EDPB Guidelines on Amicable Settlements: Key Points
The European Data Protection Board (EDPB) has released guidelines on how supervisory authorities (SAs) should handle amicable settlements under GDPR. Here are the key takeaways:
What is an Amicable Settlement?
- A process where data protection authorities facilitate resolution of complaints between data subjects and controllers
- Aims to achieve compliance with GDPR while satisfying both parties’ interests
- Most suitable for cases involving:
- Limited number of data subjects
- Non-systematic violations
- Incidental/accidental breaches
- Limited personal data
- Non-serious violations
Key Principles
- Not all EU countries allow amicable settlements (14 countries explicitly don’t permit them)
- Can be used in both local cases and cross-border processing scenarios
- Must respect principles of good administration and due process
- Should lead to swift resolution while maintaining high level of data protection
Cross-border Cases
In One-Stop-Shop (OSS) mechanism:
- Lead Supervisory Authority (LSA) must keep Concerned Supervisory Authorities (CSAs) informed
- Settlement requires formal decision under Article 60 GDPR
- CSAs must be consulted before finalizing settlement
- LSA remains “sole interlocutor” with the controller
Important Considerations
- Settlement doesn’t prevent further investigation if systemic issues are discovered
- Can be partial – some aspects of complaint may require formal investigation
- Must be documented and communicated properly to all parties
- Should include proof of compliance from controller and satisfaction from data subject
These guidelines represent a significant step toward harmonizing how data protection authorities handle complaints across the EU, while maintaining flexibility to account for national legal frameworks and specific case circumstances.
