The Council, represented by the Polish presidency, and the European Parliament have reached preliminary agreement on a new law to ensure better cooperation between national data protection authorities in the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases.
"This is a big step forward towards better cooperation between national data protection authorities in enforcing citizens' rights under the General Data Protection Regulation. The aim is to deal more quickly with cross-border AVG complaints from citizens or organizations." - Krzysztof Gawkowski, Deputy Prime Minister and Minister of Digitization
The 2 EU legislators agreed on rules to streamline administrative procedures on, for example, the rights of complainants or the admissibility of cases and thus make the enforcement of the AVG, applicable since May 25, 2018, more efficient.
With the new regulation, cross-border AVG complaints from citizens or organizations can be processed more quickly and any follow-up investigations initiated more quickly. This is mainly due to the harmonization of admissibility requirements for cross-border claims The admissibility of a complaint about cross-border data processing is thus assessed in each country on the basis of the same information.
The requirements and procedures for hearing the complainant in case of rejection of a complaint are harmonized in the new regulation, and the regulation provides common rules on the involvement of the complainant in the procedure.
The company or organization under investigation is also given the right to be heard at key points in the proceedings.
The complainant and the company or organization under investigation are given the right to receive the preliminary findings (i.e., prior to the final decision) so that they can express their views on them.
The new rules provide deadlines for completing investigations. The 2 legislators agreed on a general investigation period of 15 months, which can be extended by 12 months for extremely complex cases. In a simple cooperation procedure between national data protection authorities, the investigation must be completed within 12 months.
The Council and the European Parliament agreed on a mechanism to settle complaints faster. This fast-track mechanism allows DPAs to settle a case before the standard procedures for a cross-border complaint are launched, i.e. before other national authorities are involved. This may be the case when the company or organization in question has remedied the breach and the complainant has not objected to the rapid resolution of the complaint.
To avoid lengthy discussions between different data protection authorities on a specific matter, the new law introduces measures to facilitate consensus building. For example, there is an obligation for the lead authority to send a summary of the main issues to their counterparts in the EU. This will ensure that they receive all the necessary information to quickly express their views on the case.
The final text maintains a Council proposal for a simple cooperation procedure, which allows certain additional rules to be omitted in simple cases. This will allow data protection authorities to avoid administrative burdens and act quickly in non-contentious cases, and use the new cooperation rules only in more complex investigations
The preliminary agreement must now be confirmed by the Council and Parliament. The new rules will enter into force after final approval by both institutions.
The AVG, the landmark EU data protection law that harmonizes data protection rights across Europe, established a system of cooperation between national data protection authorities. Those authorities, which are responsible for enforcing the AVG, are required to cooperate when a data protection case is cross-border, such as when the complainant resides in a different Member State than the company under investigation.
In such a cross-border case, one national authority becomes the lead authority in the investigation and must cooperate with its counterparts in other member states.
