Article 62 GDPR: Difference between revisions

From GDPRhub
m (Undo revision 17761 by GB (talk))
Tag: Undo
Line 202: Line 202:


== Relevant Recitals==
== Relevant Recitals==
{{Recital/126 GDPR}}{{Recital/134 GDPR}}
{{Recital/126 GDPR}}
{{Recital/134 GDPR}}


== Commentary ==
== Commentary ==

Revision as of 16:25, 4 August 2021

Article 60 - Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 62 - Joint operations of supervisory authorities


1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2. Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.

3. A supervisory authority may, in accordance with Member State law, and with the seconding supervisory authority's authorisation, confer powers, including investigative powers on the seconding supervisory authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the Member State law of the host supervisory authority.

4. Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability, for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.

6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

7. Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an opinion or an urgent binding decision from the Board pursuant to Article 66(2).

Relevant Recitals

Recital 126: Joint Decision and Enforcement
The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.

Recital 134: Joint Operations
Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified time period.

Commentary

In terms of European law, joint operations are not a new phenomenon. Forms of horizontal and vertical cooperation are, in fact, already provided for in other fields of EU law. Joint operatations have intensified, for example, in the area of ​​police cooperation for the cross-border fight against terrorism and crime through the so-called Prüm Decision. [Article 17 of the Prüm Decision, which Article 62 GDPR has been partly modelled, regulates common forms of cooperation (e.g. joint patrols with police officers from different Member States, control, evaluation or observation groups) and allows foreign officials to exercise sovereign powers in the hosting State under certain conditions.]

The main objective of joint operations is, of course, the joint fulfilment of tasks. However, they also increase transparency, develop mutual trust between the authorities as well as common enforcement standards. Ultimately, they substantially contribute to the coherent enforcement of the GDPR (and any other substantive Union law they are foreseen for).[1]

(1) Definition of joint operations

Paragraph 1 of Article 62 provides a general framework for joint operations initiated independently by the authorities involved. In fact, authorities can engage in joint operations “where appropriate”.

In general, joint operations include all the investigative activities within the meaning of Article 58(1) as well as joint enforcement measures resulting from the exercise of the powers conferred by the GDPR. Joint investigations and enforcement are to be intended as mere but nonetheless most essential examples. It follows that other forms of cooperation are possible where needed to perform the tasks of the authorities.

The broad term of investigation also includes on-site inspections, in which the authorities involved refer to the right of access to the business premises, including all data processing systems and equipment of the controller or the processor under the procedural law of the Union.[2] The expression ‘where appropriate’ seems to give the authorities a general power to initiate joint operations whenever necessary.[3]

(2) Cases where joint operations are mandatory

The framework of voluntary cooperation provided for in paragraph 1 is partly supplemented by paragraph 2, which contains several hypotheses in which joint operations become mandatory.[4]

In particular, the supervisory authority that is competent under Article 56(1) or (4) shall invite the supervisory authority of the affected Member States to participate in the joint operations and shall respond without delay to the request of a supervisory authority to participate. The obligation to invite (or accept the request of participation) is triggered if either one of the following conditions is met: (i) the controller or processor has establishments in several Member States or (ii) a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations.

In such cases, the lead authority will invite (or will accept the request of participation of) the authorities of the Member States where the controller or processor has an establishment or in which a significant number of data subjects are substantially affected by the processing.

Right to participate and its limits

According to Article 62(2), “a supervisory authority of each of those Member States shall have the right to participate in joint operations”. This right, however, is not absolute. According to the prevailing interpretation, participation may be refused if it is (i) disproportionate, (ii) not justified by minimum standards of seriousness or (iii) may have adverse effects on the interests of the hosting State within the meaning of Article 346(1) TFEU.[5]

(3) Types of investigations

Paragraph 3 foresees two main forms of joint operations.

Conferring national powers to a foreign authority

If the law of the Member State which is hosting the operations provides so, the host supervisory authority may confer powers, including investigative powers, to the visiting DPA. In this case, the visiting authority must accept to exercise these powers.

Authorizing a foreign authority to use its own national powers

In so far as the law of the Member State of the host supervisory authority permits, a supervisory authority may allow the seconding supervisory authority’s members or staff to exercise their investigative powers under the law of their won Member State. Since the investigative powers of the supervisory authorities are largely harmonized by Article 58(1), this second type of joint operations only makes sense if the law of the sending State - based on Article 58(6) - contains other or more extensive investigative powers than that law of the host country.

Preservation of national sovereignty

No matter which type of joint operation is adopted, investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. In this respect, the seconding supervisory authority’s members or staff shall be subject to the Member State law of the host supervisory authority.[6]

(4) Responsibility

Under paragraph 4, when the staff of other DPAs are involved, the host DPA assumes responsibility for their actions, including liability for damages caused by them, under its national law. This provision, however, is considerably ambiguous. In defining liability for damages, it refers to paragraph 1 ('in accordance with paragraph 1'), which, as mentioned above, governs cases of voluntary joint operations. It would therefore seem to exclude from the liability rules cases of compulsory joint operations under paragraph 2, which are reasonably more frequent. According to the wording of the provision, it would thus appear that in the latter case, liability does not fall upon the host Member State.

(5) Damages and redress

Paragraph 5 stipulates that in the event that the conduct of the hosted DPA causes damage to the controller or processor, the host Member State shall be liable for such damage under the same conditions as apply to damage caused by its own staff. In such a case, the host Member State shall have a right of redress against the State of the seconding authority. According to Article 259 TFEU, legal disputes between Member States regarding this compensation can be decided by the ECJ after obtaining an opinion from the Commission.[7]

(6) Exception

Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

(7) Presumption of urgency if the need of joint operations is unduly ignored

According to Paragraph 7, if the LSA does not invite the supervisory authority to take part in the joint operations or does not respond promptly to the request of participation, the other supervisory authorities may adopt a provisional measure on the territory of their Member State following Article 55. In these cases, the consequences seem to be two, both of them derogatory to the standard procedure set forth by Article 66. First, the DPA does not have to prove the urgency required by Article 66(1) for “normal” urgency cases (in fact, the urgency “shall be presumed”). Second, the provisional measure will be subject to an “urgent binding decision from the Board”. This second consequence is also exceptional because, as opposed to Article 66(2), under which the DPA may request either a binding or non-binding decision from the EDPB, in this case, there is no choice: there will be an assessment by the EDPB the outcome of which will be binding.

Decisions

→ You can find all related decisions in Category:Article 62 GDPR

References

  1. Peuker, in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 7 (Beck 2018, 2nd ed.
  2. Peuker, in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 11 (Beck 2018, 2nd ed.) (accessed 23 July 2021)
  3. Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 62, Wolters Kluwer 2018
  4. This is a novelty in European administrative cooperation law as Peuker reports in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 13 (Beck 2018, 2nd ed.) (accessed 23 July 2021)
  5. Peuker, in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 19-20 (Beck 2018, 2nd ed.) (accessed 23 July 2021)
  6. Dix, in Kühling, Buchner, GDPR BDSG, Art. 61, Marginal number 12, 3rd edition 2020
  7. Klabunde, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 62 GDPR, margin number 27 (Beck 2018, 2nd ed.) (accessed 4.8.2021)