Overview
This article establishes a process for the European Data Protection Board (EDPB) to resolve disputes among supervisory authorities. Disputes may arise from objections to a lead supervisory authority’s draft decision (Article 60(4)), conflicts over competency, or failure to comply with Board opinions (Article 64). The Board issues binding decisions within 1–2 months, decided by a two-thirds majority, which are binding on all supervisory authorities and published after notification.
Key Principles
Binding Resolution: EDPB decisions are enforceable across all supervisory authorities.
Timely Decision-Making: Decisions are made within 1–2 months of the dispute arising.
Majority Voting: Decisions require a two-thirds majority of Board members.
Transparency: Decisions are published after notification to ensure accountability.
Conflict Management: Mechanism resolves objections, competency disputes, and non-compliance with Board opinions.
Organizational Applicability
This article applies to:
The European Data Protection Board managing disputes between supervisory authorities.
Lead and concerned supervisory authorities subject to dispute resolution.
Controllers and processors affected by decisions from cross-border enforcement disputes.
Teams involved in compliance, legal, and regulatory coordination.
Implementation Requirements
Submit disputes to the EDPB in accordance with Articles 60(4) and 64.
Ensure documentation of objections, competency conflicts, or non-compliance issues.
Implement and enforce the Board’s binding decision across all concerned authorities.
Maintain records of disputes, decisions, and communications for transparency and accountability.
Implementation Guidance
Develop internal procedures for raising and handling disputes with the Board.
Train staff on timelines, submission requirements, and response obligations.
Coordinate with other supervisory authorities to comply with binding decisions.
Periodically review dispute resolution processes to ensure efficiency and compliance.
Periodic Review
Frequency: Annually or as disputes arise.
Responsible Role: Lead Supervisory Authority, Compliance Team, or Legal.
Outcome: Ensure disputes are resolved promptly, decisions are implemented, and cross-border compliance is maintained.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover for supervised entities.
Legal Exposure: Challenges or non-compliance with binding Board decisions.
Reputational Damage: Loss of trust in supervisory authorities and cross-border enforcement.
Operational Risk: Delays or conflicts in implementing decisions may disrupt GDPR enforcement.