Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679

Paragraph 3.2.1  Meaning of “significance of the risks”

35. It is important to bear in mind that the goal of the work carried out by SAs is that of protecting the fundamental rights and freedoms of natural persons and facilitating the free flow of personal data within the Union (Articles 4(24),51 GDPR and Recital 123).

36. The obligation to demonstrate the significance of the risk posed by the draft decision (e.g. by the measures provided for therein, by the absence corrective measures, etc.) for rights and freedoms of data subjects and/or the free flow of data lies on the CSA.The possibility for CSAs to provide such a demonstration will also rely on the degree of detail of the draft decision itself and of the previous exchange of information, as highlighted above.

37. “Risk” is mentioned in numerous sections of the GDPR and previous EDPB guidelines define it as “a scenario describing an event and its consequences, estimated in terms of severity and likelihood”. Article 4 (24) GDPR refers to the need to demonstrate the “significance” of the risks posed by the draft decision, that is, to show the implications the draft decision would have for the protected values. The CSA will need to do so by advancing sufficient arguments to show that such risks are substantial and plausible.

38. While a relevant and reasoned objection needs to always clearly demonstrate the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects (see Section 3.2.2), the demonstration of risks posed to the free flow of personal data within the European Union is only requested “where applicable” (see below paragraph 3.2.3).