The European Commission has proposed a new regulation to streamline the management of cross-border enforcement of the GDPR. DPAs have sometimes struggled to use the one-stop-shop system because of national procedural tools differing between member states, with basic questions such as what constitutes a complaint, eliciting different answers.
The proposed regulation will address the following key areas:
- The complaint itself. The regulation will seek to harmonise the requirements for the admissibility of a complaint.
- The position of the complainant. The regulation will establish rights for complainants to be heard where their complaints are rejected and in relation to their involvement in the investigation of a complaint.
- The controller’s/processor’s due process rights. The regulation will provide rights in relation to their defence of an enforcement action, such as the right to be heard.
- Streamlining co-operation and dispute resolution. The regulation will provide an opportunity for DPAs to provide their views at an early stage to the lead authority and require the lead authority to send a summary of key issues and its views to the other authorities. It will also provide for the use of GDPR tools such as joint investigations and mutual assistance.
This regulation is designed to complement the GDPR and not to alter it. In part, the hope is surely to circumvent some of the issues seen in the recent Irish Data Protection Commission cases by streamlining the approach and allowing for the airing of differences at an earlier stage of the process. This should save time and money and reduce the need to trigger the EDPB dispute resolution process.
The proposal can be found here.