EDPB Adopts Article 60 Guidelines

Hunton Andrews Kurth’s Privacy and Cybersecurity

Email

212 309 1223 direct

EDPB Adopts Guidelines on Relevant and Reasoned Objection under Article 60 of the GDPR

by: Hunton Andrews Kurth’s Privacy and Cybersecurity of Hunton Andrews Kurth - Privacy and Information Security Law Blog-Hunton Andrews Kurth

Thursday, October 15, 2020

Print Mail Download

i

During its 39th plenary session on October 8, 2020, the European Data Protection Board (“EDPB”) adopted guidelines on relevant and reasoned objection under the General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines relate to the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which a lead supervisory authority (“LSA”) has a duty to cooperate with other concerned supervisory authorities (“CSAs”) in order to reach a consensus.

Specifically, an LSA is required under Article 60(3) of the GDPR to submit a draft decision to the CSAs, which may then raise a relevant and reasoned objection within a specific timeframe. The Guidelines aim to establish a common understanding of the meaning of ‘relevant and reasoned.’

With respect to the requirement that an objection be “relevant,” the Guidelines require a direct connection between the objection and the draft decision at issue. The Guidelines add: “More specifically, the objection needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR.”

“Consequently, the objection raised fulfils the criterion of being ‘relevant’ when, if followed, it would entail a change leading to a different conclusion as to whether there is an infringement of the GDPR or as to whether the envisaged action . . . as proposed by the LSA, complies with the GDPR.”

The condition that an objection be “reasoned” requires that it include clarifications and arguments as to why an amendment of the decision is proposed, and demonstrate how the change would lead to a different conclusion with respect to whether there is an infringement of the GDPR or whether the envisioned action complies with the GDPR. The Guidelines emphasize that CSAs should provide sound reasoning by referencing legal arguments or factual arguments, where applicable.

In addition, the Guidelines state: “In order for an objection to be adequately reasoned, it should be coherent, clear, precise and detailed in explaining the reasons for objection. It should set forth, clearly and precisely, the essential facts on which the CSA based its assessment, and the link between the envisaged consequences of the draft decision . . . and the significance of the anticipated risks. Moreover, the CSA should clearly indicate which parts of the draft decision they disagree with.”

The EDPB welcomes comments on the Guidelines until November 24, 2020. Comments may be submitted here.