Confederation of European Data Protection Organisations
CEDPO
The Confederation of European Data Protection Organisations, founded in September 2011, is a European umbrella organisation bringing together national data protection organisations from all over the European Union.
ID: 232686327345-75
Lobbying Activity
Response to Further specifying procedural rules relating to the enforcement of the General Data Protection Regulation
24 Mar 2023
Bonn, Bucharest, Dublin, Lisbon, Madrid, Milan, Paris, The Hague, Vienna, Warsaw
CEDPO Statement
Brussels, March 24th 2023
Ref: Further specifying procedural rules relating to the enforcement of the General Data Protection Regulation.

CEDPO welcomes the Commission's proposal to specify harmonized procedural rules at the EU level relating to the enforcement of the GDPR in cross border cases, as much as national procedural rules so permit. EU procedural rules should aim at ensuring more consistency across EU Member States in the handling of cross border proceedings, irrespective of whether they are initiated ex officio or as a result of complaints from data subjects, the respect of due process rights, including the rights to be heard and the right to access to information for controllers and processors subject, and a fair process.

CEDPO would like to emphasize that as stipulated under Art 39.1(e) of the GDPR, data protection officers (DPO), as appointed by controllers and processors, are the primary point of contact for data protection authorities on issues relating to data processing activities. As a consequence, the DPO should be involved by the supervisory authority and, where article 65 GDPR is triggered, by the EDPB, at every step of an enforcement procedure relating to a data processing activity where non-compliance with GDPR is assessed. Supervisory authorities must reach out to the designated DPO at the published or communicated contact details (Art 37.7 of the GDPR).

In order to make the GDPR enforcement more optimal in this regard, CEDPO is of the view that enforcement procedural rules should reflect the role of the DPO and provide for the DPO to be informed and involved as a first step as soon as a complaint is made, prior to the commencement of any investigation or enforcement proceedings as well as throughout any such undertaking, unless emergency circumstances justify otherwise, as well as keep him/her involved during the whole procedure, including when the EDPB's intervention is required to deal with objections of concerned data protection authorities, either to assess whether they are appropriately motivated or to build a harmonized GDPR construction based on the facts investigated by the Lead Supervisory Authority. This is further reinforced by Art 39 (1) which stipulates DPO cooperation with Supervisory Authorities on any given matter.

Furthermore, procedural rules have a bearing and impact on the controllers and processors involved in enforcement proceedings. If these rules were to be specified, they should address a number of questions and clarifications that can be summarized as follows:

1. Remit of LSA, SAs and EDPB. With a view to ensure legal certainty, it would be welcomed to have a clear determination on the scope of activity and involvement of the EDPB, the concerned supervisory authority/ies (SAs) and the lead supervisory authority (LSA) on cross-border cases. Despite the GDPR's language and mechanism (one-stop-shop) in practice, the extent of the SAs' and EDPB's respective remits vis a vis the LSA has been unclear, in particular, regarding the process of facts findings; the assessment and establishment of the facts to determine the existence of multi-jurisdictional breaches; the production of evidence and how the remedy action is determined, agreed and actioned (e.g. the nature of enforcement action and fining principles); the right to be heard and the integrity of the proceedings and the accountability of the supervisory authorities and the EDPB.

2. Right to be heard of the organization under investigation. The right to be heard for the controller or processor, and other fundamental rights of defense at the EDPB level (and not only at the LSA level), such as the right to present arguments, exchange documents, clarify facts and rebut evidence, and have sufficient time to prepare a defense must be guaranteed.

3. Motivated decisions. EDPB and SAs shall provide detailed reasoning