The EDPB (European Data Protection Board) has published guidelines on the process for resolving disputes under data protection law.
It hopes its advice will “clarify the application of the relevant provisions of the GDPR (General Data Protection Regulation)” while emphasising the EDPB’s competence in the final binding decision.
The guidelines relate to Article 65(1)(a) of the GDPR, which contains the dispute resolution mechanism in cases involving cross-border processing of personal data.
It states that the EDPB must issue a binding decision when there are conflicting views among LSAs (lead supervisory authorities) and CSAs (concerned supervisory authorities) in individual cases.
Specifically, the mechanism applies when the LSA issues a draft decision and receives objections from CSAs that it either does not follow or deems not relevant and reasoned.
This often relates to the merits of a complaint and whether the organisation in question has breached the GDPR. However, conflicts can also arise in how to address compliance failures, with enforcement action and fines often being questioned.
When will this apply?
The EDPB’s guidance states that any binding decision it makes will relate only to matters that are the subject of the relevant and reasoned objection. As a result, the first part of the process will be to assess whether an objection meets those criteria, as set out in Article 4(24) of the GDPR.
This might refer to any specific infringement of the GDPR that “clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union”.
Elsewhere, the guidelines clarify the applicable procedural safeguards and remedies for disputes in line with the relevant provisions of the Charter of Fundamental Rights of the European Union, the GDPR and the EDPB Rules of Procedure.
The guidance addresses the right to be heard, the right of access, and the duty for the EDPB to provide justifications for its decisions.
In addition, the guidelines don’t apply to dispute resolutions by the EDPB in cases where there are conflicting views on which supervisory authority is competent for the main establishment, as outlined in Article 61(1)(b) of the GDPR.
Likewise, they don’t apply to dispute resolutions when a competent supervisory authority does not request the opinion of the EDPB in the cases referred to in Article 64 or doesn’t follow the EDPB’s opinion under Article 64.
What does this all mean?
The publication of these guidelines is the latest move towards greater clarity in the way the GDPR is interpreted and enforced.
In the five years since the Regulation took effect, regulators have had to overcome many obstacles. Until recently, fines have been slow to arrive, there have been countless appeals and supervisory authorities have been overrun by complaints.
These sorts of challenges are natural for a piece of legislation with such a broad material and territorial scope. This has meant that regulators have focused on compliance guidance for organisations as they get to grips with the new rules, with comparatively few fines being handed out.
As Andrea Jelinek, the chair of the EDPB, told a recent panel discussion at the IAPP 2023 Global Privacy Summit:
When we started from scratch we had to give guidance because everyone wanted to have guidance because the elephant in the room in 2018 was the GDPR. Everybody was thinking now it’s done. No, it was the start of a really big journey.
But with the teething stage out of the way, there is now a greater emphasis on enforcement. In the same discussion, Jelinek said that organisations now “have to show that they’re compliant and if they’re not, they will be fined”.
The EDPB’s guidance smooths out the regulatory investigation process and is intended to create a consistent and effective way of handling disputes that arise during it.
For organisations, this guidance should be taken as a sign that they must maintain discipline with GDPR compliance. It’s becoming increasingly hard to get away with lax practices, because investigations are proceeding faster and enforcement action is more regular.
You must therefore ensure that you implement and maintain appropriate data protection measures. If you’re looking for tips or advice on how to do that, IT Governance is here to help. We have been at the forefront of GDPR compliance solutions since its inception.
In the past five years:
- More than 4,000 people have taken our GDPR training courses;
- We’ve delivered GDPR staff awareness training to more than 78,000 people;
- We’ve provided GDPR consultancy to more than 750 organisations; and
- Hundreds of organisations have bought our GDPR books, documentation templates and toolkits.
If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need.