Faster help for individuals – more legal certainty for businesses – better cooperation between authorities

UM – 07/2023

On 4 July, the European Commission adopted a Proposal for a Regulation laying down additional procedural rules for the enforcement of Regulation (EU) 2016/679 – the General Data Protection Regulation (GDPR). The harmonisation of procedural rules and legal clarifications are intended to facilitate the cooperation of national authorities in cross-border cases and to resolve disagreements more quickly. The reason is hiccups in the enforcement of the rules. These are not least due to the distribution of responsibilities, which leads to the different application of what is actually uniform law. This is particularly visible in cross-border cases.

Data protection should become better

The proposed regulations are aimed at individuals, companies and public authorities. For individuals, they clarify what documentation must be submitted when filing a complaint. For companies, the new rules clarify their fair trial rights. For data protection authorities, the new rules are intended to facilitate cooperation. The result is intended to ensure the smooth functioning of the cooperation and consistency mechanism introduced by the GDPR, and to improve data protection.

Cooperation and coherence procedures

According to this procedure, the concerned European supervisory authorities (in Germany, these can be federal and state data protection authorities) work together for a uniform application of the law (cooperation). The lead and sole point of contact under the one-stop principle is the authority of the country where a person or company acting across borders (the controller of the potential data breach) has its principal place of business.

The European Data Protection Board decides

If no consensus is reached at European level in the cooperation procedure on the question of which authority is the lead or, more commonly, on the draft decision, the coherence procedure, and here specifically the dispute settlement procedure, must be carried out. The most common case is where a concerned supervisory authority objects to a draft decision on a potential data protection breach and the lead supervisory authority disagrees. In this case, the decision is taken by the European Data Protection Board (EDPB), in which the European supervisory authorities, with one vote per Member State, and the European Data Protection Supervisor are entitled to vote. To the extent that an objection is successful, the lead supervisory authority is instructed to amend the draft decision accordingly. Formally, therefore, the procedure ends with the lead supervisory authority issuing its own, possibly adapted, decision to the controller.

More stringent dispute resolution

Since the entry into force of the GDPR, 711 final decisions have been taken this way and fines amounting to hundreds of millions of euros have been imposed. The figures should not obscure the fact that the joint dispute resolution process needs more clarity and stringency.


To this end, there should be common hearing rights for complainants when their complaints are rejected in whole or in part, as well as rules for their proper participation in the investigation process.


In addition, the data protection authorities should be able to comment on investigations earlier than before. This is to increase their influence on the investigation process and to promote early consensus building. Common deadlines are set for cross-border cooperation and dispute resolution.

 

The parties under investigation will have the right to be heard at important stages of the proceedings, including during the dispute resolution process by the EDPB. In addition, their rights to inspect files and the contents of the administrative file are specified.


The planned regulations do not change the GDPR. The rights of the data subjects as well as the obligations of the data controllers and processors shall remain unaffected.