Considerations on COM(2023)348 - Additional procedural rules relating to the enforcement of Regulation (EU) 2016/679

(1) Regulation (EU) 2016/679 of the European Parliament and of the Council establishes a decentralised enforcement system which aims to ensure the consistent interpretation and application of Regulation (EU) 2016/679 in cross-border cases. In cases concerning cross-border processing of personal data, this system requires cooperation between supervisory authorities in an endeavour to reach consensus and, where supervisory authorities cannot reach consensus, provides for dispute resolution by the European Data Protection Board (the Board).

(2) In order to provide for the smooth and effective functioning of the cooperation and dispute resolution mechanism provided for in Articles 60 and 65 of Regulation (EU) 2016/679, it is necessary to lay down rules concerning the conduct of proceedings by the supervisory authorities in cross-border cases, and by the Board during dispute resolution, including the handling of cross-border complaints. It is also necessary for this reason to lay down rules concerning the exercise of the right to be heard by the parties under investigation prior to the adoption of decisions by supervisory authorities and, as the case may be, by the Board.

(3) Complaints are an essential source of information for detecting infringements of data protection rules. Defining clear and efficient procedures for the handling of complaints in cross-border cases is necessary since the complaint may be dealt with by a supervisory authority other than the one to which the complaint was lodged.

(4) In order to be admissible a complaint should contain certain specified information. Therefore, in order to assist complainants in submitting the necessary facts to the supervisory authorities, a complaint form should be provided. The information specified in the form should be required only in cases of cross-border processing in the sense of Regulation (EU) 2016/679, though the form may be used by supervisory authorities for cases that do not concern cross-border processing. The form may be submitted electronically or by post. The submission of the information listed in that form should be a condition for a complaint relating to cross-border processing to be treated as a complaint as referred to in Article 77 of Regulation (EU) 2016/679. No additional information should be required for a complaint to be deemed admissible. It should be possible for supervisory authorities to facilitate the submission of complaints in a user-friendly electronic format and bearing in mind the needs of persons with disabilities, as long as the information required from the complainant corresponds to the information required by the form and no additional information is required in order to find the complaint admissible.

(5) Supervisory authorities are obliged to decide on complaints within a reasonable timeframe. What is a reasonable timeframe depends on the circumstances of each case and, in particular, its context, the various procedural steps followed by the lead supervisory authority, the conduct of the parties in the course of the procedure and the complexity of the case.

(6) Each complaint handled by a supervisory authority pursuant to Article 57(1), point (f), of Regulation (EU) 2016/679 is to be investigated with all due diligence to the extent appropriate bearing in mind that every use of powers by the supervisory authority must be appropriate, necessary and proportionate in view of ensuring compliance with Regulation (EU) 2016/679. It falls within the discretion of each competent authority to decide the extent to which a complaint should be investigated. While assessing the extent appropriate of an investigation, supervisory authorities should aim to deliver a satisfactory resolution to the complainant, which may not necessarily require exhaustively investigating all possible legal and factual elements arising from the complaint, but which provides an effective and quick remedy to the complainant. The assessment of the extent of the investigative measures required could be informed by the gravity of the alleged infringement, its systemic or repetitive nature, or the fact, as the case may be, that the complainant also took advantage of her or his rights under Article 79 of Regulation (EU) 2016/679.

(7) The lead supervisory authority should provide the supervisory authority with which the complaint was lodged with the necessary information on the progress of the investigation for the purpose of providing updates to the complainant.

(8) The competent supervisory authority should provide the complainant with access to the documents on the basis of which the supervisory authority reached a preliminary conclusion to reject fully or partially the complaint.

(9) In order for supervisory authorities to bring a swift end to infringements of Regulation (EU) 2016/679 and to deliver a quick resolution for complainants, supervisory authorities should endeavour, where appropriate, to resolve complaints by amicable settlement. The fact that an individual complaint has been resolved through an amicable settlement does not prevent the competent supervisory authority from pursuing an ex officio case, for example in the case of systemic or repetitive infringements of Regulation (EU) 2016/679.

(10) In order to guarantee the effective functioning of the cooperation and consistency mechanisms in Chapter VII of Regulation (EU) 2016/679, it is important that cross-border cases are resolved in a timely fashion and in line with the spirit of sincere and effective cooperation that underlies Article 60 of Regulation (EU) 2016/679. The lead supervisory authority should exercise its competence within a framework of close cooperation with the other supervisory authorities concerned. Likewise, supervisory authorities concerned should actively engage in the investigation at an early stage in an endeavour to reach a consensus, making full use of the tools provided by Regulation (EU) 2016/679.

(11) It is particularly important for supervisory authorities to reach consensus on key aspects of the investigation as early as possible and prior to the communication of allegations to the parties under investigation and adoption of the draft decision referred to in Article 60 of Regulation (EU) 2016/679, thereby reducing the number of cases submitted to the dispute resolution mechanism in Article 65 of Regulation (EU) 2016/679 and ultimately ensuring the quick resolution of cross-border cases.

(12) Cooperation between supervisory authorities should be based on open dialogue which allows concerned supervisory authorities to meaningfully impact the course of the investigation by sharing their experiences and views with the lead supervisory authority, with due regard for the margin of discretion enjoyed by each supervisory authority, including in the assessment of the extent appropriate to investigate a case, and for the varying traditions of the Member States. For this purpose, the lead supervisory authority should provide concerned supervisory authorities with a summary of key issues setting out its preliminary view on the main issues in an investigation. It should be provided at a sufficiently early stage to allow effective inclusion of supervisory authorities concerned but at the same time at a stage where the lead supervisory authority’s views on the case are sufficiently mature. Concerned supervisory authorities should have the opportunity to provide their comments on a broad range of questions, such as the scope of the investigation and the identification of complex factual and legal assessments. Given that the scope of the investigation determines the matters which require investigation by the lead supervisory authority, supervisory authorities should endeavour to achieve consensus as early as possible on the scope of the investigation.

(13) In the interest of effective inclusive cooperation between all supervisory authorities concerned and the lead supervisory authority, the comments of concerned supervisory authorities should be concise and worded in sufficiently clear and precise terms to be easily understandable to all supervisory authorities. The legal arguments should be grouped by reference to the part of the summary of key issues to which they relate. The comments of supervisory authorities concerned may be supplemented by additional documents. However, a mere reference in the comments of a supervisory authority concerned to supplementary documents cannot make up for the absence of the essential arguments in law or in fact which should feature in the comments. The basic legal and factual particulars relied on in such documents should be indicated, at least in summary form, coherently and intelligibly in the comment itself.

(14) Cases that do not raise contentious issues do not require extensive discussion between supervisory authorities in order to reach a consensus and could, therefore, be dealt with more quickly. When none of the supervisory authorities concerned raise comments on the summary of key issues, the lead supervisory authority should communicate the preliminary findings provided for in Article 14 within nine months.

(15) Supervisory authorities should avail of all means necessary to achieve a consensus in a spirit of sincere and effective cooperation. Therefore, if there is a divergence in opinion between the supervisory authorities concerned and the lead supervisory authority regarding the scope of a complaint-based investigation, including the provisions of Regulation (EU) 2016/679 the infringement of which will be investigated, or where the comments of the supervisory authorities concerned relate to an important change in the complex legal or technological assessment, the concerned authority should use the tools provided for under Articles 61 and 62 of Regulation (EU) 2016/679.

(16) If the use of those tools does not enable the supervisory authorities to reach a consensus on the scope of a complaint-based investigation, the lead supervisory authority should request an urgent binding decision of the Board under Article 66(3) of Regulation (EU) 2016/679. For this purpose, the requirement of urgency should be presumed. The lead supervisory authority should draw appropriate conclusions from the urgent binding decision of the Board for the purposes of preliminary findings. The urgent binding decision of the Board cannot pre-empt the outcome of the investigation of the lead supervisory authority or the effectiveness of the rights of the parties under investigation to be heard. In particular, the Board should not extend the scope of the investigation on its own initiative.

(17) To enable the complainant to exercise her or his right to an effective judicial remedy under Article 78 of Regulation (EU) 2016/679, the supervisory authority fully or partially rejecting a complaint should do so by means of a decision which may be challenged before a national court.

(18) Complainants should have the opportunity to express their views before a decision adversely affecting them is taken. Therefore, in the event of full or partial rejection of a complaint in a cross-border case, the complainant should have the opportunity to make her or his views known prior to the submission of a draft decision under Article 60(3) of Regulation (EU) 2016/679, a revised draft decision under Article 60(4) of Regulation (EU) 2016/679 or a binding decision of the Board under Article 65(1), point (a), of Regulation (EU) 2016/679. The complainant may request access to the non-confidential version of the documents on which the decision fully or partially rejecting the complaint is based.

(19) It is necessary to clarify the division of responsibilities between the lead supervisory authority and the supervisory authority with which the complaint was lodged in the case of rejection of a complaint in a cross-border case. As the point of contact for the complainant during the investigation, the supervisory authority with which the complaint was lodged should obtain the views of the complainant on the proposed rejection of the complaint and should be responsible for all communications with the complainant. All such communications should be shared with the lead supervisory authority. Since under Article 60(8) and (9) of Regulation (EU) 2016/679 the supervisory authority with which the complaint was lodged has the responsibility of adopting the final decision rejecting the complaint, that supervisory authority should also have the responsibility of preparing the draft decision under Article 60(3) of Regulation (EU) 2016/679.

(20) The effective enforcement of Union data protection rules should be compatible with the full respect of the parties' rights of defence, which constitutes a fundamental principle of Union law to be respected in all circumstances, and in particular in procedures which may give rise to penalties.

(21) In order to effectively safeguard the right to good administration and the rights of defence as enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’), including the right of every person to be heard before any individual measure which would affect him or her adversely is taken, it is important to provide for clear rules on the exercise of this right.

(22) The rules regarding the administrative procedure applied by supervisory authorities when enforcing Regulation (EU) 2016/679 should ensure that the parties under investigation effectively have the opportunity to make known their views on the truth and relevance of the facts, objections and circumstances put forward by the supervisory authority throughout the procedure, thereby enabling them to exercise their rights of defence. The preliminary findings set out the preliminary position on the alleged infringement of Regulation (EU) 2016/679 following investigation. They thus constitute an essential procedural safeguard which ensures that the right to be heard is observed. The parties under investigation should be provided with the documents required to defend themselves effectively and to comment on the allegations made against them, by receiving access to the administrative file.

(23) The preliminary findings define the scope of the investigation and therefore the scope of any future final decision (as the case may be, taken on the basis of a binding decision issued by the Board under Article 65(1), point (a) of Regulation (EU) 2016/679) which may be addressed to controllers or processors. The preliminary findings should be couched in terms that, even if succinct, are sufficiently clear to enable the parties under investigation to properly identify the nature of the alleged infringement of Regulation (EU) 2016/679. The obligation of giving the parties under investigation all the information necessary to enable them to properly defend themselves is satisfied if the final decision does not allege that the parties under investigation have committed infringements other than those referred to in the preliminary findings and only takes into consideration facts on which the parties under investigation have had the opportunity of making known their views. The final decision of the lead supervisory authority is not, however, necessarily required to be a replica of the preliminary findings. The lead supervisory authority should be permitted in the final decision to take account of the responses of the parties under investigation to the preliminary findings, and, where applicable, the revised draft decision under Article 60(5) of Regulation (EU) 2016/679, and the Article 65(1), point (a), decision resolving the dispute between the supervisory authorities. The lead supervisory authority should be able to carry out its own assessment of the facts and the legal qualifications put forward by the parties under investigation in order either to abandon the objections when the supervisory authority finds them to be unfounded or to supplement and redraft its arguments, both in fact and in law, in support of the objections which it maintains. For example, taking account of an argument put forward by a party under investigation during the administrative procedure, without it having been given the opportunity to express an opinion in that respect before the adoption of the final decision, cannot per se constitute an infringement of defence rights.

(24) The parties under investigation should be provided with a right to be heard prior to the submission of a revised draft decision under Article 60(5) of Regulation (EU) 2016/679 or the adoption of a binding decision by the Board pursuant to Article 65(1), point (a), of Regulation (EU) 2016/679.

(25) Complainants should be given the possibility to be associated with the proceedings initiated by a supervisory authority with a view to identifying or clarifying issues relating to a potential infringement of Regulation (EU) 2016/679. The fact that a supervisory authority has already initiated an investigation concerning the subject matter of the complaint or will deal with the complaint in an ex officio investigation subsequent to the receipt of the complaint does not bar the qualification of a data subject as complainant. However, an investigation by a supervisory authority of a possible infringement of Regulation (EU) 2016/679 by a controller or processor does not constitute an adversarial procedure between the complainant and the parties under investigation. It is a procedure commenced by a supervisory authority, upon its own initiative or based on a complaint, in fulfilment of its tasks under Article 57(1) of Regulation (EU) 2016/679. The parties under investigation and the complainant are, therefore, not in the same procedural situation and the latter cannot invoke the right to a fair hearing when the decision does not adversely affect her or his legal position. The complainant’s involvement in the procedure against the parties under investigation cannot compromise the right of these parties to be heard.

(26) The complainants should be given the possibility to submit in writing views on the preliminary findings. However, they should not have access to business secrets or other confidential information belonging to other parties involved in the proceedings. Complainants should not be entitled to have generalised access to the administrative file.

(27) When setting deadlines for parties under investigation and complainants to provide their views on preliminary findings, supervisory authorities should have regard to the complexity of the issues raised in preliminary findings, in order to ensure that the parties under investigation and complainants have sufficient opportunity to meaningfully provide their views on the issues raised.

(28) The exchange of views prior to the adoption of a draft decision involves an open dialogue and an extensive exchange of views where supervisory authorities should do their utmost to find a consensus on the way forward in an investigation. Conversely, the disagreement expressed in relevant and reasoned objections pursuant to Article 60(4) of Regulation (EU) 2016/679, which raise the potential for dispute resolution between supervisory authorities under Article 65 of Regulation (EU) 2016/679 and delay the adoption of a final decision by the competent supervisory authority, should arise in the exceptional case of a failure of supervisory authorities to achieve a consensus and where necessary to ensure the consistent interpretation of Regulation (EU) 2016/679. Such objections should be used sparingly, when matters of consistent enforcement of Regulation (EU) 2016/679 are at stake, since every use of relevant and reasoned objections postpones the remedy for the data subject. Since the scope of the investigation and the relevant facts should be decided prior to the communication of preliminary findings, these matters should not be raised by supervisory authorities concerned in relevant and reasoned objections. They may, however, be raised by supervisory authorities concerned in their comments on the summary of key issues pursuant to Article 9(3), before preliminary findings are communicated to the parties under investigation.

(29) In the interest of the efficient and inclusive conclusion of the dispute resolution procedure, where all supervisory authorities should be in a position to contribute their views and bearing in mind the time constraints during dispute resolution, the form and structure of relevant and reasoned objections should meet certain requirements. Therefore, relevant and reasoned objections should be limited to a prescribed length, should clearly identify the disagreement with the draft decision and should be worded in sufficiently clear, coherent and precise terms.

(30) Access to the administrative file is provided for as a part of the rights of defence and the right to good administration enshrined in the Charter. Access to the administrative file should be provided to the parties under investigation when they are notified of preliminary findings and the deadline to submit their written reply to the preliminary findings should be set.

(31) When granting access to the administrative file, supervisory authorities should ensure the protection of business secrets and other confidential information. The category of other confidential information includes information other than business secrets, which may be considered as confidential, insofar as its disclosure would significantly harm a controller, a processor or a natural person. The supervisory authorities should be able to request that parties under investigation that submit or have submitted documents or statements identify confidential information.

(32) Where business secrets or other confidential information are necessary to prove an infringement, the supervisory authorities should assess for each individual document whether the need to disclose is greater than the harm which might result from disclosure.

(33) When referring a subject-matter to dispute resolution under Article 65 of Regulation (EU) 2016/679, the lead supervisory authority should provide the Board with all necessary information to enable it to assess the admissibility of relevant and reasoned objections and to take the decision pursuant to Article 65(1), point (a), of Regulation (EU) 2016/679. Once the Board is in receipt of all the necessary documents listed in Article 23, the Chair of the Board should register the referral of the subject-matter in the sense of Article 65(2) of Regulation (EU) 2016/679.

(34) The binding decision of the Board under Article 65(1), point (a), of Regulation (EU) 2016/679 should concern exclusively matters which led to the triggering of the dispute resolution and be drafted in a way which allows the lead supervisory authority to adopt its final decision on the basis of the decision of the Board while maintaining its discretion.

(35) In order to streamline the resolution of disputes between supervisory authorities submitted to the Board under Article 65(1), points (b) and (c), of Regulation (EU) 2016/679, it is necessary to specify procedural rules regarding the documents to be submitted to the Board and on which the Board should base its decision. It is also necessary to specify when the Board should register the submission of the matter to dispute resolution.

(36) In order to streamline the procedure for the adoption of urgent opinions and urgent binding decisions of the Board under Article 66(2) of Regulation (EU) 2016/679, it is necessary to specify procedural rules regarding the timing of the request for an urgent opinion or urgent binding decision, the documents to be submitted to the Board and on which the Board should base its decision, to whom the opinion or decision of the Board should be addressed, and the consequences of the opinion or decision of the Board.

(37) Chapters III and IV concern cooperation between supervisory authorities, the procedural rights of parties under investigation and the involvement of complainants. To ensure legal certainty, those provisions should not apply to investigations already under way at the time this Regulation enters into force. They should apply to ex officio investigations opened after the entry into force of this Regulation and to complaint-based investigations where the complaint was lodged after the entry into force of this Regulation. Chapter V provides procedural rules for cases submitted to dispute resolution under Article 65 of Regulation (EU) 2016/679. Also for reasons of legal certainty, this Chapter should not apply to cases that have been submitted to dispute resolution prior to the entry into force of this Regulation. It should apply to all cases submitted to dispute resolution after the entry into force of this Regulation.

(38) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 and delivered a joint opinion on [ ].