The General Data Protection Regulation is set to replace the Data Protection Directive effective May 25, 2018. The GDPR is directly applicable in each Member State and will lead to a greater degree of data protection harmonization across EU nations. The GDPR empowers data subjects to seek judicial relief for damages and file administrative complaints with supervisory authorities. The GDPR’s consistency mechanisms – encouraging supervisory authorities to cooperate and agree on infringement decisions, empowering the European Data Protection Board for dispute resolution, making final decisions binding – will ease burdens on controllers and processors doing business across Member States by offering more efficient enforcement solutions. This map consolidates the GDPR’s enforcement provisions into a visual tool, illustrating how supervisory authorities may pursue complaints administratively. The final installment of the IAPP’s Top 10 operational impacts of the GDPR series discusses the consequences for GDPR violations in more depth.
Data subjects can initiate complaints with courts of the appropriate Member State and with the supervisory authority of the Member State where they reside, where they work, or where the infringement occurred. This leaves open the possibility that a controller or processor could face both judicial and administrative proceedings for infringing the Regulation. (Article 77(1))
Data subjects may pursue judicial remedies against a supervisory authority, controller or processor to obtain compensation for any damages. Judicial actions are without prejudice to any other administrative or non-judicial remedy. (Articles 78, 79, & 82)
Data subjects may initiate a complaint in court against a supervisory authority when the supervisory authority does not handle a filed complaint or does not inform the data subject of the status of the complaint within three months. (Article 78)
Data subjects may initiate a complaint against a controller or processor in the courts of the Member State where it has an establishment when they believe lack of compliance by the controller or processor has infringed on their rights under the Regulation. (Article 79)
Data subjects may lodge a complaint with a supervisory authority without prejudice to any other administrative or judicial remedy when the data subject considers that the processing of personal data relating to them infringes the Regulation. (Article 77)
WAS THE COMPLAINT INITIATED WITH LEAD OR NON-LEAD SUPERVISORY AUTHORITY?
Because complaints can be filed by data subjects and supervisory authorities in Member States other than where the controller or processor has its main establishment, one must determine whether the complaint was filed with the “lead” supervisory authority or a “non-lead” supervisory authority. The lead supervisory authority is the supervisory authority of the Member State where the controller or processor has its main establishment or its only establishment. (Article 56) [see Article 4(16) and Recital (36)]. All others are referred to here as non-lead supervisory authorities.
A supervisory authority is competent to deal with a complaint if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State. (Article 56(2)) But first, it must notify the lead supervisory authority, which has three weeks to decide whether to delegate the case to the originating supervisory authority or to keep the case. (Article 56(3))
LEAD DELEGATES THE CASE AND NON-LEAD ISSUES DECISION
The supervisory authority processes the case according to Articles 61 and 62 requiring cooperation with any other concerned supervisory authorities and according to the specific rule for joint investigations and enforcement actions. (Article 56(5))
The lead must notify the controller or processor of the final decision. (Article 56(6))
The non-lead must notify the complainant of the final decision. (Article 77)
When the complaint is dismissed or rejected, the non-lead notifies the complainant; it is unclear whether the non-lead also notifies the controller.
If the lead takes the case, the non-lead can submit a draft decision to the lead which takes "utmost account" of the draft and coordinates with the lead and any other "concerned" supervisory authorities to prepare a decision. (Articles 56 & 60) That decision must be jointly agreed upon or it will be referred to the European Data Protection Board. (Article 60)
The lead must notify the controller or processor of the final decision. (Article 60) The non-lead must notify the complainant of the final decision. (Articles 77 & 60) When a complaint is dismissed or rejected in whole, the non-lead notifies the controller or processor and complainant of the dismissal or rejection. (Article 60(8)) When a complaint is dismissed or rejected in part, the non-lead notifies the controller or processor and complainant of the part concerning dismissal or rejection, and the lead notifies the controller or processor and complainant of the part concerning a decision. (Article 60(9))
DECISION IS NOT JOINTLY AGREED UPON AND EDPB RESOLVES ANY DISPUTES
If the decision is not jointly agreed upon, the European Data Protection Board resolves any disputes and issues a binding decision. (Articles 63, 64 & 65)
The lead must notify the controller or processor of the final decision. (Article 60) The non-lead must notify the complainant of the final decision. (Articles 77 & 60) When a complaint is dismissed or rejected in whole, the non-lead notifies the controller or processor and complainant of the dismissal or rejection. (Article 60(9))
When a complaint is dismissed or rejected in part, the non-lead notifies the controller or processor and complainant of the part concerning dismissal or rejection, and the lead notifies the controller or processor and complainant of the part concerning a decision. (Article 60(9))
The lead supervisory authority cooperates with any other "concerned" supervisory authorities to prepare a decision. (Article 60) That decision must be jointly agreed upon or it will be referred to the European Data Protection Board. (Article 60)
DECISION IS NOT JOINTLY AGREED UPON AND EDPB RESOLVES ANY DISPUTES
If the decision is not jointly agreed upon, the European Data Protection Board resolves any disputes and issues a binding decision. (Articles 63, 64 & 65)