Guidelines 06/2022 on the practical implementation of amicable settlements

Guidelines 06/2022 on the practical implementation of amicable settlements

Version 2.0

Adopted on 12 May 2022

Version history

Version 2.0	12 May 2022	Adoption of Guidelines 06/2022 Only minor editorial adjustments were made in comparison to Version 1.0, for the purpose of publication.
Version 1.0	18 November 2021	Adoption of Internal EDPB Document 06/2021 The EDPB members decided to discuss the publication of the document after a period of 6 months, allowing the EDPB members to gain experience from practice during that time

Table of contents

1	SCOPE AND AIM .............................................................................................................................. 4	SCOPE AND AIM .............................................................................................................................. 4
2	DEFINITION OF THE TERM 'AMICABLE SETTLEMENT'.................................................................... 5	DEFINITION OF THE TERM 'AMICABLE SETTLEMENT'.................................................................... 5
2.1	General context....................................................................................................................... 5
2.2	GDPR	context........................................................................................................................... 6
2.3	The aim of amicable settlements in general...........................................................................	8
3	GENERAL LEGAL ANALYSIS .............................................................................................................. 9	GENERAL LEGAL ANALYSIS .............................................................................................................. 9
3.1	The power to reach an amicable settlement as one of the powers vested in SAs ................. 9	The power to reach an amicable settlement as one of the powers vested in SAs ................. 9
3.2	The amicable settlement procedure in the OSS context ...................................................... 10	The amicable settlement procedure in the OSS context ...................................................... 10
	3.2.1 Amicable settlement achieved by the complaint-receiving CSA in the preliminary vetting phase................................................................................................................................. 10	3.2.1 Amicable settlement achieved by the complaint-receiving CSA in the preliminary vetting phase................................................................................................................................. 10
3.2.2	Amicable settlement attempted by the LSA ................................................................. 11	Amicable settlement attempted by the LSA ................................................................. 11
3.2.3	Cases under Article 56(2) .............................................................................................. 15	Cases under Article 56(2) .............................................................................................. 15
4	LEGAL CONSEQUENCES AND PRACTICAL RECOMMENDATIONS .................................................. 16	LEGAL CONSEQUENCES AND PRACTICAL RECOMMENDATIONS .................................................. 16
4.1 Application of the principle of good the OSS	4.1 Application of the principle of good the OSS	administration to the amicable settlement procedure in context................................................................................................................................. 16
4.2	4.2	The cooperation procedure following an amicable settlement achieved by the LSA .......... 17
4.3	4.3	Amicable settlement in Article 56(2) cases........................................................................... 18
Annex 1: RELEVANT STEPSWHEN HANDLING A CASE VIA AMICABLE SETTLEMENT............................ 19	Annex 1: RELEVANT STEPSWHEN HANDLING A CASE VIA AMICABLE SETTLEMENT............................ 19	Annex 1: RELEVANT STEPSWHEN HANDLING A CASE VIA AMICABLE SETTLEMENT............................ 19
Annex 2: COUNTRIES WHERE AMICABLE SETTLEMENTS ARE NOT POSSIBLE IN ACCORDANCE WITH THE NATIONAL LEGISLATION................................................................................................................. 22	Annex 2: COUNTRIES WHERE AMICABLE SETTLEMENTS ARE NOT POSSIBLE IN ACCORDANCE WITH THE NATIONAL LEGISLATION................................................................................................................. 22	Annex 2: COUNTRIES WHERE AMICABLE SETTLEMENTS ARE NOT POSSIBLE IN ACCORDANCE WITH THE NATIONAL LEGISLATION................................................................................................................. 22

The European Data Protection Board

Having regard to Article 70(1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter 'GDPR'),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 ,

Having regard to Article 12 and Article 22 of its Rules of Procedure,

HAS ADOPTED THE FOLLOWING GUIDELINES

1 SCOPE AND AIM

1. Practice has shown that many supervisory authorities (hereinafter 'SAs') apply the instrument of amicable settlement when dealing with complaints. It is as well noticeable that there are diverse variations of amicable settlements and that they are therefore handled differently by SAs due to differing domestic legislations. The GDPR uses the term 'amicable settlement' only in Recital 131 in reference to the handling of local cases under Article 56(2) GDPR, but does not explicitly limit the possibilities to facilitate such local cases. The resulting lacuna in regulation of amicable settlements for non-local cases has been filled in divergent ways, some by way of Member State law, others by way of interpretation. Given these different interpretations and given the differing national laws governing complaint handling and amicable settlements (if at all present), the practical implementation of the instrument of amicable settlements differs considerably among Member States.
2. The powers of the SAs should be exercised in accordance with specific requirements in their Member State procedural law. This applies also to the handling of cases. However, national procedural law must comply with the principles of equivalence and effectiveness and may hence not render excessively difficult or practically impossible the exercise of the rights conferred by EU law (i.e. the GDPR). Through these Guidelines, the EDPB therefore seeks to provide best practices for a consistent application of the GDPR at national and EU level, to the extent appropriate for the application of the instrument of amicable settlement, taking into account the various national procedural legislations - insofar as such an instrument has been implemented explicitly - the procedure of the OSS mechanism under the GDPR, and the technical environment (IMI).
3. Cases handled by SAs can have origins other than complaints, for example cases based on media reports or ex officio investigations. However, the present guidance will address the practical

implementation of amicable settlements only for cases that originated as a complaint from a data subject since the possibility of a settlement postulates the existence of a dispute between two entities, in this case the complaint lodged by a data subject against a data controller (see also paragraph 2.1 below). Furthermore, such complaints can be divided into (i) national cases without cross-border character, (ii) cases where the OSS mechanism applies because the case is cross-border in nature, and (iii) cross-border cases that are handled locally pursuant to Article 56(2) GDPR. Again, even though practice shows that amicable settlements are a possible course of action for all situations, the present guidance will mainly address those complaints that are cross-border in nature.

2 DEFINITION OF THE TERM 'AMICABLE SETTLEMENT'

2.1 General context

4. The GDPR does not define the meaning of the term 'amicable settlement' and only refers to this expression in Recital 131. 2 The most relevant meanings of 'settlement' are 'an arrangement' and 'an official agreement intended to resolve a dispute or conflict'.The Oxford English Dictionary explains the adjective 'amicable' as 'characterised by friendliness and absence of discord'.
5. The way amicable settlements are defined more generally in the legal profession and throughout other international documents provides some preliminary guidance for determining the definition of amicable settlements. For example, the International Chamber of Commerce ('ICC') provides a range of dispute resolution procedures that may be considered 'amicable settlements'. 3 The principle amicable settlement procedure at the ICC appears to be mediation, which is described as a 'flexible and consensual technique in which a neutral facility helps the parties reach a negotiated settlement of their disputes.' According to the ICC, such settlements achieved through mediation are contractually binding and widely enforceable. The World Trade Organization ('WTO') uses amicable settlements as 'mutually agreed solutions', which constitutes a 'negotiated solution' between the involved parties that allows for swift and tailored solution of a dispute. 4 Moreover, the European Union Intellectual Property Office ('EUIPO') refers to amicable settlements as a 'process outside of the court resulting in

4 Wolfgang Alschner, Amicable Settlements of WTO Disputes: Bilateral Solutions in a Multilateral System, World Trade Review, Volume 13 (1), 2014, p. 65-102.

a solution negotiated between the parties […] through mediation'. 5 The European Consumer Center ('ECC') also refers to amicable settlements 6 as a form of 'alternative dispute resolution procedures', as laid down in the Directive on alternative dispute resolution for consumer disputes 7 , as procedures that are 'provided by neutral out-of-court bodies such as conciliators, mediators, arbitrators, the ombudsman and complaints boards', 8 and in which 'consumers and businesses attempt to resolve a dispute jointly […] by hearing both parties, examining the legal situation, discussing possible solutions and finally making a proposal for arbitration'. 9

6. All in all, it appears that amicable settlements generally refer to alternative dispute resolutions through proceedings that result in the cordial closure of a case. Whereas a settlement between the parties is the outcome, the proceeding itself follows an amicable approach. The procedures can range from party-to-party negotiations to formal mediations and even facilitated conciliation practices.

2.2 GDPR context

7. In the context of complaint handling by data protection authorities, most Member States see amicable settlements as a process of 'alternative dispute resolution'. In most cases, the amicable settlement is facilitated where a complaint is lodged with the SA concerning the alleged violation of the GDPR, in particular concerning data subjects' rights, to resolve the case in the data subjects' favour. In such cases, the settlement is to be reached between the controller and the data subject, under the supervision of the SA, which moderates the course of events. Thus, the SA acts as a sort of facilitator of the process aimed at settling the complaint. The SA, unlike an actual 'mediator', takes an active part in the proceeding as it still has to fulfil its obligations as SA and is therefore required to handle the complaint, to investigate the subject matter of the complaint with its specifics to an appropriate extent, and to inform the data subject on the progress or the outcome regarding the complaint.
8. Given the relative silence of the GDPR on amicable settlements, which alternative dispute resolution process is followed and the requirements and conditions that govern that process, will largely depend on each particular Member State's law and policy. An analysis of standing practice shows that, when dealing with amicable settlements, the majority of the national legal systems include the receiving SA, the controller (or processor) and the data subject in the proceeding, as well as, if applicable, also the Lead Supervisory Authority (LSA).
9. It should be noted that in some Member States, the data subject is not a party to the administrative

proceedings against the controller. In such Member States, the SA may use a similar dispute resolution process to what is described in these Guidelines and close a case if it deems that the controller has fulfilled the claims, but without hearing the data subject. Such resolution processes will however not be addressed in these Guidelines.

10. Amicable settlements are mainly regarded to be possible at any stage of a proceeding, even though some SAs indicate that they are only possible in the early stages of case consideration, before any other action has been taken. In some Member States, amicable settlements are only applicable in local cases, due to the fact that the GDPR uses this term only in Recital 131, where an approach by the Concerned Supervisory Authority (CSA) in local cases is described accordingly. However, the majority of the SAs declare the instrument of an amicable settlement permissible in any kind of cases, regardless of their cross-border or otherwise local nature.
11. Regarding Recital 131, the scope for such agreements is limited to cases in which the CSA receiving the complaint finds that the concrete subject matter or the possible infringement concerns only processing activities of the controller or processor in the Member State where the complaint has been lodged, or (likely) does not substantially affect data subjects in other Member States. The choice whether to seek an amicable settlement should then include, as the Recital states, (i) the specific processing carried out in the territory of the Member State or with regard to data subjects on the territory of that Member State, (ii) processing that is carried out in the context of an offer of goods or services specifically aimed at data subjects in the territory of the Member State, or (iii) processing that has to be assessed taking into account relevant legal obligations under Member State law. Legislations explicitly allowing amicable settlements, on the other hand, may not be limited to these requirements.
12. In principle, the choice whether an amicable settlement may or may not be pursued depends on Member State law and/or the discretion of the SA involved. Regarding the criteria on the basis of which cases may be considered appropriate for amicable resolution, such criteria could on the one hand include the manner in which the SA has come to know of the case. The procedure of an amicable settlement could therefore only be deemed applicable in cases where a complaint has been lodged.
13. Amicable settlements should in general only be considered possible in cases concerning the data subjects' rights laid down in Articles 12 et seq. of the GDPR, given that only then the data subject can dispose of his or her own rights as a party to the settlement. However, with due regard to national legislation of individual Member States, such decision is subject to the discretion of the SA as it has to assess the broader picture of the individual case.
14. On the other hand, the factual circumstances of the case could be decisive. Such special circumstances under which it is determined whether an amicable settlement may or may not be conducted can be governed by national regulations, whereas the GDPR remains silent on the matter (apart from Recital 131). In practice, the following general criteria could guide the SA in taking the decision to initiate an amicable settlement procedure: There is a likelihood for the case to be solved amicably at all; only a limited amount of data subjects is affected and whether or not there is a systemic failure

recognisable; 10 the data protection violation is incidental or accidental (in the sense of negligence); the case involves the processing of a limited number of personal data; the effects of the violation are not of serious duration and nature (meaning that there are no severe consequences or infringements of freedoms and rights). Moreover, the likelihood of further violations in the future might be a determining factor. In addition, the broader societal significance and public interest of enforcement action on the part of the SA, also in light of any identified areas of special vigilance, as well as the extent to which an SA is able to take effective and efficient action can be decisive.

Example 1:

A controller or processor accepts to provide any information requested by a supervisory authority to resolve a complaint, such as clear proof that it has complied with Articles 33 and 34 of the GDPR in case of a personal data breach. The reason why the request was not fulfilled right away (in line with Article 12 GDPR) was based on a discrepancy in the internal communication process.

15. Notwithstanding, it is important to note that any SA has the right to further investigate the issue even after an amicable settlement has been reached, albeit in a different or other procedure on own volition. The authority may continue the proceedings ex officio if, for example, it considers that a fine should be imposed or receives other similar complaints about the same controller, leading to the conclusion that the controller has not fulfilled their commitment to remedy data protection violation(s), or if the complaint and/or the investigations reveal other, possibly systemic infringements that may have wider consequences or impacts on other data subjects. The same applies when the amicable settlement concerns only parts of a complaint, whereas other or additional issues of the case are handled otherwise. Furthermore, an amicable resolution does not preclude the data subject from reverting to the SA, should it turn out (later) that the data controller did not comply with their resolution as agreed. These circumstances should be communicated in a clear and transparent way to the controller and to the complainant before an amicable settlement is reached.

Example 2:

The data subject makes a complaint that a controller is seeking a passport as a means of identification in order to delete an account held by the data subject on the controller's platform. The SA deems the individual complaint suitable for attempted amicable settlement, in that the data subject may be satisfied if the demand for a passport is rescinded, and the account deleted. However, the SA opens an own-volition inquiry in to the controller's policies around data processing in respect of platform accounts, in order to ensure that the controller brings its policies into compliance with the provisions of the GDPR.

2.3 The aim of amicable settlements in general

16. In addition to reaching an outcome which is satisfactory for the data subject, amicable settlements are tools to achieve compliance with the GDPR by the controller. In case a complaint is lodged because a

10 Cf. Example 2 below regarding this criterion.

controller has not fulfilled the data subject rights pursuant to Articles 12 to 22 GDPR, the enforcement of data subject rights can be expedited by an amicable arrangement between the actors. The yardstick against which the successful amicable resolution of the complaint is measured should include two elements: on the one hand, the satisfaction of the data subject achieved in the specific case in relation to the specific issues raised in the complaint and, on the other hand, where applicable and required by national law, the proof provided by the controller to the SA that it has met the data subject's requests and complied with the applicable data protection requirements. However, the SA should determine in practice, and by having regard to the circumstances of the case and to the given cooperation with other SAs involved in the case, whether the amicable settlement is enough to achieve full compliance with the GDPR in the light of the legal issues surrounding or arising from the individual complaint against the individual controller.

17. Thus, amicable settlements should be understood broadly as one of the options for an SA to address data subjects' complaints and ensure the protection of data subject rights. At the same time, it must be recognized that amicable settlements may not be an appropriate solution for every case. While it is for the SAs themselves to determine whether an amicable settlement may or may not be pursued in a given case, such assessment must be carried out on the basis of structured, uniform, transparent and explainable criteria, such as the ones mentioned in paragraph 12 et seq., and taking into account provisions of national law, where existent.
18. The SA's corrective powers are of paramount importance for the enforcement and maintenance of the high level of protection which the GDPR seeks to create for all data subjects, who are often in a difficult or even dependent position vis-à-vis the controller. Resolving a dispute through the procedure of amicable settlements with an SA handling the process comparable to a facilitator can then be a way to address and handle such imbalance and to find a solution that is acceptable for each party, especially the data subject as regards the fulfilment of his or her rights.

3 GENERAL LEGAL ANALYSIS

3.1 The power to reach an amicable settlement as one of the powers vested in SAs

19. An amicable settlement procedure finds its legal basis in the tasks directly conferred on SAs by the GDPR (Article 57(1)(a) and (f) GDPR) and additionally in the powers granted to SAs by a national law within the framework of Article 58(6) GDPR, where this exists.
20. In the first case, Article 57(1)(a) and (f) GDPR generally apply, providing sound foundations for a SA to seek all possible avenues to 'handle' complaints (see paragraph 1(f) of Article 57) and 'enforce' (see paragraph 1(a) of Article 57) the application of the Regulation as appropriate. Article 57(1)(f) read in conjunction with Article 77 and 78 implies an individual right to have every complaint (if admissible) handled and investigated to the extent necessary to reach an outcome appropriate to the nature and circumstances of that complaint. However, it falls within the discretion of each competent supervisory authority to decide the extent to which a complaint should be investigated. An outcome could e.g. be

that the parties to the complaint through the intervention of the SA have settled the case amicably.

21. SAs may, in the second scenario, be empowered by Member States to exercise additional powers pursuant to national law, as per Article 58(6) GDPR. The specifics of operational case handling matters for a SA (including a LSA) to reach an amicable resolution are to be found in these national provisions.

3.2 The amicable settlement procedure in the OSS context

22. In order to assess the role of the amicable settlement in the context of the OSS procedure, reference can be made in the first place to the rationale of such procedure as set out in Article 60(1) GDPR. As clarified in the EDPB Guidelines 02/2022 on the application of Article 60 GDPR 11 , 'Article 60(1) lays down basic and overarching principles, which apply throughout the entire cooperation between SAs. In accordance with the wording of this Article, the key concepts of the cooperation procedure consist of 'an endeavour to reach consensus' and the obligation to 'exchange all relevant information'.' Furthermore, '[…] these obligations are to be complied with by the LSA and every CSA (mutual obligation).'

3.2.1 Amicable settlement achieved by the complaint-receiving CSA in the preliminary vetting phase

23. The EDPB wishes to point out that although amicable settlement is only mentioned in the context of Recital 131, seeking for an amicable settlement may also be a good practice when an SA is handling a case that does not fulfil the conditions laid down by Article 56.2 GDPR, depending on the national procedural legislation.
24. Recital 131 as such does not prevent the CSA receiving a complaint from attempting, as part of the preliminary vetting, to seek such a settlement in addition to establishing the 'fully" cross-border nature of that complaint. Nevertheless, the specific approach may depend on whether the controller has an establishment on the territory of that receiving SA or not. As already clarified in Section 2, an inherent feature of amicable settlement is the mutual satisfaction of the parties involved, most particularly the complainant. If this is the case and the CSA can objectify such a satisfaction in advance, in the vetting phase of the complaint, after e.g. the controller complied with the data subjects rights request to the satisfaction of both the data subject and the receiving SA, the receiving SA should no longer inform the LSA of the case through an Article 56 IMI notification, as the object of the complaint is no longer present. Accordingly, there is no need to start an OSS procedure by uploading the case to the IMI.
25. According to Recital 125 the LSA is generally competent for adopting any legally binding decision on the relevant controller or processor in an OSS context. Moreover, under Article 56(6) GDPR, the LSA is the 'sole interlocutor' of the controller/processor for the cross-border processing in question. Therefore, the receiving SA should communicate the case and outcome to the LSA at an appropriate

time, for instance on a quarterly basis (i.e.: through the voluntary mutual assistance), in line with the cooperation requirement that is inherent in the whole OSS mechanism, in order for the LSA to be able to take any action it deems appropriate in respect of the given controller.

26. This means that the LSA should be kept informed about the successful amicable settlements achieved by the CSA in such a preliminary phase, also in aggregate format. More specific guidance in this respect is provided in Section 4 below ('Recommendations').
27. Needless to say, there are cases where the settlement achieved by the CSA with the controller/processor may be only a partial one, i.e. not all the requests are granted, so that the involvement of the LSA becomes indispensable with a view to providing all the remedies envisaged by the GDPR to the data subject.
28. LEGAL CONSEQUENCES: The amicable settlement that a CSA is empowered to achieve as part of the preliminary vetting activity in respect of the received complaint may make it unnecessary to initiate an Article 60 procedure insofar as the settlement achieved is to the full satisfaction of the parties involved. If this is not the case and due to the principle to the right to good administration in Art. 41 EUChFR which also applies to OSS cases, the LSA should then consider the reasons why the amicable settlement could not be reached within the preliminary phase by the CSA and decide whether another attempt could lead to a conclusion of the complaint within a reasonable time.

3.2.2 Amicable settlement attempted by the LSA

29. Where the LSA decides to attempt an amicable settlement after receiving the case, a key requirement to be met stems, once again, from the rationale of the OSS cooperation procedure, i.e. the need for CSAs and LSA to cooperate in an endeavour to reach consensus.
30. It is important to state that the EDPB acknowledges that, in any stage of the proceeding, the LSA is at liberty to give a formal hearing to the data subject (through the complaint-receiving CSA as interlocutor) and, with the agreement of all parties involved (e.g. the data subject, the controller, the CSA(s) and possibly third parties), to close a case after the alleged infringement has been rectified even in the absence of specific domestic regulation. The LSA may do so if it considers the information gathered from the case investigations sufficient to bring the case to such form of closure. This form of settlement could be understood as a due diligence approach due to the margin of discretion in determining the conditions and requirements in case handling, as it provides a solution that enables SAs to maintain the high level of protection that the GDPR seeks to create by recognising that some cases can be solved efficiently by facilitating interaction between the parties. It can carry advantages for the complainant, whose rights under the GDPR are vindicated swiftly, as well as for the controller, who is provided the opportunity to bring its behaviour into compliance with the GDPR.
31. This means that the LSA should be mindful of the need to keep the CSAs in the loop at all stages of the proceeding. Indeed, whilst the LSA is unquestionably the sole interlocutor for the controller involved

(see, again, Article 56(6) GDPR), the complainant has his or her one-stop-shop in the competent CSA that received his or her complaint.

32. This mutual exchange of information is also a means to ensure compliance with due process and the right of the complainant to be heard in the procedure attempted by the LSA, partly with a view to submitting his or her views on top of the information already provided by the CSA. This is where the LSA's role is key in acting as the facilitator of the whole process through the exchange of information and documents with the CSA. It should also be recalled that the LSA's discretion in handling the complaint by way of an attempt at achieving an amicable settlement between the data subject and the controller is bound to be impacted by the information and documents exchanged under Article 60(1) GDPR, especially if the CSA has already unsuccessfully attempted such an amicable settlement in the vetting phase.
33. Indeed, the LSA choosing the amicable settlement as a way to resolve the dispute with the controller should be mindful of the likelihood for such an approach to lead to a successful outcome, i.e. to the vindication of the data subject's rights, in the light of all the relevant circumstances, including the expectations of the CSA that has transferred the complaint to it under the requirements of Article 56(1) GDPR. Where a CSA communicates under Article 60(1), in particular, that such an attempt has already been made unsuccessfully in the vetting phase, whether on account of the data subject's refusal to accept the settlement with the controller or on account of the controller's failure to reply to the CSA's invitation to comply with the data subject's request, the LSA should consider very carefully whether a new attempt to settle the complaint amicably does serve the interests of the data subjects, and data protection law in general. A more formalised approach in which the LSA exerts all its authority vis-à-vis the controller also under Article 58 GDPR might be the preferable action. The same applies if the CSA has made no such attempt prior to transferring the complaint to the LSA, on whatever grounds, and has accordingly communicated nothing in this respect to the LSA. In both cases, the attention paid by the LSA to the likelihood for success of the amicable settlement option will enable the LSA to select the most appropriate way for tackling the case at hand, reducing unnecessary administrative burden and avoiding the risk of resource intensive OSS procedures to address the concerns and doubts, or even the reasoned and relevant objections, of the CSA(s).
34. If the LSA comes to the conclusion that an amicable settlement is appropriate in the case at hand, it will have to consider that the settlement is part of an OSS procedure and will have to act accordingly. The EDPB has already clarified in the Article 60 Guidelines, that 'in order to facilitate the reaching of consensus, the information should be shared at a moment where it is still possible for the LSA to take on board the viewpoints of the CSAs. This […] should prevent CSAs from being presented with accomplished facts, for example because certain stages of the proceedings may be precluded under national law.' 12
35. In the context of an amicable settlement procedure, this means that the LSA is expected to share the

proposed settlement with the CSA(s) prior to finalising it, pursuant to Article 60(3), first sentence. As pointed out by the EDPB in the Article 60 Guidelines, '[…] the CSAs' involvement in the cooperation procedure is not limited to the right to express a relevant and reasoned objection pursuant to Article 60(4). In particular, before the creation of the draft decision the CSAs should be able to contribute to the overall procedure and may express their views also before the creation of the draft decision.' 13

36. Clearly it is left to the LSA's discretion, in light of all the factors mentioned in the foregoing paragraphs, to establish whether an informal consultation of the CSA(s) is indeed necessary in the case at hand. As recalled above in paragraphs 12 et seq., the features of the complaint lending itself to be settled amicably may arguably enable the LSA and the CSA, based also on the information exchanged beforehand under Article 60(1) at the time the complaint is transferred to the LSA, to already form their views as to the possibility of settling the complaint to the full satisfaction of the complainant by removing the cause of the dispute at its root. In such a case, the LSA may well determine that the settlement of the complaint can be directly the subject of the draft decision to be submitted under Article 60(3) GDPR. Where the CSA communicated that no settlement was achieved successfully by it in the vetting phase or that it simply did not attempt any settlement prior to transferring the case to the LSA, the LSA should conversely be mindful of the consensus objective of the OSS procedure and seek such an informal consultation of the CSA(s) beforehand to assess whether an (or another) attempt could lead to a conclusion of the complaint in a reasonable manner.

37. Ultimately, the LSA will be required to submit a draft decision to the CSAs setting out the terms of the settlement (including the steps demonstrably taken by the data controller/processor to grant the requests made by the complainants to their full satisfaction) in accordance with Article 60(3) GDPR. As clarified in the Article 60 guidance, the LSA is required to submit a draft decision to the CSAs in all cases, also when complaints are withdrawn by the complainant after the Article 60 procedure has been initiated or where no material (final) decision is issued according to national law. 14 The same applies when cases are (only) deemed to be withdrawn, e.g. following national law. In such a case, the draft decision serves as a final coordination between all supervisory authorities involved in the OSS procedure. 15

38. As stated above, the draft decision will serve to consolidate the settlement achieved by the LSA with the agreement of the CSAs. It will be a 'sui generis' decision finding that the complaint has been settled by the LSA with the mutual satisfaction of the parties involved (particularly data subject, data controller), whereby such satisfaction will have to be signalled in line with the requirements of the LSA's national law, and that the handling of the case will be terminated accordingly. Indeed, the complaint is neither dismissed nor rejected by the LSA, but it is not granted either; the amicable settlement achieved represents from this standpoint a different outcome to terminate the complaint handling procedure in the OSS context by way of an agreement between the parties that eliminates the cause of the litigation through the action taken by the LSA.

39. With the formal submission of such an instrument as necessitated by the OSS procedure for legal certainty and transparency reasons, the 4-week period for reactions by the CSA(s) pursuant to Article 60(4) GDPR will start. In this respect, it should be emphasized that if proper exchange of information took place before the submission of the draft decision as explained in the foregoing paragraphs, and the CSA(s) never indicated any doubts that the complaint could be settled amicably, also in the spirit of cooperation, they should carefully consider whether they intend to raise objections to the finding of the achieved settlement.

40. This is not to say that CSAs are barred from raising reasoned and relevant objections in these situations; however, the whole rationale of an amicable settlement lies in achieving substantiated satisfaction of the data subject (and the controller) timely and on the basis of a mutual agreement whose chance of success in the OSS context is gauged by the LSA in the light of several factors as recalled above. All in all, reasoned and relevant objections should be exceptional in amicable settlement cases, if the consensus objective has been taken into due account by the LSA in handling the procedure; thus, rounds of revised draft decisions and/or dispute resolutions could (and should) be avoided.

41. If there are no (longer) reasoned and relevant objections, the procedure leads to the situation under Article 60(6), i.e. the draft decision will become binding on the LSA and the CSAs. Subsequently, as per Article 60(7), the lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be including a summary of the relevant facts and grounds. The CSA with which the complaint had been lodged shall inform the complainant on the decision.

42. It was explained in paragraph 15 above that the amicable settlement is not intended necessarily to cover the whole of the subject matter of a complaint, i.e. there may be parts of a complaint that the LSA does not find amenable to being settled amicably. As already pointed out in paragraphs 33 et seq., this would probably require that LSA to carefully consider whether an amicable settlement is at all appropriate even for the other parts. Nevertheless, should the LSA find that it is appropriate to settle certain parts of a complaint and proceed with handling the remaining queries by way of a 'standard' (i.e. non-amicable) approach, this will clearly reflect on the whole procedure and its outcome.

43. The different options at issue in such a composite situation will have to be represented to the CSAs prior to uploading the draft decision, which will then have to contain reasoning as to which aspects of the complaint were settled finally by way of the amicable settlement and which aspects led the LSA to dismiss or reject, or else grant, the data subject's requests. For the latter aspects (i.e. partial rejection/dismissal), the subsequent steps of the OSS procedure will be regulated by Article 60(9) GDPR. The LSA may also decide that those other parts of the complaint will need to be investigated further, and may therefore propose different solutions to the CSA(s), including the opening of a separate own volition procedure for those parts; this will have to be referenced clearly in the information accompanying the draft decision as well.

Example 3:

In a complaint received and vetted by the CSA the data subject alleges that the controller did not reply to his request to exercise his right of access to his personal data under Article 15 GDPR and accordingly did not enable him to request rectification under Article 16 GDPR of what he believes is inaccurate information held concerning him. The CSA did not attempt to settle the complaint amicably. The LSA receiving the complaint from the CSA considers that there is room for attempting an amicable settlement in light of the relevant features; it then informs the CSA of its intention to do so and receives the assent of the CSA (which will have contacted the complainant in this respect). The LSA contacts the controller and invites it to comply with the requests. The controller complies with the access request, however it does not intend to rectify the information held on the complainant on account of a payment claim that is pending against the complainant on the basis of such information. The LSA submits a draft decision to the CSA containing a short description of the case, the proposed settlement of the access request and the relevant terms; at the same time, the LSA informs the CSA that a separate case will be opened to investigate the rejection of the complainant's rectification request by the controller. In the absence of reasoned and relevant objections by the CSA, the LSA will adopt the decision on the amicable settlement of the access request and notify it to the controller whilst the CSA will inform the complainant thereof in pursuance of Article 60(7), second sentence, of the GDPR.

3.2.3 Cases under Article 56(2)

44. A derogation from the OSS rule is represented by the so-called 'local case' situation under Article 56(2) GDPR. Reference can be made in this respect, as already pointed out 16 , to Recital 131 which mentions the 'amicable settlement' in connection with cross-border 'processing activities' having local impact.
45. Indeed, Recital 131 has to be taken also into account if the case has been found to be handled locally, i.e. by the CSA that has received the complaint, under Article 56(2). Underpinning the options that SAs have when it comes to case handling in such cases, Recital 131 serves as an interpretation aid. CSAs are expressly invited to seek amicable settlement ('should seek an amicable settlement with the controller') when there is a case with sole local as well as minor impacts. Thus, Recital 131 suggests that a CSA should preferably seek an amicable settlement in 'local cases' (if at all feasible, again in the light of the conditions set out in paragraphs 11 and 12).
46. As already pointed out, since cooperation in the OSS context is aimed at reaching 'consensus' and requires that 'all relevant information' be exchanged between CSA and LSA, the LSA must be informed of the settlements achieved, if any, as the 'systemic' features of the infringement or non-compliance underlying the complaint can only be assessed in full by the LSA.
47. The EDPB recalls, whilst the complainant may be satisfied with the settlement, in particular because access was granted in full, their data were rectified as requested, or erasure of their data took place, that settlement as reached by the CSA does not exhaust the remedies available to the LSA. Indeed, irrespective of whether an amicable settlement has been reached, the LSA has the option of initiating

16 See paragraphs 23 and 24.

an official investigation (ex officio) in this case, whereupon the entire OSS procedure is then activated in accordance with Article 60 GDPR. The LSA may decide in all cases to investigate and take corrective measures, including fines, against that controller's main establishment in cases of repeated infringements or of non-compliance with data subjects' requests as communicated, inter alia, by other CSAs in similar circumstances.

48. In the context of an Article 56(2) procedure, the CSA should provide relevant information to the LSA as well as consider mutual assistance, and should put in place measures for effective cooperation, including information on the outcome of the settlement and/or of the results of the exercise of its full range of powers under Article 56(5) GDPR.

4 LEGAL CONSEQUENCES AND PRACTICAL RECOMMENDATIONS

4.1 Application of the principle of good administration to the amicable settlement procedure in the OSS context

49. The amicable settlement procedure in the context of the OSS as outlined above 17 should be read in light of the general principle of the right to good administration - and in line with the general principle of due process as recalled in Recital 129 and Article 58(4) GDPR: That is to say, the amicable settlement procedure, being applied by an SA empowered to deploy this type of administrative remedy, should respect the principle of good administration and due process in all cases. 18
50. When it receives a complaint, the CSA, in the first step, has to clarify its specific role 19 according to Articles 55 and 56 GDPR. The importance of the 'vetting' phase following the submission of a complaint to an SA should be emphasized in this respect 20 , regardless of the route or pathway that the particular case takes afterwards as the relevant elements shall be included in the file from an early date.
51. In the second step, the case in question must also be considered from the point of view of the parties involved, namely the data subject who lodged the complaint, the controller(s) and possible processor(s). Their relationship and the nature of the complaint will determine whether an amicable settlement can lead to a solution, namely the controller's compliance with the GDPR and satisfaction of the data subject. Last but not least, the outcome of such procedures for each SA and the legal consequences for the parties involved will have to be examined in more detail to assess whether a case is in the end suitable for an amicable settlement.

17 See Part 3 'General legal analysis'.

19 Lead or concerned Supervisory Authority ex Art. 56(1) GDPR.

18 Which entails, as a minimum, the right of every person to be heard, before any individual measure which would affect him or her adversely is taken; the right of every person to have access to his or her file, while respecting the legitimate interests of confidentiality and of professional and business secrecy; the obligation of the administration to give reasons for its decisions.

52. If an amicable settlement is reached to the full satisfaction of all the parties concerned (objectified in the manner recommended in the preceding section) within the preliminary vetting process (aimed also, though not exclusively, to assess the applicability of Article 56(2) GDPR), the CSA where the complaint was lodged should not pass on the complaint to the assumed LSA (e.g., through an Article 56 IMI notification), as the object of the complaint is no longer present (cf. paragraph 24).
53. However, the receiving SA should communicate the case and the outcome to the LSA at an appropriate time, for instance on a quarterly basis (e.g., through the Voluntary Mutual Assistance procedure). This is meant to enable the LSA to fully discharge its role as 'sole interlocutor' (for all intents and purposes) of the controller/processor at issue (see Article 56(6) GDPR). If the CSA, in the course of the preliminary vetting phase, does not manage to achieve an amicable settlement at all or only a settlement regarding parts of the complaint lodged with it and notified to the LSA, this information regarding the unsuccessful settlement should in any case be passed on to the LSA being unquestionably 'relevant information' in the sense of Article 60(1) GDPR.

4.2 The cooperation procedure following an amicable settlement achieved by the LSA

54. The amicable settlement procedure should respect the conditions recalled, in particular, in the GDPR (Article 60, Recitals 129 and 143) as it has to result in a decision by the competent SA (the LSA, in an OSS context), after this decision has been found within the cooperation procedure. Reference should be made in this regard to the analysis on the rationale and contents of the draft decision to be submitted by the LSA, as contained in the Article 60 Guidance 21 (see paragraphs 109-111 in particular).

55. Accordingly, the amicable settlement achieved in the OSS context regarding a complaint requires a decision by the LSA in accordance with Article 60(3) GDPR as this is an obligation imposed on the LSA in all cross-border processing cases. It will be a 'sui generis' decision finding that the complaint has been settled by the LSA with the mutual satisfaction of the parties involved (particularly data subject, data controller).

56. An amicable settlement could be considered as the use of some of the SA's powers which do not imply the corrective powers referred to in Article 58(2). Nevertheless, as stated above (see paragraphs 15 and 43), depending on national law the LSA might not be prevented from using such powers even in amicable settlement cases.

57. Accordingly, the draft decision should include the following information:

58. o that the complaint was settled amicably, in whole or in part,

59. o the reasons underlying the decision to seek an amicable settlement in the specific case,

60. o the scope of the amicable settlement in light of the overall issues addressed in the complaint,

61. o that the handling of the specific complaint will be terminated.

62. The draft decision may also indicate that the alleged infringement was remedied and how this was done.

63. Furthermore, if applicable, the draft decision and/or the relevant information given to the CSA(s) may include information about any intended corrective measures, which may especially be the case when the amicable settlement was only reached in part.

64. In all cases the LSA should inform the data subject of the consequences of the amicable settlement in a comprehensive way, in particular that the settlement will result in termination of the handling of the complaint. This information on the scope of the amicable settlement and its consequences must be conveyed by way of the CSA, which is the key interlocutor for the data subject in the whole process. To that end, the informal procedures developed as part of the IMI-mechanisms can be used, in particular an Art. 60 'Informal Consultation' procedure or an Art. 61 'Voluntary Mutual Assistance' procedure can be launched by the LSA in order to convey the proposed outcome of the case and obtain views from the CSAs involved before moving to the formal circulation of a draft decision.

65. As in the majority of Member States an amicable settlement applies only to the parties to the complaint (data subject, controller/processor, and, if applicable, also SA), and the controller or processor commits to a remedy of the infringement and the implementation of measures to ensure compliance with the GDPR, the scope of the settlement may only cover parts of the complaint. In this case, the remaining parts are subject to the LSA's further investigation and decision.

4.3 Amicable settlement in Article 56(2) cases

62. Regarding amicable settlements in cases where a CSA handles a complaint under Article 56(2) (i.e., as a local case) 22 , the SA should be mindful of the need for transparency and consistency that underlies the whole OSS system, and should therefore take care to provide regular (if aggregate) information to other SAs regarding such cases.
63. In particular, the CSA should inform the LSA about the settlement (if any) as outcome of the local case, through the IMI system. Since the settlement may only cover part of the complaint handled locally by the CSA, the CSA may take additional (including corrective) measures with regard to such remaining parts that have not been settled to the satisfaction of the parties in the manner described above. The CSA must inform the complainant according to Article 77(2) that the remaining parts of the complaint will be processed.

ANNEX 1: RELEVANT STEPS WHEN HANDLING A CASE VIA AMICABLE SETTLEMENT

64. The following check list intends to describe the concrete steps when handling cases that may be suitable for an amicable settlement. The check list is therefore not to be understood in the sense of a 'yes/no' chart showing different consequences, but rather as an overview of the concrete different stages in the proceeding as well as of the relevant steps to take as a best practice. While section 1) is to recall the basic facts of the case, not ticking one of the boxes in sections 2) to 5) could lead to the authority having to take further steps.

Checklist: Steps in handling a case via amicable settlement

1) Background of the case

• GLYPH<UNKNOWN> How has the proceeding been started?

• • Complaint □

• • Media reports, ex officio investigations, etc. □

• • Hints from third persons concerned □

• GLYPH<UNKNOWN> What is the nature of the case?

• • Local case (Article 56(2) and Recital 131 GDPR) □

• • Cross-border processing case □

• GLYPH<UNKNOWN> Case suitable for amicable settlement, because (cf. paragraph 14)

• o limited amount of data subjects affected □

• o systemic failure not recognisable □

• o incidental or accidental data protection violation □

• o limited number of personal data □

• o effects of the violation not of serious duration/nature □

• o likelihood of further violations in the future □

• o no/little societal significance/public interest □

• o …

2) Early Cooperation with other SAs (where applicable)

• GLYPH<UNKNOWN> Effects of any action already taken in the procedure (e.g. for the LSA, if applicable: Has the CSA already attempted an amicable

settlement in the preliminary vetting?)

……………………………………………………………………………………………………………………

• GLYPH<UNKNOWN> LSA consulted (where applicable) □

• • Translated Version of complaint □

• • Previous communication between data subject and controller □

• • Other important information □

• GLYPH<UNKNOWN> Other CSA(s) consulted □

• • Translated Version of complaint □

• • Other important information □

3) Consultation of all concerned parties at an early stage

• GLYPH<UNKNOWN> Data subject □

• • General information according to Article 77(2) GDPR provided □

• • General interest in an amicable resolution □

• • No other reasons for specific treatment of the case □

• • This information has been shared with the involved CSA and, where applicable, the LSA □

• GLYPH<UNKNOWN> Controller/processor □

• • An official hearing has taken place □

• • The controller/processor is willing to establish compliance to legal requirements □

• • There is a chance to gain compliance within an appropriate time frame □

• • This information has been shared with the involved CSA and, where applicable, the LSA (e.g. via informal consultation) □

• GLYPH<UNKNOWN> Third party (where applicable) □

• • No rights of a third party affected □

• • There are no rights of third parties precluding an agreement (e.g. because granting the complainant's request for access impacts the data protection rights of a third party) □

4) Has an amicable settlement been reached?

• GLYPH<UNKNOWN> Satisfaction of the data subject demonstrated □

• • The infringement for which you have been notified is remedied □

• • No objections from the data subject □

• • The data subject came back to you in an appropriate time frame □

• GLYPH<UNKNOWN> The controller/processor provided proof of compliance □

• GLYPH<UNKNOWN> Where applicable: The LSA/CSA was provided with this information □

5) Does the final decision comply with Article 60 GDPR (in OSS cases)?

• GLYPH<UNKNOWN> The decision contains all relevant information (cf. paragraphs 57 et seq.) □

• GLYPH<UNKNOWN> The (if applicable: revised) draft decision has been circulated via IMI □

• • The draft decision has been sent □

• • There have been no reasoned and relevant objections □

• There have been reasoned and relevant objections, but all of them could be overcome □

• GLYPH<UNKNOWN> The final decision has been circulated via IMI

• The controller/processor has been notified of the decision □

• The data subject has been informed of the decision □

ANNEX 2: COUNTRIES WHERE AMICABLE SETTLEMENTS ARE NOT POSSIBLE IN ACCORDANCE WITH THE NATIONAL LEGISLATION

65. The following countries have indicated that amicable settlements are not possible in accordance with their national legislation:
66. -Cyprus
67. -Czech Republic
68. -Denmark
69. -Estonia
70. -Finland
71. -France
72. -Greece
73. -Malta
74. -Poland
75. -Portugal
76. -Slovakia
77. -Slovenia
78. -Spain
79. -Sweden

---

Footnotes

1. References to 'Member States' made throughout these Guidelines should be understood as references to 'EEA Member States'.

2. Recital 131 : ' 1 Where another supervisory authority should act as a lead supervisory authority for the processing activities of the controller or processor but the concrete subject matter of a complaint or the possible infringement concerns only processing activities of the controller or processor in the Member State where the complaint has been lodged or the possible infringement detected and the matter does not substantially affect or is not likely to substantially affect data subjects in other Member States, the supervisory authority receiving a complaint or detecting or being informed otherwise of situations that entail possible infringements of this Regulation should seek an amicable settlement with the controller and, if this proves unsuccessful, exercise its full range of powers. 2 This should include: specific processing carried out in the territory of the Member State of the supervisory authority or with regard to data subjects on the territory of that Member State; processing that is carried out in the context of an offer of goods or services specifically aimed at data subjects in the territory of the Member State of the supervisory authority; or processing that has to be assessed taking into account relevant legal obligations under Member State law. '

3. https://iccwbo.org/dispute-resolution-services/mediation/icc-international-centre-for-adr/.

4. EUIPO, Decision No. 2013-3 of the Presidium of the Board of Appeal of 5 July 2013 on the amicable settlement of disputes ('Decision on Mediation'), https://euipo.europa.eu/ohimportal/en/mediation#.

5. https://europa.eu/youreurope/citizens/consumers/consumers-dispute-resolution/informal-disputeresolution/index\_en.htm

6. Directive 2013/11/EU on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC

7. https://europa.eu/youreurope/citizens/consumers/consumers-dispute-resolution/out-of-courtprocedures/index\_en.htm

8. E.g. the German equivalent website https://www.evz.de/einkaufen-internet/odr-adr/beratungschlichtung.html

9. Paragraphs 37 and 38 of the EDPB Guidelines 02/2022 on the application of Article 60 GDPR.

10. Paragraph 55 of the EDPB Guidelines 02/2022 on the application of Article 60 GDPR.

11. Paragraph 93 of the EDPB Guidelines 02/2022 on the application of Article 60 GDPR.

12. Paragraph 99 of the EDPB Guidelines 02/2022 on the application of Article 60 GDPR.

13. Paragraph 100 of the EDPB Guidelines 02/2022 on the application of Article 60 GDPR.

14. See WP244 rev. 01 and paragraph 50 of the EDPB Guidelines 02/2022 on the application of Article 60 GDPR.

15. EDPB Guidelines 02/2022 on the application of Article 60 GDPR.

16. Under Article 56(5) GDPR, the CSA 'shall handle [the case] according to Articles 61 and 62', i.e. by exercising its full powers (also pursuant to Article 56(1) GDPR).