The EDPB has adopted its binding decision: when is it notified to the relevant national Data Protection Authorities (DPAs), in which language and what happens next?
Once the EDPB has adopted a binding decision, the EDPB Chair notifies the binding decision to the relevant national Data Protection Authorities (DPAs) without undue delay.
Prior to the notification, the binding decision is translated into the languages of the relevant national DPAs that have to adopt a final decision or take measures at national level on the basis of the binding decision [1]. Translation and proofreading can take a few weeks. In any case, the English version of the decision is the only authentic language version.
Next step for the relevant Data Protection Authorities (DPAs)
Once the relevant SAs have been notified of the binding decision, a decision has to be adopted at national level to implement the content of the binding decision. This decision will be adopted without undue delay and at the latest one month after the EDPB has notified its decision. For cross-border cases where no consensus was found (Art. 65.1 (a) GDPR), the final decision will be addressed to the controller or processor and, where relevant, to the complainant.
[1] Please see paragraphs 6 and 7 of Art. 11 of the EDPB Rules of Procedure. In exceptional cases, other Concerned Supervisory Authorities (CSAs) can request, providing the reasons, an urgent translation in their official EU language(s) no later than at the moment of adoption of the binding decision.
What is the dispute resolution mechanism of Art. 65 GDPR?
When a Lead Supervisory Authority (LSA) issues a draft decision, it consults the Concerned Supervisory Authorities (CSAs), which can express their disagreement with the draft decision by submitting relevant and reasoned objections (RRO) within a period of four weeks (Art. 60.4 GDPR). When none of the CSAs objects, the LSA may proceed to adopt the decision.
In case at least one of the CSAs has expressed an RRO, and if the LSA intends to follow the objection, it shall submit a revised draft decision to all the CSAs. The CSAs then have a period of two weeks (Art. 60.5 GDPR) to express their RROs to the revised draft decision.
However, if the LSA does not intend to follow the objection(s), since no consensus can be reached, the consistency mechanism is triggered. This means that the LSA is obliged to refer the case to the European Data Protection Board (EDPB) and the dispute resolution role of the EDPB is activated (Art. 65.1(a) GDPR).
The dispute resolution mechanism can be triggered in two further cases:
there is a disagreement as to which authority is the LSA (Art. 65.1(b) GDPR);
an SA does not seek the opinion of the EDPB as obliged under Art. 64.1 GDPR or does not follow such an opinion (Art. 64.1 - 2 GDPR) (Art. 65.1(c) GDPR).
The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities (DPAs), as well as the DPAs of Iceland, Liechtenstein and Norway (the European Economic Area or EEA).
What is the purpose of the dispute resolution mechanism of Art. 65.1 (a) and (b) GDPR?
The dispute resolution mechanism triggered under Art. 65.1 (a) and (b) GDPR contributes to the good functioning of the cooperation mechanism by addressing any disagreements Concerned Supervisory Authorities (CSAs) may have in a given case or if there are conflicting views as to which authority is the Lead Supervisory Authority (LSA). The EDPB will act as a dispute resolution body. It must adopt a decision to address the conflict between the involved Data Protection Authorities (DPAs), which is binding on them (Art. 65 GDPR). The decision is adopted by a two-thirds majority of the members of the Board, and in case a decision cannot be adopted within 2 months, the decision is adopted within the next 2 weeks by a simple majority.
Where can I find documents that were adopted during a recent/the latest EDPB plenary?
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
Once published, recently adopted documents will be listed under “latest publications” on the main page of this website.
You can also find overviews of the documents adopted per plenary on the EDPB news page.
How are the EDPB & EDPS related?
The European Data Protection Supervisor (EDPS) is a Member of the European Data Protection Board. In addition, the EDPS provides the EDPB Secretariat. The Secretariat offers administrative and logistic support to the EDPB, performs analytical work and contributes to the EDPB’s tasks.
Although staff at the Secretariat is employed by the EDPS, staff members only work under the instructions of the Chair of the EDPB.
How does cross-border cooperation work under the GDPR?
The General Data Protection Regulation (GDPR) requires the Data Protection Authorities (DPAs) of the European Economic Area (EEA) to cooperate closely, under the umbrella of the European Data Protection Board (EDPB), to ensure the consistent application of the GDPR and the protection of individuals’ data protection rights across the EEA. One of their tasks is to coordinate decision-making in cross-border data processing cases. Processing is cross-border when:
data processing takes place in more than one country;
or it substantially affects or it is likely to substantially affect individuals in more than one country.
Under the so-called one-stop-shop mechanism (Art. 60 GDPR), the Lead Supervisory Authority (LSA) acts as the main point of contact for the controller or processor for a given processing, while the Concerned Supervisory Authorities (CSAs) act as the main point of contact for individuals in the territory of their Member State. The LSA is the authority in charge of leading the cooperation process. It will share relevant information with the CSAs, carry out the investigations, prepare the draft decision relating to the case, and cooperate with the other CSAs in an endeavour to reach consensus on this draft decision.
The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data protection authority.
The EDPS is responsible for monitoring the processing of personal data by the EU institutions, bodies, offices and agencies (EUIs) as well as providing advice on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Can a Data Protection Authority (DPA) challenge an Art. 65 GDPR decision by the EDPB?
As addressees of the EDPB decisions, the relevant Data Protection Authorities (DPAs) that wish to challenge these decisions can bring an action for annulment before the European Court of Justice (CJEU) within two months of being notified.
No. The EDPB does not handle complaints or conduct investigations. If you believe your data protection rights have been violated you can contact the organisation holding your data, contact your national data protection authority (DPA), or go to a national court.