Cordery

Legal.Compliance.

Resolving data protection complaints under EU GDPR “Amicable Settlement”

What’s this all about?

This brief article looks at what EU guidance says about the resolution of data protection complaints brought by individuals to data protection regulators through so-called “amicable settlement”.

What’s the issue?

Recital 131of EU GDPR states that where data protection complaints are essentially local the relevant local regulator in the EU country “receiving a complaint or detecting or being informed otherwise of situations that entail possible infringements of [EU GDPR] should seek an amicable settlement with the [data] controller and, if this proves unsuccessful, exercise its full range of powers”.

EU GDPR does not however address the issue of “amicable settlements” any further, but, late last year the European Data Protection Board (“EDPB”) issued guidance that addresses this issue entitled “Internal EDPB Document 06/2021 on the practical implementation of amicable settlements” (“the guidelines”), which it has not made a publicly available document.

As the EDPB acknowledges, “[g]iven [the] different interpretations and given the differing national laws governing complaint handling and amicable settlements (if at all present), the practical implementation of the instrument of amicable settlements differs considerably among [EU] Member States.” With this in mind, the EDPB guidelines seek to provide best practices for a consistent application of amicable settlements under EU GDPR at national and EU level.

A great portion of the guidelines deals with the technical-legal procedural aspects of the handling of amicable settlement matters (in the cross-border context, including within the EU GDPR One-Stop-Shop regime). This note doesn’t look at these aspects but instead solely focuses on setting out the regulatory thinking about what amicable settlements are all about.

What’s the role of the regulator in an amicable settlement?

The guidelines state that most EU countries see amicable settlements as a kind of “alternative dispute resolution” where, in most cases, the amicable settlement is facilitated where a complaint is lodged with a regulator concerning an alleged violation of EU GDPR, in particular concerning data subjects’ rights, to resolve the case in the data subjects’ favour. In such cases, a settlement is to be reached between the data controller and the data subject, under the supervision of the regulator, which moderates the process acting as a kind of facilitator aimed at settling the complaint.

This said, according to the guidelines, the regulator nevertheless takes an active part in the process as it still has to fulfil its obligations as a regulator and is therefore required to handle the complaint and investigate it, and inform the data subject on the progress or the outcome regarding the complaint. Further, a regulator has the right to further investigate the issue even after an amicable settlement has been reached, albeit in a different or other procedure of its own volition, e.g., if the regulator receives other similar complaints about the same data controller, leading to the conclusion that the controller has not fulfilled its commitment to remedying data protection infringements.

At what stage should an amicable settlement take place?

According to the guidelines, amicable settlements are mainly regarded to be possible at any stage of a proceeding, although some regulators have indicated that they are only possible in the early stages of case consideration, before any other action has been taken.

What’s the subject-matter of an amicable settlement?

According to the guidelines, amicable settlements should in general only be considered possible in cases concerning data subjects’ rights, given that only a data subject can dispose of their own rights as a party to the settlement, although some regulators see this as being subject to their discretion because they have to assess the broader picture of the individual case.

What are the criteria that a regulator should apply when deciding whether to initiate an amicable settlement procedure?

According to the guidelines, in practice, the following general criteria could guide a regulator in taking the decision to initiate an amicable settlement procedure:

  • There is a likelihood for the case to be solved amicably;
  • Only a limited amount of data subjects are affected;
  • Systemic failure is not recognizable;
  • The data protection violation is incidental or accidental;
  • The case involves the processing of a limited amount of personal data;
  • The effects of the violation are not of serious duration and nature (meaning that there are no severe consequences or infringements of freedoms and rights); and,
  • There is no/little societal significance/public interest.

According to the guidelines, in addition to reaching an outcome which is satisfactory for the data subject, amicable settlement is also a tool to achieve compliance with EU GDPR by a data controller. As the guidelines also point out, amicable settlements may not be an appropriate solution for every case.

Is there any guidance on the actually steps to be taken in amicable settlement?

The guidelines set out (in an annex) a checklist of the steps that can be taken when handling cases that might be suitable for an amicable settlement.

Do all countries apply amicable settlement?

The guidelines state that the following fourteen EU countries have indicated that amicable settlements are not possible under their national legislation: Cyprus; the Czech Republic; Denmark; Estonia; Finland; France; Greece; Malta; Poland; Portugal; Slovakia; Slovenia; Spain; and, Sweden.

Takeaway

Whilst amicable settlements may not have received a lot of attention, and whilst their use depends on EU country (also bearing in mind that they don’t apply in fourteen EU countries), it seems that some EU countries like Ireland have relied on them quite extensively notably with regard to complaints about unanswered Subject Access Requests, so it is worth organizations knowing about their existence as an EU GDPR mechanism that they may be subject to.

Resources

We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/.

For our other news please see here https://www.corderycompliance.com/news/.

For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.