General Data Protection Regulation: additional procedural rules relating to the enforcement of the Regulation

The European Parliament adopted by 533 votes to 43, with 68 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR).

Parliament adopted its position at first reading by amending the proposal as follows:

Purpose and scope of application

The Regulation establishes procedural rules for the handling of complaints and the conduct of investigations in complaint-based and ex officio cases by supervisory authorities in the enforcement of Regulation (EU) 2016/679 where those cases concern cross-border processing.

This Regulation aims to ensure that investigations in cases concerning cross-border processing are carried out in accordance with the principle of good administration, in particular that they are carried out impartially, fairly and within a reasonable time. This Regulation, therefore, lays down horizontal principles relating to the procedures in the enforcement of Regulation (EU) 2016/679 for such cases. Thus, in situations involving cross-border processing, supervisory authorities must conduct procedures falling within the scope of the Regulation swiftly and efficiently. The complainant will have the option of communicating only with the supervisory authority to which they lodged their complaint. Furthermore, the handling of a complaint will always result in a decision that is subject to an effective judicial remedy.

Complaints

A complaint is defined as a claim lodged by a data subject with a supervisory authority pursuant to Articles 77 and 80 of the GDPR. The mere reporting of alleged infringements is not to be regarded as a complaint.

To be admissible, a complaint must contain certain specific information (contact details of the perpetrator, description of the violation, etc.) but no additional requirements may be imposed beyond those provided for in the Regulation.

Administrative modalities and requirements of admissibility for complaints under the national law of the supervisory authority with which a complaint has been lodged, such as language, statute of limitations, means of identification, electronic form, specific template or signature, continue to apply.

The complainant should not be required to contact the party under investigation before lodging a complaint in order for that complaint to be admissible. Where the complaint relates to the exercise of a right of the data subject that relies on the data subject concerned making a request to the controller, that request will be made to the controller before the lodging of the complaint.

The supervisory authority with which the complaint has been lodged should determine whether the complaint concerns cross-border processing, transmit admissible complaints to the supervisory authority presumed to be competent to act as lead supervisory authority and inform the complainant thereof. The determination of admissibility of the complaint by the supervisory authority with which the complaint has been lodged should be binding on the lead supervisory authority.

To facilitate the handling of a complaint, supervisory authorities will be able to request supplementary information from the complainant. Where some of the information necessary for a complaint to be deemed admissible is missing, the supervisory authority with which that complaint has been lodged could contact the complainant in order to obtain the missing information, where feasible.

For supervisory authorities to bring a swift end to infringements of Regulation (EU) 2016/679 and to deliver a quick resolution for complainants, supervisory authorities will endeavour, where appropriate, to resolve complaints through an early resolution procedure.

Simple cooperation

Where the lead supervisory authority has formed a preliminary view on the main issues in an investigation, it will be possible for the lead supervisory authority to cooperate with the other supervisory authorities concerned through a simple cooperation procedure. The simple cooperation procedure will be applied on a case-by-case basis, provided that the lead supervisory authority considers that no reasonable doubt exists as to the scope of the investigation and that the legal and factual issues identified do not require additional cooperation that would be required for the purposes of a complex investigation.

When applying the simple cooperation procedure, the lead supervisory authority, before submitting a draft decision, must ensure that, where appropriate, the parties subject to the investigation have the right to be heard and that the complainant has the opportunity to make his or her views known.

The amended text also specifies the relevant information to be exchanged between the lead supervisory authority and the other supervisory authorities concerned.

Summary of key issues

As part of the relevant information on a specific case, the lead supervisory authority will provide the other supervisory authorities concerned with a summary of key issues setting out its preliminary view on the main issues in an investigation. That summary will be provided at a sufficiently early stage to allow for the effective inclusion of the views submitted by the other supervisory authorities concerned.

Time limits for submission of a draft decision

The lead supervisory authority will submit a draft decision pursuant to Article 60(3) of Regulation (EU) 2016/679 within 15 months of the lead supervisory authority confirming its competence. On an exceptional basis, the lead supervisory authority may extend the time limit once, for a period of no longer than 12 months, due to the complexity of the case.

This Regulation provides for rules for situations where the lead supervisory authority is required by national law to engage in subsequent domestic proceedings related to the same case, such as administrative appeal proceedings.