The European Data Protection Board (“EDPB”), has just issued a consultation which aims to clarify and establish a common understanding of the notion of the terms “relevant and reasoned” under the General Data Protection Regulation (“GDPR”). With the cooperation mechanism set out by the GDPR, the supervisory authorities (“SAs”) must ensure that relevant information is exchanged with each other in order to reach consensus.
Article 4(24) of the GDPR defines “relevant and reasoned objection” as:
an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.
According the consultation the terms “relevant and reasoned” are evident in situations of exchange of information and consultation among the Lead Supervisory Authorities (“LSAs”) and the Concerned Supervisory Authorities (“CSAs”), with such terms being brought to attention, when the CSAs raise a relevant and reasoned objection within a timeframe of four weeks. In a situation where no consensus is reached between SAs, then Article 65 of the GDPR entrusts the EDPB with the power to adopt binding decisions. The EDPB must then ensure that when adopting a binding decision, it must determine whether the objection is “relevant and reasoned” and if so, on all the matters which are the subject of the objection.
The consultation stresses that objection submitted by a CSA should indicate each part of the draft decision that is considered deficient, erroneous or lacking some necessary elements, either by making reference to specific paragraphs or by other clear indication.
For the objection to be considered as “relevant”, there must be a direct connection between the objection and the draft decision at issue. More specifically, the objection needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR. There must always be a link between the content of the objection and such potential different conclusion, meaning that the objection is only relevant if it relates to the specific legal and factual content of the draft decision
For the objection to be “reasonable”, it must include clarifications and arguments as to why an amendment of the decision is proposed (i.e. the alleged legal/factual mistakes of the draft decision). It also needs to demonstrate how the change would lead to a different conclusion as to whether there is an infringement of the GDPR or whether the action in relation to the controller or processor complies with the GDPR. The CSA should also provide sound reasoning for its objection, in particular, by reference to legal arguments or factual arguments, where applicable. Moreover, an objection is “reasoned” insofar as it is able to “clearly demonstrate” the significance of the risks posed by the draft decision and it must put forward arguments or justifications concerning the consequences of issuing a decision without the changes proposed in the objection and how such consequences would pose significant risks.
The link to the consultation can be found here: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-092020-relevant-and-reasoned-objection_en
News update by Legal Trainee Mr Steve Vella.
For more information or assistance on Data Protection and related issues please contact Dr Ian Gauci and Dr Terence Cassar.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.