Article 62 GDPR
Legal Text
1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.
2. Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.
3. A supervisory authority may, in accordance with Member State law, and with the seconding supervisory authority's authorisation, confer powers, including investigative powers on the seconding supervisory authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the Member State law of the host supervisory authority.
4. Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability, for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.
5. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.
6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.
7. Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an opinion or an urgent binding decision from the Board pursuant to Article 66(2).
Relevant Recitals
Commentary
In terms of EU law, joint operations are not a new phenomenon. Forms of horizontal and vertical cooperation are, in fact, already provided for in other fields of EU law. Joint operations have intensified, for example, around police cooperation for the cross-border fight against terrorism and crime through the so-called 'Prüm Decision'. Article 17 of the Prüm Decision, on which Article 62 GDPR has been partly modelled, regulates common forms of cooperation (e.g. joint patrols with police officers from different Member States, and control, evaluation or observation groups) and allows foreign officials to exercise sovereign powers in the hosting State under certain conditions. The main objective of joint operations is, of course, the joint fulfilment of tasks. However, they also increase transparency, develop mutual trust between the authorities as well as common enforcement standards. Ultimately, they substantially contribute to the coherent enforcement of the GDPR (and any other substantive Union law they are foreseen for).[1]
(1) Definition of joint operations
Joint operations include all the investigative activities within the meaning of Article 58(1) GDPR as well as joint enforcement measures resulting from the exercise of the powers conferred by the GDPR. The broad term "investigation" includes on-site inspections, access to the controller or processor's business premises, including access to all data processing systems and equipment as appropriate under the applicable national procedural law.[2] The expression "where appropriate" seems to give the supervisory authorities (“SA”) a general power to initiate joint operations whenever necessary.[3]
(2) Cases where joint operations are mandatory
The framework of voluntary cooperation provided for in Article 62(1) GDPR is partly supplemented by Article 62(2) GDPR, which contains several cases in which joint operations become mandatory.[4] In particular, the SA that is competent under Article 56(1) or (4) GDPR shall invite the SAs of the affected Member States to participate in the joint operations and shall respond without delay to the request of a SA to participate. The obligation to invite (or accept the request of participation) is triggered if either one of the following conditions is met: (i) the controller or processor has establishments in several Member States or (ii) a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations. In such cases, the lead SA will invite (or will accept the request of participation of) the SAs of the Member States where the controller or processor has an establishment or in which a significant number of data subjects are substantially affected by the processing.
Right to participate and its limits
According to Article 62(2) GDPR, “a supervisory authority of each of those Member States shall have the right to participate in joint operations”. This right, however, is not absolute. According to the prevailing interpretation, participation may be refused if it is (i) disproportionate, (ii) not justified by minimum standards of seriousness or (iii) may have adverse effects on the interests of the hosting State within the meaning of Article 346(1) TFEU.[5]
(3) Types of investigations
Article 62(3) GDPR foresees two main forms of joint operations: (i) conferring national powers to a foreign SA; and (ii) authorising a foreign SA to use its own national powers.
Conferring national powers to a foreign supervisory authority (SA)
If the law of the Member State which is hosting the operations provides so, the host SA may confer powers, including investigative powers, to the visiting SA. In this case, the visiting SA must accept to exercise these powers.
Authorising a foreign supervisory authority (SA) to use its Oon national powers
Insofar as the law of the Member State of the host SA permits, a SA may allow the seconding SA’s members or staff to exercise their investigative powers under the law of their own Member State. Since the investigative powers of the SAs are largely harmonized by Article 58(1) GDPR, this second type of joint operations only makes sense if the law of the sending State – based on Article 58(6) GDPR – contains other or more extensive investigative powers than that law of the host country.
Preservation of national sovereignty
No matter which type of joint operation is adopted, investigative powers may be exercised only under the guidance and in the presence of members or staff of the host SA. In this respect, the seconding SA’s members or staff shall be subject to the Member State law of the host SA.[6]
(4) Responsibility
Under Article 62(4) GDPR, when the staff of other SAs are involved, the host SA assumes responsibility for their actions, including liability for damages caused by them, under its national law. This provision, however, is considerably ambiguous. In defining liability for damages, it refers to Article 62(1) GDPR (“in accordance with paragraph 1”), which, as mentioned above, governs cases of voluntary joint operations. It would therefore seem to exclude cases of compulsory joint operations under Article 62(2) GDPR, which are reasonably more frequent, from the liability rules. According to the wording of the provision, it would thus appear that in the latter case, liability does not fall upon the host Member State.
(5) Damages and redress
Article 62(5) GDPR stipulates that in the event that the conduct of the seconding SA causes damage to the controller or processor, the host Member State shall be liable for such damage under the same conditions as apply to damage caused by its own staff. In such a case, the host Member State shall have a right of redress against the State of the seconding SA. According to Article 259 TFEU, legal disputes between Member States regarding this compensation can be decided by the CJEU after obtaining an opinion from the Commission.[7]
(6) Exception
Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of Article 62(5) GDPR, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in Article 62(4) GDPR.
(7) Presumption of urgency if the need of joint operations is unduly ignored
According to Article 62(7) GDPR, if the lead SA does not invite the SA to take part in the joint operations or does not respond promptly to the request of participation, the other SAs may adopt a provisional measure on the territory of their Member State following Article 55 GDPR. In these cases, the consequences seem to be twofold, both of them derogatory to the standard procedure set forth by Article 66 GDPR. First, the SA does not have to prove the urgency required by Article 66(1) GDPR for “normal” urgency cases (in fact, the urgency “shall be presumed”). Second, the provisional measure will be subject to an “urgent binding decision from the Board”. This second consequence is also exceptional because, as opposed to Article 66(2) GDPR, under which the SA may request either a binding or non-binding decision from the EDPB, in this case, there is no choice: there will be an assessment by the EDPB the outcome of which will be binding.
Decisions
→ You can find all related decisions in Category:Article 62 GDPR
References
- ↑ Peuker in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 7 (Beck 2018, 2nd edition).
- ↑ Peuker in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 11 (Beck 2018, 2nd edition).
- ↑ Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 62 GDPR (Wolters Kluwer 2018).
- ↑ This is a novelty in European administrative cooperation law as Peuker reports in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 13 (Beck 2018, 2nd edition).
- ↑ Peuker, in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin numbers 19-20 (Beck 2018, 2nd edition).
- ↑ Dix, in Kühling, Buchner, DS-GVO BDSG, Article 61 GDPR, margin number 12 (Beck 2020, 3rd edition).
- ↑ Klabunde, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 62 GDPR, margin number 27 (Beck 2018, 2nd edition).