A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Download PDF Print page
Published 24 March 2022
Amicable settlements within the scope of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) are used to facilitate the resolution of data breach complaints. Whilst the GDPR does not define “amicable settlements”, they are, essentially, a form of alternative dispute resolution whereby an authority agrees to take no further action if an organisation deals with a data complaint satisfactorily.
The only reference to amicable settlements can be found in Recital 131 to the GDPR in respect of the handling of local cases in accordance with Article 56(2) GDPR. Recitals to the EU GDPR are not strictly legally binding on their own, however they are there to assist in the understanding of the GDPR and to ensure that privacy law is applied properly.
Under these provisions, Supervisory Authorities (“SAs”), i.e. independent public authorities appointed by each Member State to monitor the application of the GDPR, are able to facilitate the amicable resolution between a data subject and a data controller or processor of a complaint lodged to the SA, or a possible infringement of the GDPR, if the subject matter relates only to the processing activities of the controller or processor in its Member State or substantially affects data subjects only in its Member State. There is, however, nothing in the GDPR to explicitly exclude amicable settlements in other cases.
In addition to acting as a facilitator, the SA must handle and investigate the complaint and keep the data subject updated as to any progress made.
The GDPR does not contain any specific regulations for amicable settlement of cross-border cases. This has resulted in Member States applying their own interpretations, or enacting differing national laws to deal with non-local data breach complaints. As a result, the practical implementation of amicable settlements differs greatly across the EU.
Following complaints from regulators, legislators and campaigners of the inconsistencies seen across EU Member States due to the lack of regulation in this area, the European Data Protection Board (“EDPB”), an independent European body which contributes to the consistent application of data protection rules throughout the EU, produced guidance (the “Guidance”) for implementing amicable settlements. Several EU countries, however, have already indicated that amicable settlements are not possible under their national laws. As such, amicable settlements will not be possible in the following countries: Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Greece, Malta, Poland, Portugal, Slovakia, Slovenia, Spain and Sweden.
The Guidance was adopted by the EDPB on 18 November 2021. The EDPB decided not to publish the Guidance, however the Guidance has been obtained via a Freedom of Information request.
The aim of the Guidance is to reach a satisfactory outcome for data subjects who have been victim to a data breach, as well as to ensure data controllers comply with the GDPR. To achieve this aim, the Guidance sets out best practice procedures to enable a consistent application of the GDPR both at EU and national level in response to complaints from data subjects.
The Guidance covers complaints which are either:
Whilst the Guidance provides for amicable settlements to be used by a Lead SA in cross-border cases, the Lead SA must still follow the Article 60 GDPR cooperation procedure.
In such cases, the complaint receiving SA will pass the complaint on to the Lead SA. The receiving SA will often have carried out some investigations of its own as part of a vetting process to determine whether the amicable settlement procedure would be suitable. Any information and documents gathered during the vetting process should be shared with the Lead SA as part of their own investigation. This ensures that the data subject is heard in the procedure attempted by the Lead SA and ensure compliance with fairness and due process in the investigation. The Lead SA should also bear in mind why amicable settlement could not be reached at the preliminary stage carried out by the SA and consider whether another attempt should be made. The Lead SA’s role is to act as the facilitator of the whole process through the exchange of documents and information with the other SAs.
When a Lead SA decides to proceed with the amicable settlement procedure, a key requirement is to cooperate with the other SAs to reach a consensus. The Lead SA is then able to investigate the matter how it sees fit, including holding formal hearings if necessary, or closing a case on the basis that the information received from the other SAs is sufficient to conclude the matter, with the agreement of all parties involved. Whatever the method or outcome, the Lead SA will need to keep the other SAs in the loop.
In accordance with the cooperation procedure, the Lead SA has discretion to decide whether informal consultation of the SAs would be a beneficial contribution to the procedure so that they can express their views prior to the proposed amicable settlement being drafted by the Lead SA. The Lead SA is required to share the proposed amicable settlement to the other SAs before it is finalised. This should set out the terms of the settlement, including the steps taken by the data controller or processor to satisfy the data subject’s complaint in full. The SAs will have an opportunity to provide comments and raise objections, however this should be considered carefully given that the cooperation procedure should have been followed throughout the investigation and any objections to amicable settlement should therefore have been raised at earlier stages. This is especially the case if a proper exchange of information has taken place. Any objections should therefore only be submitted in exceptional cases and be avoided.
Where no objections are raised, the draft decision becomes binding on the Lead SA and the SAs involved. The Lead SA notifies the decision to the relevant parties involved, including a summary of the relevant facts and grounds.
The following considerations have been suggested for SAs (including Lead SAs) to take into account when deciding whether to go down the amicable settlement route:
The amicable settlement process can be used to resolve a complaint in full, or to partially resolve a complaint, leaving the relevant SA to investigate the issue further and enter into a separate procedure to resolve any outstanding issues.
The aim of the Guidance is to streamline the way in which data breach claims and amicable settlements are handled by SAs as a result of the difference in domestic legislation and approaches throughout the EU.
It is hoped that the Guidance will help eradicate the differences seen in the treatment of data subjects and enforcement action taken against organisations at a national level by having an overarching set of guidelines to follow, resulting in consistent results across the EU Member States. The amicable settlement process intends to lead to fairer outcomes being achieved, however the results of this Guidance, which is yet in its infancy, remains to be seen.
A link to the full EDPB guidance can be accessed here.
London - Walbrook
+44 (0) 20 7894 6925
+44(0)20 7894 6382
By Hans Allnutt, Astrid Hardy
By Patrick Hill, Sonali Malhotra
By Julian Miller, Clare Hughes-Williams
By Patrick Hill, Camilla Elliot
By Patrick Hill
By Hans Allnutt, Camilla Elliot
By Hans Allnutt, Stuart Hunt
By Julian Miller
By Astrid Hardy, Hans Allnutt
By Julian Miller, Tom Evans
By Jade Kowalski, Astrid Hardy
By Louise Gallagher, Katie Anderson