Version 2.1 – Adopted on 24 May 2023
Version history
| Version 1.0 | 13 April 2021 | Adoption of the Guidelines for public consultation |
|---|---|---|
| Version 2.0 | 24 May 2023 | Adoption of the Guidelines after public consultation |
| Version 2.1 | 15 July 2024 | Editorial corrections |
Executive summary
Article 65(1)(a) GDPR is a dispute resolution mechanism meant to ensure the correct and consistent application of the GDPR in cases involving cross-border processing of personal data. It aims to resolve conflicting views among the LSA(s) and CSA(s) on the merits of the case, in particular whether there is an infringement of the GDPR or not, in order to ensure the correct and consistent application of the GDPR in individual cases. These Guidelines clarify the application of the dispute resolution procedure under Article 65(1)(a) GDPR.
Article 65(1)(a) GDPR requires the EDPB issues a binding decision whenever a Lead Supervisory Authority (LSA) issues a draft decision and receives objections from Concerned Supervisory Authorities (CSAs) that either it does not follow or it deems to be not relevant and reasoned.
These Guidelines clarify the applicable legal framework and main stages of the procedure, in accordance with the relevant provisions of the Charter of Fundamental Rights of the European Union, the GDPR and EDPB Rules of Procedure. The Guidelines also clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. In accordance with Article 65(1)(a) GDPR, the EDPB binding decision shall concern all the matters which are the subject of the relevant and reasoned objection. Consequently, the EDPB will first assess whether the objection(s) raised meet the “relevant and reasoned” standard set in Article 4(24) GDPR. Only for the objections meeting this threshold, the EDPB will take a position on the merits of the substantial issues raised. The Guidelines analyse examples of objections signalling disagreements between the LSA and CSA(s) on specific matters and clarify the EDPB’s competence in each case.
The Guidelines also clarify the applicable procedural safeguards and remedies, in accordance with the relevant provisions of the Charter of Fundamental Rights of the European Union, the GDPR and EDPB Rules of Procedure. In particular, these Guidelines address the right to be heard, the right of access to the file, the duty for the EDPB to provide reasoning for its decisions, as well as a description of the available judicial remedies.
These Guidelines do not concern dispute resolution by the EDPB in cases where: (1) there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment (Article 65(1)(b) GDPR); or (2) a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64 (Article 65(1)(c) GDPR).
