EUROPEAN COMMISSION

Brussels, 4.7.2023

COM(2023) 348 final

2023/0202(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

•Reasons for and objectives of the proposal

·Complaints: Complaints are an essential source of information for detecting infringements of data protection rules. DPAs have varying interpretations on requirements for the form of a complaint, the involvement of complainants in the procedure, and the rejection of complaints. For example: a complaint accepted by some DPAs could be rejected by others on the basis that it provides insufficient information; some DPAs afford complainants equal rights to the parties under investigation, while others do not include complainants or involve complainants to a very limited extent; some DPAs adopt a formal decision rejecting all complaints which are not pursued, while other DPAs fail to do so. These differences mean that the treatment of complaints and the involvement of complainants varies depending on where the complaint is lodged, or which DPA is the lead DPA for a given case. As a result, they delay the conclusion of the investigation and the delivery of a remedy for the data subject in cross-border cases. In its resolution on the Commission’s 2020 report on the GDPR, the European Parliament highlighted the need to clarify the position of complainants in the case of cross-border complaints.

·Procedural rights of parties under investigation: The rights of defence of parties under investigation constitute a fundamental principle of Union law to be respected in all circumstances, in particular in procedures which may give rise to high penalties. Given the potential severity of the penalties that may be imposed, parties under investigation for breaches of the GDPR must enjoy guarantees similar to those that are provided for in procedures of a penal character. The procedural rights of parties under investigation, such as the extent of the right to be heard and the right of access to the file, vary substantially across the Member States. The extent to which parties are heard, the timing of the hearing, and the documents that are provided to parties to enable them to exercise their right to be heard are elements on which Member States take varying approaches. These varying approaches are not always compatible with the procedure provided for in Article 60 GDPR, which rests on the presumption that the parties under investigation have exercised their due process rights before the draft decision is tabled by the lead DPA. When a case is submitted to the Board for dispute resolution, the extent to which the parties have been heard on the issues raised in the draft decision and the objections of DPAs concerned may vary. In addition, there is a lack of clarity on the extent to which parties under investigation should be heard during dispute resolution by the Board under Article 65 GDPR. Failure to guarantee the right to be heard may render the decisions of DPAs finding infringements of the GDPR more vulnerable to legal challenge.

·Cooperation and dispute resolution: The cooperation procedure in Article 60 GDPR is broadly sketched. In cross-border cases, DPAs are required to exchange ‘relevant information’ in an endeavour to reach consensus. Once the lead DPA submits a draft decision in the case, other DPAs have the opportunity to raise ‘relevant and reasoned objections’. These objections raise the possibility of dispute resolution (when they are not followed by the lead DPA). While the dispute resolution procedure in Article 65 GDPR is an essential element of ensuring consistent interpretation of the GDPR, it should be reserved for exceptional cases where sincere cooperation between DPAs has not yielded consensus. Experience in the enforcement of the GDPR in cross-border cases shows that there is insufficient cooperation between DPAs prior to the submission of a draft decision by the lead DPA. Lack of sufficient cooperation and consensus-building on key issues in the investigation at this early stage has resulted in the submission of numerous cases to dispute resolution.

There are disparities in the form and structure of relevant and reasoned objections submitted by DPAs concerned during the cross-border cooperation procedure. These differences hinder the efficient conclusion of the dispute resolution procedure and the inclusion of all DPAs concerned in the procedure, in particular DPAs of smaller Member States, which have less resources than the DPAs of larger Member States.

·The GDPR does not provide deadlines for various stages of the cooperation and dispute resolution procedure. In light of the varying complexity of investigations and the discretion of DPAs to investigate infringements of the GDPR, it is not desirable to prescribe deadlines for every stage of the procedure. However, the imposition of deadlines where appropriate will help prevent undue delay in the completion of cases.

·Form of complaints and position of complainants: The proposal provides a form specifying the information required for all complaints under Article 77 GDPR concerning cross-border processing and specifies procedural rules for the involvement of complainants in the procedure, including their right to make their views known. It specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles of the lead DPA and the DPA with which the complaint was lodged in such cases. It recognises the importance and the legality of amicable settlement of complaint-based cases.

·Targeted harmonisation of procedural rights in cross-border cases: The proposal provides the parties under investigation with the right to be heard at key stages in the procedure, including during dispute resolution by the Board, and clarifies the content of the administrative file and the parties’ rights of access to the file. The proposal thereby strengthens the parties’ rights of defence and ensures consistent observance of these rights regardless of which DPA is leading the investigation.

·Streamlining cooperation and dispute resolution: The proposal equips DPAs with the tools necessary to achieve consensus by giving added substance to the requirement for DPAs to cooperate and to share “relevant information” set out in Article 60 GDPR. This Regulation establishes a framework for all DPAs to meaningfully impact a cross-border case by providing their views early in the investigation procedure and making use of all tools provided by the GDPR. Crucially, this will facilitate consensus-building and reduce the likelihood of disagreements later in the procedure, which would require the use of the dispute resolution mechanism. Where there is disagreement between DPAs on the key issue of the scope of the investigation in complaint-based cases, the proposal provides a role for the Board to resolve the disagreement by adopting an urgent binding decision. Involving the Board on this discrete issue provides the lead DPA with the necessary clarity to proceed with the investigation and ensures that the disagreement on the scope of the investigation will not require the use of the Article 65 dispute resolution mechanism.

The proposal lays down detailed requirements for the form and structure of relevant and reasoned objections raised by DPAs concerned, thereby facilitating the effective participation of all DPAs and the targeted and swift resolution of the case.

·The proposal lays down procedural deadlines for the dispute resolution procedure, specifies the information to be provided by the lead DPA when submitting the matter to dispute resolution, and clarifies the role of all actors involved in dispute resolution (lead DPA, DPAs concerned and the Board). In this way, the proposal facilitates the swift completion of the dispute resolution procedure for the parties under investigation and data subjects.

•Consistency with existing policy provisions in the policy area

•Consistency with other Union policies

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

•Legal basis

•Subsidiarity (for non-exclusive competence)

•Proportionality

•Choice of the instrument

3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

•Ex-post evaluations/fitness checks of existing legislation

·national administrative procedures, concerning in particular: complaint handling procedures, the admissibility criteria for complaints, the duration of proceedings due to different timeframes or the absence of any deadlines, the moment in the procedure when the right to be heard is granted, the information and involvement of complainants during the procedure;

·interpretations of concepts relating to the cooperation mechanism; and

·the approach to when to start the cooperation procedure, involve DPAs concerned and communicate information to them.

•Stakeholder consultations

·The Board: The Board is composed of the DPAs, the enforcers of the GDPR. It is tasked with, among others tasks, dispute resolution in cross-border cases under the GDPR. As such, the Commission took due account of the Board’s input at all stages of the preparatory process. In the first instance, the proposal responds to the list of issues transmitted to the Commission by the Board in October 2022 identifying aspects of the cross-border enforcement procedure that could be harmonised at EU level. The proposal addresses most of the issues identified by the Board in its list. In certain cases, the Commission decided not to address the issues identified by the Board, in particular where the Commission felt that the issue was already adequately addressed by the GDPR, or that the matter should remain within the discretion of the lead DPA or be determined by national law. In addition, the proposal tackles certain issues beyond those identified by the Board in its list, where the Commission considered this necessary to ensure the smooth functioning of cross-border enforcement and respect for due process rights. The Commission also conducted targeted consultation on aspects of the proposal with subgroups of the Board that deal with cross-border cooperation and enforcement at meetings on 21 March 2023 and 24 April 2023, to avail of the expertise of DPAs dealing with these issues in their daily work. The Board was fully supportive of the Commission taking action in this area and provided valuable input to the Commission at the March and April 2023 meetings.

·The GDPR Multi-stakeholder Expert Group: This expert group was established to assist the Commission with the application of the GDPR. It is composed of representatives from civil society, business, academics and legal practitioners. There was broad support among this group for the Commission taking action in this area through a legislative proposal. A meeting held on 19 October 2022 held a first discussion on the Board’s October 2022 list and a second meeting on 21 April 2023 was used by the Commission to consult on specific aspects of the proposal. Given the wide variety of stakeholders represented in this group, views among stakeholders on particular aspects of the proposal varied. All stakeholders supported the provision of a legal framework for amicable settlement in the proposal. NGOs welcomed the Commission’s intention to harmonise the form of complaints and supported involvement of the complainant in the procedure, noting the wide differences in the treatment of complaints in the Member States. Industry groups representing controllers and processors emphasised the need to afford the parties under investigation the right to be heard and to encourage the resolution of disagreements between DPAs early in the investigation process.

·The Member States GDPR Expert Group: This Expert Group serves as a forum for sharing views and information between the Commission and the Member States on the application of the GDPR. The Commission solicited the views of Member States on the Board’s October 2022 list prior to commencement of the drafting process. Member States were broadly supportive of and welcomed the idea of a proposal for a legislative initiative to enhance cross-border enforcement of the GDPR. However, certain Member States with horizontal procedural rules applicable to all administrative procedures identified possible interference with these rules, in particular with regard to the harmonisation of the rights of parties to be heard and the involvement of complainants in the procedure. Accordingly, the Commission has carefully limited harmonisation of these aspects in the proposal to cross-border cases and to the extent necessary to ensure the smooth functioning of the cooperation and dispute resolution mechanism. The Commission held a dedicated meeting with the Member States GDPR Expert Group on 19 April 2023.

•Collection and use of expertise

•Impact assessment

·DPAs – the initiative will support the cooperation procedure and provide clarity on the arrangements for and timing of cooperation in cross-border cases. This will allow DPAs to make more efficient use of their resources. In addition, by providing DPAs with tools to enhance their cooperation in cross-border cases, the initiative will facilitate consensus-building among DPAs, reducing the number of disagreements and promoting a spirit of cooperation.

·Complainants and data subjects – streamlining cooperation between DPAs when enforcing the GDPR will support the timely completion of investigations. This will help to deal more efficiently with infringements of the GDPR and to deliver a swift remedy for the data subject. In addition, complainants will have the same opportunity to be involved in the procedure in cross-border cases regardless of where the complaint is lodged or which DPA is the lead DPA.

·Parties under investigation – improving cooperation in cross-border cases will help to shorten investigations and ensure the provision of necessary guarantees, such as the right to be heard and to access the file, thereby ensuring protection of the right to good administration (Article 41 of the Charter) and the rights of defence (Article 48 of the Charter) of the parties under investigation. Harmonisation of these rights will also make the final decision more robust.

·Public confidence in the GDPR – the initiative will strengthen public confidence in the GDPR by facilitating a swifter resolution of investigations and reducing the number of disagreements between DPAs in cross-border cases.

•Regulatory fitness and simplification

•Fundamental rights

4.BUDGETARY IMPLICATIONS

5.OTHER ELEMENTS

•Implementation plans and monitoring, evaluation and reporting arrangements

•Explanatory documents (for directives)

•Detailed explanation of the specific provisions of the proposal

2023/0202 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee 14 ,

Having regard to the opinion of the Committee of the Regions 15 ,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)Regulation (EU) 2016/679 of the European Parliament and of the Council 16  establishes a decentralised enforcement system which aims to ensure the consistent interpretation and application of Regulation (EU) 2016/679 in cross-border cases. In cases concerning cross-border processing of personal data, this system requires cooperation between supervisory authorities in an endeavour to reach consensus and, where supervisory authorities cannot reach consensus, provides for dispute resolution by the European Data Protection Board (the Board).

(2)In order to provide for the smooth and effective functioning of the cooperation and dispute resolution mechanism provided for in Articles 60 and 65 of Regulation (EU) 2016/679, it is necessary to lay down rules concerning the conduct of proceedings by the supervisory authorities in cross-border cases, and by the Board during dispute resolution, including the handling of cross-border complaints. It is also necessary for this reason to lay down rules concerning the exercise of the right to be heard by the parties under investigation prior to the adoption of decisions by supervisory authorities and, as the case may be, by the Board. 

(3)Complaints are an essential source of information for detecting infringements of data protection rules. Defining clear and efficient procedures for the handling of complaints in cross-border cases is necessary since the complaint may be dealt with by a supervisory authority other than the one to which the complaint was lodged.

(4)In order to be admissible a complaint should contain certain specified information. Therefore, in order to assist complainants in submitting the necessary facts to the supervisory authorities, a complaint form should be provided. The information specified in the form should be required only in cases of cross-border processing in the sense of Regulation (EU) 2016/679, though the form may be used by supervisory authorities for cases that do not concern cross-border processing. The form may be submitted electronically or by post. The submission of the information listed in that form should be a condition for a complaint relating to cross-border processing to be treated as a complaint as referred to in Article 77 of Regulation (EU) 2016/679. No additional information should be required for a complaint to be deemed admissible. It should be possible for supervisory authorities to facilitate the submission of complaints in a user-friendly electronic format and bearing in mind the needs of persons with disabilities, as long as the information required from the complainant corresponds to the information required by the form and no additional information is required in order to find the complaint admissible.

(5)Supervisory authorities are obliged to decide on complaints within a reasonable timeframe. What is a reasonable timeframe depends on the circumstances of each case and, in particular, its context, the various procedural steps followed by the lead supervisory authority, the conduct of the parties in the course of the procedure and the complexity of the case.

(6)Each complaint handled by a supervisory authority pursuant to Article 57(1), point (f), of Regulation (EU) 2016/679 is to be investigated with all due diligence to the extent appropriate bearing in mind that every use of powers by the supervisory authority must be appropriate, necessary and proportionate in view of ensuring compliance with Regulation (EU) 2016/679. It falls within the discretion of each competent authority to decide the extent to which a complaint should be investigated. While assessing the extent appropriate of an investigation, supervisory authorities should aim to deliver a satisfactory resolution to the complainant, which may not necessarily require exhaustively investigating all possible legal and factual elements arising from the complaint, but which provides an effective and quick remedy to the complainant. The assessment of the extent of the investigative measures required could be informed by the gravity of the alleged infringement, its systemic or repetitive nature, or the fact, as the case may be, that the complainant also took advantage of her or his rights under Article 79 of Regulation (EU) 2016/679. 

(7)The lead supervisory authority should provide the supervisory authority with which the complaint was lodged with the necessary information on the progress of the investigation for the purpose of providing updates to the complainant.

(8)The competent supervisory authority should provide the complainant with access to the documents on the basis of which the supervisory authority reached a preliminary conclusion to reject fully or partially the complaint.

(9)In order for supervisory authorities to bring a swift end to infringements of Regulation (EU) 2016/679 and to deliver a quick resolution for complainants, supervisory authorities should endeavour, where appropriate, to resolve complaints by amicable settlement. The fact that an individual complaint has been resolved through an amicable settlement does not prevent the competent supervisory authority from pursuing an ex officio case, for example in the case of systemic or repetitive infringements of Regulation (EU) 2016/679.  

(10)In order to guarantee the effective functioning of the cooperation and consistency mechanisms in Chapter VII of Regulation (EU) 2016/679, it is important that cross-border cases are resolved in a timely fashion and in line with the spirit of sincere and effective cooperation that underlies Article 60 of Regulation (EU) 2016/679. The lead supervisory authority should exercise its competence within a framework of close cooperation with the other supervisory authorities concerned. Likewise, supervisory authorities concerned should actively engage in the investigation at an early stage in an endeavour to reach a consensus, making full use of the tools provided by Regulation (EU) 2016/679. 

(11)It is particularly important for supervisory authorities to reach consensus on key aspects of the investigation as early as possible and prior to the communication of allegations to the parties under investigation and adoption of the draft decision referred to in Article 60 of Regulation (EU) 2016/679, thereby reducing the number of cases submitted to the dispute resolution mechanism in Article 65 of Regulation (EU) 2016/679 and ultimately ensuring the quick resolution of cross-border cases.

(12)Cooperation between supervisory authorities should be based on open dialogue which allows concerned supervisory authorities to meaningfully impact the course of the investigation by sharing their experiences and views with the lead supervisory authority, with due regard for the margin of discretion enjoyed by each supervisory authority, including in the assessment of the extent appropriate to investigate a case, and for the varying traditions of the Member States. For this purpose, the lead supervisory authority should provide concerned supervisory authorities with a summary of key issues setting out its preliminary view on the main issues in an investigation. It should be provided at a sufficiently early stage to allow effective inclusion of supervisory authorities concerned but at the same time at a stage where the lead supervisory authority’s views on the case are sufficiently mature. Concerned supervisory authorities should have the opportunity to provide their comments on a broad range of questions, such as the scope of the investigation and the identification of complex factual and legal assessments. Given that the scope of the investigation determines the matters which require investigation by the lead supervisory authority, supervisory authorities should endeavour to achieve consensus as early as possible on the scope of the investigation.

(13)In the interest of effective inclusive cooperation between all supervisory authorities concerned and the lead supervisory authority, the comments of concerned supervisory authorities should be concise and worded in sufficiently clear and precise terms to be easily understandable to all supervisory authorities. The legal arguments should be grouped by reference to the part of the summary of key issues to which they relate. The comments of supervisory authorities concerned may be supplemented by additional documents. However, a mere reference in the comments of a supervisory authority concerned to supplementary documents cannot make up for the absence of the essential arguments in law or in fact which should feature in the comments. The basic legal and factual particulars relied on in such documents should be indicated, at least in summary form, coherently and intelligibly in the comment itself.

(14)Cases that do not raise contentious issues do not require extensive discussion between supervisory authorities in order to reach a consensus and could, therefore, be dealt with more quickly. When none of the supervisory authorities concerned raise comments on the summary of key issues, the lead supervisory authority should communicate the preliminary findings provided for in Article 14 within nine months.

(15)Supervisory authorities should avail of all means necessary to achieve a consensus in a spirit of sincere and effective cooperation. Therefore, if there is a divergence in opinion between the supervisory authorities concerned and the lead supervisory authority regarding the scope of a complaint-based investigation, including the provisions of Regulation (EU) 2016/679 the infringement of which will be investigated, or where the comments of the supervisory authorities concerned relate to an important change in the complex legal or technological assessment, the concerned authority should use the tools provided for under Articles 61 and 62 of Regulation (EU) 2016/679.

(16)If the use of those tools does not enable the supervisory authorities to reach a consensus on the scope of a complaint-based investigation, the lead supervisory authority should request an urgent binding decision of the Board under Article 66(3) of Regulation (EU) 2016/679. For this purpose, the requirement of urgency should be presumed. The lead supervisory authority should draw appropriate conclusions from the urgent binding decision of the Board for the purposes of preliminary findings. The urgent binding decision of the Board cannot pre-empt the outcome of the investigation of the lead supervisory authority or the effectiveness of the rights of the parties under investigation to be heard. In particular, the Board should not extend the scope of the investigation on its own initiative.

(17)To enable the complainant to exercise her or his right to an effective judicial remedy under Article 78 of Regulation (EU) 2016/679, the supervisory authority fully or partially rejecting a complaint should do so by means of a decision which may be challenged before a national court.

(18)Complainants should have the opportunity to express their views before a decision adversely affecting them is taken. Therefore, in the event of full or partial rejection of a complaint in a cross-border case, the complainant should have the opportunity to make her or his views known prior to the submission of a draft decision under Article 60(3) of Regulation (EU) 2016/679, a revised draft decision under Article 60(4) of Regulation (EU) 2016/679 or a binding decision of the Board under Article 65(1), point (a), of Regulation (EU) 2016/679. The complainant may request access to the non-confidential version of the documents on which the decision fully or partially rejecting the complaint is based.

(19)It is necessary to clarify the division of responsibilities between the lead supervisory authority and the supervisory authority with which the complaint was lodged in the case of rejection of a complaint in a cross-border case. As the point of contact for the complainant during the investigation, the supervisory authority with which the complaint was lodged should obtain the views of the complainant on the proposed rejection of the complaint and should be responsible for all communications with the complainant. All such communications should be shared with the lead supervisory authority. Since under Article 60(8) and (9) of Regulation (EU) 2016/679 the supervisory authority with which the complaint was lodged has the responsibility of adopting the final decision rejecting the complaint, that supervisory authority should also have the responsibility of preparing the draft decision under Article 60(3) of Regulation (EU) 2016/679.

(20)The effective enforcement of Union data protection rules should be compatible with the full respect of the parties' rights of defence, which constitutes a fundamental principle of Union law to be respected in all circumstances, and in particular in procedures which may give rise to penalties.

(21)In order to effectively safeguard the right to good administration and the rights of defence as enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’), including the right of every person to be heard before any individual measure which would affect him or her adversely is taken, it is important to provide for clear rules on the exercise of this right.

(22)The rules regarding the administrative procedure applied by supervisory authorities when enforcing Regulation (EU) 2016/679 should ensure that the parties under investigation effectively have the opportunity to make known their views on the truth and relevance of the facts, objections and circumstances put forward by the supervisory authority throughout the procedure, thereby enabling them to exercise their rights of defence. The preliminary findings set out the preliminary position on the alleged infringement of Regulation (EU) 2016/679 following investigation. They thus constitute an essential procedural safeguard which ensures that the right to be heard is observed. The parties under investigation should be provided with the documents required to defend themselves effectively and to comment on the allegations made against them, by receiving access to the administrative file.

(23)The preliminary findings define the scope of the investigation and therefore the scope of any future final decision (as the case may be, taken on the basis of a binding decision issued by the Board under Article 65(1), point (a) of Regulation (EU) 2016/679) which may be addressed to controllers or processors. The preliminary findings should be couched in terms that, even if succinct, are sufficiently clear to enable the parties under investigation to properly identify the nature of the alleged infringement of Regulation (EU) 2016/679. The obligation of giving the parties under investigation all the information necessary to enable them to properly defend themselves is satisfied if the final decision does not allege that the parties under investigation have committed infringements other than those referred to in the preliminary findings and only takes into consideration facts on which the parties under investigation have had the opportunity of making known their views. The final decision of the lead supervisory authority is not, however, necessarily required to be a replica of the preliminary findings. The lead supervisory authority should be permitted in the final decision to take account of the responses of the parties under investigation to the preliminary findings, and, where applicable, the revised draft decision under Article 60(5) of Regulation (EU) 2016/679, and the Article 65(1), point (a), decision resolving the dispute between the supervisory authorities. The lead supervisory authority should be able to carry out its own assessment of the facts and the legal qualifications put forward by the parties under investigation in order either to abandon the objections when the supervisory authority finds them to be unfounded or to supplement and redraft its arguments, both in fact and in law, in support of the objections which it maintains. For example, taking account of an argument put forward by a party under investigation during the administrative procedure, without it having been given the opportunity to express an opinion in that respect before the adoption of the final decision, cannot  per se  constitute an infringement of defence rights.

(24)The parties under investigation should be provided with a right to be heard prior to the submission of a revised draft decision under Article 60(5) of Regulation (EU) 2016/679 or the adoption of a binding decision by the Board pursuant to Article 65(1), point (a), of Regulation (EU) 2016/679.  

(25)Complainants should be given the possibility to be associated with the proceedings initiated by a supervisory authority with a view to identifying or clarifying issues relating to a potential infringement of Regulation (EU) 2016/679. The fact that a supervisory authority has already initiated an investigation concerning the subject matter of the complaint or will deal with the complaint in an ex officio investigation subsequent to the receipt the complaint does not bar the qualification of a data subject as complainant. However, an investigation by a supervisory authority of a possible infringement of Regulation (EU) 2016/679 by a controller or processor does not constitute an adversarial procedure between the complainant and the parties under investigation. It is a procedure commenced by a supervisory authority, upon its own initiative or based on a complaint, in fulfilment of its tasks under Article 57(1) of Regulation (EU) 2016/679. The parties under investigation and the complainant are, therefore, not in the same procedural situation and the latter cannot invoke the right to a fair hearing when the decision does not adversely affect her or his legal position. The complainant’s involvement in the procedure against the parties under investigation cannot compromise the right of these parties to be heard.

(26)The complainants should be given the possibility to submit in writing views on the preliminary findings. However, they should not have access to business secrets or other confidential information belonging to other parties involved in the proceedings. Complainants should not be entitled to have generalised access to the administrative file. 

(27)When setting deadlines for parties under investigation and complainants to provide their views on preliminary findings, supervisory authorities should have regard to the complexity of the issues raised in preliminary findings, in order to ensure that the parties under investigation and complainants have sufficient opportunity to meaningfully provide their views on the issues raised.

(28)The exchange of views prior to the adoption of a draft decision involves an open dialogue and an extensive exchange of views where supervisory authorities should do their utmost to find a consensus on the way forward in an investigation. Conversely, the disagreement expressed in relevant and reasoned objections pursuant to Article 60(4) of Regulation (EU) 2016/679, which raise the potential for dispute resolution between supervisory authorities under Article 65 of Regulation (EU) 2016/679 and delay the adoption of a final decision by the competent supervisory authority, should arise in the exceptional case of a failure of supervisory authorities to achieve a consensus and where necessary to ensure the consistent interpretation of Regulation (EU) 2016/679. Such objections should be used sparingly, when matters of consistent enforcement of Regulation (EU) 2016/679 are at stake, since every use of relevant and reasoned objections postpones the remedy for the data subject. Since the scope of the investigation and the relevant facts should be decided prior to the communication of preliminary findings, these matters should not be raised by supervisory authorities concerned in relevant and reasoned objections. They may, however, be raised by supervisory authorities concerned in their comments on the summary of key issues pursuant to Article 9(3), before preliminary findings are communicated to the parties under investigation.

(29)In the interest of the efficient and inclusive conclusion of the dispute resolution procedure, where all supervisory authorities should be in a position to contribute their views and bearing in mind the time constraints during dispute resolution, the form and structure of relevant and reasoned objections should meet certain requirements. Therefore, relevant and reasoned objections should be limited to a prescribed length, should clearly identify the disagreement with the draft decision and should be worded in sufficiently clear, coherent and precise terms.

(30)Access to the administrative file is provided for as a part of the rights of defence and the right to good administration enshrined in the Charter. Access to the administrative file should be provided to the parties under investigation when they are notified of preliminary findings and the deadline to submit their written reply to the preliminary findings should be set.

(31)When granting access to the administrative file, supervisory authorities should ensure the protection of business secrets and other confidential information. The category of other confidential information includes information other than business secrets, which may be considered as confidential, insofar as its disclosure would significantly harm a controller, a processor or a natural person. The supervisory authorities should be able to request that parties under investigation that submit or have submitted documents or statements identify confidential information. 

(32)Where business secrets or other confidential information are necessary to prove an infringement, the supervisory authorities should assess for each individual document whether the need to disclose is greater than the harm which might result from disclosure.

(33)When referring a subject-matter to dispute resolution under Article 65 of Regulation (EU) 2016/679, the lead supervisory authority should provide the Board with all necessary information to enable it to assess the admissibility of relevant and reasoned objections and to take the decision pursuant to Article 65(1), point (a), of Regulation (EU) 2016/679. Once the Board is in receipt of all the necessary documents listed in Article 23, the Chair of the Board should register the referral of the subject-matter in the sense of Article 65(2) of Regulation (EU) 2016/679. 

(34)The binding decision of the Board under Article 65(1), point (a), of Regulation (EU) 2016/679 should concern exclusively matters which led to the triggering of the dispute resolution and be drafted in a way which allows the lead supervisory authority to adopt its final decision on the basis of the decision of the Board while maintaining its discretion.

(35)In order to streamline the resolution of disputes between supervisory authorities submitted to the Board under Article 65(1), points (b) and (c), of Regulation (EU) 2016/679, it is necessary to specify procedural rules regarding the documents to be submitted to the Board and on which the Board should base its decision. It is also necessary to specify when the Board should register the submission of the matter to dispute resolution.

(36)In order to streamline the procedure for the adoption of urgent opinions and urgent binding decisions of the Board under Article 66(2) of Regulation (EU) 2016/679, it is necessary to specify procedural rules regarding the timing of the request for an urgent opinion or urgent binding decision, the documents to be submitted to the Board and on which the Board should base its decision, to whom the opinion or decision of the Board should be addressed, and the consequences of the opinion or decision of the Board.

(37)Chapters III and IV concern cooperation between supervisory authorities, the procedural rights of parties under investigation and the involvement of complainants. To ensure legal certainty, those provisions should not apply to investigations already under way at the time this Regulation enters into force. They should apply to ex officio investigations opened after the entry into force of this Regulation and to complaint-based investigations where the complaint was lodged after the entry into force of this Regulation. Chapter V provides procedural rules for cases submitted to dispute resolution under Article 65 of Regulation (EU) 2016/679. Also for reasons of legal certainty, this Chapter should not apply to cases that have been submitted to dispute resolution prior to the entry into force of this Regulation. It should apply to all cases submitted to dispute resolution after the entry into force of this Regulation.

(38)The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(2) of Regulation (EU) 2018/1725 and delivered a joint opinion on [ ],

HAVE ADOPTED THIS REGULATION:

Chapter I

General provisions

Article 1

Subject matter

This Regulation lays down procedural rules for the handling of complaints and the conduct of investigations in complaint-based and ex officio cases by supervisory authorities in the cross-border enforcement of Regulation (EU) 2016/679.

Article 2

Definitions

For the purposes of this Regulation the definitions in Article 4 of Regulation (EU) 2016/679 shall apply.

The following definitions shall also apply:

(1)‘parties under investigation’ means the controller(s) and/or processor(s) investigated for alleged infringement of Regulation (EU) 2016/679 related to cross-border processing;

(2)‘summary of key issues’ means the summary to be provided by the lead supervisory authority to supervisory authorities concerned identifying the main relevant facts and the lead supervisory authority’s views on the case;

(3)‘preliminary findings’ means the document provided by the lead supervisory authority to the parties under investigation setting out the allegations, the relevant facts, supporting evidence, legal analysis, and, where applicable, proposed corrective measures;

(4)‘retained relevant and reasoned objections’ means the objections which have been determined by the Board to be relevant and reasoned within the meaning of Article 4(24) of Regulation (EU) 2016/679.

Chapter II

Submission and handling of complaints

Article 3

Cross-border complaints

1.A complaint on the basis of Regulation (EU) 2016/679 that relates to cross-border processing shall provide the information required in the Form, as set out in the Annex. No additional information shall be required in order for the complaint to be admissible.

2.The supervisory authority with which the complaint was lodged shall establish whether the complaint relates to cross-border processing.

3.The supervisory authority with which the complaint was lodged shall determine the completeness of the information required by the Form within one month.

4.Upon assessment of the completeness of the information required by the Form, the supervisory authority with which the complaint was lodged shall transmit the complaint to the lead supervisory authority. 

5.Where the complainant claims confidentiality when submitting a complaint, the complainant shall also submit a non-confidential version of the complaint.

6.The supervisory authority with which a complaint was lodged shall acknowledge receipt of the complaint within one week. This acknowledgement shall be without prejudice to the assessment of admissibility of the complaint pursuant to paragraph 3.

Article 4

Investigation of complaints

While assessing the extent appropriate to which a complaint should be investigated in each case the supervisory authority shall take into account all relevant circumstances, including all of the following:

(a)the expediency of delivering an effective and timely remedy to the complainant;

(b)the gravity of the alleged infringement; 

(c)the systemic or repetitive nature of the alleged infringement.

Article 5

Amicable settlement

A complaint may be resolved by amicable settlement between the complainant and the parties under investigation. Where the supervisory authority considers that an amicable settlement to the complaint has been found, it shall communicate the proposed settlement to the complainant. If the complainant does not object to the amicable settlement proposed by the supervisory authority within one month, the complaint shall be deemed withdrawn.

Article 6

Translations

1.The supervisory authority with which the complaint was lodged shall be responsible for:

(a)translation of complaints and the views of complainants into the language used by the lead supervisory authority for the purposes of the investigation;

(b)translation of documents provided by the lead supervisory authority into the language used for communication with the complainant, where it is necessary to provide such documents to the complainant pursuant to this Regulation or Regulation (EU) 2016/679.

2.In its rules of procedure, the Board shall determine the procedure for the translation of comments or relevant and reasoned objections expressed by supervisory authorities concerned in a language other than the language used by the lead supervisory authority for the purposes of the investigation.

Chapter III

Cooperation under Article 60 of Regulation (EU) 2016/679

Section 1

Reaching consensus within the meaning of Article 60(1) of Regulation (EU) 2016/679

Article 7

Cooperation between supervisory authorities

While cooperating in an endeavour to reach a consensus, as provided for in Article 60(1) of Regulation (EU) 2016/679, supervisory authorities shall use all the means provided for in Regulation (EU) 2016/679, including mutual assistance pursuant to Article 61 and joint operations pursuant to Article 62 of Regulation (EU) 2016/679.

The provisions in this section concern the relations between supervisory authorities and are not intended to confer rights on individuals or the parties under investigation.

Article 8

Relevant information within the meaning of Article 60(1) and (3) of Regulation (EU) 2016/679

1.The lead supervisory authority shall regularly update the other supervisory authorities concerned about the investigation and provide the other supervisory authorities concerned, at the earliest convenience, with all relevant information once available.

2.Relevant information within the meaning of Article 60(1) and (3) of Regulation (EU) 2016/679 shall include, where applicable:

(a)information on the opening of an investigation of an alleged infringement of Regulation (EU) 2016/679;

(b)requests for information pursuant to Article 58(1), point (e) of Regulation (EU) 2016/679;

(c)information of the use of other investigative powers referred to in Article 58(1) of Regulation (EU) 2016/679;

(d)in the case of envisaged rejection of complaint, the lead supervisory authority’s reasons for rejection of the complaint;

(e)summary of key issues in an investigation in accordance with Article 9;

(f)information concerning steps aiming to establish an infringement of Regulation (EU) 2016/679 prior to the preparation of preliminary findings;

(g)preliminary findings;

(h)the response of the parties under investigation to the preliminary findings;

(i)the views of the complainant on the preliminary findings;

(j)in the case of rejection of a complaint, the written submissions of the complainant;

(k)any relevant steps taken by the lead supervisory authority after receiving the response of the parties under investigation to the preliminary findings and prior to submission of a draft decision in the sense of Article 60(3) of Regulation (EU) 2016/679.

Article 9

Summary of key issues

1.Once the lead supervisory authority has formed a preliminary view on the main issues in an investigation, it shall draft a summary of key issues for the purpose of cooperation under Article 60(1) of Regulation (EU) 2016/679.

2.The summary of key issues shall include all of the following elements:

(a)the main relevant facts;

(b)a preliminary identification of the scope of the investigation, in particular the provisions of Regulation (EU) 2016/679 concerned by the alleged infringement which will be investigated;

(c)identification of complex legal and technological assessments which are relevant for preliminary orientation of their assessment;

(d)preliminary identification of potential corrective measure(s).

3.The supervisory authorities concerned may provide comments on the summary of key issues. Such comments must be provided within four weeks of receipt of the summary of key issues.

4.Comments provided pursuant to paragraph 3 shall meet the following requirements:

(a)language used is sufficiently clear and contains precise terms to enable the lead supervisory authority, and, as the case may be, supervisory authorities concerned, to prepare their positions; 

(b)legal arguments are set out succinctly and grouped by reference to the part of the summary of key issues to which they relate;

(c)the comments of the supervisory authority concerned may be supported by documents, which may supplement the comments on specific points.

5.The Board may specify in its rules of procedure restrictions on the maximum length of comments submitted by supervisory authorities concerned on the summary of key issues.

6.Cases where none of the supervisory authorities concerned provided comments under paragraph 3 of this Article shall be considered non-contentious cases. In such cases, the preliminary findings referred to in Article 14 shall be communicated to the parties under investigation within 9 months of the expiry of the deadline provided for in paragraph 3 of this Article.

Article 10

Use of means to reach consensus

1.A supervisory authority concerned shall make a request to the lead supervisory authority under Article 61 of Regulation (EU) 2016/679, Article 62 of Regulation (EU) 2016/679, or both, where, following the comments of supervisory authorities concerned pursuant to Article 9(3), a supervisory authority concerned disagrees with the assessment of the lead supervisory authority on:

(a)the scope of the investigation in complaint-based cases, including the provisions of Regulation (EU) 2016/679 concerned by the alleged infringement which will be investigated;

(b)preliminary orientation in relation to complex legal assessments identified by the lead supervisory authority pursuant to Article 9(2), point (c);

(c)preliminary orientation in relation to complex technological assessments identified by the lead supervisory authority pursuant to Article 9(2), point (c).

2.The request under paragraph 1 shall be made within two months of the expiry of the period referred to in Article 9(3).

3.The lead supervisory authority shall engage with the supervisory authorities concerned on the basis of their comments on the summary of key issues, and, where applicable, in response to requests under Article 61 and 62 of Regulation (EU) 2016/679, in an endeavour to reach a consensus. The consensus shall be used as a basis for the lead supervisory authority to continue the investigation and draft the preliminary findings or, where applicable, provide the supervisory authority with which the complaint was lodged with its reasoning for the purposes of Article 11(2).

4.Where, in a complaint-based investigation, there is no consensus between the lead supervisory authority and one or more concerned supervisory authorities on the matter referred to in Article 9(2), point (b), of this Regulation, the lead supervisory authority shall request an urgent binding decision of the Board under Article 66(3) of Regulation (EU) 2016/679. In that case, the conditions for requesting an urgent binding decision under Article 66(3) of Regulation (EU) 2016/679 shall be presumed to be met.

5.When requesting an urgent binding decision of the Board pursuant to paragraph 4 of this Article, the lead supervisory authority shall provide all of the following: 

(a)the documents referred to in Article 9(2), points (a) and (b);

(b)the comments of the supervisory authority concerned that disagrees with the lead supervisory authority’s preliminary identification of the scope of the investigation.

6.The Board shall adopt an urgent binding decision on the scope of the investigation on the basis of the comments of the supervisory authorities concerned and the position of the lead supervisory authority on those comments. 

Section 2

Full or partial rejection of complaints

Article 11

Hearing of complainant prior to full or partial rejection of a complaint

1.Following the procedure provided for in Article 9 and 10, the lead supervisory authority shall provide the supervisory authority with which the complaint was lodged with the reasons for its preliminary view that the complaint should be fully or partially rejected.

2.The supervisory authority with which the complaint was lodged shall inform the complainant of the reasons for the intended full or partial rejection of the complaint and set a time-limit within which the complainant may make known her or his views in writing. The time-limit shall be no less than three weeks. The supervisory authority with which the complaint was lodged shall inform the complainant of the consequences of the failure to make her or his views known.

3.If the complainant fails to make known her or his views within the time-limit set by the supervisory authority with which the complaint was lodged, the complaint shall be deemed to have been withdrawn.

4.The complainant may request access to the non-confidential version of the documents on which the proposed rejection of the complaint is based.  

5.If the complainant makes known her or his views within the time-limit set by the supervisory authority with which the complaint was lodged and the views do not lead to a change in the preliminary view that the complaint should be fully or partially rejected, the supervisory authority with which the complaint was lodged shall prepare the draft decision under Article 60(3) of Regulation (EU) 2016/679 which shall be submitted to the other supervisory authorities concerned by the lead supervisory authority pursuant to Article 60(3) of Regulation (EU) 2016/679. 

Article 12

Revised draft decision fully or partially rejecting a complaint

1.Where the lead supervisory authority considers that the revised draft decision within the meaning of Article 60(5) of Regulation (EU) 2016/679 raises elements on which the complainant should have the opportunity to make her or his views known, the supervisory authority with which the complaint was lodged shall, prior to the submission of the revised draft decision under Article 60(5) of Regulation (EU) 2016/679, provide the complainant with the possibility to make her or his views known on such new elements.

2.The supervisory authority with which the complaint was lodged shall set a time-limit within which the complainant may make known her or his views.

Article 13

Decision fully or partially rejecting a complaint

When adopting a decision fully or partially rejecting a complaint in accordance with Article 60(8) of Regulation (EU) 2016/679, the supervisory authority with which the complaint was lodged shall inform the complainant of the judicial remedy available to him or her in accordance with Article 78 of Regulation (EU) 2016/679.

Section 3

Decisions addressed to controllers and processors

Article 14

Preliminary findings and reply

1.When the lead supervisory authority intends to submit a draft decision within the meaning of Article 60(3) of Regulation (EU) 2016/679 to the other supervisory authorities concerned finding an infringement of Regulation (EU) 2016/679, it shall draft preliminary findings.

2.The preliminary findings shall present allegations raised in an exhaustive and sufficiently clear way to enable the parties under investigation to take cognisance of the conduct investigated by the lead supervisory authority. In particular, they must set out clearly all the facts and the entire legal assessment raised against the parties under investigation, so that they can express their views on the facts and the legal conclusions the lead supervisory authority intends to draw in the draft decision within the meaning of Article 60(3) of Regulation (EU) 2016/679, and list all the evidence it relies upon.

The preliminary findings shall indicate corrective measures the lead supervisory authority intends to use.

Where the lead supervisory authority intends to impose a fine, it shall list in the preliminary findings the relevant elements on which it relies while calculating the fine. In particular, the lead supervisory authority shall list the essential facts and matters of law which may result in the imposition of the fine and the elements listed in Article 83(2) of Regulation (EU) 2016/679, including any aggravating or mitigating factors it will take into account.

3.The lead supervisory authority shall notify preliminary findings to each of the parties under investigation.

4.The lead supervisory authority shall, when notifying the preliminary findings to the parties under investigation, set a time-limit within which these parties may provide their views in writing. The lead supervisory authority shall not be obliged to take into account written views received after the expiry of that time-limit.

5.When notifying the preliminary findings to the parties under investigation, the lead supervisory authority shall provide those parties with access to the administrative file in accordance with Article 20.

6.The parties under investigation may, in their written reply to preliminary findings, set out all facts and legal arguments known to them which are relevant to their defence against the allegations of the lead supervisory authority. They shall attach any relevant documents as proof of the facts set out. The lead supervisory authority shall, in its draft decision, deal only with allegations, including the facts and the legal assessment based on those facts, in respect of which the parties under investigation have been given the opportunity to comment.

Article 15

Transmission of preliminary findings to complainants

1.Where the lead supervisory authority issues preliminary findings relating to a matter in respect of which it has received a complaint, the supervisory authority with which the complaint was lodged shall provide the complainant with a non-confidential version of the preliminary findings and set a time-limit within which the complainant may make known its views in writing. 

2.Paragraph 1 shall apply also when a supervisory authority, where appropriate, treats several complaints jointly, splits the complaints in several parts or in any other way exercises its discretion concerning the scope of the investigation as set out in preliminary findings.

3.Where the lead supervisory authority considers that it is necessary for the complainant to be provided with documents included in the administrative file in order for the complainant to effectively make known her or his views on the preliminary findings, the supervisory authority with which the complaint was lodged shall provide the complainant with the non-confidential version of such documents when providing the preliminary findings pursuant to paragraph 1.

4.The complainant shall be provided with the non-confidential version of the preliminary findings only for the purpose of the concrete investigation in which the preliminary findings were issued.

5.Before receiving the non-confidential version of preliminary findings and any documents provided pursuant to paragraph 3, the complainant shall send to the lead supervisory authority a confidentiality declaration, where the complainant commits himself or herself not to disclose any information or assessment made in the non-confidential version of preliminary findings or to use those findings for purposes other than the concrete investigation in which those findings were issued.

Article 16

Adoption of final decision

After submitting the draft decision to supervisory authorities concerned pursuant to Article 60(3) of Regulation (EU) 2016/679 and where none of the supervisory authorities concerned has objected to the draft decision within the periods referred to in Article 60(4) and (5) of Regulation (EU) 2016/679, the lead supervisory authority shall adopt and notify its decision under Article 60(7) of Regulation (EU) 2016/679 to the main establishment or single establishment of the controller or processor, as the case may be, and inform the supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds.

Article 17

Right to be heard in relation to revised draft decision

1.Where the lead supervisory authority considers that the revised draft decision within the meaning of Article 60(5) of Regulation (EU) 2016/679 raises elements on which the parties under investigation should have the opportunity to make their views known, the lead supervisory authority shall, prior to the submission of the revised draft decision under Article 60(5) of Regulation (EU) 2016/679, provide the parties under investigation with the possibility to make their views known on such new elements.

2.The lead supervisory authority shall set a time-limit within which the parties under investigation may make known their views.

Section 4

Relevant and reasoned objections

Article 18

Relevant and reasoned objections

1.Relevant and reasoned objections within the meaning of Article 4(24) of Regulation (EU) 2016/679 shall:

(a)be based exclusively on factual elements included in the draft decision; and

(b)not change the scope of the allegations by raising points amounting to identification of additional allegations of infringement of Regulation (EU) 2016/679 or changing the intrinsic nature of the allegations raised.

2.The form and structure of relevant and reasoned objections shall meet all of the following requirements:

(a)the length of each relevant and reasoned objection and the position of the lead supervisory authority on any such objection shall not exceed three pages and shall not include annexes. In cases involving particularly complex legal issues, the maximum length may be increased to six pages, except if specific circumstances justifying a longer length are accepted by the Board;

(b)the disagreement of the supervisory authority concerned with the draft decision shall be stated at the beginning of the relevant and reasoned objection and shall be worded in sufficiently clear, coherent and precise terms to enable the lead supervisory authority, and as the case may be, supervisory authorities concerned, to prepare their positions and to enable the Board to efficiently resolve the dispute;

(c)legal arguments shall be set out and grouped by reference to the operative part of the draft decision to which they relate. Each argument or group of arguments shall generally be preceded by a summary statement.

Chapter IV

Access to the administrative file and treatment of confidential information

Article 19

Content of the administrative file

1.The administrative file in an investigation concerning an alleged infringement of Regulation (EU) 2016/679 consists of all documents which have been obtained, produced and/or assembled by the lead supervisory authority during the investigation.

2.In the course of investigation of an alleged infringement of Regulation (EU) 2016/679, the lead supervisory authority may return to the party from which they have been obtained documents which following a more detailed examination prove to be unrelated to the subject matter of the investigation. Upon return, these documents shall no longer constitute part of the administrative file.

3.The right of access to the administrative file shall not extend to correspondence and exchange of views between the lead supervisory authority and supervisory authorities concerned. The information exchanged between the supervisory authorities for the purpose of the investigation of an individual case are internal documents and shall not be accessible to the parties under investigation or the complainant.

4.Access to relevant and reasoned objections pursuant to Article 60(4) of Regulation (EU) 2016/679 shall be provided in accordance with Article 24. 

Article 20

Access to the administrative file and use of documents

1.The lead supervisory authority shall grant access to the administrative file to the parties under investigation, enabling them to exercise their right to be heard. Access to the administrative file shall be granted after the lead supervisory authority notifies the preliminary findings to the parties under investigation.

2.The administrative file shall include all documents, inculpatory and exculpatory, including facts and documents which are known to the parties under investigation.  

3.The conclusions of the lead supervisory authority in the draft decision under Article 60(3) of Regulation (EU) 2016/679 and the final decision under Article 60(7) of Regulation (EU) 2016/679 may only rely on documents cited in the preliminary findings or on which the parties under investigation had the opportunity to make their views known.

4.Documents obtained through access to the administrative file pursuant to this Article shall be used only for the purposes of judicial or administrative proceedings for the application of Regulation (EU) 2016/679 in the specific case for which such documents were provided.

Article 21

Identification and protection of confidential information

1.Unless otherwise provided in this Regulation, information collected or obtained by a supervisory authority in cross-border cases under of Regulation (EU) 2016/679, including any document containing such information, shall not be communicated or made accessible by the supervisory authority in so far as it contains business secrets or other confidential information of any person.

2.Any information collected or obtained by a supervisory authority in cross-border cases under Regulation (EU) 2016/679, including any document containing such information, is excluded from access requests under laws on public access to official documents as long as the proceedings are ongoing.

3.When communicating preliminary findings to parties under investigation and providing for access to the administrative file on the basis of Article 20, the lead supervisory authority shall ensure that the parties under investigation to whom access is being given to information containing business secrets or other confidential information treat such information with utmost respect for its confidentiality and that such information is not used to the detriment of the provider of the information. Depending on the degree of confidentiality of the information, the lead supervisory authority shall adopt appropriate arrangements to give full effect to the rights of defence of the parties under investigation with due regard for the confidentiality of the information.

4.An entity submitting information that it considers to be confidential shall clearly identify the information which it considers to be confidential, giving reasons for the confidentiality claimed. The entity shall provide a separate non-confidential version of the submission.

5.Without prejudice to paragraph 4, the lead supervisory authority may require the parties under investigation, or any other party which produces documents pursuant to Regulation (EU) 2016/679, to identify the documents or parts of documents which they consider to contain business secrets or other confidential information belonging to them and to identify the parties for which these documents are considered to be confidential.

6.The lead supervisory authority may set a time-limit for parties under investigation and any other party raising a confidentiality claim to:

(a)substantiate their claims for business secrets and other confidential information for each individual document or part of document, statement, or part of statement;

(b)provide a non-confidential version of the documents and statements, in which the business secrets and other confidential information are redacted;

(c)provide a concise, non-confidential, description of each piece of redacted information.

7.If the parties under investigation or any other party fails to comply with paragraphs 4 and 5, the lead supervisory authority may assume that the documents or statements concerned do not contain business secrets or other confidential information.

Chapter V

Dispute resolution

Article 22

Referral to dispute resolution under Article 65 of Regulation (EU) 2016/679

1.If the lead supervisory authority does not follow the relevant and reasoned objections or is of the opinion that the objections are not relevant or reasoned, it shall submit the subject-matter to the dispute resolution mechanism set out in Article 65 of Regulation (EU) 2016/679. 

2.When referring the subject-matter to dispute resolution, the lead supervisory authority shall provide the Board with all of the following documents:

(a)the draft decision or revised draft decision subject to the relevant and reasoned objections;

(b)a summary of the relevant facts;

(c)the preliminary findings; 

(d)view made in writing by the parties under investigation, as the case may be, pursuant to Articles 14 and 17;

(e)views made in writing by complainants, as the case may be, pursuant to Articles 11, 12, and 15;

(f)the relevant and reasoned objections which were not followed by the lead supervisory authority; 

(g)the reasons on the basis of which the lead supervisory authority did not follow the relevant and reasoned objections or considered the objections not to be relevant or reasoned.

3.The Board shall within four weeks of receiving the documents listed in paragraph 2 identify retained relevant and reasoned objections.

Article 23

Registration in relation to a decision under Article 65(1), point (a), of Regulation (EU) 2016/679

The Chair of the Board shall register the referral of a subject-matter to dispute resolution under Article 65(1), point (a), of Regulation (EU) 2016/679 no later than one week after having received all of the following documents:

(a)the draft decision or revised draft decision subject to the relevant and reasoned objections;

(b)a summary of the relevant facts;

(c)view made in writing by the parties under investigation, as the case may be, pursuant to Articles 14 and 17;

(d)views made in writing by complainants, as the case may be, pursuant to Articles 11, 12 and 15;

(e)the retained relevant and reasoned objections;

(f)the reasons on the basis of which the lead supervisory authority did not follow the retained relevant and reasoned objections. 

Article 24

Statement of reasons prior to adoption of decision under Article 65(1), point (a), of Regulation (EU) 2016/679

1.Prior to adopting the binding decision pursuant to Article 65(1), point (a), of Regulation (EU) 2016/679, the Chair of the Board shall, through the lead supervisory authority, provide the parties under investigation and/or, in the case of full or partial rejection of a complaint, the complainant, with a statement of reasons explaining the reasoning the Board intends to adopt in its decision. Where the Board intends to adopt a binding decision requiring the lead supervisory authority to amend its draft decision or revised draft decision, the Board shall decide whether such statement of reasons should be accompanied by the retained relevant and reasoned objections on the basis of which the Board intends to adopt its decision.

2.The parties under investigation and/or, in the case of full or partial rejection of a complaint, the complainant, shall have one week from receipt of the statement of reasons referred to in paragraph 1 to make their views known.

3.The deadline in paragraph 2 shall be extended by one week where the Board extends the period for adoption of the binding decision in accordance with Article 65(2) of Regulation (EU) 2016/679.

4.The period for adoption of the binding decision of the Board provided for in Article 65(2) of Regulation (EU) 2016/679 shall not run during the periods provided for in paragraphs 2 and 3.

Article 25

Procedure in relation to decision under Article 65(1), point (b), of Regulation (EU) 2016/679

1.When referring a subject-matter to the Board under Article 65(1), point (b), of Regulation 2016/679, the supervisory authority referring the subject-matter regarding the competence for the main establishment shall provide the Board with all of the following documents:

(a)a summary of the relevant facts;

(b)the assessment of these facts as far as the conditions of Article 56(1) of Regulation (EU) 2016/679 are concerned;

(c)views made by the controller or processor whose main establishment is the subject of the referral;

(d)the views of other supervisory authorities concerned by the referral;

(e)any other document or information the referring supervisory authority considers relevant and necessary in order to find a resolution on the subject-matter.

2.The Chair of the Board shall register the referral no later than one week after having received the documents referred to in paragraph 1.

Article 26

Procedure in relation to decision under Article 65(1), point (c), of Regulation (EU) 2016/679

1.When referring a subject-matter to the Board under Article 65(1), point (c), of Regulation 2016/679, the supervisory authority referring the subject-matter or the Commission shall provide the Board with all of the following documents:

(a)a summary of the relevant facts;

(b)the opinion, as the case may be, issued by the Board pursuant to Article 64 of Regulation (EU) 2016/679;

(c)the views of the supervisory authority referring the subject-matter or the Commission as to whether, as the case may be, a supervisory authority was required to communicate the draft decision to the Board pursuant to Article 64(1) of Regulation (EU) 2016/679, or a supervisory authority did not follow an opinion of the Board issued pursuant to Article 64 of Regulation (EU) 2016/679.

2.The Chair of the Board shall request the following documents: 

(a)the views of the supervisory authority alleged to have breached the requirement to communicate a draft decision to the Board or to have failed to follow an opinion of the Board;

(b)any other document or information the supervisory authority considers relevant and necessary in order to find a resolution on the subject-matter.

If any supervisory authority declares a need to submit its views on the referred subject-matter, it shall submit those views within two weeks of the referral referred to in paragraph 1.

3.The Chair of the Board shall register the referral no later than one week after having received the documents referred to in paragraphs 1 and 2.

Chapter VI

Urgency procedure

Article 27

Urgent opinions under Article 66(2) of Regulation (EU) 2016/679

1.A request for an urgent opinion of the Board pursuant to Article 66(2) of Regulation (EU) 2016/679 shall be made no later than three weeks prior to the expiry of provisional measures adopted under Article 66(1) of Regulation (EU) 2016/679 and shall contain all of the following items:

(a)a summary of the relevant facts;

(b)a description of the provisional measure adopted on its own territory, its duration and the reasons for adopting it, including the justification of the urgent need to act in order to protect the rights and freedoms of data subjects;

(c)a justification of the urgent need for final measures to be adopted on the territory of the Member State of the requesting supervisory authority, including an explanation of the exceptional nature of circumstances requiring the adoption of the measures concerned.

2.The urgent opinion of the Board shall be addressed to the supervisory authority that submitted the request. It shall be similar to an opinion within the meaning of Article 64(1) of Regulation (EU) 2016/679 and enable the requesting authority to maintain or amend its provisional measure in line with the obligations of Article 64(7) of Regulation (EU) 2016/679.

Article 28

Urgent decisions under Article 66(2) of Regulation (EU) 2016/679

1.A request for an urgent decision of the Board pursuant to Article 66(2) of Regulation (EU) 2016/679 shall be made no later than three weeks prior to the expiry of provisional measures adopted under Articles 61(8), 62(7) or 66(1) of Regulation (EU) 2016/679. That request shall contain all of the following items:

(a)a summary of the relevant facts;

(b)the provisional measure adopted on the territory of the Member State of the supervisory authority requesting the decision, its duration and the reasons for adopting the provisional measures, in particular the justification of the urgent need to act in order to protect the rights and freedoms of data subjects;

(c)information on any investigatory measures taken on its own territory and replies received from the local establishment of the parties under investigation or any other information in the possession of the requesting supervisory authority;

(d)a justification of the urgent need for final measures to be adopted on the territory of the requesting supervisory authority, bearing in mind the exceptional nature of circumstances requiring the adoption of the final measure, or proof that a supervisory authority failed to respond to a request under Article 61(3) or 62(2) of Regulation (EU) 2016/679;

(e)where the requesting authority is not the lead supervisory authority, the views of the lead supervisory authority;

(f)where applicable, the views of the local establishment of the parties under investigation against which provisional measures were taken pursuant to Article 66(1) of Regulation (EU) 2016/679.

2.The urgent decision referred to in paragraph 1 shall be addressed to the supervisory authority that submitted the request and shall enable the requesting authority to maintain or amend its provisional measure.

3.Where the Board adopts an urgent binding decision indicating that final measures should be adopted, the supervisory authority to which the decision is addressed shall adopt such measures prior to the expiry of the provisional measures adopted under Article 66(1) of Regulation (EU) 2016/679.

4.The supervisory authority that submitted the request referred to in paragraph 1 shall notify its decision on the final measures to the establishment of the controller or processor on the territory of its Member State and inform the Board. Where the lead supervisory authority is not the requesting authority, the requesting authority shall inform the lead supervisory authority of the final measure.

5.Where the urgent binding decision indicates that final measures do not urgently need to be adopted, the lead and supervisory authorities concerned shall follow the procedure in Article 60 of Regulation (EU) 2016/679.

Chapter VII

General and final provisions

Article 29

Beginning of time periods and definition of working day

1.Time-limits provided for in or fixed by the supervisory authorities pursuant to Regulation (EU) 2016/679 shall be calculated in accordance with Regulation (EEC, Euratom) No 1182/71 of the Council 17 .

2.Time periods shall begin on the working day following the event to which the relevant provision of Regulation (EU) 2016/679 or this Regulation refers.

Article 30

Transitional provisions

Chapters III and IV shall apply to ex officio investigations opened after the entry into force of this Regulation and to complaint-based investigations where the complaint was lodged after the entry into force of this Regulation.

Chapter V shall apply to all cases submitted to dispute resolution under Article 65 of Regulation (EU) 2016/679 after the entry into force of this Regulation.

Article 31

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels,

(1)    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119, 4.5.2016, p. 1–88.

(2)    Communication from the Commission to the European Parliament and the Council, Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation (COM/2020/264 final).

(3)    European Parliament resolution of 25 March 2021 on the Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application (2020/2717(RSP)).

(4)     https://edpb.europa.eu/our-work-tools/our-documents/statements/statement-enforcement-cooperation_en  

(5)     https://edpb.europa.eu/system/files/2022-10/edpb_letter_out2022-0069_to_the_eu_commission_on_procedural_aspects_en_0.pdf  

(6)     https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&do=groupDetail.groupDetail&groupID=3537  

(7)     https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&do=groupDetail.groupDetail&groupID=3461  

(8)     https://commission.europa.eu/strategy-documents/commission-work-programme/commission-work-programme-2023_en  

(9)    Communication from the Commission to the European Parliament and the Council, Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation (COM/2020/264 final).

(10)    Commission staff working document accompanying the document Communication from the Commission to the European Parliament and the Council, Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation (SWD(2020) 115 final).

(11)    European Parliament resolution of 25 March 2021 on the Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application (2020/2717(RSP)).

(12)     https://edpb.europa.eu/our-work-tools/our-documents/statements/statement-enforcement-cooperation_en  

(13)     https://edpb.europa.eu/system/files/2022-10/edpb_letter_out2022-0069_to_the_eu_commission_on_procedural_aspects_en_0.pdf  

(14)    OJ C , , p. .

(15)    OJ C , , p. .

(16)    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(17)    Regulation (EEC, Euratom) No 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits (OJ L 124, 8.6.1971, p. 1).

EUROPEAN COMMISSION

Brussels, 4.7.2023

COM(2023) 348 final

ANNEX

to the Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679

ANNEX

(1)    The complaint should be completed and submitted electronically or completed and submitted to the supervisory authority by post.

(2)    For example, passport, driving licence, national ID.

(3)    In the case a complaint is submitted by a body referred to in Article 80 of Regulation (EU) 2016/679, all of the information in point 2 should be provided.