Article 60 GDPR: Difference between revisions
No edit summary |
(Review) |
||
Line 224: | Line 224: | ||
Under Article 60 GDPR, the “lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other”. However, information exchange shall not constitute the only type of cooperation. Instead, all types of cooperation that are “''in accordance with this article''” are not only permitted but encouraged. | Under Article 60 GDPR, the “lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other”. However, information exchange shall not constitute the only type of cooperation. Instead, all types of cooperation that are “''in accordance with this article''” are not only permitted but encouraged. | ||
Finally, the ''duty to cooperate'' is not one-sided but naturally applies also the other authorities concerned.<ref>''Dix'' in Kühling, Buchner, GDPR BDSG, Article 60 GDPR, | Finally, the ''duty to cooperate'' is not one-sided but naturally applies also the other authorities concerned.<ref>''Dix,'' in Kühling, Buchner, GDPR BDSG, Article 60 GDPR, margin number 6 (C.H. Beck 2020).</ref> | ||
==== Consensus ==== | ==== Consensus ==== | ||
The lead authority is obliged to reach a ''consensus'' with the other authorities concerned.<ref>The letter of the law seems to put this obligation specifically on the LSA rather than single CSAs | The lead authority is obliged to reach a ''consensus'' with the other authorities concerned.<ref>The letter of the law seems to put this obligation specifically on the LSA rather than single CSAs; see ''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (NOMOS 2019).</ref> Supervisory authorities concerned shall therefore be given adequate information and sufficient opportunity to present their legal positions (Article 60(3) GDPR), which, as long as possible, shall be incorporated into the LSA’s final assessment.<ref>''Polenz,'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (NOMOS 2019).</ref> The above seems confirmed by Recital 125 GDPR, which specifies that “''the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process''”. | ||
==== Information | ==== Information Exchange ==== | ||
The GDPR seems to put a particular focus on the information exchange obligation. Effective Union-wide enforcement requires that all supervisory authorities concerned, including the LSA, receive and share all relevant information on cross-border data processing as promptly as possible. The above stays true even when the identity of the lead supervisory authority is still unclear: the required exchange of information must take place in any case (see [[Article 61 GDPR]] and [[Article 62 GDPR]]). | The GDPR seems to put a particular focus on the information exchange obligation. Effective Union-wide enforcement requires that all supervisory authorities concerned, including the LSA, receive and share all relevant information on cross-border data processing as promptly as possible. The above stays true even when the identity of the lead supervisory authority is still unclear: the required exchange of information must take place in any case (see [[Article 61 GDPR]] and [[Article 62 GDPR]]). | ||
=== (2) The Lead Supervisory Authority may Request Cooperation === | === (2) The Lead Supervisory Authority may Request Cooperation === | ||
According to Paragraph 2, the lead supervisory authority may request other supervisory authorities to provide mutual assistance pursuant to [[Article 61 GDPR]] and conduct joint operations pursuant to [[Article 62 GDPR]]. In fact, before issuing a binding decision, it may (and usually will) be necessary for the lead and the other supervisory authorities concerned to first exercise investigative powers in their territory towards the main branch and the other branches of the controller or processor. Cooperation is also crucial in later procedural steps for “monitoring the implementation of a measure concerning a controller or processor established in another Member State”.<ref>''Polenz'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 8 ( | According to Paragraph 2, the lead supervisory authority may request other supervisory authorities to provide mutual assistance pursuant to [[Article 61 GDPR]] and conduct joint operations pursuant to [[Article 62 GDPR]]. In fact, before issuing a binding decision, it may (and usually will) be necessary for the lead and the other supervisory authorities concerned to first exercise investigative powers in their territory towards the main branch and the other branches of the controller or processor. Cooperation is also crucial in later procedural steps for “monitoring the implementation of a measure concerning a controller or processor established in another Member State”.<ref>''Polenz,'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 8 (NOMOS 2019).</ref> | ||
=== (3) Draft Decision and Relevant Reasoned Objection === | === (3) Draft Decision and Relevant Reasoned Objection === | ||
Paragraph 3 sets out the practical background of the cooperation mechanism. The lead supervisory authority communicates the relevant information on the matter to the other supervisory authorities concerned and, without delay, provide them with a draft decision for their opinion, which shall be taken into “due account”. In other words, under Article 60(1) GDPR, the LSA must adequately address the positions of the other supervisory authorities and integrate them into the decision-making process.<ref>Paragraphs 3 to 10 contain a completely new, relatively complex two-phases decision-making procedure. The first (or preparatory) phase regulates how information, draft decisions and objections are exchanged among authorities ( | Paragraph 3 sets out the practical background of the cooperation mechanism. The lead supervisory authority communicates the relevant information on the matter to the other supervisory authorities concerned and, without delay, provide them with a draft decision for their opinion, which shall be taken into “due account”. In other words, under Article 60(1) GDPR, the LSA must adequately address the positions of the other supervisory authorities and integrate them into the decision-making process.<ref>Paragraphs 3 to 10 contain a completely new, relatively complex two-phases decision-making procedure. The first (or preparatory) phase regulates how information, draft decisions and objections are exchanged among authorities (paragraphs 3 to 6). The second phase, which consists of the actual decision-making stage (including enforcement, paragraphs 6 to 10); see ''Polenz,'' in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 9 (NOMOS 2019).</ref> | ||
==== CSA’s Objection ==== | ==== CSA’s Objection ==== | ||
Under [[Article 4 GDPR|Article 4(24) GDPR]], any CSA can submit an “objection to a draft decision” which must be “<u>relevant and reasoned</u>” and focus on “as to whether there is an <u>infringement of this Regulation</u>, or whether <u>envisaged action</u> in relation to the controller or processor complies with this Regulation, which clearly demonstrates the <u>significance of the risks</u> posed by the draft decision as regards the <u>fundamental rights and freedoms</u> of data subjects and, where applicable, the <u>free flow of personal data</u> within the Union”.<ref>The EDPB provided guidance for the notion of the terms “''relevant and reasoned''”, including what should be considered when assessing whether an objection “''clearly demonstrates the significance of the risks posed by the draft decision''” | Under [[Article 4 GDPR|Article 4(24) GDPR]], any CSA can submit an “objection to a draft decision” which must be “<u>relevant and reasoned</u>” and focus on “as to whether there is an <u>infringement of this Regulation</u>, or whether <u>envisaged action</u> in relation to the controller or processor complies with this Regulation, which clearly demonstrates the <u>significance of the risks</u> posed by the draft decision as regards the <u>fundamental rights and freedoms</u> of data subjects and, where applicable, the <u>free flow of personal data</u> within the Union”.<ref>The EDPB provided guidance for the notion of the terms “''relevant and reasoned''”, including what should be considered when assessing whether an objection “''clearly demonstrates the significance of the risks posed by the draft decision''”. See EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-092020-relevant-and-reasoned_en here]).</ref> | ||
An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by other clear indication and showing why such issues are to be deemed “relevant” as further explained below. Therefore, the objection aims, first of all, at pointing out how and why according to the CSA the draft decision does not appropriately address the situation of infringement of the GDPR and/or does not envision appropriate action towards the controller or processor. The proposals for amendments put forward by the objection should aim to remedy these errors. | An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by other clear indication and showing why such issues are to be deemed “relevant” as further explained below. Therefore, the objection aims, first of all, at pointing out how and why according to the CSA the draft decision does not appropriately address the situation of infringement of the GDPR and/or does not envision appropriate action towards the controller or processor. The proposals for amendments put forward by the objection should aim to remedy these errors. | ||
===== Relevant ===== | ===== Relevant ===== | ||
For the objection to be considered as “relevant”, there must be a direct connection between the objection and the draft decision at issue. More specifically, the objection needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR. An objection should only be considered relevant if it relates to the specific legal and factual content of the draft decision. Raising only abstract or broad comments or objections cannot be considered relevant in this context.<ref> | For the objection to be considered as “relevant”, there must be a direct connection between the objection and the draft decision at issue. More specifically, the objection needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR. An objection should only be considered relevant if it relates to the specific legal and factual content of the draft decision. Raising only abstract or broad comments or objections cannot be considered relevant in this context.<ref>EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-092020-relevant-and-reasoned_en here]).</ref> | ||
===== Reasoned ===== | ===== Reasoned ===== | ||
Line 251: | Line 251: | ||
The CSA should provide sound reasoning for its objection, particularly by reference to legal arguments (relying on EU law and/or relevant national law and including, e.g. legal provisions, guidelines, case law) or factual arguments, where applicable. The CSA should present the fact(s) allegedly leading to a different conclusion regarding the infringement of the GDPR by the controller/processor or the aspect of the decision that, in their view, is deficient/erroneous. | The CSA should provide sound reasoning for its objection, particularly by reference to legal arguments (relying on EU law and/or relevant national law and including, e.g. legal provisions, guidelines, case law) or factual arguments, where applicable. The CSA should present the fact(s) allegedly leading to a different conclusion regarding the infringement of the GDPR by the controller/processor or the aspect of the decision that, in their view, is deficient/erroneous. | ||
In order for an objection to be adequately reasoned, it should be coherent, clear, precise and detailed in explaining the reasons for objection. It should set forth, clearly and precisely, the essential facts on which the CSA based its assessment and the link between the envisaged consequences of the draft decision (if it was to be issued ‘as is’)and the significance of the anticipated risks. Moreover, the CSA should indicate which parts of the draft decision they disagree with. In cases where the objection is based on the opinion that the LSA failed to investigate an essential fact of the case entirely, or an additional violation of the GDPR, it would be sufficient for the CSA to present such arguments in a conclusive and substantiated manner. <ref> | In order for an objection to be adequately reasoned, it should be coherent, clear, precise and detailed in explaining the reasons for objection. It should set forth, clearly and precisely, the essential facts on which the CSA based its assessment and the link between the envisaged consequences of the draft decision (if it was to be issued ‘as is’)and the significance of the anticipated risks. Moreover, the CSA should indicate which parts of the draft decision they disagree with. In cases where the objection is based on the opinion that the LSA failed to investigate an essential fact of the case entirely, or an additional violation of the GDPR, it would be sufficient for the CSA to present such arguments in a conclusive and substantiated manner.<ref>EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-092020-relevant-and-reasoned_en here]).</ref> | ||
===== Infringement of the GDPR ===== | ===== Infringement of the GDPR ===== | ||
The CSA’s objections to the draft decision must be justified and motivated through reference to evidence and facts that support the objection, by having regard to the facts and evidence (the ‘relevant information’ referred to in Article 60 (3) GDPR) provided by the LSA. These requirements should apply to each specific infringement and to each specific provision in question (e.g.if the draft decision says that the controller infringed [[Article 6 GDPR|Articles 6, 7, 14 GDPR]], and the CSA disagrees on whether there is an infringement of [[Article 7 GDPR|Article 7, 14 GDPR]] and considers that there is an infringement of [[Article 13 GDPR]]). | The CSA’s objections to the draft decision must be justified and motivated through reference to evidence and facts that support the objection, by having regard to the facts and evidence (the ‘relevant information’ referred to in Article 60 (3) GDPR) provided by the LSA. These requirements should apply to each specific infringement and to each specific provision in question (e.g.if the draft decision says that the controller infringed [[Article 6 GDPR|Articles 6, 7, 14 GDPR]], and the CSA disagrees on whether there is an infringement of [[Article 7 GDPR|Article 7, 14 GDPR]] and considers that there is an infringement of [[Article 13 GDPR]]). | ||
In some circumstances, the objection could go as far as identifying gaps in the draft decision justifying the need for further investigation by the LSA. For instance, if the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant and reasoned objection may be raised based on the failure of the LSA to handle the complaint properly and in safeguarding the rights of the data subject.<ref> | In some circumstances, the objection could go as far as identifying gaps in the draft decision justifying the need for further investigation by the LSA. For instance, if the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant and reasoned objection may be raised based on the failure of the LSA to handle the complaint properly and in safeguarding the rights of the data subject.<ref>EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-092020-relevant-and-reasoned_en here]).</ref> | ||
===== Other Requirements ===== | ===== Other Requirements ===== |
Revision as of 10:33, 25 August 2021
Legal Text
1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.
2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.
3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.
4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.
5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.
6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.
7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.
8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.
9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.
10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.
12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.
Relevant Recitals
Commentary
The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this article in an endeavour to reach consensus. The wording of the provision indicates that a lead supervisory authority has already been identified under Article 56 and that all the requirements set forth therein are met.
(1) The Lead Supervisory Authority Shall Cooperate With the Other Supervisory Authorities Concerned
Article 60(1) GDPR requires the lead authority (“LSA”) to cooperate with the other authorities concerned. As soon as the LSA learns of its responsibility under Article 56(1) GDPR, it must take the initiative and identify the other supervisory authorities concerned (“CSA”).
Under Article 60 GDPR, the “lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other”. However, information exchange shall not constitute the only type of cooperation. Instead, all types of cooperation that are “in accordance with this article” are not only permitted but encouraged.
Finally, the duty to cooperate is not one-sided but naturally applies also the other authorities concerned.[1]
Consensus
The lead authority is obliged to reach a consensus with the other authorities concerned.[2] Supervisory authorities concerned shall therefore be given adequate information and sufficient opportunity to present their legal positions (Article 60(3) GDPR), which, as long as possible, shall be incorporated into the LSA’s final assessment.[3] The above seems confirmed by Recital 125 GDPR, which specifies that “the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process”.
Information Exchange
The GDPR seems to put a particular focus on the information exchange obligation. Effective Union-wide enforcement requires that all supervisory authorities concerned, including the LSA, receive and share all relevant information on cross-border data processing as promptly as possible. The above stays true even when the identity of the lead supervisory authority is still unclear: the required exchange of information must take place in any case (see Article 61 GDPR and Article 62 GDPR).
(2) The Lead Supervisory Authority may Request Cooperation
According to Paragraph 2, the lead supervisory authority may request other supervisory authorities to provide mutual assistance pursuant to Article 61 GDPR and conduct joint operations pursuant to Article 62 GDPR. In fact, before issuing a binding decision, it may (and usually will) be necessary for the lead and the other supervisory authorities concerned to first exercise investigative powers in their territory towards the main branch and the other branches of the controller or processor. Cooperation is also crucial in later procedural steps for “monitoring the implementation of a measure concerning a controller or processor established in another Member State”.[4]
(3) Draft Decision and Relevant Reasoned Objection
Paragraph 3 sets out the practical background of the cooperation mechanism. The lead supervisory authority communicates the relevant information on the matter to the other supervisory authorities concerned and, without delay, provide them with a draft decision for their opinion, which shall be taken into “due account”. In other words, under Article 60(1) GDPR, the LSA must adequately address the positions of the other supervisory authorities and integrate them into the decision-making process.[5]
CSA’s Objection
Under Article 4(24) GDPR, any CSA can submit an “objection to a draft decision” which must be “relevant and reasoned” and focus on “as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union”.[6]
An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by other clear indication and showing why such issues are to be deemed “relevant” as further explained below. Therefore, the objection aims, first of all, at pointing out how and why according to the CSA the draft decision does not appropriately address the situation of infringement of the GDPR and/or does not envision appropriate action towards the controller or processor. The proposals for amendments put forward by the objection should aim to remedy these errors.
Relevant
For the objection to be considered as “relevant”, there must be a direct connection between the objection and the draft decision at issue. More specifically, the objection needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR. An objection should only be considered relevant if it relates to the specific legal and factual content of the draft decision. Raising only abstract or broad comments or objections cannot be considered relevant in this context.[7]
Reasoned
In order for the objection to be “reasoned”, it needs to include clarifications and arguments as to why an amendment of the decision is proposed(i.e. the alleged legal / factual mistakes of the draft decision). It also needs to demonstrate how the change would lead to a different conclusion as to whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR.
The CSA should provide sound reasoning for its objection, particularly by reference to legal arguments (relying on EU law and/or relevant national law and including, e.g. legal provisions, guidelines, case law) or factual arguments, where applicable. The CSA should present the fact(s) allegedly leading to a different conclusion regarding the infringement of the GDPR by the controller/processor or the aspect of the decision that, in their view, is deficient/erroneous.
In order for an objection to be adequately reasoned, it should be coherent, clear, precise and detailed in explaining the reasons for objection. It should set forth, clearly and precisely, the essential facts on which the CSA based its assessment and the link between the envisaged consequences of the draft decision (if it was to be issued ‘as is’)and the significance of the anticipated risks. Moreover, the CSA should indicate which parts of the draft decision they disagree with. In cases where the objection is based on the opinion that the LSA failed to investigate an essential fact of the case entirely, or an additional violation of the GDPR, it would be sufficient for the CSA to present such arguments in a conclusive and substantiated manner.[8]
Infringement of the GDPR
The CSA’s objections to the draft decision must be justified and motivated through reference to evidence and facts that support the objection, by having regard to the facts and evidence (the ‘relevant information’ referred to in Article 60 (3) GDPR) provided by the LSA. These requirements should apply to each specific infringement and to each specific provision in question (e.g.if the draft decision says that the controller infringed Articles 6, 7, 14 GDPR, and the CSA disagrees on whether there is an infringement of Article 7, 14 GDPR and considers that there is an infringement of Article 13 GDPR).
In some circumstances, the objection could go as far as identifying gaps in the draft decision justifying the need for further investigation by the LSA. For instance, if the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant and reasoned objection may be raised based on the failure of the LSA to handle the complaint properly and in safeguarding the rights of the data subject.[9]
Other Requirements
For the other requirements foreseen in Article 4(24) GDPR please see the relevant provision in the Commentary.
(4) Objection is Rejected
Following the submission of the draft decision, the concerned supervisory authorities (CSAs) may raise a relevant and reasoned objection within four weeks. If the LSA does not follow the relevant and reasoned objection or believes that the objection is not reasoned or relevant, the matter is referred to the attention of the EDPB which will decide it following Article 63 GDPR and Article 65(1)(a) GDPR. It then becomes incumbent upon the Board to adopt a binding decision on whether the objection is “relevant and reasoned” and, in general, if it meets the requirements outlined in Article 4(24) GDPR.
(5) Objection Is Accepted
Where the lead supervisory authority intends to follow one or more relevant and reasoned objections made by one or more CSAs, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion as foreseen in Paragraph 4. However, in this case, the CSAs only have two weeks to express their opinion.
(6) Agreement on the Draft Decision
Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to agree with that draft decision and shall be bound by it. In this case, the decision becomes final.
(7) Notification of the Final Decision
The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.
(8) Dismissal
By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof. This provision facilitates the data subject who might intend to file an appeal before a national court.
(9) Partial Dismissal
Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter.
On the one hand, the LSA adopts the decision for the part concerning actions about the controller, notifies it to the main establishment or single establishment of the controller or processor on the territory of its Member State and informs the complainant.
On the other hand, the supervisory authority of the complainant adopts the decision for the part concerning dismissal or rejection, notifies it to the complainant and informs the controller or processor.
(10) Enforcement
After being notified of the decision of the LSA according to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance for all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
(11) Urgency procedure
Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 GDPR shall apply.
Exceptional circumstances
You can help us fill this section!
Urgent need
You can help us fill this section!
(12) Forms of Communication: Electronic Means and Standardised Format
The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.
Decisions
→ You can find all related decisions in Category:Article 60 GDPR
References
- ↑ Dix, in Kühling, Buchner, GDPR BDSG, Article 60 GDPR, margin number 6 (C.H. Beck 2020).
- ↑ The letter of the law seems to put this obligation specifically on the LSA rather than single CSAs; see Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (NOMOS 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 5 (NOMOS 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 8 (NOMOS 2019).
- ↑ Paragraphs 3 to 10 contain a completely new, relatively complex two-phases decision-making procedure. The first (or preparatory) phase regulates how information, draft decisions and objections are exchanged among authorities (paragraphs 3 to 6). The second phase, which consists of the actual decision-making stage (including enforcement, paragraphs 6 to 10); see Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 60 GDPR, margin number 9 (NOMOS 2019).
- ↑ The EDPB provided guidance for the notion of the terms “relevant and reasoned”, including what should be considered when assessing whether an objection “clearly demonstrates the significance of the risks posed by the draft decision”. See EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available here).
- ↑ EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available here).
- ↑ EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available here).
- ↑ EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available here).