Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679
Version 2.0
Adopted on 09 March 2021
Version Table
| Version | Date | Description |
|---|---|---|
| Version 1.0 | 8 October 2020 | Adoption of the Guidelines for public consultation |
| Version 2.0 | 9 March 2021 | Adoption of the Guidelines after public consultation |
Table of contents
- 1 GENERAL
- 2 CONDITIONS FOR A 'RELEVANT AND REASONED' OBJECTION
- 2.1 'Relevant'
- 2.2 'Reasoned'
- 3 SUBSTANCE OF THE OBJECTION
- 3.1 Existence of an infringement of the GDPR and/or compliance of the envisaged action with the GDPR
- 3.1.1 Existence of an infringement of the GDPR
- 3.1.2 Compliance with the GDPR of the action envisaged in the draft decision in relation to the controller or processor
- 3.2 Significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union
- 3.2.1 Meaning of 'significance of the risks'
- 3.2.2 Risks to fundamental rights and freedoms of data subjects
- 3.2.3 Risks to the free flow of personal data within the Union
The European Data Protection Board
Having regard to Article 70(1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter 'GDPR'),
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, 1
Having regard to Article 12 and Article 22 of its Rules of Procedure,
HAS ADOPTED THE FOLLOWING GUIDELINES
1 GENERAL
- Within the cooperation mechanism set out by the GDPR, the supervisory authorities ('SAs') have a duty to 'exchange all relevant information with each other' and cooperate 'in an endeavour to reach consensus'. 2 This duty of cooperation applies to every stage of the procedure, starting with the inception of the case and extending to the whole decision-making process. The achievement of an agreement on the outcome of the case is therefore the ultimate goal of the whole procedure established by Article 60 GDPR. In the situations in which no consensus is reached among the SAs, Article 65 GDPR entrusts the EDPB with the power to adopt binding decisions. However, the exchange of information and the consultation among the Lead Supervisory Authority ('LSA') and the Concerned Supervisory Authorities ('CSAs') often enables an agreement to be reached at the early stages of the case.
- According to Article 60(3) and (4) GDPR, the LSA is required to submit a draft decision to the CSAs, which then may raise a relevant and reasoned objection within a specific timeframe (four weeks). 3 Upon receipt of a relevant and reasoned objection, the LSA has two options open to it. If it does not follow the relevant and reasoned objection or is of the opinion that the objection is not reasoned or relevant, it shall submit the matter to the Board within the consistency mechanism. If the LSA, on the contrary, follows the objection and issues the revised draft decision, the CSAs may express a relevant and reasoned objection on the revised draft decision within a period of two weeks.
- When the LSA does not follow an objection or rejects it as not relevant or reasoned and therefore submits the matter to the Board according to Article 65(1)(a) GDPR, it then becomes incumbent upon the Board to adopt a binding decision on whether the objection is 'relevant and reasoned' and if so, on all the matters which are the subject of the objection.
- Therefore, one of the key elements signifying the absence of consensus between the LSA and the CSAs is the concept of 'relevant and reasoned objection'. This document seeks to provide guidance with respect to this concept and aims at establishing a common understanding of the notion of the terms 'relevant and reasoned', including what should be considered when assessing whether an objection 'clearly demonstrates the significance of the risks posed by the draft decision' (Article 4(24) GDPR).
3 It is possible for the CSAs to withdraw objections previously raised.
- Article 4(24) GDPR defines 'relevant and reasoned objection' as 'an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union'.
- This concept serves as a threshold in situations where CSAs aim to object to a (revised) draft decision to be adopted by the LSA under Article 60 GDPR. As the unfamiliarity surrounding 'what constitutes relevant and reasoned objection' has the potential to create misunderstandings and inconsistent applications by the supervisory authorities, the EU legislator suggested that the EDPB should issue guidelines on this concept (end of Recital 124 GDPR).
- In order to meet the threshold set by Article 4(24) GDPR, a submission by a CSA should in principle explicitly mention each element of the definition in relation to each specific objection. Therefore, the objection aims, first of all, at pointing out how and why, according to the CSA, the draft decision does not appropriately address the situation of infringement of the GDPR, and/or does not envision appropriate action towards the controller or processor in the light of the demonstration of the risks that such draft decision, if left unchanged, would entail for the rights and freedoms of data subjects and for the free flow of personal data in the Union, where applicable. An objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by referring to specific articles/paragraphs or by other clear indications, and showing why such issues are to be deemed 'relevant' as further explained below. The proposals for amendments put forward by the objection should aim to remedy these potential errors.
- Indeed, the degree of detail of the objection and the depth of the analysis included therein may be affected by the degree of detail in the content of the draft decision and by the degree of involvement of the CSA in the process leading to the draft decision issued by the LSA. Therefore, the standard of 'relevant and reasoned objection' is grounded on the assumption that the LSA's obligation to exchange all relevant information 4 is complied with, allowing the CSA(s) to have an in-depth understanding of the case and therefore to submit a solid and well-reasoned objection. To this end, the need for each legally binding measure of SAs to 'give the reasons for the measure' (see Recital 129 GDPR) should also be kept in mind. The degree of involvement of the CSA by the LSA in the process leading to the draft decision, if it leads to an insufficient knowledge of all the aspects of the case, can therefore be considered as an element to determine the degree of detail of the relevant and reasoned objection in a more flexible way.
- The EDPB would first like to emphasise that the focus of all SAs involved (LSA and CSAs) should be on eliminating any deficiencies in the consensus-finding process in such a way that a consensual draft decision is the result. Whilst acknowledging that raising an objection is not the most preferable tool to remedy an insufficient degree of cooperation in the preceding stages of the one-stop-shop proceeding, the EDPB nevertheless acknowledges that it is an option open to CSAs. This would be a last resort to also remedy (alleged) deficiencies in terms of CSAs' involvement by the LSA in the process that should have led to a consensus-based draft decision, including as regards the legal reasoning and the scope of the investigations carried out by the LSA in respect of the case at hand.
4 As per Article 60(1) GDPR.
- The GDPR requires the CSA to justify its position on the LSA's draft decision by submitting an objection that is 'relevant' and 'reasoned'. It is crucial to bear in mind that the two requirements, 'reasoned' and 'relevant', are to be deemed cumulative, i.e. both of them have to be met. 5 Consequently, Article 60(4) requires the LSA to submit the matter to the EDPB consistency mechanism when it is of the opinion that the objection does not meet at least one of the two elements. 6
- The EDPB strongly advises the SAs to raise their objections and exchange information through the information and communication system set up for the exchange of information among SAs. 7 They should be clearly marked as such by using the specific dedicated functions and tools.
2 CONDITIONS FOR A 'RELEVANT AND REASONED' OBJECTION
2.1 'Relevant'
- In order for the objection to be considered as 'relevant', there must be a direct connection between the objection and the substance of the draft decision at issue. 8 More specifically, the objection needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR.
- Consequently, the objection raised fulfils the criterion of being 'relevant' when, if followed, it would entail a change leading to a different conclusion as to whether there is an infringement of the GDPR or as to whether the envisaged action in relation to the controller or processor, as proposed by the LSA, complies with the GDPR. There must always be a link between the content of the objection and such potential different conclusion as further explained below. While it is possible for the objection to signal a disagreement on both elements, the existence of only one of them would be sufficient to meet the conditions for a relevant objection.
- An objection should only be considered relevant if it relates to specific legal and factual content of the LSA's draft decision. Raising abstract or broad concerns or remarks cannot be considered relevant in this context. Likewise, minor disagreements on the wording or regarding the legal reasoning that do not relate to the possible existence of the infringement nor to the compliance of envisaged action in relation to the controller or processor with the GDPR should not be regarded as relevant.
- The reasoning underlying the conclusions reached by the LSA in the draft decision can be subject to an objection, but only insofar as such reasoning is linked with the conclusion as to whether there is an infringement, whether the infringement of the GDPR has been correctly identified, or is linked with the compliance of the envisaged action with the GDPR, and to the extent that the whole Article 4(24) threshold as described in this document is met.
2.2 'Reasoned'
- In order for the objection to be 'reasoned', 9 it needs to include clarifications and arguments as to why an amendment of the decision is proposed (i.e. the legal / factual mistakes of the LSA's draft decision). It also needs to demonstrate how the change would lead to a different conclusion as to whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR.
5 See the wording of Article 60(4) GDPR.
7 See the EDPB Rules of Procedure.
- The CSA should provide sound and substantiated reasoning for its objection, in particular, by elaborating on legal arguments (relying on EU law and/or relevant national law, including e.g. legal provisions, case law, guidelines) or factual elements, where applicable. The CSA should present the fact(s) allegedly leading to a different conclusion regarding the infringement of the GDPR by the controller/processor, or the aspect of the draft decision that, in their view, is deficient/erroneous.
- Moreover, an objection is 'reasoned' insofar as it is able to 'clearly demonstrate' the significance of the risks posed by the draft decision as described in section 3.2 below. To this end, the objection must put forward arguments or justifications concerning the consequences of issuing the decision without the changes proposed in the objection, and how such consequences would pose significant risks for data subjects' fundamental rights and freedoms, and, where applicable, for the free flow of personal data within the Union.
- In order for an objection to be adequately reasoned, it should be coherent, clear, precise and detailed in explaining the reasons for objection. It should set forth, clearly and precisely, the essential elements on which the CSA based its assessment, and the link between the envisaged consequences of the draft decision (if it was to be issued as it is) and the significance of the anticipated risks for data subjects' fundamental rights and freedoms and, where applicable, for the free flow of personal data within the Union. Moreover, the CSA should clearly indicate which parts of the draft decision they disagree with. In cases where the objection is based on the opinion that the LSA failed to fully investigate an important fact of the case, or an additional violation of the GDPR, it would be sufficient for the CSA to present such arguments in a conclusive and substantiated manner.
- The CSA(s) must provide all the information (facts, documents, legal arguments) on which they are relying so as to effectively present their argument. This is fundamental in order to delimit the scope of the (potential) dispute. This means that, in principle, the CSA should aim to provide a relevant and reasoned objection in one single submission supported by all the factual and legal arguments as described above. However, within the deadline set forth by Article 60(4) GDPR, the CSA can provide additional information related to and supporting the objection raised, bearing in mind the need to comply with the 'relevant and reasoned' requirements.
Example 1: The CSA submits a formal objection, but a few days later provides the LSA with additional information through the information and communication system regarding the facts of the case. Such information may only be taken into consideration by the LSA insofar as it is provided within the deadline set forth by Article 60(4) GDPR.
- If possible, as a good practice, the objection should include a new wording proposal for the LSA to consider, which in the opinion of the CSA allows remedying the alleged shortcomings in the draft decision. This may serve to clarify the objection better in the relevant context.
3 SUBSTANCE OF THE OBJECTION
The subject matter of the objection may refer to whether there is an infringement of the GDPR and/or to whether the envisaged action in relation to the controller or the processor complies with the GDPR. The type of content will depend on the LSA's draft decision at stake and on the circumstances of the case.
Additionally, the CSA's objection will have to clearly demonstrate the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union. The existence of an infringement and/or the non-compliance of the envisaged action with the GDPR should be assessed in light of the significance of the risks that the draft decision, if left unchanged, poses to the rights and freedoms of data subjects and, if relevant, the free flow of personal data.
3.1 Existence of an infringement of the GDPR and/or compliance of the envisaged action with the GDPR
3.1.1 Existence of an infringement of the GDPR
- In the first case, the substance of the objection will amount to a disagreement between the CSA and the LSA as to whether, in the facts at issue, the activities and processing operations carried out by the controller or processor led to infringement(s) of the GDPR or not, and to which infringement(s) specifically.
- In this context, the term 'infringement' should be interpreted as 'an infringement of a given provision of the GDPR'. Therefore, the CSA's objections to the draft decision must be justified and motivated through reference to evidence and facts as exchanged between the LSA and the CSAs (the 'relevant information' referred to in Article 60 GDPR). These requirements should apply to each specific infringement and to each specific provision in question.
Example 2: The draft decision states that the controller infringed Articles 6, 7, and 14 GDPR. The CSA disagrees on whether there is an infringement of Articles 7 and 14 and considers that there is an additional infringement of Article 13 GDPR.
Example 3: The CSA argues that the LSA did not take into consideration the fact that the household exemption is not applicable to some of the processing operations conducted by a controller and involving the use of CCTV, hence that there is no infringement of the GDPR. In order to justify its objection, the CSA refers to Article 2(2)(c) GDPR, EDPB Guidelines 3/2019 on processing of personal data through video devices, and CJEU case C-212/13 Ryneš.
- An objection as to whether there is an infringement of the GDPR may also include a disagreement as to the conclusions to be drawn from the findings of the investigation. For instance, the objection may state that the findings amount to the infringement of a provision of the GDPR other than (and/or in addition to) those already analysed by the LSA's draft decision. However, this is less likely to happen when the obligation for the LSA to cooperate with the CSAs and exchange all relevant information in accordance with Article 60(1) GDPR has been duly complied with in the time preceding the issuance of the draft decision.
- In some circumstances, an objection could go as far as identifying gaps in the draft decision justifying the need for further investigation by the LSA. For instance, if the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant and reasoned objection may be raised based on the failure of the LSA to properly handle the complaint and to safeguard the rights of the data subject. In this regard, a distinction must be made between, on one hand, own-volition inquiries and, on the other hand, investigations triggered by complaints or by reports on potential infringements shared by the CSAs. In procedures based on a complaint or on an infringement reported by a CSA, the scope of the procedure (i.e. those aspects of data processing which are potentially the subject of a violation) should be defined by the content of the complaint or of the report shared by the CSA: in other words, it should be defined by the aspects addressed by the complaint or report. In own-volition inquiries, the LSA and CSAs should seek consensus regarding the scope of the procedure (i.e. the aspects of data processing under scrutiny) prior to initiating the procedure formally. The same applies in cases where a SA dealing with a complaint or report by another SA takes the view that an own-volition inquiry is also necessary to deal with systematic compliance issues going beyond the specific complaint or report.
- As mentioned above, raising an objection should only be considered as a last resort to remedy an allegedly insufficient involvement of the CSA(s) in the preceding stages of the process. The system designed by the legislator suggests that consensus on the scope of the investigation should be reached at an earlier stage by the competent SAs.
- The insufficient factual information or description of the case at stake, or the absence or insufficiency of assessment or reasoning (with the consequence that the conclusion of the LSA in the draft decision is not adequately supported by the assessment carried out and the evidence presented, as required in Article 58 GDPR), can also be a matter of objection linked to the existence of an infringement. This is subject to the conditions that the whole threshold set forth by Article 4(24) GDPR is met and that there can be a link between such allegedly insufficient analysis and the finding of an infringement / the envisaged action.
- It is possible for a relevant and reasoned objection to raise issues concerning procedural aspects to the extent that they amount to situations in which the LSA allegedly disregarded procedural requirements imposed by the GDPR and this affects the conclusion reached in the draft decision.
Example 4: The SA of Member State YY is competent to act as LSA for the cross-border processing carried out by the controller CC whose main establishment is in YY. The competent SA of Member State XX informs the LSA (YY) of a complaint lodged with the XX SA substantially affecting data subjects only in XX, pursuant to Article 56(2) and (3) GDPR. The LSA decides to handle the case.
The XX SA decides to submit to the LSA a draft for a decision pursuant to Article 56(4) GDPR. The LSA prepares a draft decision pursuant to Article 60(3) GDPR and submits it to the CSA. The XX SA is of the opinion that the LSA failed to comply with its obligation to take utmost account of the draft submitted by XX SA when preparing its draft decision, pursuant to Article 56(4) GDPR as it does not provide reasoning why it is deviating from the draft for a decision provided by the XX SA.
Subsequently, the XX SA raises a relevant and reasoned objection in which it puts forward arguments specifying the different conclusion that the draft decision would have reached if the LSA had followed its draft for a decision, in terms of establishing an infringement or determining the actions envisaged vis-à-vis the controller, and with a view to avoiding the demonstrated risks posed to data subjects' fundamental rights and freedoms, and, where applicable, to the free flow of personal data within the Union.
- An objection pursuant to Article 60(4) and Article 65(1)(a) GDPR is without prejudice to the provision of Article 65(1)(b) GDPR. Therefore, a disagreement on the competence of the SA acting as LSA to issue a decision in a specific case should not be raised through an objection pursuant to Article 60(4) GDPR, and falls outside the scope of Article 4(24) GDPR. Unlike the objection pursuant to Article 60(4) GDPR, the EDPB considers the procedure pursuant to Article 65(1)(b) GDPR to be applicable at any stage.
3.1.2 Compliance with the GDPR of the action envisaged in the draft decision in relation to the controller or processor
In this second scenario, the substance of the relevant and reasoned objection amounts to a disagreement regarding the particular corrective measure proposed by the LSA or other action envisaged in the draft decision.
More specifically, the relevant and reasoned objection should explain why the action foreseen in the draft decision is not in line with the GDPR. To this end, the CSA must clearly set out factual elements and/or legal arguments underlying the different assessment of the situation, by indicating which action would be appropriate for the LSA to undertake and include in the final decision.
Example 5: The controller disclosed sensitive medical data of the complainant to a third party without a legal basis. In the draft decision, the LSA proposed to issue a reprimand, while the CSA provides factual elements showing that the controller is facing broad and systemic issues in its compliance with the GDPR (e.g. it regularly discloses its clients' data to third parties without a legal basis). Therefore it proposes that an order to bring the processing operations into compliance, a temporary ban on the data processing, or a fine should be imposed.
Example 6: Due to a mistake of one of its employees, the controller published the name, last name and telephone numbers of all its 100.000 clients on its website. These personal data were publicly accessible for two days. As the controller reacted as soon as possible, the mistake was reported, and all the clients were individually informed, the LSA planned to simply issue a reprimand. One CSA however considers that, due to the large scale of the data breach and its possible impact/risk on the private life of the clients, the imposition of a fine would be required.
- As enshrined in the last sentence of Article 65(1)(a) GDPR, the binding decision of the EDPB shall concern all the matters which are the subject of the objection, in particular in case of an infringement. Recital 150 sentence 5 GDPR states that the consistency mechanism may also be used to promote a consistent application of administrative fines. Therefore, it is possible that the objection challenges the elements relied upon to calculate the amount of the fine. If the assessment of the EDPB within this context identifies shortcomings in the reasoning leading to the imposition of the fine at stake, the LSA will be instructed to re-assess the fine and remedy the identified shortcomings. The EDPB's assessment on this matter should be based on common EDPB standards stemming from Article 83(1) and (2) GDPR and the Guidelines on the calculation of administrative fines.
Example 7: The CSA considers that the level of the fine envisaged by the LSA in the draft decision is not effective, proportionate or dissuasive, as required by Article 83(1) GDPR, taking into account the facts of the case.
3.2 Significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union
3.2.1 Meaning of 'significance of the risks'
It is important to bear in mind that the goal of the work carried out by SAs is that of protecting the fundamental rights and freedoms of data subjects and facilitating the free flow of personal data within the Union (Article 4(24), Article 51 and Recital 123 GDPR).
The obligation to demonstrate the significance of the risks posed by the draft decision (e.g. by the measures provided for therein, or by the absence of corrective measures, etc.) for the rights and freedoms of data subjects and, where applicable, for the free flow of data within the Union lies on the CSA. The possibility for CSAs to provide such a demonstration will also rely on the degree of detail of the draft decision itself and of the initial provision of information by the LSA, as highlighted above in paragraph 8.
'Risk' is mentioned in numerous sections of the GDPR, and previous EDPB guidelines 10 define it as 'a scenario describing an event and its consequences, estimated in terms of severity and likelihood'. Article 4(24) GDPR refers to the need to demonstrate the 'significance' of the risks posed by the draft decision, that is, to show the implications the draft decision would have for the protected values. The CSA will need to do so by advancing sufficient arguments to explicitly show that such risks are substantial and plausible, for the fundamental rights and freedoms of data subjects and, where applicable, for the free flow of data in the Union. The demonstration of the significance of the risks cannot be implied from the legal and/or factual arguments provided by the CSA, but it has to be explicitly identified and elaborated in the objection.
It should be emphasised that while a relevant and reasoned objection needs to always clearly demonstrate the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects (see Section 3.2.2 below), the demonstration of the risks posed to the free flow of personal data within the European Union is only requested 'where applicable' (see below Section 3.2.3).
3.2.2 Risks to fundamental rights and freedoms of data subjects
- The issue at stake concerns the impact the draft decision, as a whole, would have on the data subjects' fundamental rights and freedoms. This may concern the findings the LSA made as to whether the controller or processor infringed the GDPR, and/or the imposition of corrective measures.
- The approach to be used when assessing the risk posed by the draft decision is not the same as the one applied by a controller in carrying out a data protection impact assessment ('DPIA') to establish the risk of an intended processing operation. Indeed, the subject matter of the assessment is totally different: namely, the effects produced by the conclusions drawn by the LSA as set out in its draft decision regarding whether an infringement has been committed or not. The conclusions of the LSA may entail taking certain measures (the 'envisaged action'). As said, it is by having regard to the draft decision as a whole that such risks are to be demonstrated by the CSA.
- Recital 129 GDPR clarifies that '[t]he powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time' and that 'each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned'.
- Therefore, the evaluation of the risks posed by the draft decision to the fundamental rights and freedoms of data subjects can rely, inter alia, on the appropriateness, necessity, and proportionality of the measures envisaged (or not envisaged) therein as based on the findings related to the existence of an infringement and the possible remedial actions set forth by the controller or processor.
- Additionally, the risks at stake may refer to the impact of the draft decision on the fundamental rights and freedoms of the data subjects whose personal data are processed by the controller or processor, but also to the impact on the rights and freedoms of data subjects whose personal data might be processed in the future and to the possible reduction of future infringements of the GDPR, where the facts of the case support it.
Example 8: The LSA's draft decision concluded that the principle of data minimisation enshrined in Article 5(1)(c) GDPR was not breached by the controller. The CSA brings factual elements and legal arguments in its objection showing that the processing activity carried out by the controller had actually resulted in a breach of Article 5(1)(c) GDPR, and arguing that a reprimand should be issued against the controller. In order to demonstrate the significance of the risks for the fundamental rights and freedoms of data subjects, the CSA argues that the absence of a reprimand for the violation of a fundamental principle would set a dangerous precedent, by failing to signal the need for a correction of the organisation's data processing activities, and would endanger the data subjects whose personal data are and will be processed by the controller.
3.2.3 Risks to the free flow of personal data within the Union
- Where the objection also refers to these particular risks, the CSA will need to clarify why it is deemed to be 'applicable'. Additionally, an objection demonstrating risks posed to the free flow of personal data, but not to the rights and freedoms of data subjects, will not be considered as meeting the threshold set by Article 4(24) GDPR.
- The need to avoid restricting or prohibiting the free movement of personal data for reasons connected with the protection of natural persons with regard to the processing of personal data is explicitly recalled by the GDPR 11, which aims to introduce harmonised data protection rules across the EU and enable the free flow of personal data within the Union, while ensuring a high level of protection of natural persons' fundamental rights and freedoms, in particular their right to protection of their personal data.
- The risks to the free flow of personal data within the Union may be created by any measures, including decisions of national SAs, which introduce unjustified limitations regarding data storage (e.g. provisions which oblige a controller to store certain information in a particular Member State) and/or the free flow of personal data between Member States (e.g. through suspension of data flows or imposition of temporary or definitive limitation including a ban on processing).
- Likewise, the free flow of personal data within the Union may be at risk when expectations are set (or requirements imposed) on how controllers fulfil their obligations under the GDPR, namely in such a way that the actions expected from controllers become tied to a specific region in the EU (e.g. through specific qualifications requirements).
- Additionally, the free flow of personal data within the Union may also be hampered if unjustifiably different decisions are issued by SAs in situations that are identical or similar (e.g. in terms of sector or type of processing), as a lack of uniformity would endanger the EU level playing field and create contradictory situations within the EU, and a risk of forum shopping. Account should be taken in this respect of national specificities as permitted by the GDPR with regard to certain sectors such as health care, journalism or archives.
11 GDPR, Article 1(3).
Footnotes
References to 'Member States' made throughout this document should be understood as references to 'EEA Member States'.
Regulation 2016/679, hereinafter 'GDPR', Article 60(1).
Pursuant to Article 60(4) GDPR the lead supervisory authority shall also submit the matter to the consistency mechanism referred to in Article 63 if it does not follow the relevant and reasoned objection.
The Oxford English Dictionary defines 'relevant' as 'bearing on or connected with the matter in hand; closely relating to the subject or point at issue; pertinent to a specified thing' ("relevant, adj." OED Online, Oxford University Press, June 2020, www.oed.com/view/Entry/161893. Accessed 24 July 2020).
The Oxford English Dictionary defines 'reasoned' as 'characterised by or based on reasoning; carefully studied' ("reasoned, adj.2." OED Online, Oxford University Press, June 2020, www.oed.com/view/Entry/159078. Accessed 24 July 2020).
See e.g. WP 248 rev.01 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation 2016/679.