Article 60 GDPR: Difference between revisions

From GDPRhub


== Legal Text ==
<center>'''Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned'''</center>


<span id="1">1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.</span>


== Commentary ==
Article 60 GDPR introduces Chapter VII of the GDPR under the heading “''Cooperation and consistency''” and, in particular, Section 1 of that Chapter, headed “''Cooperation''”. Article 60 GDPR provides for uniform supervision of controllers and processors in the event of cross-border processing: cross-border enforcement decisions are agreed upon jointly by all the supervisory authorities concerned (''"CSAs"''), while they are formally adopted by a single supervisory authority (''"SA"'') that cooperates with the SAs of the other Member States concerned and takes due account of their views.<ref>''Tosoni'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 60 GDPR, p. 956 (Oxford University Press 2020).</ref>


Article 60 GDPR regulates the co-decision-making procedure to be followed in cross-border cases ([[Article 56 GDPR|Article 56(1) GDPR]]). It specifies the rules of procedure that follow once the lead supervisory authority (''"LSA"'') has been identified under the competence-establishing provision of [[Article 56 GDPR|Article 56(1) GDPR]]. In such cases, the LSA, i.e. the SA of the place where the controller's or processor's main or sole establishment in the EEA is located, assumes the role of directing and coordinating the decision-making procedure. In doing so, the LSA has to cooperate with the other CSAs in accordance with the principles and rules provided by Article 60 GDPR and, more generally, throughout Chapter VII. The cooperation procedure, in the event of a complaint-based investigation, ends with the decision of a SA which either (i) finds a violation of the GDPR by the controller or processor, orders the infringement to be remedied and thereby at the same time grants or partially grants the complaint, or (ii) rejects or dismisses the complaint or parts thereof.<ref>''Peuker,'' in Sydow, Marsch, DS-GVO/BDSG, Article 60 GDPR, margin number 2 (Nomos 2022).</ref> In addition to the relevant provisions of the GDPR, national procedural rules apply to any matter that is not regulated by the GDPR.
 
Case law: [[CJEU - C-645/19 - Facebook Ireland and others v Gegevensbeschermingsautoriteit|C-645/19]], paras 51-53 
 
A draft procedural regulation has been proposed by the Commission to further specify the rules on cooperation between SAs in the one-stop-shop mechanism, with the aim of addressing the shortcomings of the current rules. <blockquote><u>EDPB Guidelines</u>: on this Article, please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022022-application-article-60-gdpr_en Guidelines 02/2022 on the application of Article 60 GDPR] </blockquote>
 
=== (1) Duty to cooperate and exchange information ===
The ultimate aim of the cooperation procedure under Article 60 GDPR is to adopt a uniform decision for data processing operations of a cross-border nature. The task of directing or, rather, coordinating the decision-making procedure falls to the LSA. In practice, this translates into three essential (though not exclusive) obligations.


==== Cooperation between LSA and CSA ====
As soon as the LSA learns of its responsibility under [[Article 56 GDPR|Article 56(1) GDPR]], it must take the initiative and identify the other CSAs.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 60 GDPR, margin number 6 (C.H. Beck 2020, 3rd Edition).</ref> In doing so, it is necessary to verify the main elements of the processing and to understand which Member States are likely to be affected by it. For example, it is necessary to verify in which Member States the data subjects whose rights may be violated are located and/or where the controller's or processor's establishments are situated.
 
==== Exchange of information ====
After composing the “''decision-making group''”, the LSA is obliged to “''cooperate''” with all other CSAs and to facilitate the sharing of information necessary for the decision-making process (“''exchange all relevant information with each other''”).<ref>The duty to cooperate, it is argued, is not one-sided but naturally applies also to the CSAs. ''Dix,'' in Kühling, Buchner, GDPR BDSG, Article 60 GDPR, margin number 6 (C.H. Beck 2020).</ref> Article 60 GDPR puts a particular focus on the information exchange obligation. Effective Union-wide enforcement requires that all CSAs, including the LSA, receive and share all relevant information on cross-border data processing as promptly as possible. The duty to exchange information exists even when the identity of the LSA is still unclear, as the required exchange of information must take place in any case under [[Article 61 GDPR]] and [[Article 62 GDPR]].
 
==== Endeavor to reach consensus ====
The LSA should act in a consensus-building manner. It must endeavour to reach a “''consensus''” with the other CSAs.<ref>The letter of the law seems to put this obligation specifically on the LSA rather than single CSAs; see ''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (NOMOS 2019).</ref> CSAs must therefore be given adequate information and sufficient opportunity to present their legal positions (Article 60(3) GDPR), which, as far as possible, are to be incorporated into the LSA’s final assessment.<ref>''Polenz,'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (NOMOS 2019).</ref> The LSA must not limit itself to taking into account the views of the other CSAs only within the framework of a draft decision (Article 60(3) GDPR), but should work towards a consensual approach with the other CSAs from the start of the procedure.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 60 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).</ref> The above is confirmed by Recital 125 GDPR, which specifies that “''the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process''”. However, Article 60(1) GDPR does not oblige the LSA to actually reach a consensus with the other CSAs.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 60 GDPR, margin number 5 (Nomos 2019).</ref> If a consensus cannot be reached, the dispute resolution mechanism under [[Article 65 GDPR]] in connection with [[Article 63 GDPR]] is triggered (Article 60(4) GDPR).


=== (2) Cooperation and joint operations ===
Article 60(2) GDPR clarifies that also in cross-border cases the LSA and CSAs have to cooperate pursuant to [[Article 61 GDPR]] and [[Article 62 GDPR]]. Before issuing a binding decision, it might (and usually will) be necessary for the LSA and the CSAs to exercise investigative powers in their territory to establish the facts of the case. To that end, the LSA can request other CSAs to provide mutual assistance pursuant to [[Article 61 GDPR]] and conduct joint operations pursuant to [[Article 62 GDPR]]. Once the decision has been adopted, it must be ensured that it is actually complied with. Therefore, cooperation can also be requested after the decision has been adopted for “''monitoring the implementation of a measure concerning a controller or processor established in another Member State''”.<ref>''Polenz,'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 8 (NOMOS 2019).</ref>  


=== (3) Duty of lead supervisory authority (LSA) to communicate the relevant information and submit a draft decision ===
Article 60(3) GDPR sets out the procedural background of the cooperation mechanism.<ref>Paragraphs 3 to 10 contain a completely new, relatively complex two-phase decision-making procedure. The first (or preparatory) phase regulates how information, draft decisions and objections are exchanged among authorities (paragraphs 3 to 6). The second phase consists of the actual decision-making stage, including enforcement (paragraphs 6 to 10); see ''Polenz,'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 9 (NOMOS 2019).</ref> The LSA communicates the relevant information on the matter to the other CSAs and, without delay, provides them with a draft decision for their opinion, which has to be taken into ''due account''. It follows that the LSA must adequately address the positions of the other SAs and integrate them into the decision-making process. The LSA has no clear timeline or set deadlines that it would have to follow. In practice, this means that it is not exceptional for cross-border procedures to take several years.


=== (4) Objection by supervisory authority concerned (CSA) and procedure where it is not followed ===
Under Article 60(4) GDPR, any CSA can object to the draft decision drawn up and provided by the LSA pursuant to Article 60(3) GDPR if it does not agree with it. The objection has to be relevant and reasoned in order to be considered. CSAs have 4 weeks to examine the draft decision and express their reasoned objections, if any.


If the LSA does not follow the relevant and reasoned objection(s) from a CSA or believes that the objection(s) is not reasoned or relevant, the matter is referred to the attention of the European Data Protection Board (''"EDPB"'') which will decide it following [[Article 63 GDPR]] and [[Article 65 GDPR|Article 65(1)(a) GDPR]]. It then becomes incumbent upon the EDPB to adopt a binding decision on whether the objection is “''relevant and reasoned''” and, in general, if it meets the requirements outlined in [[Article 4 GDPR|Article 4(24) GDPR]].


==== Relevant and reasoned objection by CSA ====
What constitutes a relevant and reasoned objection is defined in Article 4(24) GDPR, which stipulates that it is an objection to a draft decision as to “''whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union''”.<ref>The EDPB provided guidance for the notion of the terms “''relevant and reasoned''”, including what should be considered when assessing whether an objection “''clearly demonstrates the significance of the risks posed by the draft decision''”. See EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-092020-relevant-and-reasoned_en here]).</ref> An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by another clear indication, and should show why such issues are to be deemed “''relevant''”, as further explained below. Therefore, the objection aims, first of all, at pointing out how and why, according to the CSA, the draft decision does not appropriately address the situation and/or does not envision appropriate action towards the controller or processor. The proposals for amendments put forward in the objection should aim to remedy these errors.


===== Relevant =====
In order for an objection to be adequately reasoned, it should be coherent, clear, precise and detailed in explaining the reasons for objection. It should set forth, clearly and precisely, the essential facts on which the CSA based its assessment and the link between the envisaged consequences of the draft decision (if it was to be issued “as is”) and the significance of the anticipated risks. Moreover, the CSA should indicate which parts of the draft decision it disagrees with. In cases where the objection is based on the opinion that the LSA failed to investigate an essential fact of the case entirely, or on an additional violation of the GDPR, it would be sufficient for the CSA to present such arguments in a conclusive and substantiated manner.<ref>EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020, pp. 5-6 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-092020-relevant-and-reasoned_en here]).</ref>


===== Infringement of the GDPR =====
The CSA’s objections to the draft decision must be justified and motivated through reference to evidence and facts that support the objection, having regard to the facts and evidence<ref>The "''relevant information''" referred to in Article 60(3) GDPR.</ref> provided by the LSA. These requirements should apply to each specific infringement and to each specific provision in question (e.g. if the draft decision says that the controller infringed [[Article 6 GDPR|Articles 6, 7 and 14 GDPR]], and the CSA disagrees on whether there is an infringement of [[Article 7 GDPR|Articles 7 and 14 GDPR]] and considers that there is an infringement of [[Article 13 GDPR]]). In some circumstances, the objection could go as far as identifying gaps in the draft decision that justify the need for further investigation by the LSA. For instance, if the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant and reasoned objection may be raised based on the failure of the LSA to handle the complaint properly and to safeguard the rights of the data subject.<ref>EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-092020-relevant-and-reasoned_en here]).</ref><blockquote><u>EDPB Guidelines:</u> On this provision, see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en the Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679]</blockquote>


=== (5) Procedure where objection is accepted ===
Where the LSA intends to follow one or more relevant and reasoned objections made by one or more CSAs, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion as foreseen in Article 60(4) GDPR. However, in this case, the CSAs only have two weeks to express their opinion.


=== (6) Legal fiction of agreement in absence of an objection ===
Where none of the other CSAs has objected to the draft decision submitted by the LSA within the period referred to in Article 60(4) and (5) GDPR, the LSA and the CSAs shall be deemed to agree with that draft decision and shall be bound by it. In this case, the decision becomes final.


=== (7) Notification of the final decision ===
The LSA shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be, and inform the other CSAs and the EDPB about the decision, including a summary of the relevant facts and grounds. The SA with which a complaint has been lodged shall inform the complainant of the decision.


=== (8) Adoption of decision where the complaint is rejected in full ===
By derogation from Article 60(7) GDPR, where a complaint is dismissed or rejected, the SA with which the complaint was lodged shall adopt the decision, notify it to the complainant and inform the controller thereof. This provision makes it easier for a data subject who intends to file an appeal before a national court to do so.


=== (9) Adoption of decision where the complaint is partially rejected ===
Where the LSA and the CSAs agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. On the one hand, the LSA adopts the decision for the part concerning actions in relation to the controller, notifies it to the main establishment or single establishment of the controller or processor on the territory of its Member State and informs the complainant. On the other hand, the SA of the complainant adopts the decision for the part concerning dismissal or rejection, notifies it to the complainant and informs the controller or processor.


=== (10) Controller's obligation to comply with the decision and notification obligation ===
After being notified of the decision of the LSA according to Article 60(7) and (9) GDPR, the controller or processor shall take the necessary measures to ensure compliance for all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the LSA, which shall inform the other CSAs.


=== (11) Provisional measures and urgency procedure ===
Where, in exceptional circumstances, a CSA has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 GDPR shall apply.


=== (12) Forms of Communication: Electronic Means and Standardised Format ===
=== (12) Forms of communication: Electronic means and standardised format ===
The LSA and the other CSAs shall supply the information required under Article 60 GDPR to each other by electronic means, using a standardised format. Since May 2018, “''the Board and DPAs have been using the IMI case registry, in which cases with a cross-border component are normally logged in.45 In due course the European Commission is empowered to draw up a standardised format (see Article 61(9)).46 The existence of a standardised format may partially alleviate the administrative burdens and costs linked with the exchange of documents (e.g. translations), which may nonetheless remain substantial''”.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 969 (Oxford University Press 2020).</ref>
The LSA and the other CSAs shall supply the information required under Article 60 GDPR to each other by electronic means, using a standardised format. Since May 2018, “''the Board and DPAs have been using the IMI case registry, in which cases with a cross-border component are normally logged in.45 In due course the European Commission is empowered to draw up a standardised format (see Article 61(9)).46 The existence of a standardised format may partially alleviate the administrative burdens and costs linked with the exchange of documents (e.g. translations), which may nonetheless remain substantial''”.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 969 (Oxford University Press 2020).</ref>
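Review bot: the quotation in the paragraph under the renamed heading still carries the stray footnote markers "45" and "46" from the quoted source ("logged in.45", "(see Article 61(9)).46"); strip them, since the page's own reference for the quote is the <ref> closing the sentence, and the bare digits read as part of the quoted text.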



Latest revision as of 16:04, 18 March 2024

Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned

Legal Text

Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.

8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.

10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.

Relevant Recitals

Recital 124: Lead Supervisory Authority and Cooperation
Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.

Recital 125: Competences of the Lead Supervisory Authority
The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process. Where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.

Recital 130: Cooperation if the Complaint has been Lodged with a Supervisory Authority which is not the Lead Supervisory Authority
Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should closely cooperate with the supervisory authority with which the complaint has been lodged in accordance with the provisions on cooperation and consistency laid down in this Regulation. In such cases, the lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take utmost account of the view of the supervisory authority with which the complaint has been lodged and which should remain competent to carry out any investigation on the territory of its own Member State in liaison with the competent supervisory authority.

Commentary

Article 60 GDPR introduces Chapter VII of the GDPR under the heading “Cooperation and consistency” and, in particular, Section 1 of that Chapter, headed “Cooperation”. Article 60 GDPR provides for uniform supervision of controllers and processors in the event of cross-border processing and that cross-border enforcement decisions are agreed upon jointly by all the supervisory authorities concerned ("CSAs"), while they are formally adopted by a single supervisory authority ("SA") that cooperates with the SAs of the other Member States concerned and takes due account of their views. [1]

Article 60 GDPR regulates the co-decision-making procedure to be followed in cross-border cases (Article 56(1) GDPR). It specifies the rules of procedure that follow after the lead supervisory authority ("LSA") has been identified under the competence-establishing provision of Article 56(1) GDPR. In such cases, the LSA, i.e. the SA of the place where the controller's or processor's main or sole establishment is located in the EEA, assumes the role of directing and coordinating the decision-making procedure. In doing so, the LSA has to cooperate with the other CSAs in accordance with the principles and rules provided by Article 60 GDPR and more generally throughout Chapter VII. The cooperation procedure, in the event of a complaint-based investigation, ends with the decision of an SA which either (i) finds a violation of the GDPR by the controller or processor, orders the infringement to be remedied and thereby at the same time grants or partially grants the complaint, or (ii) rejects or dismisses the complaint or parts thereof.[2] In addition to the relevant provisions of the GDPR, national procedural rules apply to any matter that is not regulated by the GDPR.

Case law: C-645/19, paras 51-53

A draft procedural regulation has been proposed by the Commission to further specify the rules on cooperation between SAs in the one-stop-shop mechanism with the aim to address the shortcomings of the current regulation.

EDPB Guidelines: on this Article, please see Guidelines 02/2022 on the application of Article 60 GDPR

(1) Duty to cooperate and exchange information

The ultimate aim of the cooperation procedure under Article 60 GDPR is to adopt a uniform decision for data processing operations of a cross-border nature. The task of directing or, rather, coordinating the decision-making procedure falls to the LSA. In practice, this translates into three essential (though not exclusive) obligations.

Cooperation between LSA and CSA

As soon as the LSA learns of its responsibility under Article 56(1) GDPR, it must take the initiative and identify the other CSAs.[3] In doing so, it is necessary to verify the main elements of the processing and to understand which Member States are likely to be affected by it. From this perspective, it is necessary to verify, for example, in which Member States the data subjects whose rights may be violated are located and/or where the controller's or processor's establishments are situated.

Exchange of information

After composing the “decision-making group”, the LSA is obliged to “cooperate” with all other CSAs and to facilitate the sharing of information necessary for the decision-making process (“exchange all relevant information with each other”).[4] Article 60 GDPR puts a particular focus on the information exchange obligation. Effective Union-wide enforcement requires that all CSAs, including the LSA, receive and share all relevant information on cross-border data processing as promptly as possible. The duty to exchange information exists even when the identity of the LSA is still unclear, as the required exchange of information must take place in any case under Article 61 GDPR and Article 62 GDPR.

Endeavor to reach consensus

The LSA should act in a consensus-building manner. It must endeavour to reach a “consensus” with the other CSAs.[5] CSAs must therefore be given adequate information and sufficient opportunity to present their legal positions (Article 60(3) GDPR), which, as far as possible, are to be incorporated into the LSA’s final assessment.[6] The LSA must not limit itself to taking into account the views of the other CSAs only within the framework of a draft decision (Article 60(3) GDPR), but should work towards a consensual approach with the other CSAs from the start of the procedure.[7] The above is confirmed by Recital 125 GDPR, which specifies that “the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process”. However, Article 60(1) GDPR does not oblige the LSA to actually reach a consensus with the other CSAs.[8] If a consensus cannot be reached, the dispute resolution mechanism under Article 65 GDPR in connection with Article 63 GDPR is triggered (Article 60(4) GDPR).

(2) Cooperation and joint operations

Article 60(2) GDPR clarifies that also in cross-border cases the LSA and CSAs have to cooperate pursuant to Article 61 GDPR and Article 62 GDPR. Before issuing a binding decision, it might (and usually will) be necessary for the LSA and the CSAs to exercise investigative powers in their territory to establish the facts of the case. To that end, the LSA can request other CSAs to provide mutual assistance pursuant to Article 61 GDPR and conduct joint operations pursuant to Article 62 GDPR. Once the decision has been adopted, it must be ensured that it is actually complied with. Therefore, cooperation can also be requested after the decision has been adopted for “monitoring the implementation of a measure concerning a controller or processor established in another Member State”.[9]

(3) Duty of lead supervisory authority (LSA) to communicate the relevant information and submit a draft decision

Article 60(3) GDPR sets out the procedural background of the cooperation mechanism.[10] The LSA communicates the relevant information on the matter to the other CSAs and, without delay, provides them with a draft decision for their opinion, which has to be taken into “due account”. It follows that the LSA must adequately address the positions of the other SAs and integrate them into the decision-making process. The LSA has no clear timeline or set deadlines that it would have to follow. In practice this means that it is not exceptional for cross-border procedures to take several years.

(4) Objection by supervisory authority concerned (CSA) and procedure where it is not followed

Under Article 60(4) GDPR any CSA can object to the draft decision drawn up and provided by the LSA pursuant to Article 60(3) GDPR if it does not agree with it. The objection has to be relevant and reasoned to be considered. CSAs have 4 weeks to examine the draft decision and express their reasoned objections, if any.

If the LSA does not follow the relevant and reasoned objection(s) from a CSA or believes that the objection(s) is not reasoned or relevant, the matter is referred to the attention of the European Data Protection Board ("EDPB") which will decide it following Article 63 GDPR and Article 65(1)(a) GDPR. It then becomes incumbent upon the EDPB to adopt a binding decision on whether the objection is “relevant and reasoned” and, in general, if it meets the requirements outlined in Article 4(24) GDPR.

Relevant and reasoned objection by CSA

What constitutes a relevant and reasoned objection is defined in Article 4(24) GDPR stipulating that it is an objection to a draft decision as to “whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union”.[11] An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by other clear indication and showing why such issues are to be deemed “relevant” as further explained below. Therefore, the objection aims, first of all, at pointing out how and why according to the CSA the draft decision does not appropriately address the situation and/or does not envision appropriate action towards the controller or processor. The proposals for amendments put forward by the objection should aim to remedy these errors.

Relevant

For the objection to be considered as “relevant”, there must be a direct connection between the objection and the draft decision at issue. More specifically, the objection needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR. An objection should only be considered relevant if it relates to the specific legal and factual content of the draft decision. Raising only abstract or broad comments or objections cannot be considered relevant in this context.[12]

Reasoned

In order for the objection to be “reasoned”, it needs to include clarifications and arguments as to why an amendment of the decision is proposed (i.e. the alleged legal/factual mistakes of the draft decision). It also needs to demonstrate how the change would lead to a different conclusion as to whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR.

The CSA should provide sound reasoning for its objection, particularly by reference to legal arguments (relying on EU law and/or relevant national law and including e.g. legal provisions, guidelines, case law) or factual arguments, where applicable. The CSA should present the fact(s) allegedly leading to a different conclusion regarding the infringement of the GDPR by the controller/processor or the aspect of the decision that, in their view, is deficient/erroneous.

In order for an objection to be adequately reasoned, it should be coherent, clear, precise and detailed in explaining the reasons for objection. It should set forth, clearly and precisely, the essential facts on which the CSA based its assessment and the link between the envisaged consequences of the draft decision (if it was to be issued “as is”) and the significance of the anticipated risks. Moreover, the CSA should indicate which parts of the draft decision it disagrees with. In cases where the objection is based on the opinion that the LSA failed to investigate an essential fact of the case entirely, or on an additional violation of the GDPR, it would be sufficient for the CSA to present such arguments in a conclusive and substantiated manner.[13]

The CSA’s objections to the draft decision must be justified and motivated through reference to evidence and facts that support the objection, having regard to the facts and evidence[14] provided by the LSA. These requirements apply to each specific infringement and to each specific provision in question (e.g. if the draft decision says that the controller infringed Articles 6, 7 and 14 GDPR, and the CSA disagrees on whether there is an infringement of Articles 7 and 14 GDPR and considers that there is instead an infringement of Article 13 GDPR). In some circumstances, the objection could go as far as identifying gaps in the draft decision that justify the need for further investigation by the LSA. For instance, if the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant and reasoned objection may be raised based on the failure of the LSA to handle the complaint properly and to safeguard the rights of the data subject.[15]

EDPB Guidelines: on this provision, please see Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679

(5) Procedure where objection is accepted

Where the LSA intends to follow one or more relevant and reasoned objections made by one or more CSAs, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion as foreseen in Article 60(4) GDPR. However, in this case, the CSAs only have two weeks to express their opinion.

(6) Legal fiction of agreement in absence of an objection

Where none of the other CSAs has objected to the draft decision submitted by the LSA within the period referred to in Article 60(4) and (5) GDPR, the LSA and the CSAs shall be deemed to agree with that draft decision and shall be bound by it. In this case, the decision becomes final.

(7) Notification of the final decision

The LSA shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be, and inform the other CSAs and the EDPB about the decision, including a summary of the relevant facts and grounds. The SA with which a complaint has been lodged shall inform the complainant on the decision.

(8) Adoption of decision where the complaint is rejected in full

By derogation from Article 60(7) GDPR, where a complaint is dismissed or rejected, the SA with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof. This provision assists a data subject who intends to appeal the decision before a national court, since the decision is adopted by the SA of the data subject's own Member State.

(9) Adoption of decision where the complaint is partially rejected

Where the LSA and the CSAs agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. On the one hand, the LSA adopts the decision for the part concerning actions about the controller, notifies it to the main establishment or single establishment of the controller or processor on the territory of its Member State and informs the complainant. On the other hand, the SA of the complainant adopts the decision for the part concerning dismissal or rejection, notifies it to the complainant and informs the controller or processor.

(10) Controller's obligation to comply with the decision and notification obligation

After being notified of the decision of the LSA according to Article 60(7) and (9) GDPR, the controller or processor shall take the necessary measures to ensure compliance for all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the LSA, which shall inform the other CSAs.

(11) Provisional measures and urgency procedure

Where, in exceptional circumstances, a CSA has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 GDPR shall apply.

(12) Forms of communication: Electronic means and standardised format

The LSA and the other CSAs shall supply the information required under Article 60 GDPR to each other by electronic means, using a standardised format. Since May 2018, “the Board and DPAs have been using the IMI case registry, in which cases with a cross-border component are normally logged in. In due course the European Commission is empowered to draw up a standardised format (see Article 61(9)). The existence of a standardised format may partially alleviate the administrative burdens and costs linked with the exchange of documents (e.g. translations), which may nonetheless remain substantial”.[16]

Decisions

→ You can find all related decisions in Category:Article 60 GDPR

References

  1. Tosoni, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 60 GDPR, p. 956 (Oxford University Press 2020).
  2. Peuker, in Sydow, Marsch, DS-GVO/BDSG, Article 60 GDPR, margin number 2 (Nomos 2022).
  3. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 60 GDPR, margin number 6 (C.H. Beck 2020, 3rd Edition).
  4. The duty to cooperate, it is argued, is not one-sided but naturally applies also to the CSAs. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 60 GDPR, margin number 6 (C.H. Beck 2020, 3rd Edition).
  5. The letter of the law seems to put this obligation specifically on the LSA rather than on single CSAs; see Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 60 GDPR, margin number 5 (Nomos 2019).
  6. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 60 GDPR, margin number 5 (Nomos 2019).
  7. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 60 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).
  8. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 60 GDPR, margin number 5 (Nomos 2019).
  9. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 60 GDPR, margin number 8 (Nomos 2019).
  10. Paragraphs 3 to 10 contain a completely new, relatively complex two-phase decision-making procedure. The first (or preparatory) phase regulates how information, draft decisions and objections are exchanged among authorities (paragraphs 3 to 6). The second phase consists of the actual decision-making stage, including enforcement (paragraphs 6 to 10); see Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 60 GDPR, margin number 9 (Nomos 2019).
  11. The EDPB provided guidance on the notion of the terms “relevant and reasoned”, including what should be considered when assessing whether an objection “clearly demonstrates the significance of the risks posed by the draft decision”. See EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020.
  12. EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020, p. 5.
  13. EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020, pp. 5-6.
  14. The "relevant information" referred to in Article 60(3) GDPR.
  15. EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020.
  16. Tosoni, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 60 GDPR, p. 969 (Oxford University Press 2020).