Download the Gartner Market Guide for Consent and Preference Management
Access now
Skip to content

GDPR Procedural Regulation: Four enforcement problems and four proposed solutions

Posted: July 28, 2023

Even the General Data Protection Regulation (GDPR)’s most devoted supporters concede one problem with the law: Enforcement.

The GDPR’s “one-stop-shop” process, designed to systematize coordination among data protection authorities (DPAs) in cross-border complaints, has led to a bottleneck of data protection complaints and some in-fighting among regulators.

The proposed GDPR Procedural Regulation is the Commission’s attempt to fix cross-border GDPR enforcement. Here are four cross-border enforcement problems identified by the Commission and four proposed solutions to fix them.

 

Problem 1: DPAs have different rules for complaints

 

The GDPR was designed to make data protection law more uniform across the EU. However, DPAs have set up different complaint procedures, leading to inconsistencies for data subjects across the member states.

For example:

  • A complaint accepted by one DPA might be rejected by another, perhaps because the complainant has not provided enough information.
  • Some DPAs do not involve complainants in the complaints process, while others treat all parties equally.
  • Some DPAs reject complaints on an informal basis, while others adopt a formal decision in every case (whether or not a complaint is fully investigated).

 

Proposed solution: Standardized complaints procedure

 

The Commission’s proposal would create a new procedure for cross-border complaints, including a standard form that must be used when submitting a cross-border complaint.

As long as the complainant provides all the information requested in the form, the complaint will be investigated.

The proposal also sets out new requirements for DPAs when investigating GDPR complaints.

 

Problem 2: Inconsistent rights among parties to a complaint

 

The Commission suggests that different member states provide different rights for parties to complaints under the GDPR. For example:

  • The right of each party to be heard.
  • The timing of the hearing.
  • The right to access documents.

This is a particular problem for cross-border complaints, as the DPA cooperation process assumes that all parties have been heard before a draft decision is considered by the EDPB.

 

Proposed solution: Harmonized procedural rights

 

The Commission’s proposal suggests standardizing the involvement of parties to a complaint, including during the EDPB dispute resolution process.

The proposal would also standardize the contents of a complaint file and set out who has access to the file.

 

Problem 3: DPAs are not cooperating

 

The Commission suggests that DPAs are not endeavoring to resolve disputes before moving to the GDPR’s dispute resolution process. Essentially, the Commission seems to think that DPAs are moving to adopt “binding decisions” too early.

The dispute resolution process should be used in exceptional cases—once all DPAs have had the opportunity to submit “relevant information” and have attempted to arrive at a consensus.

 

Proposed solution: Streamlined cooperation process

 

The proposal sets out a new cooperation and consistency process that ultimately aims to reduce the number of binding decisions. The reforms include:

  • A stronger requirement for DPAs to cooperate.
  • Clearer rules around submitting “relevant information” in cross-border cases.
  • A new procedure for the EDPB to adopt an urgent decision while an investigation is underway.

 

Problem 4: The dispute resolution process is inefficient

 

Although the Commission clearly aims to reduce the reliance on the GDPR’s dispute resolution procedure, the proposal also notes that some problems arise when the dispute resolution procedure is underway, including:

  • The process is slow (the Commission does not say this but implies it).
  • DPAs have inconsistent ways of contributing to the process.
  • DPAs from smaller member states can be under-represented.

 

Proposed solution: Reformed dispute resolution procedure

 

The proposal aims to tighten up the dispute resolution procedure including by providing:

  • New detailed requirements around the form and structure of “relevant and reasoned objections”.
  • Deadlines by which parts of the dispute resolution procedure should be completed.
  • Clearer roles for various parties in the procedure (the lead DPA, concerned DPAs, and the EDPB).
Cassie GDPR guide

Want to learn more about GDPR compliance?

If your company processes the personal data of European Union residents, then it’s essential to understand the regulations around GDPR compliance. Read our comprehensive guide to understand the key challenges and opportunities of GDPR compliance.

Download guide

You might also like to read:

Backbone Of The GDPR

The Article 5 Principles: The Backbone of the GDPR

The Article 5 Principles: The Backbone of the GDPR

The GDPR’s “principles of data processing” underpin all the law’s other provisions—get the principles right, and you’ll have a solid foundation for properly implementing every obligation relevant to your business.

Read blog
Google Analytics and the GDPR

Google Analytics and GDPR: What’s the problem?

Google Analytics and GDPR: What’s the problem?

We explore the potential GDPR violations by Google Analytics, reviewing data protection concerns and potential solutions.

Read blog