C-230/14 (1 October 2015) - Weltimmo
1. Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.
In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.
By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.
2. Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.
3. Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).