PERSONAL DATA – European Commission proposal for new rules to strengthen application of GDPR in cross-border cases
Legal watch
26 July 2023
The new Regulation establishing additional procedural rules relating to the application of Regulation (EU) 2016/679 proposed by the European Commission on July 4, 2023 (“Regulation”) aims to streamline cooperation between data protection authorities (“DPAs”) when enforcing the General Data Protection Regulation (“GDPR”) in cross-border cases[1] .
The Regulation lays down procedural rules for the handling of complaints and the conduct of investigations, in complaint-based and ex officio cases by supervisory authorities in the cross-border enforcement of the GDPR.
The Regulation will include concrete procedural rules, including the obligation for the lead data protection authority to send a “summary of key issues” to its counterparts. This summary must include the main points covered by the investigation, as well as its opinion on the case.
This Regulation will:
- Reduce disagreements and facilitate consensus between authorities from the earliest stages of the process;
- Clarify the information that individuals need to provide when filing a complaint, and ensure that they are properly involved in the process;
- Clarify the procedural rights of companies when a DPA investigates a possible breach of the GDPR;
- Resolve cases more quickly (swifter remedies for individuals, legal security for businesses).
The Regulation provides rules to harmonize procedural rules in cross-border cases in the following areas:
- Rights of complainants:
- Harmonization of requirements for a cross-border complaint to be admissible, removing the obstacles arising from the different rules applied by DPAs;
- Common rights given to complainants ensuring them that they will be heard in the event that their complaints are rejected in whole or in part;
- If the complaint is investigated, the proposal governs the way in which they are involved in the investigation.
- Rights of parties under investigation (data controllers and data processors):
- Right to be heard at key stages of the procedure;
- Clarification of the administrative file and the parties’ right of access to it.
- Streamlining cooperation and dispute resolution:
- DPAs will be able to give their opinion at an early stage of investigations and make use of all the cooperation tools provided for by the GDPR (e.g., joint investigations, mutual assistance);
- The Regulation will increase influence of DPAs on cross-border issues (early consensus-building during the investigation and reduction of later disagreements);
- The Regulation details rules to facilitate swift completion of the GDPR dispute resolution mechanism and provide common deadlines for cross-border cooperation and dispute resolution.
[1] The notion of “cross-border processing” is defined in Article 4 (23°) of the GDPR and covers:
a. processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State;
b. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.