Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
Paragraph 3.1.2 Compliance of the action envisaged in the draft decision in relation to the controller or processor with the GDPR
32. In this second scenario, the content of the relevant and reasoned objection amounts to a disagreement regarding the particular corrective measure proposed or other action envisaged in the draft decision.
33. More specifically, the relevant and reasoned objection should explain why the action foreseen in the draft decision is not in line with the provisions of the GDPR. To this end, the CSA must clearly set out its factual and/or legal arguments underlying the different assessment of the situation, by indicating which action would be appropriate for the LSA to undertake and include in the final decision.
Example 1: The controller disclosed sensitive medical data of the complainant to a third party without a legal basis. In the draft decision, the LSA proposed to issue a reprimand, while the CSA provides factual arguments showing that the controller is facing broad and systemic issues in its compliance with the GDPR (e.g. it regularly discloses the clients’ data to third parties). Therefore, it proposes that the order to bring processing operations into compliance/a temporary ban on data processing or a fine should be imposed.
Example 2: Due to a mistake of one of its employees, the controller published the name, last name and telephone numbers of all its 100.000 clients on its website. These personal data were publicly accessible for two days. As the controller reacted as soon as possible, the mistake was reported, and all the clients were individually informed, the LSA planned to issue a reprimand. One CSA however considers that, due to the large scale of the data breach and its possible impact/risk on the private life of the clients, the imposition of a fine would be required.
34. As enshrined in the last sentence of Art. 65 (1)(a) the binding decision of the EDPB shall concern all the matters which are subject of the objection, in particular in case of an infringement. Recital 150 sentence 5 states that the consistency mechanism may also be used to promote a consistent application of administrative fines. Therefore, it is possible that the objection challenges the elements relied upon to calculate the amount of the fine. If the assessment identifies causal shortcomings, the LSA will be instructed to remit the fine, by eliminating the shortcomings within a given financial framework appropriate to the case. This assessment should be based on common EDPB standards stemming from Art. 83(1) and (2) GDPR and the Guidelines on the calculation of administrative fines.
Example: The CSA considers that the level of the fine envisaged by the LSA in the draft decision is not effective, proportionate or dissuasive, as required by Article 83 (1) GDPR, taking account of the facts of the case.