Luxembourg, 13 June 2024
The Council today reached an agreement on a common member states’ position on a new law which will improve cooperation between national data protection authorities when they enforce the General Data Protection Regulation (GDPR).
Data protection is a key fundamental right and the GDPR is the EU’s most powerful tool to safeguard it. Now the EU is taking an important step to make enforcement of this law more efficient.
Paul Van Tigchelt, Minister of Justice
The GDPR requires national data protection authorities, which are responsible for enforcing the GDPR, to cooperate when a data protection case concerns cross-border processing. This is the case for instance when the complainant resides in a different member state than the company under investigation.
Swift handling of cross-border complaints and improved cooperation
Once adopted, the regulation will provide tools to speed up the process of handling cross-border complaints filed by citizens or organisations, and any follow-up investigations. This is notably thanks to the harmonisation of the requirements for a cross-border action to be admissible. Wherever in the EU a citizen files a complaint relating to cross-border data processing, the admissibility will be judged on the basis of the same information.
It also clarifies the procedural deadlines and procedural steps of an investigation and for the adoption of a binding opinion by the European Data Protection Board (EDPB), the organisation which brings together all national data protection authorities, in case of disagreement between data protection authorities.
The Council agreed that throughout the cooperation procedure, national data protection authorities should be able to provide their views to the lead supervisory authority and that cooperation tools provided by the GDPR should be used in order to aim at consensus early on in investigations.
Rights of complainants and parties under investigation
The new regulation will harmonise the requirements and procedures for the complainant to be heard if a complaint is rejected and provides common rules on the involvement of the complainant in the procedure.
The right to be heard for the company or organisation that is being investigated is also ensured at key stages throughout the procedure, including during dispute resolution by the EDPB.
Main elements Council position
The Council position maintains the general thrust of the proposal but amends the draft regulation in the following aspects:
- clearer timelines: Member states introduce specific timelines that intend to speed up the cooperation process
- enhanced and efficient cooperation: The Council supports the new enhanced cooperation procedure between data protection authorities but also provides the option of not applying all additional rules when a case is more simple and straightforward. This allows data protection authorities to avoid administrative burden and to act swiftly on non-contentious cases and take advantage of the newly introduced additional cooperation rules for more complex investigations
- early resolution mechanism: The Council introduces an early resolution mechanism which allows authorities to resolve a case prior to initiating the standard procedures for handling a cross-border complaint. This can be the case when the company or organisation in question has addressed the infringement or when an amicable settlement to the complaint has been found
Next steps
Today’s adoption of a general approach will allow the Council to start negotiations with the European Parliament, which has agreed its position in April 2024, in order to agree on a final legislative text.
Background
The GDPR is the EU’s landmark data protection law which harmonises data protection rights across Europe. It applies to any organisation that deals with personal data of EU citizens or residents, regardless of where they are based.
The GDPR has put in place a system of cooperation between national data protection bodies that on the one hand ensures a consistent application of the law throughout the EU and on the other hand allows a complainant to deal with its local data protection authority. In cross-border cases one national authority will take on the role of lead authority in the investigation. However, the lead authority is required to cooperate with its peers from other member states.
The GDPR has been in application since 25 May 2018. Several reports on the application of the GDPR noted that the handling of cross-border issues was hampered by differences in administrative procedures. The procedural rules in the new regulation will address this concern.
- Data protection in the EU (background information)
- Regulation laying down procedural rules relating to the enforcement of the General Data Protection Regulation (general approach), 24 May 2024