The European Council today reached an agreement on a common member states’ position on a new law aimed at improving cooperation between national data protection authorities when they enforce the General Data Protection Regulation (GDPR).
“Data protection is a key fundamental right and the GDPR is the EU’s most powerful tool to safeguard it. Now the EU is taking an important step to make enforcement of this law more efficient,” said Paul Van Tigchelt, Minister of Justice.
The GDPR requires national data protection authorities, responsible for enforcing the GDPR, to cooperate when a data protection case concerns cross-border processing. This is particularly relevant when the complainant resides in a different member state than the company under investigation.
The new regulation will provide tools to speed up the process of handling cross-border complaints filed by citizens or organisations, and any follow-up investigations. This is thanks to the harmonisation of the requirements for a cross-border action to be admissible.
The regulation also clarifies the procedural deadlines and steps of an investigation and for the adoption of a binding opinion by the European Data Protection Board (EDPB), in case of disagreement between data protection authorities.
The Council agreed that throughout the cooperation procedure, national data protection authorities should be able to provide their views to the lead supervisory authority. The new regulation will harmonise the requirements and procedures for the complainant to be heard if a complaint is rejected and provides common rules on the involvement of the complainant in the procedure.
The Council position maintains the general thrust of the proposal but amends the draft regulation in several aspects, including clearer timelines, enhanced and efficient cooperation, and an early resolution mechanism.
“The GDPR is the EU’s landmark data protection law which harmonises data protection rights across Europe. It applies to any organisation that deals with personal data of EU citizens or residents, regardless of where they are based,” said an EU official. “The GDPR has been in application since 25 May 2018. Several reports on the application of the GDPR noted that the handling of cross-border issues was hampered by differences in administrative procedures. The procedural rules in the new regulation will address this concern.”
