Article 60 GDPR: Difference between revisions
Line 187: | Line 187: | ||
<br /><center>'''Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned'''</center><br /> | <br /><center>'''Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned'''</center><br /> | ||
<span id="1">1. | <span id="1">1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.</span> | ||
<span id="2">2. | <span id="2">2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.</span> | ||
<span id="3">3. | <span id="3">3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.</span> | ||
<span id="4">4. | <span id="4">4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.</span> | ||
<span id="5">5. | <span id="5">5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.</span> | ||
<span id="6">6. | <span id="6">6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.</span> | ||
<span id="7">7. | <span id="7">7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.</span> | ||
<span id="8">8. | <span id="8">8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.</span> | ||
<span id="9">9. | <span id="9">9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.</span> | ||
<span id="10">10. | <span id="10">10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.</span> | ||
<span id="11">11. | <span id="11">11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.</span> | ||
<span id="12">12. | <span id="12">12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.</span> | ||
== Relevant Recitals== | == Relevant Recitals== | ||
Line 229: | Line 229: | ||
=== Administrative assistance === | === Administrative assistance === | ||
According to | According to Paragraph 2, the lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62. This is especially important in later procedural steps. Before issuing a binding decision, it may be necessary for the lead and the other supervisory authorities concerned to first exercise investigative powers in their own territory towards the main branch and the other branches of the controller or processor.<ref>''Polenz'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 8 (1st edition 2019)</ref> | ||
=== Procedure === | === Procedure === | ||
Line 236: | Line 236: | ||
The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views. In other words, in accordance with Article 60(1), the LSA must adequately address the positions of the other supervisory authorities and integrate them into the decision-making process which eventually results in a draft decision on the case. | The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views. In other words, in accordance with Article 60(1), the LSA must adequately address the positions of the other supervisory authorities and integrate them into the decision-making process which eventually results in a draft decision on the case. | ||
According | According to Article 60(3) and (4) GDPR, the LSA is required to submit a draft decision to the CSAs,which then may raise a relevant and reasoned objection within a specific time frame (four weeks). Upon receipt of a relevant and reasoned objection, the LSA has two options open to it. If it does not follow the relevant and reasoned objection or is of the opinion that the objection is not reasoned or relevant, it shall submit the matter to the Board within the consistency mechanism. If the LSA, on the contrary, follows the objection and issues the revised draft decision, the CSAs may express a relevant and reasoned objection on the revised draft decision within a period of two weeks. | ||
When | When the LSA does not follow an objection or rejects it as not relevant or reasoned and therefore submits the matter to the Board according to Article 65(1)(a)GDPR, it then becomes incumbent upon the Board to adopt a binding decision on whether the objection is “''relevant and reasoned''” and if so, on all the matters which are the subject of the objection. | ||
==== | ==== CSAs' Objection ==== | ||
Article 4(24) GDPR | Under Article 4(24) GDPR, any CSA can submit an "''objection to a draft decision''" which must be “'''''relevant and reasoned'''''” and focus on "''as to whether there is an '''infringement of this Regulation''', or whether '''envisaged action''' in relation to the controller or processor complies with this Regulation, which clearly demonstrates the '''significance of the risks''' posed by the draft decision as regards the '''fundamental rights and freedoms''' of data subjects and, where applicable, the '''free flow of personal data''' within the Union''”.<ref>The EDPB provided guidance with respect to the notion of the terms “''relevant and reasoned''”, including what should be considered when assessing whether an objection “''clearly demonstrates the significance of the risks posed by the draft decision''” (Article 4(24) GDPR). See, EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 (8.10.2020) ([https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202009_relevant_and_reasoned_obj_en.pdf available here])</ref> | ||
===== Relevant and reasoned ===== | |||
An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by other clear indication, and showing why such issues are to be deemed “relevant” as further explained below. Therefore, the objection aims, first of all, at pointing out how and why according to the CSA the draft decision does not appropriately address the situation of infringement of the GDPR and/or does not envision appropriate action towards the controller or processor. The proposals for amendments put forward by the objection should aim to remedy these errors. | |||
====== Relevant ====== | |||
In order for the objection to be considered as “relevant”, there must be adirect connection betweenthe objection and the draft decision at issue6.More specifically,the objection needs toconcerneitherwhetherthere is aninfringement of the GDPRorwhethertheenvisaged action in relation to thecontroller or processor complies with theGDPR. An objection should only be consideredrelevant if it relates to the specific legal and factual content ofthe draft decision.Raising only abstract orbroad comments or objections cannot be consideredrelevant in this context. | |||
====== Reasoned ====== | |||
In order for the objection to be “reasoned”7,it needs to include clarificationsandargumentsas towhyan amendment of the decision is proposed(i.e. theallegedlegal / factualmistakes of the draftdecision). It also needs to demonstratehowthe change would lead to a different conclusionas to whether there is an infringement of the GDPR orwhetherthe envisaged action in relation to thecontroller or processorcomplieswith the GDPR. | |||
TheCSA should provide sound reasoning for its objection,in particular, by reference tolegalarguments(relying on EU law and/or relevant national lawand including e.g. legal provisions,guidelines, case law)orfactual arguments,where applicable. The CSA should present the fact(s)allegedly leading to a different conclusionregardingthe infringement of the GDPR by thecontroller/processor, or the aspect of the decisionthat, in their view, is deficient/erroneous. | |||
In order for an objection to be adequately reasoned, it should becoherent,clear, precise and detailedin explaining the reasons for objection.It should set forth,clearly andprecisely, theessential factsonwhich the CSA based its assessment,and thelink between the envisaged consequences of the draftdecision(if it was to be issued ‘as is’)and the significance of the anticipated risks.Moreover,theCSAshouldclearly indicate which parts of thedraft decisionthey disagreewith.In cases where theobjection is based on the opinion that the LSA failed to fully investigate an important fact of the case,or an additional violation of the GDPR, it would be sufficient for the CSA to present such arguments ina conclusive and substantiatedmanner | |||
===== Infringement of the GDPR ===== | |||
theCSA’sobjections tothe draft decisionmust be justified and motivatedthrough reference to evidence andfactsthat support the objection,by having regard to thefacts andevidence(the ‘relevant information’ referred to in Article 60.3) provided by the LSA. Theserequirements should apply to each specific infringement and to each specific provision in question (e.g.if the draft decision says that the controller infringedArticles6, 7, and 14 GDPR, and the CSA disagreesonwhether there is an infringement ofArticle7 and 14 and considers that there is an infringement ofArticle13 GDPR). | |||
In some circumstances, the objection could go as far as identifying gaps in the draft decision justifyingthe need for further investigation by the LSA.For instance, if the investigation carried out by the LSAunjustifiably fails tocover some of the issues raised by the complainantor resulting from aninfringement reported by a CSA, a relevant and reasoned objection may be raised based on the failureof the LSA to properly handle the complaint and in safeguarding the rights of the data subject. | |||
===== Compliance of the envisaged action ===== | |||
===== Significance of the risks ===== | |||
====== Fundamental rights and freedom ====== | |||
====== Free flow of personal data ====== | |||
=== Final decision === | === Final decision === |
Revision as of 12:07, 20 May 2021
Legal Text
1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.
2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.
3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.
4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.
5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.
6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.
7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.
8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.
9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.
10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.
12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.
Relevant Recitals
You can help us fill this section!
Commentary
The Lead Supervisory Authority cooperates with the other Authorities Concerned
The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this article in an endeavour to reach consensus. The wording of the provision indicates that a lead supervisory authority has already been identified under Article 56 and that all the requirements set forth therein are met.
Cooperation
Article 60(1) obliges the lead authority to cooperate with the other authorities concerned. As soon as it learns of its responsibility under Article 56(1), the lead authority must take the initiative and, as far as it can, investigate which other supervisory authorities in the Member States could be concerned. Article 60 provides for means and specific guidelines on how the cooperation should take place. However, this catalog is not exhaustive; rather, all types of cooperation that are “in accordance with this article” are not only permitted but encouraged. Finally, the duty to cooperate is not one-sided, but naturally applies also the other authorities concerned. [1]
Consensus
The lead authority is obliged to seek consensus with the other authorities concerned. The black-letter of the law seems to put this obligation specifically on the LSA and not on the other authorities concerned. [2] Above all, this requires that the supervisory authorities concerned are given sufficient opportunity to present their own legal positions in the procedure pursuant to Article 60(3) GDPR and that their positions are incorporated into the final assessment by the lead supervisory authority.[3] The above seems to be confirmed by Recital 125 which specifies that "the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process".
Information exchange
The obligation to cooperate is particularly specified in an obligation to provide information to one another. Effective Union-wide enforcement of the Regulation requires that all supervisory authorities concerned, including the LSA, receive and share all relevant information on cross-border data processing as promptly as possible. The above stays true even when the identity of the lead supervisory authority is still unclear: the required exchange of information must take place in any case.
Administrative assistance
According to Paragraph 2, the lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62. This is especially important in later procedural steps. Before issuing a binding decision, it may be necessary for the lead and the other supervisory authorities concerned to first exercise investigative powers in their own territory towards the main branch and the other branches of the controller or processor.[4]
Procedure
Paragraphs 3 to 10 contain a completely new, relatively complex decision-making procedure. This can be divided into two phases: a preparatory phase in which information, drafts and objections are exchanged (Paragraphs 3 to 6) and the actual decision-making stage (Paragraphs 6 to 9). Finally, Paragraph 10 regulates the implementation by those responsible and contract processors.[5]
The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views. In other words, in accordance with Article 60(1), the LSA must adequately address the positions of the other supervisory authorities and integrate them into the decision-making process which eventually results in a draft decision on the case.
According to Article 60(3) and (4) GDPR, the LSA is required to submit a draft decision to the CSAs,which then may raise a relevant and reasoned objection within a specific time frame (four weeks). Upon receipt of a relevant and reasoned objection, the LSA has two options open to it. If it does not follow the relevant and reasoned objection or is of the opinion that the objection is not reasoned or relevant, it shall submit the matter to the Board within the consistency mechanism. If the LSA, on the contrary, follows the objection and issues the revised draft decision, the CSAs may express a relevant and reasoned objection on the revised draft decision within a period of two weeks.
When the LSA does not follow an objection or rejects it as not relevant or reasoned and therefore submits the matter to the Board according to Article 65(1)(a)GDPR, it then becomes incumbent upon the Board to adopt a binding decision on whether the objection is “relevant and reasoned” and if so, on all the matters which are the subject of the objection.
CSAs' Objection
Under Article 4(24) GDPR, any CSA can submit an "objection to a draft decision" which must be “relevant and reasoned” and focus on "as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union”.[6]
Relevant and reasoned
An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by other clear indication, and showing why such issues are to be deemed “relevant” as further explained below. Therefore, the objection aims, first of all, at pointing out how and why according to the CSA the draft decision does not appropriately address the situation of infringement of the GDPR and/or does not envision appropriate action towards the controller or processor. The proposals for amendments put forward by the objection should aim to remedy these errors.
Relevant
In order for the objection to be considered as “relevant”, there must be adirect connection betweenthe objection and the draft decision at issue6.More specifically,the objection needs toconcerneitherwhetherthere is aninfringement of the GDPRorwhethertheenvisaged action in relation to thecontroller or processor complies with theGDPR. An objection should only be consideredrelevant if it relates to the specific legal and factual content ofthe draft decision.Raising only abstract orbroad comments or objections cannot be consideredrelevant in this context.
Reasoned
In order for the objection to be “reasoned”7,it needs to include clarificationsandargumentsas towhyan amendment of the decision is proposed(i.e. theallegedlegal / factualmistakes of the draftdecision). It also needs to demonstratehowthe change would lead to a different conclusionas to whether there is an infringement of the GDPR orwhetherthe envisaged action in relation to thecontroller or processorcomplieswith the GDPR.
TheCSA should provide sound reasoning for its objection,in particular, by reference tolegalarguments(relying on EU law and/or relevant national lawand including e.g. legal provisions,guidelines, case law)orfactual arguments,where applicable. The CSA should present the fact(s)allegedly leading to a different conclusionregardingthe infringement of the GDPR by thecontroller/processor, or the aspect of the decisionthat, in their view, is deficient/erroneous.
In order for an objection to be adequately reasoned, it should becoherent,clear, precise and detailedin explaining the reasons for objection.It should set forth,clearly andprecisely, theessential factsonwhich the CSA based its assessment,and thelink between the envisaged consequences of the draftdecision(if it was to be issued ‘as is’)and the significance of the anticipated risks.Moreover,theCSAshouldclearly indicate which parts of thedraft decisionthey disagreewith.In cases where theobjection is based on the opinion that the LSA failed to fully investigate an important fact of the case,or an additional violation of the GDPR, it would be sufficient for the CSA to present such arguments ina conclusive and substantiatedmanner
Infringement of the GDPR
theCSA’sobjections tothe draft decisionmust be justified and motivatedthrough reference to evidence andfactsthat support the objection,by having regard to thefacts andevidence(the ‘relevant information’ referred to in Article 60.3) provided by the LSA. Theserequirements should apply to each specific infringement and to each specific provision in question (e.g.if the draft decision says that the controller infringedArticles6, 7, and 14 GDPR, and the CSA disagreesonwhether there is an infringement ofArticle7 and 14 and considers that there is an infringement ofArticle13 GDPR).
In some circumstances, the objection could go as far as identifying gaps in the draft decision justifyingthe need for further investigation by the LSA.For instance, if the investigation carried out by the LSAunjustifiably fails tocover some of the issues raised by the complainantor resulting from aninfringement reported by a CSA, a relevant and reasoned objection may be raised based on the failureof the LSA to properly handle the complaint and in safeguarding the rights of the data subject.
Compliance of the envisaged action
Significance of the risks
Fundamental rights and freedom
Free flow of personal data
Final decision
The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.
Dismissal
By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.
Partial dismissal
Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.
Enforcement
After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
Urgency procedure
The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.
Decisions
→ You can find all related decisions in Category:Article 60 GDPR
References
- ↑ Dix in Kühling, Buchner, GDPR BDSG, Article 60 GDPR, Margin number 6 (Beck 3rd edition 2020)
- ↑ Polenz in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (1st edition 2019)
- ↑ Polenz in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (1st edition 2019)
- ↑ Polenz in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 8 (1st edition 2019)
- ↑ Polenz in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 9 (1st edition 2019)
- ↑ The EDPB provided guidance with respect to the notion of the terms “relevant and reasoned”, including what should be considered when assessing whether an objection “clearly demonstrates the significance of the risks posed by the draft decision” (Article 4(24) GDPR). See, EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 (8.10.2020) (available here)