Explanatory Memorandum to COM(2023)348 - Additional procedural rules relating to the enforcement of Regulation (EU) 2016/679



1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

Effective enforcement of EU data protection rules is a prerequisite to ensuring the protection of the right to protection of personal data enshrined in Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU).

Independent national data protection authorities (DPAs) have been tasked with enforcing Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR) since its entry into application in 2018. The ‘one-stop-shop’ decentralised enforcement system aims to ensure consistent interpretation and application of the GDPR while preserving the principle of proximity, where individuals have the possibility to contact their local DPA and receive an answer. This system requires cooperation between DPAs in ‘cross-border’ cases. In such cases, the ‘lead’ DPA (the DPA of the main establishment of the controller or processor under investigation) conducts the investigation, and is required to cooperate with other ‘concerned’ DPAs in an endeavour to reach consensus by engaging in a dialogue in a spirit of sincere and effective cooperation. The lead DPA must exercise its competence within a framework of close cooperation with DPAs concerned. Where DPAs are unable to reach consensus in a cross-border case, the GDPR provides for dispute resolution, on specific matters raised by so-called ‘relevant and reasoned objections’, by the European Data Protection Board (the Board), which is composed of the heads of the DPA of each Member State and the European Data Protection Supervisor and which includes the participation of the Commission.

In its report following two years of the application of the GDPR, the Commission noted that further progress was needed to make the handling of cross-border cases more efficient and harmonised across the EU. The report noted important differences in national administrative procedures and interpretations of concepts in the GDPR cooperation mechanism. In its resolution on the Commission’s 2020 report on the GDPR, the European Parliament urged the Commission to assess whether national administrative procedures hinder the full effectiveness of cooperation under Article 60 of the GDPR as well as its effective implementation. The European Parliament called on the Board to establish basic elements of a common administrative procedure to handle complaints in cross-border cases under the cooperation established under Article 60 of the GDPR. In 2020, the Board launched a reflection on improving cooperation between DPAs in cross-border cases culminating in the adoption of a statement on enforcement cooperation in April 2022 which committed to identify a list of procedural aspects that could be further harmonised in EU law. In October 2022 the Board transmitted this list to the Commission.

This proposal draws on the Commission’s 2020 report on the GDPR, the Board’s October 2022 list, and conclusions the Commission has drawn from monitoring the enforcement of the GDPR since its entry into application, from the GDPR Multi-stakeholder Expert Group and from the GDPR Member States Expert Group, as well as the comments the Commission has received in response to a Call for Evidence launched in February 2023. It is part of the Commission Work Programme 2023 (under the general heading “A new push for European Democracy”).

The consistent application of the GDPR depends on the effective functioning of the GDPR cross-border enforcement system. Procedural differences applied by DPAs hinder the smooth and effective functioning of the GDPR’s cooperation and dispute resolution mechanisms in cross-border cases. These differences also have important consequences for the rights of the parties under investigation and complainants (as data subjects). Ensuring the GDPR is enforced properly is a prerequisite for securing public trust in the broader digitalisation process and for guaranteeing a level playing field for all entities processing personal data.

The proposal aims to tackle problems in the following areas:

- Complaints: Complaints are an essential source of information for detecting infringements of data protection rules. DPAs have varying interpretations on requirements for the form of a complaint, the involvement of complainants in the procedure, and the rejection of complaints. For example: a complaint accepted by some DPAs could be rejected by others on the basis that it provides insufficient information; some DPAs afford complainants equal rights to the parties under investigation, while others do not include complainants or involve complainants to a very limited extent; some DPAs adopt a formal decision rejecting all complaints which are not pursued, while other DPAs fail to do so. These differences mean that the treatment of complaints and the involvement of complainants varies depending on where the complaint is lodged, or which DPA is the lead DPA for a given case. As a result, they delay the conclusion of the investigation and the delivery of a remedy for the data subject in cross-border cases. In its resolution on the Commission’s 2020 report on the GDPR, the European Parliament highlighted the need to clarify the position of complainants in the case of cross-border complaints.

- Procedural rights of parties under investigation: The rights of defence of parties under investigation constitute a fundamental principle of Union law to be respected in all circumstances, in particular in procedures which may give rise to high penalties. Given the potential severity of the penalties that may be imposed, parties under investigation for breaches of the GDPR must enjoy guarantees similar to those that are provided for in procedures of a penal character. The procedural rights of parties under investigation, such as the extent of the right to be heard and the right of access to the file, vary substantially across the Member States. The extent to which parties are heard, the timing of the hearing, and the documents that are provided to parties to enable them to exercise their right to be heard are elements on which Member States take varying approaches. These varying approaches are not always compatible with the procedure provided for in Article 60 GDPR, which rests on the presumption that the parties under investigation have exercised their due process rights before the draft decision is tabled by the lead DPA. When a case is submitted to the Board for dispute resolution, the extent to which the parties have been heard on the issues raised in the draft decision and the objections of DPAs concerned may vary. In addition, there is a lack of clarity on the extent to which parties under investigation should be heard during dispute resolution by the Board under Article 65 GDPR. Failure to guarantee the right to be heard may render the decisions of DPAs finding infringements of the GDPR more vulnerable to legal challenge.

- Cooperation and dispute resolution: The cooperation procedure in Article 60 GDPR is broadly sketched. In cross-border cases, DPAs are required to exchange ‘relevant information’ in an endeavour to reach consensus. Once the lead DPA submits a draft decision in the case, other DPAs have the opportunity to raise ‘relevant and reasoned objections’. These objections raise the possibility of dispute resolution (when they are not followed by the lead DPA). While the dispute resolution procedure in Article 65 GDPR is an essential element of ensuring consistent interpretation of the GDPR, it should be reserved for exceptional cases where sincere cooperation between DPAs has not yielded consensus. Experience in the enforcement of the GDPR in cross-border cases shows that there is insufficient cooperation between DPAs prior to the submission of a draft decision by the lead DPA. Lack of sufficient cooperation and consensus-building on key issues in the investigation at this early stage has resulted in the submission of numerous cases to dispute resolution.

There are disparities in the form and structure of relevant and reasoned objections submitted by DPAs concerned during the cross-border cooperation procedure. These differences hinder the efficient conclusion of the dispute resolution procedure and the inclusion of all DPAs concerned in the procedure, in particular DPAs of smaller Member States, which have fewer resources than the DPAs of larger Member States.

- The GDPR does not provide deadlines for various stages of the cooperation and dispute resolution procedure. In light of the varying complexity of investigations and the discretion of DPAs to investigate infringements of the GDPR, it is not desirable to prescribe deadlines for every stage of the procedure. However, the imposition of deadlines where appropriate will help prevent undue delay in the completion of cases.

The proposal aims to address these issues by specifying procedural rules for certain stages of the investigation process in cross-border cases, thereby supporting the smooth functioning of the GDPR cooperation and dispute resolution mechanisms. In particular, the proposal tackles the problems identified above in the following ways:

- Form of complaints and position of complainants: The proposal provides a form specifying the information required for all complaints under Article 77 GDPR concerning cross-border processing and specifies procedural rules for the involvement of complainants in the procedure, including their right to make their views known. It specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles of the lead DPA and the DPA with which the complaint was lodged in such cases. It recognises the importance and the legality of amicable settlement of complaint-based cases.

- Targeted harmonisation of procedural rights in cross-border cases: The proposal provides the parties under investigation with the right to be heard at key stages in the procedure, including during dispute resolution by the Board, and clarifies the content of the administrative file and the parties’ rights of access to the file. The proposal thereby strengthens the parties’ rights of defence and ensures consistent observance of these rights regardless of which DPA is leading the investigation.

- Streamlining cooperation and dispute resolution: The proposal equips DPAs with the tools necessary to achieve consensus by giving added substance to the requirement for DPAs to cooperate and to share “relevant information” set out in Article 60 GDPR. This Regulation establishes a framework for all DPAs to meaningfully impact a cross-border case by providing their views early in the investigation procedure and making use of all tools provided by the GDPR. Crucially, this will facilitate consensus-building and reduce the likelihood of disagreements later in the procedure, which would require the use of the dispute resolution mechanism. Where there is disagreement between DPAs on the key issue of the scope of the investigation in complaint-based cases, the proposal provides a role for the Board to resolve the disagreement by adopting an urgent binding decision. Involving the Board on this discrete issue provides the lead DPA with the necessary clarity to proceed with the investigation and ensures that the disagreement on the scope of the investigation will not require the use of the Article 65 dispute resolution mechanism.

The proposal lays down detailed requirements for the form and structure of relevant and reasoned objections raised by DPAs concerned, thereby facilitating the effective participation of all DPAs and the targeted and swift resolution of the case.

- The proposal lays down procedural deadlines for the dispute resolution procedure, specifies the information to be provided by the lead DPA when submitting the matter to dispute resolution, and clarifies the role of all actors involved in dispute resolution (lead DPA, DPAs concerned and the Board). In this way, the proposal facilitates the swift completion of the dispute resolution procedure for the parties under investigation and data subjects.

Consistency with existing policy provisions in the policy area

The proposal complements the GDPR by specifying procedural rules for key stages of the investigation process established by the GDPR. It does not affect the rights of data subjects, the obligations of data controllers and processors, or the lawful grounds for processing personal data as set out by the GDPR.

The proposal builds on the basic principles of the GDPR concerning complaints, cooperation and dispute resolution, and supplements these provisions with targeted additions to enhance the effectiveness and efficiency of enforcement in cross-border cases.

Consistency with other Union policies

The proposal is fully consistent and compatible with existing Union policies in other areas.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The legal basis for the proposal is Article 16 of the Treaty on the Functioning of the European Union (TFEU).

Article 16 TFEU empowers the European Parliament and the Council to lay down rules regarding the protection of individuals with regard to the processing of personal data and the free movement of such data. The proposal concerns the enforcement of the GDPR in cross-border cases. The objective of such enforcement is to ensure the right of data subjects to protection of their personal data. As such, Article 16 TFEU is the appropriate legal basis for the proposal.

Subsidiarity (for non-exclusive competence)

The EU is best placed to act because the proposal relates to an existing procedure established by the GDPR that involves the DPAs of several EU Member States and the European Data Protection Board (an EU body). Accordingly, the problems identified above cannot be solved by EU Member States acting alone.

Proportionality

This proposal ensures an appropriate balance between meeting the objective of ensuring the smooth functioning of cross-border enforcement of the GDPR while not unduly interfering with national legal systems.

The proposal aims to ensure the smooth functioning of the cooperation and dispute resolution mechanism established by the GDPR. Accordingly, the proposal concerns only cross-border cases under the GDPR. Such cases involve DPAs of several EU Member States and the Board.

The extent to which parties under investigation are heard and the involvement of complainants in the administrative procedure are currently covered by national procedural rules. These elements influence the way an investigation is conducted from beginning to end. As such, targeted harmonisation of the right to be heard and the involvement of complainants at key stages in the procedure and only in cross-border cases is essential in order to achieve the objective of the proposal – to streamline cross-border enforcement – and does not go beyond what is necessary in the circumstances. Crucially, the right of parties under investigation to be heard already applies to investigations carried out by DPAs under the GDPR, since the right to be heard is an essential element of the rights of defence and the right to good administration as guaranteed by the Charter. Likewise, the complainant must be informed on the progress of her or his complaint under Article 77(2) GDPR. The proposal mainly harmonises and frames the modalities of these procedural steps.

Choice of the instrument

A regulation is the appropriate instrument for the proposal. The proposal supplements a procedure laid down in an existing regulation, the GDPR. It aims to tackle the issue of diverging procedural approaches by DPAs by harmonising certain aspects of the administrative procedure applied by DPAs when enforcing the GDPR. Accordingly, a regulation (which is directly applicable in the Member States) is necessary to reduce legal fragmentation and ensure the degree of harmonisation required to guarantee the smooth functioning of the cooperation and consistency mechanisms established by the GDPR and to provide legal certainty to complainants, parties under investigation and DPAs. A directive, which affords the Member States discretion as to how to achieve the desired results, would not ensure the degree of harmonisation necessary to achieve the objectives of the proposal.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

In its report following two years of the application of the GDPR, the Commission noted that further progress was needed to make the handling of cross-border cases more efficient and harmonised across the EU. In a staff working document accompanying the report, the Commission identified the need to tackle differences in the following areas:

- national administrative procedures, concerning in particular: complaint handling procedures, the admissibility criteria for complaints, the duration of proceedings due to different timeframes or the absence of any deadlines, the moment in the procedure when the right to be heard is granted, the information and involvement of complainants during the procedure;

- interpretations of concepts relating to the cooperation mechanism; and

- the approach to when to start the cooperation procedure, involve DPAs concerned and communicate information to them.

In its resolution on the Commission’s 2020 report on the GDPR, the European Parliament urged the Commission to assess whether national administrative procedures hinder the full effectiveness of cooperation under Article 60 of the GDPR as well as its effective implementation. The European Parliament called on the Board to establish basic elements of a common administrative procedure to handle complaints in cross-border cases under the cooperation established under Article 60 of the GDPR. In 2020, the Board launched a reflection on improving cooperation between DPAs in cross-border cases. Following this reflection, in October 2022 the Board transmitted to the Commission a list identifying procedural aspects of the cooperation between DPAs that could be harmonised at EU level.

In the report following two years of the application of the GDPR, the Commission noted that there had not yet been any examples of dispute resolution at Board level. Since the publication of the report in 2020, the Board has adopted eight binding decisions under Article 65(1)(a) GDPR. The Commission’s participation in the Board has allowed it to draw lessons regarding the functioning of the dispute resolution mechanism. In particular, the Commission’s assessment is that the expediency of the investigation could be improved and dispute resolution could be avoided by increasing the level of cooperation between DPAs prior to the submission of a draft decision by the lead DPA.

Stakeholder consultations

The preparation of the proposal rests on input from a wide range of stakeholders. There was broad agreement among stakeholders that more could be done to improve the efficiency of cross-border enforcement of the GDPR.

In particular, the Commission received input on the proposal from the following channels:

- The Board: The Board is composed of the DPAs, the enforcers of the GDPR. It is tasked with, among other tasks, dispute resolution in cross-border cases under the GDPR. As such, the Commission took due account of the Board’s input at all stages of the preparatory process. In the first instance, the proposal responds to the list of issues transmitted to the Commission by the Board in October 2022 identifying aspects of the cross-border enforcement procedure that could be harmonised at EU level. The proposal addresses most of the issues identified by the Board in its list. In certain cases, the Commission decided not to address the issues identified by the Board, in particular where the Commission felt that the issue was already adequately addressed by the GDPR, or that the matter should remain within the discretion of the lead DPA or be determined by national law. In addition, the proposal tackles certain issues beyond those identified by the Board in its list, where the Commission considered this necessary to ensure the smooth functioning of cross-border enforcement and respect for due process rights. The Commission also conducted targeted consultation on aspects of the proposal with subgroups of the Board that deal with cross-border cooperation and enforcement at meetings on 21 March 2023 and 24 April 2023, to avail of the expertise of DPAs dealing with these issues in their daily work. The Board was fully supportive of the Commission taking action in this area and provided valuable input to the Commission at the March and April 2023 meetings.

- The GDPR Multi-stakeholder Expert Group: This expert group was established to assist the Commission with the application of the GDPR. It is composed of representatives from civil society, business, academics and legal practitioners. There was broad support among this group for the Commission taking action in this area through a legislative proposal. A first discussion on the Board’s October 2022 list took place at a meeting on 19 October 2022, and a second meeting on 21 April 2023 was used by the Commission to consult on specific aspects of the proposal. Given the wide variety of stakeholders represented in this group, views among stakeholders on particular aspects of the proposal varied. All stakeholders supported the provision of a legal framework for amicable settlement in the proposal. NGOs welcomed the Commission’s intention to harmonise the form of complaints and supported involvement of the complainant in the procedure, noting the wide differences in the treatment of complaints in the Member States. Industry groups representing controllers and processors emphasised the need to afford the parties under investigation the right to be heard and to encourage the resolution of disagreements between DPAs early in the investigation process.

- The Member States GDPR Expert Group: This Expert Group serves as a forum for sharing views and information between the Commission and the Member States on the application of the GDPR. The Commission solicited the views of Member States on the Board’s October 2022 list prior to commencement of the drafting process. Member States were broadly supportive of and welcomed the idea of a proposal for a legislative initiative to enhance cross-border enforcement of the GDPR. However, certain Member States with horizontal procedural rules applicable to all administrative procedures identified possible interference with these rules, in particular with regard to the harmonisation of the rights of parties to be heard and the involvement of complainants in the procedure. Accordingly, the Commission has carefully limited harmonisation of these aspects in the proposal to cross-border cases and to the extent necessary to ensure the smooth functioning of the cooperation and dispute resolution mechanism. The Commission held a dedicated meeting with the Member States GDPR Expert Group on 19 April 2023.

The Commission also held bilateral meetings on the proposal on request, with NGOs, national authorities and industry representative organisations.

The Commission published a call for evidence from 24 February to 24 March 2023 and received 73 responses. The Commission received feedback from a wide variety of stakeholders, including NGOs and industry associations.

The Commission has taken due account of the feedback of all stakeholders in the preparation of the proposal.

Collection and use of expertise

The proposal takes into account the range of input received from stakeholders during the preparatory process, in particular the expertise provided by the Board, the GDPR Multi-stakeholder Expert Group, and the Member States GDPR Expert Group.

The proposal also relies on the case law of the Court of Justice of the European Union (CJEU), in particular case law concerning the operation of the cooperation and consistency mechanism in the GDPR, as well as case law concerning the right to be heard and the right to good administration in Article 41 of the Charter.

Impact assessment

An impact assessment was not carried out for the proposal. The proposal does not affect the rights of data subjects, the obligations of data controllers and processors, or the lawful grounds for processing personal data as set by the GDPR.

The proposal complements the GDPR in a targeted way by specifying procedural rules for the cross-border enforcement procedure established by Chapter VII GDPR. In this way, the proposal operates within the procedural framework established by the GDPR.

As such, the impact of the proposal will be limited to enhancing the functioning of the cross-border enforcement procedure laid down by the GDPR. The proposal does not alter the roles of the actors in this procedure – complainants, the lead DPA, DPAs concerned, and the Board – which are laid down in the GDPR. Therefore, the proposal will not lead to significant economic, environmental, or social impacts, or entail significant spending.

Harmonisation of these procedural aspects will have a positive impact for DPAs, complainants, parties under investigation and public confidence in the GDPR:

- DPAs – the initiative will support the cooperation procedure and provide clarity on the arrangements for and timing of cooperation in cross-border cases. This will allow DPAs to make more efficient use of their resources. In addition, by providing DPAs with tools to enhance their cooperation in cross-border cases, the initiative will facilitate consensus-building among DPAs, reducing the number of disagreements and promoting a spirit of cooperation.

- Complainants and data subjects – streamlining cooperation between DPAs when enforcing the GDPR will support the timely completion of investigations. This will help to deal more efficiently with infringements of the GDPR and to deliver a swift remedy for the data subject. In addition, complainants will have the same opportunity to be involved in the procedure in cross-border cases regardless of where the complaint is lodged or which DPA is the lead DPA.

- Parties under investigation – improving cooperation in cross-border cases will help to shorten investigations and ensure the provision of necessary guarantees, such as the right to be heard and to access the file, thereby ensuring protection of the right to good administration (Article 41 of the Charter) and the rights of defence (Article 48 of the Charter) of the parties under investigation. Harmonisation of these rights will also make the final decision more robust.

- Public confidence in the GDPR – the initiative will strengthen public confidence in the GDPR by facilitating a swifter resolution of investigations and reducing the number of disagreements between DPAs in cross-border cases.

Regulatory fitness and simplification

Not applicable


Fundamental rights

By facilitating the swift resolution of cross-border cases, the proposal supports the right of data subjects to protection of their personal data under Article 8 of the Charter and the right to an effective remedy under Article 47 of the Charter.

By harmonising the right of parties under investigation to be heard and to access the file, the proposal ensures the parties’ rights to good administration under Article 41 of the Charter and rights of defence under Article 48 of the Charter are observed.

4. BUDGETARY IMPLICATIONS

This proposal will not have any substantial budgetary implications.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The Commission will monitor the application of the Regulation together with its ongoing monitoring of the application of the GDPR.

Explanatory documents (for directives)

Not applicable


Detailed explanation of the specific provisions of the proposal

Chapter I defines the subject of the regulation and sets out the definitions used throughout the instrument. The definitions used in the GDPR apply to the proposal. The proposal addresses only the cross-border enforcement of the GDPR.

Chapter II provides detailed rules on the submission and handling of complaints. It prescribes a form specifying the information required for cross-border complaints submitted on the basis of Article 77 GDPR and provides factors for DPAs to take into account when considering the extent appropriate to investigate a complaint. The provision of a common form for all cross-border complaints simplifies the complaint procedure for data subjects and removes the fragmented approaches to the concept of a complaint. Article 3 requires DPAs to provide the complainant with an acknowledgement of the complaint. Article 5 provides a legal framework for the amicable settlement of complaints to facilitate the use of amicable settlement by DPAs and to clarify the legal implications of amicable settlement for complainants and DPAs. Article 6 provides detailed rules regarding the translation of documents during cross-border cooperation.

Chapter III concerns cooperation between supervisory authorities in cross-border cases.

Section 1 provides additional tools for DPAs to reach consensus in cross-border cases. It specifies that ‘relevant information’ to be shared by supervisory authorities during cross-border cooperation should include certain documents and that these documents should be shared at the DPA’s earliest convenience. This provision ensures that DPAs concerned will have all information required to provide their views on the investigation to the lead DPA.

Article 9 provides that once the lead DPA has formed a preliminary view on the investigation, it shall send a ‘summary of key issues’ identifying the main findings of fact and the lead DPA’s views on the case to DPAs concerned. The purpose of the summary of key issues is to allow DPAs concerned to meaningfully impact the course of the investigation at an early stage by providing their views on the lead DPA’s assessment. This will help DPAs to resolve disagreements regarding, for example, the legal assessment or, in complaint-based cases, the scope of the investigation, at an early stage, thus reducing the likelihood of dispute resolution later in the procedure. Where there is no agreement at this stage regarding the scope of the investigation in complaint-based cases, or the complex legal or technological assessment undertaken by the lead DPA, Article 10 requires the DPA that disagrees with the lead DPA to make a request to the lead DPA under Article 61 (mutual assistance) or 62 (joint operations) of the GDPR. This provision ensures that DPAs will make use of all tools provided by the GDPR to resolve differences on key issues during the cooperation procedure. Where DPAs cannot come to agreement on the scope of the investigation in complaint-based cases, Article 10 provides that the lead DPA shall request an urgent binding decision of the Board pursuant to Article 66(3) GDPR. In this case, the urgent need to act shall be presumed to be met. This provision ensures that the disagreement on scope will be resolved in a quick and efficient manner, providing the lead DPA with the necessary clarity to proceed with the investigation.

Section 2 of Chapter III provides detailed rules regarding the full or partial rejection of complaints. These provisions ensure that the DPA with which the complaint was lodged has the information required to enable it to adopt the decision rejecting a complaint, and that a decision rejecting a complaint is adopted in all cases where the complaint is not pursued or withdrawn. The complainant is also provided with the opportunity to make her or his views known prior to the full or partial rejection of the complaint.

Section 3 of Chapter III harmonises the right of parties under investigation to be heard. It provides that the lead DPA shall submit to the parties under investigation its preliminary findings, setting out the objections raised, the relevant facts, supporting evidence, legal analysis, and, where applicable, proposed corrective measures. The preliminary findings will allow parties under investigation to fully understand the allegations made and to respond to those allegations, ensuring observance of their rights of defence. Article 15 provides that complainants will be given the possibility to submit in writing observations on the preliminary findings. Article 17 provides that the parties under investigation shall have the opportunity to provide their views where the lead DPA intends to submit a revised draft decision in light of relevant and reasoned objections expressed by DPAs concerned.

Section 4 of Chapter III lays down detailed requirements for the form and structure of relevant and reasoned objections raised by DPAs concerned, thereby facilitating the effective participation of all DPAs and the swift resolution of the case.

Chapter IV lays down detailed rules regarding access to the file and the treatment of confidential information. These provisions provide clarity on the documents that should form part of the administrative file in cross-border cases and the moment in which access to the file is provided to the parties under investigation.

Chapter V specifies procedural rules for the dispute resolution procedure set out in Article 65 GDPR. Article 22 specifies the information to be provided by the lead DPA to the Board when submitting a matter to dispute resolution. It specifies deadlines and arrangements for determination of the admissibility of relevant and reasoned objections by the Board. Article 24 provides for the hearing of the parties under investigation, or, in the case of rejection of a complaint, the complainant, prior to the binding decision of the Board under Article 65(1)(a) GDPR. By clarifying the roles of all actors and providing deadlines for certain procedural steps, these provisions will facilitate the swift and efficient conclusion of the dispute resolution procedure.

Articles 25 and 26 lay down detailed arrangements for the submission of matters to dispute resolution under Article 65(1)(b) and (c) GDPR.

Chapter VI lays down detailed procedural rules for the urgency procedure in Article 66 GDPR.

Chapter VII contains final provisions of the regulation, which concern deadlines, transitional provisions, and the entry into force of the regulation.