Article 65 GDPR
Legal Text
1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:
- (a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;
- (b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;
- (c) where a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64. In that case, any supervisory authority concerned or the Commission may communicate the matter to the Board.
2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.
3. Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall by adopted by the vote of its Chair.
4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.
5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.
6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.
8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.
9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.
10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.
12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.
Relevant Recitals
Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.
Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue, that national court does not have the power to declare the Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.Commentary
(1) Dispute Resolution Mechanism
Article 65 GDPR enables the EDPB to adopt binding decisions in cases where the supervisory authorities (“SA”) cannot agree on some elements of interpretation of the GDPR: when the lead SA does not follow a reasoned objection of a SA (Article 65(1)(a) GDPR), when there are different views on which SA is the lead SA (“LSA”) (Article 65(1)(b) GDPR), and where a SA is not following an opinion of the EDPB (Article 6(1)(c) GDPR).
(a) No Consensus on Relevant and Reasoned Objections
Article 65(1)(a) GDPR addresses the cases where a consensus could not be reached within the consistency mechanism under Article 60 GDPR. This dispute resolution mechanism shall be activated when a reasoned objection by a concerned SA (“CSA”) is raised and not followed by the LSA. If the LSA does not intend to follow the objection(s) or considers the objection(s) are not relevant and reasoned, the LSA is obliged to refer the case to the EDPB for dispute resolution.
The procedure and scope of Article 65(1)(a) GDPR have also been further developed by the EPDB in Guidelines 03/2021.[1] In particular, the EDPB binding decision should only concern the matters which are subject to the relevant and reasoned objection(s) of the CSAs. The reasoned objection is defined by Article 4(24) GDPR and the notion has been further developed by the EDPB in its Guidelines 09/2020.[2] When a LSA refers a dispute to the EDPB for resolution in accordance with Articles 60(4) and 63 GDPR, the EDPB must first assess whether the objection(s) raised in fact meet the conditions of being relevant and reasoned. In order for an objection to be considered as “relevant”, there must be a direct connection between the objection and the substance of the draft decision at issue. The EDPB refers to some examples where a possible disagreement between the LSA and the CSAs can arise: the existence of a given infringement of the GDPR, the existence of additional or alternative infringements of the GDPR, gaps in the draft decision justifying the need for further investigation, insufficient factual information or reasoning, procedural aspects, or the specific action envisaged by the draft decision.[3]
On 9 November 2020, the EDPB adopted its first decision under the dispute resolution mechanism laid down by Article 65 GDPR.[4] The binding decision seeks to address the dispute which arose following a draft decision issued by the Irish SA as LSA regarding Twitter and the subsequent relevant and reasoned objections expressed by a number of CSAs. As the LSA rejected the objections and/or considered they were not “relevant and reasoned”, it referred the matter to the EDPB in accordance with Art 60 (4) GDPR, thereby initiating the dispute resolution procedure. In this decision, the EDPB confirmed its interpretation of the notion of relevant and reasoned objection under Article 4(24) GDPR, considering that CSAs should show why the draft decision, if it was unchanged, would pose significant risks for the rights and freedoms of data subjects and/or the free flow of data. The majority of the objections raised on the substance and on the failure to impose a reprimand were dismissed on this ground. The EDPB also required the Irish DPA to re-assess the elements to calculate the amount of the fixed fine to be imposed on twitter. The Irish DPA adopted its final decision on 9 December 2020.[5]
A second EDPB decision regarding Twitter on the basis of Article 65(1)(a) GDPR was adopted in July 2021. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA as LSA regarding WhatsApp and the subsequent objections expressed by a number of CSAs. The CSAs issued objections pursuant to Art. 60(4) GDPR concerning, among others, the identified infringements of the GDPR, whether specific data at stake were to be considered personal data and the consequences thereof, and the appropriateness of the envisaged corrective measures.[6]
EDPB Guidelines: On this provision, please see Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications
(b) Conflict of Views on the Lead SA
Article 65(1)(b) GDPR provides for a dispute resolution mechanism where SAs do not agree on which one of them is the LSA. Although Recital 136 GDPR only refers to disputes between the SAs (“the Board should be empowered to adopt legally binding decisions where there are disputes between supervisory authorities”), the wording of Article 65(1)(b) GDPR does not exclude other interested parties, such as controllers, processors, or complainants, from the procedure before the EDPB. In its decision regarding Twitter, the EDPB considered that the question of the competence of the LSA falls outside of the scope of Article 65(1)(a) GDPR. This specific issue should be addressed under the specific procedure laid down in Article 65(1)(b) GDPR.[7] One can therefore conclude that Article 65(2) GDPR can be invoked by a controller or a complainant who would not agree with the designation of the LSA.[8] Another question is, at which stage of the procedure this question can be asked. It is possible that the designation of the LSA will only be communicated to the controller or the complainant at a later stage of the procedure, or even together with the final decision on the merits.
(c) Decision After an Opinion of the EDPB Not Requested or Followed by SA
Article 65(1)(c) GDPR concerns the third case where the EDPB can adopt a binding decision: when a SA does not ask the opinion of the EDPB under Article 64 GDPR, or does not follow an opinion of the EDPB adopted as per this last provision. This provision is remarkable since the opinions of the EDPB are not supposed to be binding. However, Article 65(8) GDPR already states that when the SA intends not to follow the opinion of the EDPB, Article 65(1) GDPR shall apply.[9] That means that the opinion might become binding, at the condition that the two-third majority required in principle (see hereunder Article 65(2) GDPR) to adopt a decision under Article 65 GDPR is reached, since Article 64 GDPR only requires a simple majority. The procedure under Article 65(1)(c) GDPR can be triggered by the Commission or any SA (in the sense of Article 4(22) GDPR).
(2) Procedure
The decision shall be adopted by the EDPB within a deadline of one month from the “referral of the subject-matter”. The Rules of Procedure (“RoP”) of the EDPB provide that the decision shall be adopted one month after the Chair and the SA/Commission/EFTA Surveillance authority have decided that the file is complete.[10] The deadline shall be extended by another month taking into account the complexity of the matter, upon decision of the Chair of the EDPB or at the request of at least one third of the members of the EDPB.[11]
During the procedure, the EDPB will have to make sure that the right to be heard is respected. The right to be heard before an administration implements a measure that would adversely affect a person is enshrined in Article 41 CFEU and also included in Article 16 of the European Code of Good Administrative Behaviour and reflected in Article 11 of the RoP of the EDPB. According to the EDPB, “As a result, any of these persons which would be adversely affected by the decision, in particular the controller(s) and/or processor(s) who are addressed by the draft decision of the LSA, as well as any other person which would be adversely affected by the decision, must be afforded the right to be heard in relation to the subject matter which is brought before the EDPB pursuant to Articles 60(4), 63 and 65(1)(a) GDPR”.[12] However, we share the doubts of Hijmans about the compliance of the RoP of the EDPB with Article 41 CFR.[13]
Finally, the decision shall be adopted by a two-third majority of the members. The provision does not say whether the vote shall be made public or not, but it seems that the EDPB does not even provide for the possibility to record the names of the members voting in favour or against a document, since the RoP only refer to the “numerical result of the vote”.[14] The decision shall be reasoned (in accordance with Article 41 CFR) and binding on all SAs concerned and addressed to the LSA.
(3) Extension of the Deadline
When no decision can adopted with a majority of two thirds by the EDPB within the extended period of two months, the EDPB can adopt the decision by simple majority. When the votes are split among the members, the vote of the Chair will be decisive.
(4) SAs Prohibited to Adopt any Measure During the Procedure
SAs shall refrain from adopting any decision concerning the subject-matter during the period during which the EDPB is bound to adopt a decision. However, the GDPR does not say anything about the case where the EDPB does not adopt a decision at all during the said period. It appears that the LSA or the SA concerned could adopt a final decision in such a case.
(5) Notification and Publication of the Decision of the EDPB
The decision adopted by the EDPB should be notified to the SAs concerned (“CSA”), which usually means the LSA and the SA concerned, by the procedure in the case of Article 65(1)(a) GDPR. However, the definition of SA concerned is less clear in the case of a binding decision adopted under Article 65(1)(b) and (c) GDPR. The decision should be published on the website of the EDPB without undue delay, which should mean that the publication should happen on the same day that the final national decision is notified to the controller, the processor or the complainant by the LSA or the CSA.[15] The publication of the decision on the website will trigger the deadline for the controllers, processors and complainants to file an action against the decision of the EDPB before the CJEU, as per Article 263 TFEU.[16]
(6) Adoption of the National Decision(s)
The LSA will adopt the decision within one month after the notification of the decision by the EDPB. Should a decision be adopted by the CSA, they should ideally be adopted simultaneously, and the Chair of the EDPB should be informed thereof, in order to publish the decision on the website of the EDPB on the same day. Indeed, the deadline to appeal the EDPB decision will be triggered on the day of the publication of the decision or the day of the notification, as per Article 263 TFEU.
According to Article 263 TFEU, any legal or natural person can bring an action for annulment before the CJEU against a decision which is of direct and individual concern to them. The deadline to bring the action is two months after the publication (for the controllers, processors and complainants) or the notification of the decision (for the SAs). That means that not only the controller, processor or complainant can challenge the decision of the EDPB but also its members, and in particular the LSA and the CSAs involved in the one-stop-shop procedure.
The decision of the LSA (and in some cases of the CSA) shall refer to the decision of the EDPB, but Article 65(6) GDPR does not specify that the decision of the EDPB should be attached to the national decision. The final national decisions can also be appealed before the national courts, as per Article 78 GDPR which confirms the right to have a judicial remedy against a decision of a SA. Where proceedings are brought against a decision of a SA that was preceded by an opinion or a decision of the Board in the consistency mechanism, the SA shall forward that opinion or decision to the court.[17]
In the context of judicial remedies, national courts that consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the CJEU to give a preliminary ruling on the interpretation of Union law, including the GDPR. In particular, where a decision of a SA implementing a decision of the EDPB is challenged before a national court and the validity of the decision of the EDPB is at issue, that national court must refer the question of validity to the CJEU in accordance with Article 267 TFEU, should it consider the decision invalid.
According to Recital 143 GDPR, however, a national court may not refer a question on the validity of the decision of the EDPB at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if they were directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU. This statement is criticised by Hijmans, especially considering that the scope of the decision of the EDPB is not the same as the scope of the decision of the national SA.[18]
The final decisions of the SA shall be published on the website of the EDPB, as per Article 70(1)(y) GDPR, which requires that the EDPB maintains a publicly available electronic register of decisions of SAs and courts on issues handled in the consistency mechanisms.
Decisions
→ You can find all related decisions in Category:Article 65 GDPR
References
- ↑ EDPB, Guidelines 03/2021 on the application of Article 65(1)(a) GDPR, 13 April 2021 (available here).
- ↑ EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available here).
- ↑ EDPB, Guidelines 03/2021 on the application of Article 65(1)(a) GDPR, 13 April 2021, margin number 70 (available here).
- ↑ EDPB, 9 November 2020, Twitter International Company, Decision 01/2020 (available here).
- ↑ DPC, 9 December 2020, Twitter International Company, Case Reference IN-19-1-1 (available here).
- ↑ Not yet published, since the final decision of the Irish SA has not yet been adopted (see here).
- ↑ EDPB, 9 November 2020, Twitter International Company, Decision 01/2020 (available here).
- ↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 65 GDPR, p. 1021 (Oxford University Press 2020).
- ↑ As the CJEU clarified in its judgement in the C-311/18 (Schrems II) (§ 147): “As regards the fact, underlined by the Commissioner, that transfers of personal data to such a third country may result in the supervisory authorities in the various Member States adopting divergent decisions, it should be added that, as is clear from Article 55(1) and Article 57(1)(a) of the GDPR, the task of enforcing that regulation is conferred, in principle, on each supervisory authority on the territory of its own Member State. Furthermore, in order to avoid divergent decisions, Article 64(2) of the GDPR provides for the possibility for a supervisory authority which considers that transfers of data to a third country must, in general, be prohibited, to refer the matter to the European Data Protection Board (EDPB) for an opinion, which may, under Article 65(1)(c) of the GDPR, adopt a binding decision, in particular where a supervisory authority does not follow the opinion issued.”
- ↑ EDPB, Rules of Procedure, 8 October 2020, Articles 11.2, 11.3 and 11.4 (available here).
- ↑ EDPB, Rules of Procedure, 8 October 2020, Article 11.4 (available here).
- ↑ EDPB, Guidelines 03/2021 on the application of Article 65(1)(a) GDPR, (13 April 2021), margin number 99 (available here).
- ↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 65 GDPR, p. 1023 (Oxford University Press 2020).
- ↑ EDPB, Rules of Procedure, 8 October 2020, Article 21.2 (available here).
- ↑ EDPB, Guidelines 03/2021 on the application of Article 65(1)(a) GDPR, (13 April 2021), margin number 57 (available here).
- ↑ See also Recital 143 GDPR.
- ↑ See Article 78(2) GDPR.
- ↑ Hijmans, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 65 GDPR, p. 1025 (Oxford University Press 2020).