menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Turkey) language
Contact our local member in Turkey mail_outline
Visit the website of CBL Law office account_balance

arrow_backPrevious Article
Article 62
Next Articlearrow_forward

Joint operations of supervisory authorities

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 62 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 62 keyboard_arrow_up

Key words related to article 62

Show the recitals of the Regulation related to article 62 keyboard_arrow_down Hide the recitals of the Regulation related to article 62 keyboard_arrow_up

(134) Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified time period.

There is no recital in the Directive related to article 62.

The GDPR

Article 56 organizes the joint operations of various natures between national authorities, such as joint investigations or joint repressive measures. A supervisory authority of each of those Member States shall have the right to participate in joint operations where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State and are likely to be substantially affected by processing operations.

The competent supervisory authority pursuant to Article 56 (1) or (2) shall invite the supervisory authority of each relevant Member States to take part in the joint operations and shall respond without delay to the request of participation by a supervisory authority.

Paragraph 3 also addresses the possible conferral of powers: a supervisory authority may entrust powers on the seconding supervisory authority's members or staff involved in joint operations or allow the seconding supervisory authority's members or staff of the Member State of origin to exercise their investigative powers. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority (Art. 62 (3).

Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability, for any damage caused by them during their operations (paragraph 4) and the Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full (paragraph 5). However, in the case of joint operations, without prejudice to the exercise of its rights vis-à-vis third parties, each Member State shall refrain from requesting reimbursement from another Member State in relation to damage suffered (paragraph 6).

In other words, the host country is always required to compensate the third party damage as a result of a joint operation, be they their own staff or staff of the supervisory authority of another Member State without prejudice to its rights against third parties. The Member State whose staff have caused damage as part of a joint operation, shall reimburse the host Member State for any amounts that the latter had to pay to third parties.

Where a joint operation is intended and a supervisory authority does not, within one month, comply with its obligation laid down in paragraph 2, the other supervisory authorities may adopt a provisional measure in the territory of the Member State (paragraph 7). In that case, the urgent need to act under Article 66 shall be presumed met and require an urgent binding decision from the European Data Protection Board pursuant to Article 66 (2).

The Directive

Pursuant to Article 28 (6) of the Directive, each authority may be requested to exercise its powers by an authority of another Member State. However, the implementation of joint operations by several control authorities was not covered by the Directive.

Potential issues

We do not see  a priori  any specific implementation difficulties.

arrow_back Previous ArticleArticle 62Next Article arrow_forward
arrow_back Previous ArticleArticle 62 Next Article arrow_forward
arrow_back Previous Article Article 62 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-230/14 (1 october 2015) - Weltimmo

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general 

Judgment of the Court

C-645/19 (15 June 2021) - Facebook Ireland Ltd e.a. c. Gegevensbeschermingsautoriteit

1) Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to transpose Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of cross‑border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that that power is exercised in one of the situations where Regulation 2016/679 confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation and that the cooperation and consistency procedures laid down by that regulation are respected.

2) Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross-border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings, within the meaning of that provision, that the controller or processor with respect to the cross-border processing of personal data against whom such proceedings are brought has a main establishment or another establishment on the territory of that Member State.

3) Article 58(5) of Regulation 2016/679 must be interpreted as meaning that the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, within the meaning of that provision, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power, in accordance with the terms of the answer to the first question referred.

4) Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, has brought a legal action, the object of which is an instance of cross-border processing of personal data, before 25 May 2018, that is, before the date when that regulation became applicable, that action may, from the perspective of EU law, be continued on the basis of the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. That action may, in addition, be brought by that authority with respect to infringements committed after that date, on the basis of Article 58(5) of Regulation 2016/679, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on a supervisory authority of a Member State which is not the ‘lead supervisory authority’ a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to the protection of the rights of natural persons as regards the processing of personal data, and that the cooperation and consistency procedures laid down by that regulation are respected, which it is for the referring court to determine.

5) Article 58(5) of Regulation 2016/679 must be interpreted as meaning that that provision has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned.

Opinion of Advocate General

Judgment of the Court

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 62 Next Article arrow_forward
Regulation
1e 2e

Art. 62

1.   The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2.   Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.

3.   A supervisory authority may, in accordance with Member State law, and with the seconding supervisory authority's authorisation, confer powers, including investigative powers on the seconding supervisory authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the Member State law of the host supervisory authority.

4.   Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability, for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5.   The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.

6.   Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

7.   Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an opinion or an urgent binding decision from the Board pursuant to Article 66(2).
1st proposal close

Art. 56

1.           In order to step up co-operation and mutual assistance, the supervisory authorities shall carry out joint investigative tasks, joint enforcement measures and other joint operations, in which designated members or staff from other Member States' supervisory authorities are involved.

2.           In cases where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority shall invite the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations and respond to the request of a supervisory authority to participate in the operations without delay.

3.           Each supervisory authority may, as a host supervisory authority, in compliance with its own national law, and with the seconding supervisory authority’s authorisation, confer executive powers, including investigative tasks on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the host supervisory authority’s law permits, allow the seconding supervisory authority’s members or staff to exercise their executive powers in accordance with the seconding supervisory authority’s law. Such executive powers may be exercised only under the guidance and, as a rule, in the presence of members or staff from the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the host supervisory authority's national law. The host supervisory authority shall assume responsibility for their actions.

4.           Supervisory authorities shall lay down the practical aspects of specific co-operation actions.

5.           Where a supervisory authority does not comply within one month with the obligation laid down in paragraph 2, the other supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1).

6.           The supervisory authority shall specify the period of validity of a provisional measure referred to in paragraph 5. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission and shall submit the matter in the mechanism referred to in Article 57.
2nd proposal close

Art. 56

1. The supervisory authorities may, where appropriate, conduct joint operations, including joint investigations and joint enforcement measures in which members or staff from other Member States' supervisory authorities are involved.

2. In cases where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint operations, as appropriate. The competent supervisory authority shall invite the supervisory authority of each of those Member States to take part in the joint operations concerned and respond without delay to the request of a supervisory authority to participate.

3. A supervisory authority may, in compliance with its own Member State law, and with the seconding supervisory authority’s authorisation, confer powers, including investigative powers on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority’s members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the host supervisory authority's national law. (…)

 3a. Where, in accordance with paragraph 1, staff of a seconding supervisory authority are operating in another Member State, the Member State of the host supervisory authority shall be liable for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

3b. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse the latter in full any sums it has paid to the persons entitled on their behalf.

3c. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 3b, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement of damages it has sustained from another Member State.

4. (…)

5. Where a joint operation is intended and a supervisory authority does not comply within one month with the obligation laid down in the second sentence of paragraph 2, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 51(1).

6. The supervisory authority shall specify the period of validity of a provisional measure referred to in paragraph 5, which shall not exceed three months. The supervisory authority shall, without delay, communicate such a measure, together with its reasons for adopting it, to the European Data Protection Board (…) in accordance with the consistency mechanism referred to in Article 57
Directive close

Art. 28

(….).

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.
Turkey
compare_arrows

Turkey close

arrow_back Previous ArticleArticle 62 Next Article arrow_forward
close

2016 - www.itiplaw.eu.