Close Menu
    Latest Category
    • Finance
    • Tech
    • EU Law
    • Energy
    • fx
    • About
    • Contact
    EUbusiness.com | EU news, business and politicsEUbusiness.com | EU news, business and politics
    Login
    • EU News
    • Focus
    • Guides
    • Press
    • Jobs
    • Events
    • Directory
    EUbusiness.com | EU news, business and politicsEUbusiness.com | EU news, business and politics
    Home»internet

    GDPR Procedural Regulation: stronger enforcement of the GDPR in cross-border cases – guide

    eub2By eub24 July 2023Updated:9 July 2024 internet No Comments5 Mins Read
    Share
    Facebook Twitter LinkedIn Pinterest Email
    — last modified 04 July 2023

    The European Commission proposed on 4 July new rules to support the effectiveness and efficiency of enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. The GDPR Procedural Regulation aims to streamline cooperation between data protection authorities (DPAs), by harmonising some aspects of their administrative procedures in cross-border cases.


    Advertisement


    Does this proposal change data protection rules?

    No. As we have seen, the GDPR works. The Commission’s Procedural Regulation does not affect any substantial elements of the GDPR, such as the rights of data subjects, the obligations of data controllers and processors, or the lawful grounds for processing personal data as set by the GDPR.

    In its 2020 report on the application of the GDPR, the Commission found that procedural differences applied by DPAs hinder the smooth and effective functioning of the GDPR’s cooperation and dispute resolution mechanisms in cross-border cases (i.e. when there are complainants located in more than one Member State).

    The Commission identified that a more harmonised approach on issues such as complaint admissibility, the exercise of due process rights, and the involvement of complainants in the procedure would improve efficiency and results for citizens, businesses and data protection authorities alike. These elements were also identified as important by the European Parliament  and the European Data Protection Board (EDPB).

    Does the proposal change the ‘one-stop-shop’ system?

    No. The regulation fully maintains and supports this system, where individuals and organisations can deal with their local/lead DPA. Individuals reap the benefits of the ‘one-stop-shop’ system every day, by relying on their local DPA to protect their rights, no matter where the organisation processing their data is based. Businesses also benefit from the right to deal with a single Data Protection Authority.

    The proposal complements the GDPR by specifying detailed procedural rules for the cross-border enforcement system – the Regulation will operate within the framework established by the GDPR. It does not alter the procedural steps provided by the GDPR, nor the roles of the actors in the cross-border enforcement procedure – complainants, the lead DPA, DPAs concerned, or the EDPB.

    How do DPAs cooperate on cross-border cases?

    The GDPR is enforced by independent national DPAs, as well as national courts. In cases that involve cross-border processing of personal data (processing that takes place or substantially affects data subjects in more than one Member State) the GDPR’s ‘one-stop-shop’ enforcement system applies. In such cases, the DPA where the entity under investigation is established conducts the investigation in cooperation with other relevant DPAs.

    Under the GDPR, DPAs cooperate in order to reach consensus on the application of the GDPR. Where DPAs are unable to reach consensus in a cross-border case, the GDPR provides for dispute resolution by the European Data Protection Board (EDPB).

    How will DPAs cooperate under this proposal?

    The proposal introduces additional steps in the cooperation between DPAs to facilitate early consensus-building and to reduce disagreements later in the process which would require the use of the dispute resolution mechanism.

    Early in an investigation, the lead DPA must send a ‘summary of key issues’ to their counter-parts concerned in the EU. This summary identifies the main elements subject to investigation and the lead DPA’s views on the case. This will ensure that the DPAs concerned have all the necessary information to provide their views on the case at an early stage.

    Should a DPA disagree with the lead DPA’s assessment, this authority can request a joint operation or mutual assistance mechanism, as provided by the GDPR. Should the DPAs still disagree on the scope of a complaint-based case, the proposal empowers the European Data Protection Board (EDPB) to adopt an urgent binding resolution to resolve such disagreement early in the process.

    What does the proposal mean for complainants?

    Currently, DPAs have fragmented approaches to the notion of a complaint. The proposal harmonises the elements which must be provided by complainants in cross-border cases. The DPA that receives a complaint should be responsible for determining its admissibility.

    The proposal also ensures that complainants will have the same procedural rights in cross-border cases regardless of where the complaint is lodged or which DPA leads the investigation, such as the right to be heard before a decision fully or partially rejecting a complaint, will be adopted.  

    The regulation recognises the usefulness of amicable settlements by DPAs, which  provide speedy resolution.

    Where a DPA follows up on a complaint, complainants will be able to make their views known on the allegations against the controller or processor, and, where necessary, to access documents in the administrative file. The proposal harmonises the right of the complainant to be heard prior to the full or partial rejection of a complaint. It ensures that whenever a complaint is rejected, complainants should be able to challenge the decision in court.

    What does it mean for controllers and processors under investigation?

    Under the new rules, parties under investigation will have the right to be heard at key stages in the procedure, including during dispute resolution by the EDPB. It also clarifies the content of the administrative file and the parties’ rights of access to the file.

    The lead DPA should communicate their ‘preliminary findings’ to such parties, namely the allegations and the supporting evidence. Under the dispute resolution mechanism, the EDPB should allow the parties to exercise their right to be heard before adopting its decision.

    The proposal also lays down detailed rules regarding the treatment of confidential information.

    GDPR Procedural Regulation

    Data protection in the EU (europa.eu)

    EU data protection rules empower citizens (europa.eu)

    EDPB “wish-list” identifying procedures of cooperation between data protection authorities that could be harmonised at EU level

    5th anniversary of the General Data Protection Regulation (europa.eu)

    Further specifying procedural rules relating to the enforcement of the General Data Protection Regulation (europa.eu)

    Source: European Commission

    Add A Comment

    Leave A Reply Cancel Reply

    You must be logged in to post a comment.

    eub2
    • Website

    eub2 is the default publisher for EUbusiness.

    Related Content

    EU calls on Apple to end geo-blocking on media services

    Apple on notice to comply with EU digital market rules

    EU launches legal action against Temu over sale of illegal products

    EU boosts cyber resilience in Europe’s critical digital infrastructure

    EU adopts new cybersecurity law for connected devices

    EU set to invest EUR 865m in 5G, gigabit connectivity

    LATEST EU NEWS

    EU approves EUR 300m for common defence procurement projects

    14 November 2024

    EU proposes e-declaration for the posting of workers

    14 November 2024

    EU calls on Apple to end geo-blocking on media services

    14 November 2024

    EUR/USD touches one year low as Trump takes control of Congress – Euro currency news daily

    14 November 2024

    EU artificial intelligence factories set for 2025

    13 November 2024
    BRIEFING

    Agenda

    This week, COP29 begins in Azerbaijan; finance ministers discuss the EU's annual budget for 2025; and MEPs hold a plenary session on EU-US relations, EU summits, deforestation and COP 29...

    EUbusiness Week

    This week competitiveness and environment ministers will hold informal meetings…

    Eurozone Economic Calendar

    Key economic calendar events for the week 11 to 16 November 2024

    The Week's Top Stories

    This week competitiveness and environment ministers will hold informal meetings…

    Advertisement

    Subscribe to EUbusiness Week

    Get the latest EU news

    Latest Posts

    EU approves EUR 300m for common defence procurement projects

    14 November 2024

    EU proposes e-declaration for the posting of workers

    14 November 2024

    EU calls on Apple to end geo-blocking on media services

    14 November 2024

    EUR/USD touches one year low as Trump takes control of Congress – Euro currency news daily

    14 November 2024

    CONTACT INFO

    • EUbusiness Ltd 117 High Street, Chesham Buckinghamshire, HP5 1DE United Kingdom
    • +44(0)20 8058 8232
    • service@eubusiness.com

    INFORMATION

    • About Us
    • Advertising
    • Contact Info

    Services

    • Privacy Policy
    • Tems
    • EU News

    SOCIAL MEDIA

    Facebook
    eubusiness.com © EUbusiness Ltd 2025
    Design and developed by : Dotsquares

    Type above and press Enter to search. Press Esc to cancel.

    Sign In or Register

    Welcome Back!

    Login below or Register Now.

    Lost password?

    Register Now!

    Already registered? Login.

    A password will be e-mailed to you.

    We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok