Recitals

Regulation (EU) 2016/679 of the European Parliament and of the Council establishes a decentralised enforcement system, which aims to ensure the consistent interpretation and application of that Regulation in cases concerning cross-border processing. In such cases, the decentralised enforcement system requires cooperation between supervisory authorities in an endeavour to reach consensus. Where supervisory authorities cannot reach consensus, Regulation (EU) 2016/679 provides for dispute resolution by the European Data Protection Board (the ‘Board’).

In order to provide for the smooth and effective functioning of the cooperation mechanism and the dispute resolution mechanism provided for in Articles 60 and 65 of Regulation (EU) 2016/679, respectively, it is necessary to lay down rules concerning the conduct of proceedings by the supervisory authorities in cases concerning cross-border processing, and by the Board during dispute resolution, including the handling of complaints. For that reason, it is also necessary to lay down rules concerning the exercise of the right to be heard prior to the adoption of decisions by supervisory authorities and, as the case may be, by the Board.

In the absence of Union rules governing the matter, it is for each Member State, in accordance with the principle of procedural autonomy of Member States, to lay down the detailed rules of administrative and judicial procedures intended to ensure a high level of protection of rights that individuals derive from Union law. The procedural law of each Member State should therefore apply to the supervisory authorities insofar as this Regulation does not harmonise a matter, and as long as such national procedural rules do not impede the principles of effectiveness and equivalence of Union law.

This Regulation aims to ensure that investigations in cases concerning cross-border processing are carried out in accordance with the principle of good administration, in particular that they are carried out impartially, fairly and within a reasonable time. This Regulation, therefore, lays down some horizontal principles relating to the procedures in the enforcement of Regulation (EU) 2016/679 for such cases.

Complaints are an essential source of information for detecting infringements of data protection rules. Information provided by a complainant as part of the complaint lodged or when making his or her views known can include arguments and evidence that can help progress the investigation. Establishing clear and efficient procedures for the handling of complaints in cases concerning cross-border processing is necessary since it is possible that the complaint is dealt with by a supervisory authority other than the one with which the complaint has been lodged.

A complaint should be understood as a claim lodged by a data subject with a supervisory authority in accordance with Article 77(1) or Article 80 of Regulation (EU) 2016/679. The mere reporting of alleged infringements which do not concern the processing of personal data relating to the data subject, requests for advice from controllers or processors or general requests regarding the application of Regulation (EU) 2016/679, either from controllers, processors or natural persons, is not to be regarded as a complaint.

In order for a complaint concerning cross-border processing to be admissible, it should contain specified information. No information additional to that specified in this Regulation should be required for such a complaint to be admissible. Administrative modalities and requirements of admissibility for complaints under the national law of the supervisory authority with which a complaint has been lodged, such as language, statute of limitations, means of identification, electronic form, specific template or signature, continue to apply.

The contact details of the person lodging the complaint could include a postal address, place of residence and, where available, an email address. The fact that a complainant is a natural person who is not in a position to exercise his or her right to lodge a complaint without the assistance of a legal representative, for example because he or she is a child or because he or she has a disability or vulnerability, and, therefore, exercises his or her rights through another person, such as a parent, legal guardian or family member, provided that such representation is permitted under national law, needs to be clearly identified at the point in time at which the complaint is lodged.

Where the complaint is lodged by a not-for-profit body, organisation or association referred to in Article 80 of Regulation (EU) 2016/679, proof that the body, organisation or association has been properly constituted in accordance with the law of a Member State should be provided, together with the name and contact details of such body, organisation or association as well as proof that such body, organisation or association is acting on the basis of a mandate of the data subject. The modalities and procedures for such proof are determined in accordance with the law of the Member State of the supervisory authority with which the complaint has been lodged.

The complainant should not be required to contact the party under investigation before lodging a complaint in order for that complaint to be admissible. Where the complaint relates to the exercise of a right of the data subject that relies on the data subject concerned making a request to the controller, that request should be made to the controller before the lodging of the complaint.

The supervisory authority with which the complaint has been lodged should determine, by way of a preliminary conclusion, whether the complaint concerns cross-border processing, the supervisory authority presumed to be competent to act as lead supervisory authority in accordance with Article 56(1) of Regulation (EU) 2016/679, and whether Article 56(2) of that Regulation applies. Where an early resolution procedure has not been initiated, the supervisory authority with which the complaint has been lodged should transmit admissible complaints to the supervisory authority presumed to be competent to act as lead supervisory authority and inform the complainant thereof. The determination of admissibility of the complaint by the supervisory authority with which the complaint has been lodged should be binding on the lead supervisory authority.

It is important that supervisory authorities facilitate the submission of all required information by the complainant, for example by providing templates or electronic forms, taking into account relevant guidance of the Board. Supervisory authorities can facilitate the submission of complaints in a user-friendly electronic format and bearing in mind the needs of persons with disabilities, as long as the information required from the complainant corresponds to the specified information required. No additional information should be required in order to find the complaint admissible.

In order to facilitate the handling of a complaint, supervisory authorities should be able to request supplementary information from the complainant. Where some of the information necessary for a complaint to be deemed admissible is missing, the supervisory authority with which that complaint has been lodged could contact the complainant in order to obtain the missing information, where feasible. Where a complaint is inadmissible, the supervisory authority should declare it inadmissible and inform the complainant of the missing information within the deadline provided for by this Regulation, to allow that complainant to submit an admissible complaint.

Where, following receipt of an admissible complaint concerning cross-border processing from a supervisory authority, the lead supervisory authority requires additional information from the complainant in order to allow for the full investigation of the complaint, the supervisory authority with which the complaint has been lodged should assist the lead supervisory authority, including by contacting the complainant to seek the required information if needed.

Where the lead supervisory authority initiates an investigation on the basis of a complaint, the parties under investigation should be informed without delay about the lodging of that complaint and of its main elements. The provision of such information by the lead supervisory authority could however be postponed for as long as necessary to protect the integrity of the investigation and allow for the effective conduct of investigative measures.

In order to guarantee the effective functioning of the cooperation and consistency mechanisms in Chapter VII of Regulation (EU) 2016/679, it is important that cases concerning cross-border processing be resolved in a timely manner and in line with the spirit of sincere and effective cooperation that underlies Article 60 of Regulation (EU) 2016/679. The lead supervisory authority should exercise its competence within a framework of close cooperation with the other supervisory authorities concerned. Likewise, supervisory authorities concerned should actively engage in an investigation at an early stage in an endeavour to reach consensus, making full use of the tools provided by Regulation (EU) 2016/679. It is important that the cooperation between supervisory authorities be based on open dialogue which allows supervisory authorities concerned to meaningfully impact the course of the investigation by sharing their experiences and views with the lead supervisory authority, with due regard for the margin of discretion enjoyed by each supervisory authority. Supervisory authorities should conduct procedures in an expedient and efficient manner and should cooperate with each other in a sincere and effective manner, including by providing support where necessary and responding to requests without delay.

Supervisory authorities should decide on complaints within a reasonable timeframe. For this reason, this Regulation lays down time limits. What is a reasonable timeframe depends on the circumstances of each case and, in particular, its context, the various procedural steps followed by the lead supervisory authority, the conduct of the parties under investigation and the complainant in the course of the procedure and the complexity of the case. In order to effectively protect the fundamental rights and freedoms of data subjects in relation to the processing of personal data, it is important that complaints be handled in an efficient and expedient manner. Depending on the circumstances of a case, the time required to handle a complaint could be shorter than the time limit provided for in this Regulation. Efficient cooperation between the lead supervisory authority and the other supervisory authorities concerned can also have a positive impact on the expedient handling of cases.

A complainant should have the possibility to communicate exclusively with the supervisory authority with which the complaint of that complainant has been lodged. That possibility does not prevent the complainant from communicating directly with another supervisory authority, including the lead supervisory authority.

It is important to consider the personal data processed and the situation of the data subject, for example where a complaint relates to the processing of personal data of children.

The lead supervisory authority should provide the supervisory authority with which the complaint has been lodged with the necessary information on the progress of the investigation for the purpose of providing updates to the complainant.

In order for supervisory authorities to bring a swift end to infringements of Regulation (EU) 2016/679 and to deliver a quick resolution for complainants, supervisory authorities should endeavour, where appropriate, to resolve complaints through an early resolution procedure in accordance with this Regulation. For that purpose, the supervisory authority should establish whether the infringement alleged in the complaint has been brought to an end in a manner that renders the complaint devoid of purpose. Member States are not required to introduce new procedures under national law to allow their supervisory authorities to resolve a complaint through an early resolution procedure.

A complaint should be resolved through an early resolution procedure only where the complainant has not submitted a timely objection to the finding that the alleged infringement has been brought to an end and that the complaint is therefore devoid of purpose. The early resolution of a complaint should therefore apply to cases where the complainant is duly able to assess the proposed outcome.

The early resolution of a complaint can be particularly useful to expeditiously resolve complaints concerning infringements of the rights of the data subject under Chapter III of Regulation (EU) 2016/679 to the satisfaction of the complainant. That early resolution should allow the supervisory authority with which the complaint has been lodged or the lead supervisory authority to establish, on the basis of preliminary engagement with the controller and provided that supporting evidence has been obtained, that the complaint is devoid of purpose.

The early resolution of a complaint through an early resolution procedure should be without prejudice to the exercise by the lead supervisory authority of its powers in accordance with Regulation (EU) 2016/679 on the same subject matter, for example in the case of systemic or repetitive infringements of that Regulation.

Where the lead supervisory authority to which the complaint has been transmitted considers that a complaint can be resolved through an early resolution procedure, a draft decision pursuant to Article 60(3) of Regulation (EU) 2016/679 should be submitted to the other supervisory authorities concerned, with a view to adopting a final decision in accordance with Article 60(7) of Regulation (EU) 2016/679 establishing that the alleged infringement has been brought to an end and that the complaint, or part of the complaint, has been resolved by the lead supervisory authority. The draft decision submitted could therefore be simplified and limited to information that the complaint has been resolved, in whole or in part, through an early resolution procedure, indicating the reasons underlying the decision and the scope of the resolution, and confirming that the complaint is therefore devoid of purpose. In such cases, the lead supervisory authority should directly submit its draft decision to the other supervisory authorities concerned, without having to draft and circulate a summary of key issues or preliminary findings.

Where the lead supervisory authority has formed a preliminary view on the main issues in an investigation, it should be possible for the lead supervisory authority to cooperate with the other supervisory authorities concerned through a simple cooperation procedure. The simple cooperation procedure should be applied on a case-by-case basis, provided that the lead supervisory authority considers that no reasonable doubt exists as to the scope of the investigation and that the legal and factual issues identified do not require additional cooperation that would be required for the purposes of a complex investigation, in particular where those issues can be addressed on the basis of the characteristics of the case and previous decisions in similar cases. In addition, it is important that existing case-law and guidelines adopted by the Board on the alleged infringements of Regulation (EU) 2016/679 to be investigated be also taken into account by the lead supervisory authority in considering that consensus on the main elements of a case is likely to be reached. In principle, the simple cooperation procedure does not apply where the case raises systemic or recurring problems in several Member States, concerns a general legal issue with regard to the interpretation, application or enforcement of Regulation (EU) 2016/679, is related to the intersection of data protection with other legal fields, affects a large number of data subjects in several Member States, or is related to a large number of complaints in several Member States or where there might be a high risk to the rights and freedoms of data subjects.

Where the lead supervisory authority intends to apply the simple cooperation procedure, it should inform the other supervisory authorities concerned of its intention and provide all relevant information concerning the characteristics of the case and the complaint, including the main relevant facts and the alleged infringement to be investigated. Where the simple cooperation procedure is applied, the lead supervisory authority should continue cooperating with the other supervisory authorities concerned and submit a draft decision within the time limits provided for in this Regulation.

Where a supervisory authority is required to take certain procedural steps within specified time limits, the purpose of those time limits is to ensure that the procedure progresses and concludes within a reasonable time. Those time limits do not preclude supervisory authorities from taking the required procedural steps after their expiry. It is therefore necessary to ensure that taking such procedural steps after the expiry of their corresponding time limits cannot be considered grounds for the illegality or invalidity of the procedural step in question or of the final decision.

The lead supervisory authority should be able to extend the time limit for submitting a draft decision. Such extensions should be applied only on an exceptional basis due to the complexity of a case. The other supervisory authorities concerned should be informed and have the opportunity to submit objections to the extension, which should be taken into account by the lead supervisory authority when determining whether to apply an extension to the time limit and, where applicable, the duration of that extension.

Where the lead supervisory authority extends the time limit for submitting a draft decision, the other supervisory authorities concerned should be able to inform the lead supervisory authority of their assessment that there is a need to act in order to protect the rights and freedoms of data subjects. Where the lead supervisory authority has been informed of such an assessment, and does not submit a draft decision within the extended time limit, the urgent need to act as referred to in Article 66(1) of Regulation (EU) 2016/679 should be presumed to be met. Notwithstanding that possibility, the urgency procedure remains available to supervisory authorities subject to the conditions set out in Article 66 of Regulation (EU) 2016/679.

In order to ensure that proceedings are conducted in an efficient manner, without prejudice to the procedural autonomy of Member States, it is preferable that remedies against procedural steps taken by supervisory authorities only be available in conjunction with a remedy against a final decision, unless the procedural step in itself irreversibly affects the rights of the party under investigation or the complainant, irrespective of the final decision.

It is particularly important for supervisory authorities to reach consensus on key aspects of the case as early as possible and prior to the adoption of the draft decision referred to in Article 60 of Regulation (EU) 2016/679.

The exchange of relevant information between the lead supervisory authority and the other supervisory authorities concerned is an important element to support the spirit of sincere and effective cooperation. That exchange, and the timely provision of specific information by the lead supervisory authority, is a continuous process throughout the course of an investigation and the documents and details required can vary depending on the complexity of the case. Depending on the stage of the investigation and the circumstances of a case, relevant information could include, inter alia, the exchange of correspondence with the controller or the data subject with respect to a complaint or investigation, the preparatory documents for an audit or inspection, or a preliminary technical or legal assessment by the lead supervisory authority as a result of a specific step in its investigation.

While the lead supervisory authority should provide any relevant information to the other supervisory authorities concerned without delay after that information becomes available, the other supervisory authorities concerned should also proactively make available any relevant information deemed useful to assess the legal and factual elements of a case. The exchange of relevant information should support the swift and effective cooperation between supervisory authorities and can, in certain cases, be supported by summaries, extracts or copies of documents in order to facilitate a swift understanding of a case, while allowing for complementary information to be provided where necessary. In order to facilitate the effective and appropriate exchange of relevant information between supervisory authorities, the Board should be able to specify the modalities and requirements for the exchange of such information.

As part of the relevant information on a specific case, the lead supervisory authority should provide the other supervisory authorities concerned with a summary of key issues setting out its preliminary view on the main issues in an investigation. That summary should be provided at a sufficiently early stage to allow for the effective inclusion of the views submitted by the other supervisory authorities concerned but at the same time at a stage where the lead supervisory authority has sufficient elements to form its views on the case, where necessary by means of preliminary analysis and possible initial investigative measures. The summary of key issues should also include, where applicable, the preliminary identification of potential corrective measures where the lead supervisory authority has sufficient elements to form a preliminary view on those measures, in particular when the provisions of Regulation (EU) 2016/679 concerned by the alleged infringement can be easily identified at an early stage.

Supervisory authorities concerned should have the opportunity to provide their comments on the summary of key issues, including on a broad range of matters such as the scope of the investigation, the identification of the alleged infringements and the identification of factual and legal issues relevant for the investigation. Given that the scope of the investigation determines the matters which require investigation by the lead supervisory authority, supervisory authorities should endeavour to reach consensus as early as possible on the scope of the investigation.

In the interest of effective inclusive cooperation between the lead supervisory authority and all the other supervisory authorities concerned, it is important that the summary of key issues and the comments of supervisory authorities concerned be concise and worded in sufficiently clear and precise terms to be easily understandable to all supervisory authorities. The legal arguments should be grouped by reference to the part of the summary of key issues to which they relate. The summary of key issues and the comments of supervisory authorities concerned can be supplemented by additional documents. However, a mere reference in the comments of a supervisory authority concerned to supplementary documents cannot make up for the absence of the essential arguments in law or in fact which are to feature in the comments. The basic legal and factual particulars relied on in such documents need to be indicated, at least in summary form, coherently and intelligibly in the comment itself.

Supervisory authorities should be able to use all means necessary to reach consensus in a spirit of sincere and effective cooperation. Where there is a divergence in opinion between the lead supervisory authority and the other supervisory authorities concerned regarding the scope of a complaint-based investigation, including the provisions of Regulation (EU) 2016/679 concerned by the alleged infringement which is to be investigated, or where the comments of the supervisory authorities concerned relate to an important change in the complex legal or factual assessment, or to the preliminary identification of potential corrective measures, the supervisory authorities concerned can use the tools provided for under Articles 61 and 62 of Regulation (EU) 2016/679.

Regulation (EU) 2016/679 enables the supervisory authority to request an urgent binding decision from the Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act in order to protect the rights and freedoms of data subjects. Under this Regulation, where, following the use of the means set out in this Regulation, the supervisory authorities fail to reach consensus on the scope of a complaint-based investigation, the conditions referred to in Article 66(3) of Regulation (EU) 2016/679 to request an urgent binding decision should be presumed to be met and the lead supervisory authority should request an urgent binding decision of the Board. The urgent binding decision of the Board on the scope of a complaint-based investigation cannot pre-empt the outcome of the investigation of the lead supervisory authority or the effectiveness of the right to be heard of the parties under investigation.

Procedural rights should be conferred on a complainant to the extent that his or her rights and freedoms as a data subject are concerned. Procedural steps laid down in this Regulation, relating to cooperation between supervisory authorities, do not confer rights on a complainant or on parties under investigation. Therefore, this Regulation clarifies which provisions on procedural steps do not confer rights on individuals or parties under investigation, or do not limit those rights.

Complainants should have the opportunity to make their views known before a decision adversely affecting them is taken. Therefore, in the event of full or partial rejection or dismissal of a complaint in a case concerning cross-border processing, the complainant should have the opportunity to make her or his views known prior to the submission of a draft decision under Article 60(3) of Regulation (EU) 2016/679, a revised draft decision under Article 60(5) of that Regulation or a binding decision of the Board under Article 65(1), point (a), of that Regulation.

It is necessary to clarify the division of responsibilities between the lead supervisory authority and the supervisory authority with which the complaint has been lodged in the case of a full or partial rejection or dismissal of a complaint in a case concerning cross-border processing. As the point of contact for the complainant during the investigation, the supervisory authority with which the complaint has been lodged should provide the complainant with an opportunity to make his or her views known on the proposed full or partial rejection or dismissal of the complaint and that authority should be responsible for all communication with the complainant. All such communication should be transmitted to the lead supervisory authority. Since under Article 60(8) and (9) of Regulation (EU) 2016/679 the supervisory authority with which the complaint has been lodged has the responsibility of adopting the final decision fully or partially rejecting or dismissing the complaint, the lead supervisory authority should prepare the draft decision under Article 60(3) of Regulation (EU) 2016/679, in cooperation with the supervisory authority with which the complaint has been lodged. That cooperation includes the possibility to request the assistance of the supervisory authority with which the complaint has been lodged in preparing such a draft.

The effective enforcement of Union data protection rules should be compatible with the full respect for the rights of defence of the parties under investigation, which constitutes a fundamental principle of Union law to be respected in all circumstances, and those rights are of particular importance in procedures which could give rise to penalties.

In order to effectively safeguard the right to good administration and the rights of defence as enshrined in the Charter of Fundamental Rights of the European Union (the ‘Charter’), it is important to provide for clear rules on the exercise of the right of every person to be heard before any individual measure which would affect him or her adversely is taken.

The rules regarding the administrative procedure applied by supervisory authorities when enforcing Regulation (EU) 2016/679 should ensure that the parties under investigation effectively have the opportunity to make known their views on the truth and relevance of the facts and circumstances alleged and the objections put forward by the supervisory authority throughout the procedure, thereby enabling them to exercise their rights of defence. The preliminary findings set out the preliminary position on the alleged infringement of Regulation (EU) 2016/679 following an investigation. They thus constitute an essential procedural safeguard that ensures that the right to be heard is observed. The parties under investigation should be provided with the documents required to defend themselves effectively and to comment on the allegations made against them, by receiving access to the administrative file.

These rules should be without prejudice to the possibility for supervisory authorities to grant further access to the administrative file in order to hear the views of any of the parties under investigation or of the complainant in the course of the proceedings, in accordance with national law of the lead supervisory authority.

The preliminary findings define the scope of the investigation and therefore the scope of any future final decision, as the case may be, taken on the basis of a binding decision issued by the Board under Article 65(1), point (a), of Regulation (EU) 2016/679 which can be addressed to controllers or processors. The preliminary findings should be, even if succinct, sufficiently clear to enable the parties under investigation to properly identify the nature of the alleged infringement of Regulation (EU) 2016/679. The obligation to give the parties under investigation all the information necessary to enable them to properly defend themselves is satisfied if the final decision does not allege that the parties under investigation have committed infringements other than those referred to in the preliminary findings and takes into consideration only facts on which the parties under investigation have had the opportunity of making their views known. The final decision of the lead supervisory authority does not, however, need to be a replica of the preliminary findings. The lead supervisory authority should be permitted in the final decision to take account of the responses of the parties under investigation to the preliminary findings, and, where applicable, to the revised draft decision under Article 60(5) of Regulation (EU) 2016/679. The lead supervisory authority should be able to carry out its own assessment of the facts and the legal arguments put forward by the parties under investigation in order either to reject the arguments when the lead supervisory authority finds them to be unfounded or to supplement and redraft its findings, both in fact and in law, in support of the arguments which it maintains. For example, taking account of an argument put forward by a party under investigation during the administrative procedure, without it having been given the opportunity to express an opinion in that respect before the adoption of the final decision, cannot per se constitute an infringement of rights of defence.

This Regulation provides for rules for situations where the lead supervisory authority is required by national law to engage in subsequent domestic proceedings related to the same case, such as administrative appeal proceedings.

The parties under investigation should be provided with a right to be heard prior to the submission of a revised draft decision under Article 60(5) of Regulation (EU) 2016/679 or the adoption of a binding decision by the Board under Article 65(1), point (a), of that Regulation. New legal elements include relevant and reasoned objections where those objections contain legal assessments different from those proposed by the lead supervisory authority in the draft decision submitted pursuant to Article 60(4) of Regulation (EU) 2016/679.

Complainants should be given the possibility to be associated with the proceedings initiated by a supervisory authority with a view to identifying or clarifying issues relating to a potential infringement of Regulation (EU) 2016/679. The fact that a supervisory authority has already initiated an investigation concerning the subject matter of the complaint or will deal with the complaint in an investigation subsequent to the receipt of the complaint does not bar the qualification of a data subject as complainant. An investigation by a supervisory authority of a possible infringement of Regulation (EU) 2016/679 by a controller or processor is a procedure commenced by a supervisory authority, upon its own initiative or based on a complaint, in fulfilment of its tasks under Article 57(1) of that Regulation. The parties under investigation and the complainant are not in the same procedural situation, and it is essential to safeguard the rights of defence of the party under investigation. The parties under investigation and the complainant can invoke the fundamental right to be heard when the decision adversely affects their legal position.

Complainants should be given the possibility to submit in writing their views on the preliminary findings to the extent that those views relate to their complaint concerning the processing of their personal data. However, they should not have access to trade secrets or other confidential information belonging to the parties under investigation or third persons.

When setting deadlines for parties under investigation and complainants to provide their views on preliminary findings, it is important that supervisory authorities have regard to the complexity of the issues raised in preliminary findings, in order to ensure that the parties under investigation and complainants have sufficient opportunity to meaningfully provide their views on the issues raised.

The exchange of views between supervisory authorities prior to the submission of a draft decision involves an open dialogue and an extensive exchange of views where supervisory authorities should do their utmost to reach consensus on the way forward in an investigation. Conversely, disagreement expressed in relevant and reasoned objections pursuant to Article 60(4) of Regulation (EU) 2016/679, which raise the potential for dispute resolution between supervisory authorities under Article 65 of that Regulation and delay the adoption of a final decision by the competent supervisory authority, should only arise in the case of a failure of supervisory authorities to reach consensus and where necessary to ensure the consistent interpretation of Regulation (EU) 2016/679. Such objections should be used when matters of consistent enforcement of Regulation (EU) 2016/679 are at stake.

In the interest of the efficient and inclusive conclusion of the dispute resolution procedure, where all supervisory authorities should be in a position to contribute their views and bearing in mind the time constraints during dispute resolution, the form and structure of relevant and reasoned objections should meet certain requirements.

Access to the administrative file is provided for as a part of the rights of defence and the right to good administration enshrined in the Charter. Access to the administrative file should be provided to the parties under investigation when they are notified of preliminary findings and the deadline to submit their written reply to the preliminary findings should be set.

When granting access to the administrative file to the parties under investigation and the complainant, supervisory authorities should ensure the protection of trade secrets and other confidential information. The category of other confidential information includes information other than trade secrets, which might be considered as confidential in accordance with Union and national law, insofar as its disclosure would significantly harm a controller, a processor or a natural or legal person. Confidential information should in particular include information that is known only to a limited number of persons and the disclosure of which is liable to cause serious harm to the person who provided it or to third persons, and where the interests liable to be harmed by the disclosure of such information are, objectively, worthy of protection. The supervisory authorities should be able to request that parties under investigation that submit or have submitted documents or statements identify confidential information.

Where trade secrets or other confidential information are necessary to prove an infringement, the supervisory authorities should assess for each individual document in a proportionate manner whether the need to disclose is greater than the harm which might result from disclosure.

Access to documents included in the administrative file on the basis of access to public documents is to be provided in accordance with Member States’ national law. In this regard, it is important that the integrity of the decision-making process is protected until the final decision is adopted by the competent supervisory authority.

It is important that the Board facilitate access to decisions adopted in accordance with the cooperation and consistency mechanisms, by making the text of the final decisions adopted by national supervisory authorities available online through easily accessible registers. In accordance with applicable national law, supervisory authorities can redact names, any other information that allows for the identification of parties under investigation or the complainant, and other information that is protected under applicable Union and national law.

It is important that the provision to the complainant of a version of the final decision in accordance with this Regulation remain without prejudice to the possibility for a supervisory authority to decide whether to make the decision public as part of its corrective powers.

When referring subject matter to dispute resolution under Article 65 of Regulation (EU) 2016/679, the lead supervisory authority should provide the Board with all the necessary documents and information to enable it to assess the admissibility of relevant and reasoned objections and to adopt the decision under Article 65(1), point (a), of that Regulation. Once the Board is in possession of all the necessary documents and information, the Chair of the Board should register the referral of the subject matter in accordance with Article 65(2) of Regulation (EU) 2016/679.

The binding decision of the Board under Article 65(1), point (a), of Regulation (EU) 2016/679 should concern exclusively matters which led to the triggering of the dispute resolution and be drafted in a way which allows the lead supervisory authority to adopt its final decision on the basis of the decision of the Board.

In order to streamline the resolution of disputes between supervisory authorities submitted to the Board under Article 65(1), points (b) and (c), of Regulation (EU) 2016/679, it is necessary to specify procedural rules regarding documents and information to be submitted to the Board and on which the Board should base its decision. It is also necessary to specify when the Board should register the referral of the matter to dispute resolution.

In order to streamline the procedure for the adoption of urgent opinions and urgent binding decisions of the Board under Article 66(2) of Regulation (EU) 2016/679, it is necessary to specify procedural rules regarding the timing of requests for an urgent opinion or urgent binding decision and the documents and information to be submitted to the Board and on which the Board should base its decision.

Regulation (EU) 2016/679 provides that the data subject has a right to an effective judicial remedy where a competent supervisory authority does not handle a complaint. This Regulation does not create new judicial remedies in addition to those already established by Regulation (EU) 2016/679, nor does it limit the application of the judicial remedies established by that Regulation. Certain provisions of this Regulation have particular importance for the timely delivery of the final decision by the supervisory authorities when handling complaints. When determining whether a supervisory authority has handled a complaint, consideration should be given to whether certain time limits laid down in this Regulation and in Regulation (EU) 2016/679 have been met by the supervisory authority. In making that determination, it is essential to safeguard the right of the complainant to have his or her complaint handled within a reasonable time. The provisions of this Regulation are without prejudice to the possibility of providing for remedies in national law for the party under investigation, in view of its right to have its affairs handled within a reasonable time.

The implementation of this Regulation requires adequate digital tools supporting the rapid and secure exchange of information. It is important that an appropriate secure common electronic tool be available for all data protection authorities, taking into account the experience gained in using existing tools. It is also important that resources needed for the implementation of such an electronic tool be provided and that such tool facilitate the collection and consolidation by the Board of enforcement statistics on cases concerning cross-border processing.

Chapters III and IV of this Regulation concern cooperation between supervisory authorities, the procedural rights of parties under investigation and the involvement of complainants. To ensure legal certainty, those provisions should not apply to ongoing investigations at the time this Regulation enters into force. They should apply to investigations opened after 15 months from the date of entry into force of this Regulation and to complaint-based investigations where the complaint was lodged after 15 months from the date of entry into force of this Regulation. Chapters V and VI of this Regulation provide for procedural rules for cases referred to dispute resolution under Article 65 of Regulation (EU) 2016/679 and for requests for an urgent opinion or urgent binding decision under Article 66 of Regulation (EU) 2016/679. For reasons of legal certainty, those chapters should not apply to cases that have been referred to dispute resolution prior to the entry into force of this Regulation. They should apply to all cases referred to dispute resolution after 15 months from the date of entry into force of this Regulation.

The European Data Protection Supervisor and the Board were consulted in accordance with Article 42(1) and (2) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered a joint opinion on 19 September 2023,