In order to ensure the smooth and effective functioning of the cooperation and dispute resolution mechanisms, regulations are now to be adopted at European level and harmonised horizontally. The focus here is also on the handling of complaints from data subjects in cross-border cases, which is particularly relevant for multinational groups and corporations. This is because the relevant procedure has a direct impact on the companies involved in the event of complaints from data subjects (e.g. if they process personal customer data across the group). The Schrems I and II rulings of the ECJ have already shown the scale that complaints can take on, as they temporarily made data transfers to the US almost impossible from a legal perspective. The planned regulation on GDPR enforcement will therefore be examined in more detail in this blog post.
1. Inconsistent procedural requirements
To date, there are no procedural requirements at European level governing cooperation between data protection supervisory authorities in cross-border cases. It is therefore up to the Member States to lay down the details, in particular of the administrative procedures. This leads to considerable differences in national administrative procedures and in the interpretation of legal concepts in the context of cooperation procedures. The European Parliament has therefore called for basic elements of a common administrative procedure for handling complaints in cross-border cases.
2. New procedural requirements from the EU
For this reason, the EU Commission submitted a procedure for a regulation proposal back in July 2023, which is intended to address the identified shortcomings. The Council of Europe recently commented on this proposal and submitted an amendment to the existing draft.
3. Low barriers for complaints by data subjects
According to the proposed provisions, binding requirements for the admissibility of complaints by data subjects will be established. In future, such complaints will only need to include the name and contact details of the complainant, a description of the alleged GDPR infringement and information enabling the controller or processor to be identified. Accordingly, the barriers to filing admissible complaints that supervisory authorities must investigate are set as low as possible, which could lead to an increase in supervisory inquiries at multinational companies.
4. Hearing of companies
The current draft regulation also provides that the supervisory authority responsible for the investigation (the ‘lead’ supervisory authority) must contact any party concerned (e.g. a company) as part of the right to be heard, inform it of the preliminary findings and grant it access to the administrative file. This is intended to give the affected party the opportunity to express its views and defend itself against the allegations made. In this respect, the lead supervisory authority should only deal with allegations in its decision on which the affected parties have had the opportunity to comment. Requests to this effect must be answered with corresponding care, taking particular care not to expand the facts to one’s own disadvantage. This is not always easy to ensure due to the frequently open-ended nature of questions posed by supervisory authorities, but it is essential to observe for procedural tactical reasons.
5. Deadlines for companies to respond
The supervisory authority shall give each party concerned a reasonable period of time to respond, which shall not be less than three weeks but not more than six weeks. This means that companies only have a relatively short time to respond to the request. Processes must therefore be implemented to ensure that this is possible: It must be clear where information relating to (international) processing is stored and which contact persons are authorised and available to provide information. This also requires appropriate substitution rules in the event of planned or unplanned absences.
6. Early resolution of a complaint
In the event of complaints relating to the implementation of data subject requests, it is possible, under certain conditions, to resolve a complaint at an early stage. This is particularly relevant if the authority has established, on the basis of evidence, that an alleged infringement has been remedied. Accordingly, when designing processing operations with a cross-border processing element that is not entirely uncritical, it is advisable to provide for a possible alternative scenario in order to be able to resolve any disputes in this regard at an early stage if necessary. The latter may be appropriate, for example, if a supervisory authority threatens to issue a cease-and-desist order in the event that a transfer to a third country continues. The European Data Protection Board has obtained various legal opinions on the question of how critical the legal situation is in relation to various third countries.
7. Conclusion
Multinational corporate groups and conglomerates should prepare for the upcoming procedural rules at an early stage. Existing processes for dealing with traditional requests for information from authorities can be used as a basis for this.
The most important points briefly summarised
- Procedures for handling data protection complaints involving cross-border issues are currently regulated inconsistently. A new regulation proposal aims to address this issue.
- In particular, the proposed regulation provides for very low barriers to the submission of complaints by data subjects, which could increase the number of admissible data protection complaints and the resulting administrative proceedings.
- Procedures should be implemented to respond quickly and to the extent necessary to requests from supervisory authorities regarding complaints about cross-border processing. Furthermore, possible alternative scenarios should be considered in advance for processing operations involving critical third countries so that these can be implemented at short notice if necessary.
