Comments on the draft of the EDPB “Guidelines 03/2021 on the application of Article 65 (1)(a) GDPR”

May 28, 2021

The Czech Data Protection Association sent the following comments on the draft of the EDPB “Guidelines 03/2021 on the application of Article 65 (1)(a) GDPR”:

We are grateful for the opportunity to present our comments to the recently published EDPB draft Guidelines 03/2021. 

We appreciate that this document deals in detail with the EDPB’s procedure in proceedings under Article 65 of the GDPR, where the proper establishment of process rules contributes to increasing legal certainty of all persons concerned. 

In general, we would like to point out that it could be very helpful to explain why the EDPB has decided to incorporate certain procedural provisions directly related to its activities into these guidelines, instead of being part of the binding Rules of Procedure under Article 72 (2) of the GDPR. It should be noted that the GDPR itself does not clearly envisage the issuance of similar guidelines[1] and is likely to assume that the procedural rules of the EDPB itself will be completely regulated in its rules of procedure.

The above mentioned applies in particular to “The right to be heard” under Article 5 of the proposal and “Access to the file” under Article 6. Both rights are essential to maintain the rules of due process. Therefore, we would like to propose to consider enshrining the procedures carried out by the EDPB itself directly in the EDPB’s Rules of Procedure (this applies, for example, to paragraph 108) as it could help to increase legal certainty of concerned subjects. Only the rules concerning the preparatory activities of LSA or CSA on a national level could then be addressed by these guidelines. With incorporating of these issues in the Rules of Procedure, specific procedural practices could also be clarified, as some of the rules set out in Articles 5 and 6 of the proposal still appear to be somewhat general and could be complemented by more specific requirements for deadlines and procedure (see e.g. paragraph 104 or paragraph 108).

In this context, it could be appropriate to consider whether some of the wording used in the context of the above mentioned rights should  be more unambiguous so as to better guarantee the rights of the concerned subjects (e.g. the wording “is expected” in paragraph 106, “may” in point 108, etc.). 

Given the unifying role of the EDPB’s decision-making under Article 65, we further recommend considering whether the EDPB should explicitly allow the submission of amicus curiae opinions (without being obliged to take them into account or deal with them in its decision). We believe that especially in the first years of the application of the GDPR and Article 65, such an opportunity for the professional public to express their opinion could be beneficial for the decision-making of the EDPB. We believe that Article 11 (2) of the Rules of Procedure allows such a procedure.

We are grateful for the opportunity to provide our comments on the draft Guidelines and hope that our comments might contribute to bringing practical feedback on a draft document we find in general very useful.  

JUDr. Vladan Rámiš, Ph.D.         Mgr. František Nonnemann        Mgr. Alice Selby, LLM, Ph.D, CIPP/E

Chairman of the Committee       Member of the Committee           Member of the Committee


[1] Perhaps except for the guidelines under Article 70 (1) (e), which, in our view, however, are aimed primarily at other cases.

Recent news

Online threats in the context of GDPR

Online threats in the context of GDPR

In the modern way of communicating and doing business, an increasing number of individuals encounter various hacker attempts of online fraud. From the first naive messages full of grammar and spelling mistakes from some princes and princesses from exotic geographical locations, who see in you the right person through whom they can transfer their multi-million dollar inheritance, today’s hacking attempts have become sophisticated in every possible way and spread in almost all areas.

read more
Cities trapped by GDPR

Cities trapped by GDPR

Cities and municipalities in the Czech Republic have approached the obligations arising from the right to the protection of personal data differently. If we look away from those who have only formally secured DPOs position and rely on the absence of fines, we come to a smaller group of those with an honest approach and a genuine effort to secure a range of responsibilities. But they often fail in many situations.

read more
Starting up: The DAME 2022 Data Protection Media Award

Starting up: The DAME 2022 Data Protection Media Award

The competition initiated by the Professional Association of Data Protection Officers in Germany (BvD) is entering its sixth round. Media professionals and creative minds can submit their contributions on the topic of data privacy from now until December 5.

read more