Article 62 GDPR: Difference between revisions

From GDPRhub
 
(9 intermediate revisions by 4 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 62 - Joint operations of supervisory authorities'''</center><br />
<center>'''Article 62 - Joint operations of supervisory authorities'''</center>


<span id="1">1.  The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.</span>
<span id="1">1.  The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.</span>
Line 207: Line 207:
== Commentary ==
== Commentary ==


In terms of EU law, joint operations are not a new phenomenon. Forms of horizontal and vertical cooperation are, in fact, already provided for in other fields of EU law. Joint operations have intensified, for example, in the area of ​​police cooperation for the cross-border fight against terrorism and crime through the so-called 'Prüm Decision'. Article 17 of the Prüm Decision, on which Article 62 GDPR has been partly modelled, regulates common forms of cooperation (e.g. joint patrols with police officers from different Member States, and control, evaluation or observation groups) and allows foreign officials to exercise sovereign powers in the hosting State under certain conditions.
In terms of EU law, joint operations are not a new phenomenon. Forms of horizontal and vertical cooperation are, in fact, already provided for in other fields of EU law. Joint operations have intensified, for example, around ​​police cooperation for the cross-border fight against terrorism and crime through the so-called 'Prüm Decision'. Article 17 of the Prüm Decision, on which Article 62 GDPR has been partly modelled, regulates common forms of cooperation (e.g. joint patrols with police officers from different Member States, and control, evaluation or observation groups) and allows foreign officials to exercise sovereign powers in the hosting State under certain conditions. The main objective of joint operations is, of course, the joint fulfilment of tasks. However, they also increase transparency, develop mutual trust between the authorities as well as common enforcement standards. Ultimately, they substantially contribute to the coherent enforcement of the GDPR (and any other substantive Union law they are foreseen for).<ref>''Peuker'' in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 7 (Beck 2018, 2nd edition).</ref>
=== (1) The power to conduct joint operations ===
Article 62(1) GDPR provides the legal basis for SAs to conduct joint operations. Joint operations include all the investigative activities within the meaning of [[Article 58 GDPR|Article 58(1) GDPR]] as well as joint enforcement measures resulting from the exercise of the powers conferred by the GDPR. The broad term "''investigation''" includes on-site inspections, access to the controller or processor's business premises, including access to all data processing systems and equipment as appropriate under the applicable national procedural law.<ref>''Peuker'' in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 11 (Beck 2018, 2nd edition).</ref> The expression "''where appropriate''" gives the supervisory authorities (“''SA''”) a general power to initiate joint operations whenever necessary.<ref>Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref>


The main objective of joint operations is, of course, the joint fulfilment of tasks. However, they also increase transparency, develop mutual trust between the authorities as well as common enforcement standards. Ultimately, they substantially contribute to the coherent enforcement of the GDPR (and any other substantive Union law they are foreseen for).<ref>''Peuker'', in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 7 (Beck 2018, 2nd ed.</ref>  
=== (2) Right to participate in joint operations and the obligation to invite other supervisory authorities ===
The framework of voluntary cooperation provided for in Article 62(1) GDPR is partly supplemented by Article 62(2) GDPR, which contains several cases in which joint operations become mandatory.<ref>This is a novelty in European administrative cooperation law as ''Peuker'' reports in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 13 (Beck 2018, 2nd edition).</ref> In particular, the SA that is competent under Article 56(1) or (4) GDPR shall invite the SAs of the affected Member States to participate in the joint operations and shall respond without delay to the request of a SA to participate. The obligation to invite (or accept the request of participation) is triggered if either one of the following conditions is met: (i) the controller or processor has establishments in several Member States or (ii) a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations. In such cases, the lead SA will invite (or will accept the request of participation of) the SAs of the Member States where the controller or processor has an establishment or in which a significant number of data subjects are substantially affected by the processing.


=== (1) Definition of Joint Operations ===
==== Right to participate and its limits ====
Paragraph 1 of Article 62 provides a general framework for joint operations initiated independently by the authorities involved. In fact, authorities can engage in joint operations “where appropriate”.
According to Article 62(2) GDPR, “''a supervisory authority of each of those Member States shall have the right to participate in joint operations''”. This right, however, is not absolute. According to the prevailing interpretation, participation may be refused if it is (i) disproportionate, (ii) not justified by minimum standards of seriousness or (iii) may have adverse effects on the interests of the hosting State within the meaning of Article 346(1) TFEU.<ref>''Peuker'', in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin numbers 19-20 (Beck 2018, 2nd edition).</ref>


In general, joint operations include all the investigative activities within the meaning of Article 58(1) as well as joint enforcement measures resulting from the exercise of the powers conferred by the GDPR. Joint investigations and enforcement are to be intended as mere but nonetheless essential examples''.'' It follows that other forms of cooperation are possible where needed to perform the tasks of the authorities.
=== (3) Exercising and conferring of powers ===
Article 62(3) GDPR foresees two main forms of joint operations: (i) conferring national powers to a foreign SA; and (ii) authorising a foreign SA to use its own national powers.


The broad term "investigation" also includes on-site inspections, in which the authorities involved refer to the right of access to the business premises, including all data processing systems and equipment of the controller or the processor under the procedural law of the Union.<ref>''Peuker'', in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 11 (Beck 2018, 2nd ed.) (accessed 23 July 2021)</ref> The expression "where appropriate" seems to give the authorities a general power to initiate joint operations whenever necessary.<ref>Riccio, Scorza, Belisario, ''GDPR e normativa privacy – Commentario'', Article 62, Wolters Kluwer 2018</ref>
==== Conferring national powers to a foreign supervisory authority (SA) ====
If the law of the Member State which is hosting the operations provides so, the host SA may confer powers, including investigative powers, to the visiting SA. In this case, the visiting SA must accept to exercise these powers.


=== (2) Cases where Joint Operations are Mandatory ===
==== Authorising a foreign supervisory authority (SA) to use its national powers ====
The framework of voluntary cooperation provided for in paragraph 1 is partly supplemented by paragraph 2, which contains several hypotheses in which joint operations become mandatory.<ref>This is a novelty in European administrative cooperation law as ''Peuker'' reports in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 13 (Beck 2018, 2nd ed.) (accessed 23 July 2021)</ref>
Insofar as the law of the Member State of the host SA permits, a SA may allow the seconding SA’s members or staff to exercise their investigative powers under the law of their own Member State. Since the investigative powers of the SAs are largely harmonized by Article 58(1) GDPR, this second type of joint operations only makes sense if the law of the sending State – based on Article 58(6) GDPR – contains other or more extensive investigative powers than that law of the host country.


In particular, the supervisory authority that is competent under Article 56(1) or (4) shall '''invite''' the supervisory authority of the affected Member States to participate in the joint operations and shall '''respond''' without delay to the request of a supervisory authority to participate. The obligation to invite (or accept the request of participation) is triggered if either one of the following conditions is met: (i) the controller or processor has establishments in several Member States or (ii) a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations.
==== Preservation of national sovereignty ====
No matter which type of joint operation is adopted, investigative powers may be exercised only under the guidance and in the presence of members or staff of the host SA. In this respect, the seconding SA’s members or staff shall be subject to the Member State law of the host SA.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 61 GDPR, margin number 12 (Beck 2020, 3rd edition).</ref>


In such cases, the lead authority will invite (or will accept the request of participation of) the authorities of the Member States where the controller or processor has an establishment or in which a significant number of data subjects are substantially affected by the processing.
=== (4) Responsibility and liability ===
Under Article 62(4) GDPR, when the staff of other SAs are involved, the host SA assumes responsibility for their actions, including liability for damages caused by them, under its national law. This provision, however, is considerably ambiguous. In defining liability for damages, it refers to Article 62(1) GDPR (“''in accordance with paragraph 1''”), which, as mentioned above, governs cases of voluntary joint operations. It would therefore seem to exclude cases of compulsory joint operations under Article 62(2) GDPR, which are reasonably more frequent, from the liability rules. According to the wording of the provision, it would thus appear that in the latter case, liability does not fall upon the host Member State.


==== Right to Participate and its Limits ====
=== (5) Damages and redress ===
According to Article 62(2), “''a supervisory authority of each of those Member States shall have the right to participate in joint operations''”. This right, however, is not absolute. According to the prevailing interpretation, participation may be refused if it is (i) disproportionate, (ii) not justified by minimum standards of seriousness or (iii) may have adverse effects on the interests of the hosting State within the meaning of Article 346(1) TFEU.<ref>''Peuker'', in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 19-20 (Beck 2018, 2nd ed.) (accessed 23 July 2021)</ref>  
Article 62(5) GDPR stipulates that in the event that the conduct of the seconding SA causes damage to the controller or processor, the host Member State shall be liable for such damage under the same conditions as apply to damage caused by its own staff. In such a case, the host Member State shall have a right of redress against the State of the seconding SA. According to Article 259 TFEU, legal disputes between Member States regarding this compensation can be decided by the CJEU after obtaining an opinion from the Commission.<ref>''Klabunde'', in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 62 GDPR, margin number 27 (Beck 2018, 2nd edition).</ref>  


=== (3) Types of Investigations ===
=== (6) Refrain from requesting reimbursement of damages in other cases ===
Paragraph 3 foresees two main forms of joint operations: conferring national powers to a foreign authority; and authorising a foreign authority to use its own national powers.
Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of Article 62(5) GDPR, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in Article 62(4) GDPR.


==== Conferring National Powers to a Foreign Authority ====
=== (7) Provisional measures and urgency procedure ===
If the law of the Member State which is hosting the operations provides so, the host supervisory authority may confer powers, including investigative powers, to the visiting DPA. In this case, the visiting authority must accept to exercise these powers.
According to Article 62(7) GDPR, if the lead SA does not invite the SA to take part in the joint operations or does not respond promptly to the request of participation, the other SAs may adopt a provisional measure on the territory of their Member State following Article 55 GDPR. In these cases, the consequences seem to be twofold, both of them derogatory to the standard procedure set forth by Article 66 GDPR. First, the SA does not have to prove the urgency required by Article 66(1) GDPR for “normal” urgency cases (in fact, the urgency “''shall be presumed''”). Second, the provisional measure will be subject to an “''urgent binding decision from the Board''”. This second consequence is also exceptional because, as opposed to Article 66(2) GDPR, under which the SA may request either a binding or non-binding decision from the EDPB, in this case, there is no choice: there will be an assessment by the EDPB the outcome of which will be binding.
 
==== Authorising a Foreign Authority to Use its Own National Powers ====
In so far as the law of the Member State of the host supervisory authority permits, a supervisory authority may allow the seconding supervisory authority’s members or staff to exercise their investigative powers under the law of their own Member State. Since the investigative powers of the supervisory authorities are largely harmonized by Article 58(1), this second type of joint operations only makes sense if the law of the sending State - based on Article 58(6) - contains other or more extensive investigative powers than that law of the host country.
 
==== Preservation of National Sovereignty ====
No matter which type of joint operation is adopted, investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. In this respect, the seconding supervisory authority’s members or staff shall be subject to the Member State law of the host supervisory authority.<ref>''Dix'', in Kühling, Buchner, GDPR BDSG, Art. 61, Marginal number 12, 3rd edition 2020</ref>
 
=== (4) Responsibility ===
Under paragraph 4, when the staff of other DPAs are involved, the host DPA assumes responsibility for their actions, including liability for damages caused by them, under its national law. This provision, however, is considerably ambiguous. In defining liability for damages, it refers to paragraph 1 ('in accordance with paragraph 1'), which, as mentioned above, governs cases of voluntary joint operations. It would therefore seem to exclude from the liability rules cases of compulsory joint operations under paragraph 2, which are reasonably more frequent. According to the wording of the provision, it would thus appear that in the latter case, liability does not fall upon the host Member State.
 
=== (5) Damages and Redress ===
Paragraph 5 stipulates that in the event that the conduct of the seconding DPA causes damage to the controller or processor, the host Member State shall be liable for such damage under the same conditions as apply to damage caused by its own staff. In such a case, the host Member State shall have a right of redress against the State of the seconding authority. According to Article 259 TFEU, legal disputes between Member States regarding this compensation can be decided by the CJEU after obtaining an opinion from the Commission.<ref>''Klabunde'', in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 62 GDPR, margin number 27 (Beck 2018, 2nd ed.) (accessed 4.8.2021)</ref>
 
=== (6) Exception ===
Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.
 
=== (7) Presumption of Urgency if the Need of Joint Operations is Unduly Ignored ===
According to Paragraph 7, if the lead supervisory does not invite the supervisory authority to take part in the joint operations or does not respond promptly to the request of participation, the other supervisory authorities may adopt a provisional measure on the territory of their Member State following Article 55. In these cases, the consequences seem to be two, both of them derogatory to the standard procedure set forth by Article 66. First, the DPA does not have to prove the urgency required by Article 66(1) for “normal” urgency cases (in fact, the urgency “shall be presumed”). Second, the provisional measure will be subject to an “urgent binding decision from the Board”. This second consequence is also exceptional because, as opposed to Article 66(2), under which the DPA '''may''' request either a '''binding''' or '''non-binding''' decision from the EDPB, in this case, there is no choice: there will be an assessment by the EDPB the outcome of which will be binding.
== Decisions ==
== Decisions ==
→ You can find all related decisions in [[:Category:Article 62 GDPR]]
→ You can find all related decisions in [[:Category:Article 62 GDPR]]
Line 257: Line 246:
<references />
<references />


[[Category:Article 62 GDPR]] [[Category:GDPR]]
[[Category:Article 62 GDPR]] [[Category:GDPR Articles]]

Latest revision as of 13:46, 15 January 2024

Article 62 - Joint operations of supervisory authorities
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text

Article 62 - Joint operations of supervisory authorities

1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2. Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.

3. A supervisory authority may, in accordance with Member State law, and with the seconding supervisory authority's authorisation, confer powers, including investigative powers on the seconding supervisory authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the Member State law of the host supervisory authority.

4. Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability, for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.

6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

7. Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an opinion or an urgent binding decision from the Board pursuant to Article 66(2).

Relevant Recitals

Recital 126: Joint Decision and Enforcement
The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.

Recital 134: Joint Operations
Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified time period.

Commentary

In terms of EU law, joint operations are not a new phenomenon. Forms of horizontal and vertical cooperation are, in fact, already provided for in other fields of EU law. Joint operations have intensified, for example, around ​​police cooperation for the cross-border fight against terrorism and crime through the so-called 'Prüm Decision'. Article 17 of the Prüm Decision, on which Article 62 GDPR has been partly modelled, regulates common forms of cooperation (e.g. joint patrols with police officers from different Member States, and control, evaluation or observation groups) and allows foreign officials to exercise sovereign powers in the hosting State under certain conditions. The main objective of joint operations is, of course, the joint fulfilment of tasks. However, they also increase transparency, develop mutual trust between the authorities as well as common enforcement standards. Ultimately, they substantially contribute to the coherent enforcement of the GDPR (and any other substantive Union law they are foreseen for).[1]

(1) The power to conduct joint operations

Article 62(1) GDPR provides the legal basis for SAs to conduct joint operations. Joint operations include all the investigative activities within the meaning of Article 58(1) GDPR as well as joint enforcement measures resulting from the exercise of the powers conferred by the GDPR. The broad term "investigation" includes on-site inspections, access to the controller or processor's business premises, including access to all data processing systems and equipment as appropriate under the applicable national procedural law.[2] The expression "where appropriate" gives the supervisory authorities (“SA”) a general power to initiate joint operations whenever necessary.[3]

(2) Right to participate in joint operations and the obligation to invite other supervisory authorities

The framework of voluntary cooperation provided for in Article 62(1) GDPR is partly supplemented by Article 62(2) GDPR, which contains several cases in which joint operations become mandatory.[4] In particular, the SA that is competent under Article 56(1) or (4) GDPR shall invite the SAs of the affected Member States to participate in the joint operations and shall respond without delay to the request of a SA to participate. The obligation to invite (or accept the request of participation) is triggered if either one of the following conditions is met: (i) the controller or processor has establishments in several Member States or (ii) a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations. In such cases, the lead SA will invite (or will accept the request of participation of) the SAs of the Member States where the controller or processor has an establishment or in which a significant number of data subjects are substantially affected by the processing.

Right to participate and its limits

According to Article 62(2) GDPR, “a supervisory authority of each of those Member States shall have the right to participate in joint operations”. This right, however, is not absolute. According to the prevailing interpretation, participation may be refused if it is (i) disproportionate, (ii) not justified by minimum standards of seriousness or (iii) may have adverse effects on the interests of the hosting State within the meaning of Article 346(1) TFEU.[5]

(3) Exercising and conferring of powers

Article 62(3) GDPR foresees two main forms of joint operations: (i) conferring national powers to a foreign SA; and (ii) authorising a foreign SA to use its own national powers.

Conferring national powers to a foreign supervisory authority (SA)

If the law of the Member State which is hosting the operations provides so, the host SA may confer powers, including investigative powers, to the visiting SA. In this case, the visiting SA must accept to exercise these powers.

Authorising a foreign supervisory authority (SA) to use its national powers

Insofar as the law of the Member State of the host SA permits, a SA may allow the seconding SA’s members or staff to exercise their investigative powers under the law of their own Member State. Since the investigative powers of the SAs are largely harmonized by Article 58(1) GDPR, this second type of joint operations only makes sense if the law of the sending State – based on Article 58(6) GDPR – contains other or more extensive investigative powers than that law of the host country.

Preservation of national sovereignty

No matter which type of joint operation is adopted, investigative powers may be exercised only under the guidance and in the presence of members or staff of the host SA. In this respect, the seconding SA’s members or staff shall be subject to the Member State law of the host SA.[6]

(4) Responsibility and liability

Under Article 62(4) GDPR, when the staff of other SAs are involved, the host SA assumes responsibility for their actions, including liability for damages caused by them, under its national law. This provision, however, is considerably ambiguous. In defining liability for damages, it refers to Article 62(1) GDPR (“in accordance with paragraph 1”), which, as mentioned above, governs cases of voluntary joint operations. It would therefore seem to exclude cases of compulsory joint operations under Article 62(2) GDPR, which are reasonably more frequent, from the liability rules. According to the wording of the provision, it would thus appear that in the latter case, liability does not fall upon the host Member State.

(5) Damages and redress

Article 62(5) GDPR stipulates that in the event that the conduct of the seconding SA causes damage to the controller or processor, the host Member State shall be liable for such damage under the same conditions as apply to damage caused by its own staff. In such a case, the host Member State shall have a right of redress against the State of the seconding SA. According to Article 259 TFEU, legal disputes between Member States regarding this compensation can be decided by the CJEU after obtaining an opinion from the Commission.[7]

(6) Refrain from requesting reimbursement of damages in other cases

Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of Article 62(5) GDPR, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in Article 62(4) GDPR.

(7) Provisional measures and urgency procedure

According to Article 62(7) GDPR, if the lead SA does not invite the SA to take part in the joint operations or does not respond promptly to the request of participation, the other SAs may adopt a provisional measure on the territory of their Member State following Article 55 GDPR. In these cases, the consequences seem to be twofold, both of them derogatory to the standard procedure set forth by Article 66 GDPR. First, the SA does not have to prove the urgency required by Article 66(1) GDPR for “normal” urgency cases (in fact, the urgency “shall be presumed”). Second, the provisional measure will be subject to an “urgent binding decision from the Board”. This second consequence is also exceptional because, as opposed to Article 66(2) GDPR, under which the SA may request either a binding or non-binding decision from the EDPB, in this case, there is no choice: there will be an assessment by the EDPB the outcome of which will be binding.

Decisions

→ You can find all related decisions in Category:Article 62 GDPR

References

  1. Peuker in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 7 (Beck 2018, 2nd edition).
  2. Peuker in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 11 (Beck 2018, 2nd edition).
  3. Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 62 GDPR (Wolters Kluwer 2018).
  4. This is a novelty in European administrative cooperation law as Peuker reports in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 13 (Beck 2018, 2nd edition).
  5. Peuker, in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin numbers 19-20 (Beck 2018, 2nd edition).
  6. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 61 GDPR, margin number 12 (Beck 2020, 3rd edition).
  7. Klabunde, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 62 GDPR, margin number 27 (Beck 2018, 2nd edition).