On 4 July 2023, the European Commission presented a proposal for a regulation aimed at establishing new procedural rules to facilitate the application of Regulation (EU) 2016/679 (GDPR) on the protection of personal data in cross-border cases, i.e. in cases where the affected individuals are located in more than one Member State, with the consequent involvement of several supervisory authorities.
The proposal intends to establish and facilitate the cooperation between data protection authorities from the beginning of the procedure and thereby to reduce the potential for disagreements between them.
The new regulation should therefore set out new procedural rules for all authorities applying the GDPR, and should also clarify the rights of the parties involved in all cases where a supervisory authority is investigating a possible breach of data protection rules.
In particular, the regulation shall harmonise the requirements for cross-border complaints and, inter alia, provide for adequate guarantees of involvement of individuals in the procedure, granting them the right to be heard if their complaint is rejected. For companies, on the other hand, the new regulation clarifies their rights of defence in the event of potential GDPR breaches, guaranteeing both controllers and processors the right to be heard during the procedure.
Among the various innovations is the introduction of an obligation for the leading Data Privacy Supervisory Authority in the proceeding to share its “summary of key issues” with the involved parties, wherein the main aspects of the investigation are indicated and the position of the Authority on the case is set out, in order to allow the involved parties to express their views at an early stage and to avoid disagreements. The said procedure would facilitate the consensus among the authorities involved from the very beginning of the procedure, allowing a quicker and more efficient resolution of cross-border cases.