Article 62 GDPR

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

← Article 62 - Joint operations of supervisory authorities →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 62 - Joint operations of supervisory authorities

1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2. Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.

3. A supervisory authority may, in accordance with Member State law, and with the seconding supervisory authority's authorisation, confer powers, including investigative powers on the seconding supervisory authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the Member State law of the host supervisory authority.

4. Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability, for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.

6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

7. Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an opinion or an urgent binding decision from the Board pursuant to Article 66(2).

Relevant Recitals

Recital 126: Joint Decision and Enforcement

The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.

Recital 134: Joint Operations

Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified time period.

Commentary

In terms of EU law, joint operations are not a new phenomenon. Forms of horizontal and vertical cooperation are, in fact, already provided for in other fields of EU law. Joint operations have intensified, for example, around police cooperation for the cross-border fight against terrorism and crime through the so-called 'Prüm Decision'. Article 17 of the Prüm Decision, on which Article 62 GDPR has been partly modelled, regulates common forms of cooperation (e.g. joint patrols with police officers from different Member States, and control, evaluation or observation groups) and allows foreign officials to exercise sovereign powers in the hosting State under certain conditions. The main objective of joint operations is, of course, the joint fulfilment of tasks. However, they also increase transparency, develop mutual trust between the authorities as well as common enforcement standards. Ultimately, they substantially contribute to the coherent enforcement of the GDPR (and any other substantive Union law they are foreseen for).^[1]

(1) The power to conduct joint operations

Article 62(1) GDPR provides the legal basis for SAs to conduct joint operations. Joint operations include all the investigative activities within the meaning of Article 58(1) GDPR as well as joint enforcement measures resulting from the exercise of the powers conferred by the GDPR. The broad term "investigation" includes on-site inspections, access to the controller or processor's business premises, including access to all data processing systems and equipment as appropriate under the applicable national procedural law.^[2] The expression "where appropriate" gives the supervisory authorities (“SA”) a general power to initiate joint operations whenever necessary.^[3]

(2) Right to participate in joint operations and the obligation to invite other supervisory authorities

The framework of voluntary cooperation provided for in Article 62(1) GDPR is partly supplemented by Article 62(2) GDPR, which contains several cases in which joint operations become mandatory.^[4] In particular, the SA that is competent under Article 56(1) or (4) GDPR shall invite the SAs of the affected Member States to participate in the joint operations and shall respond without delay to the request of a SA to participate. The obligation to invite (or accept the request of participation) is triggered if either one of the following conditions is met: (i) the controller or processor has establishments in several Member States or (ii) a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations. In such cases, the lead SA will invite (or will accept the request of participation of) the SAs of the Member States where the controller or processor has an establishment or in which a significant number of data subjects are substantially affected by the processing.

Right to participate and its limits

According to Article 62(2) GDPR, “a supervisory authority of each of those Member States shall have the right to participate in joint operations”. This right, however, is not absolute. According to the prevailing interpretation, participation may be refused if it is (i) disproportionate, (ii) not justified by minimum standards of seriousness or (iii) may have adverse effects on the interests of the hosting State within the meaning of Article 346(1) TFEU.^[5]

(3) Exercising and conferring of powers

Article 62(3) GDPR foresees two main forms of joint operations: (i) conferring national powers to a foreign SA; and (ii) authorising a foreign SA to use its own national powers.

Conferring national powers to a foreign supervisory authority (SA)

If the law of the Member State which is hosting the operations provides so, the host SA may confer powers, including investigative powers, to the visiting SA. In this case, the visiting SA must accept to exercise these powers.

Authorising a foreign supervisory authority (SA) to use its national powers

Insofar as the law of the Member State of the host SA permits, a SA may allow the seconding SA’s members or staff to exercise their investigative powers under the law of their own Member State. Since the investigative powers of the SAs are largely harmonized by Article 58(1) GDPR, this second type of joint operations only makes sense if the law of the sending State – based on Article 58(6) GDPR – contains other or more extensive investigative powers than that law of the host country.

Preservation of national sovereignty

No matter which type of joint operation is adopted, investigative powers may be exercised only under the guidance and in the presence of members or staff of the host SA. In this respect, the seconding SA’s members or staff shall be subject to the Member State law of the host SA.^[6]

(4) Responsibility and liability

Under Article 62(4) GDPR, when the staff of other SAs are involved, the host SA assumes responsibility for their actions, including liability for damages caused by them, under its national law. This provision, however, is considerably ambiguous. In defining liability for damages, it refers to Article 62(1) GDPR (“in accordance with paragraph 1”), which, as mentioned above, governs cases of voluntary joint operations. It would therefore seem to exclude cases of compulsory joint operations under Article 62(2) GDPR, which are reasonably more frequent, from the liability rules. According to the wording of the provision, it would thus appear that in the latter case, liability does not fall upon the host Member State.

(5) Damages and redress

Article 62(5) GDPR stipulates that in the event that the conduct of the seconding SA causes damage to the controller or processor, the host Member State shall be liable for such damage under the same conditions as apply to damage caused by its own staff. In such a case, the host Member State shall have a right of redress against the State of the seconding SA. According to Article 259 TFEU, legal disputes between Member States regarding this compensation can be decided by the CJEU after obtaining an opinion from the Commission.^[7]

(6) Refrain from requesting reimbursement of damages in other cases

Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of Article 62(5) GDPR, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in Article 62(4) GDPR.

(7) Provisional measures and urgency procedure

According to Article 62(7) GDPR, if the lead SA does not invite the SA to take part in the joint operations or does not respond promptly to the request of participation, the other SAs may adopt a provisional measure on the territory of their Member State following Article 55 GDPR. In these cases, the consequences seem to be twofold, both of them derogatory to the standard procedure set forth by Article 66 GDPR. First, the SA does not have to prove the urgency required by Article 66(1) GDPR for “normal” urgency cases (in fact, the urgency “shall be presumed”). Second, the provisional measure will be subject to an “urgent binding decision from the Board”. This second consequence is also exceptional because, as opposed to Article 66(2) GDPR, under which the SA may request either a binding or non-binding decision from the EDPB, in this case, there is no choice: there will be an assessment by the EDPB the outcome of which will be binding.

Decisions

→ You can find all related decisions in Category:Article 62 GDPR

References

↑ Peuker in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 7 (Beck 2018, 2nd edition).
↑ Peuker in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 11 (Beck 2018, 2nd edition).
↑ Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 62 GDPR (Wolters Kluwer 2018).
↑ This is a novelty in European administrative cooperation law as Peuker reports in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 13 (Beck 2018, 2nd edition).
↑ Peuker, in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin numbers 19-20 (Beck 2018, 2nd edition).
↑ Dix, in Kühling, Buchner, DS-GVO BDSG, Article 61 GDPR, margin number 12 (Beck 2020, 3rd edition).
↑ Klabunde, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 62 GDPR, margin number 27 (Beck 2018, 2nd edition).

[1] Peuker in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 7 (Beck 2018, 2nd edition).

[2] Peuker in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 11 (Beck 2018, 2nd edition).

[3] Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 62 GDPR (Wolters Kluwer 2018).

[4] This is a novelty in European administrative cooperation law as Peuker reports in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin number 13 (Beck 2018, 2nd edition).

[5] Peuker, in Sydow, Europäische Datenschutzgrundverordnung, Article 62 GDPR, margin numbers 19-20 (Beck 2018, 2nd edition).

[6] Dix, in Kühling, Buchner, DS-GVO BDSG, Article 61 GDPR, margin number 12 (Beck 2020, 3rd edition).

[7] Klabunde, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 62 GDPR, margin number 27 (Beck 2018, 2nd edition).

[1]

[2]

[3]

[4]

[5]

[6]

[7]