Article 62 of GDPR: Joint Operations of Supervisory Authorities
Article 62 of GDPR outlines the mechanics of how supervisory authorities can conduct joint operations and jointly implement measures or take enforcement measures related to GDPR.
Joint operations (Article 62(1) GDPR)
Supervisory authorities can act jointly with respect to an investigation or to handle a matter.
It’s up to the supervisory authorities to determine when it is appropriate to make a joint effort in handling a matter.
Supervisory authority’s right to participate jointly (Article 62(2) GDPR)
In some cases, GDPR grants a right to the supervisory authority to participate jointly in a matter.
A supervisory authority can exercise its right to jointly participate in an effort in the following scenarios:
- When the data processor or data controller has its establishment
- Where an important number of data subjects in its territory are affected or may be affected
The competent supervisory authority can even invite other supervisory authorities to participate jointly in the required operations.
Delegation of power to seconding supervisory authority (Article 62(3) GDPR)
A competent supervisory authority may delegate powers to the seconding supervisory authority with regards to the matter being handled.
The delegation of power may also include investigative powers based on the laws applicable to the seconding supervisory authority.
If there is a delegation of investigative powers, the seconding supervisory authority can exercise that power under the guidance and in the presence of a member or staff of the competent supervisory authority.
Supervisory authority’s liability (Article 62(4) GDPR)
When a seconding supervisory authority staff operates in another EU member state, the host supervisory authority or the competent supervisory authority will be responsible for the actions or damages caused by the seconding supervisory staff.
Damages caused by supervisory authority staff (Article 62(5) GDPR)
The EU member state will compensate damages when someone suffers damage in its territory
The member state of the seconding supervisory authority whose staff had caused the damages will reimburse the EU member state for any sums paid to compensate a person for damages.
Damages in the context of a joint operation (Article 62(6) GDPR)
In the event of a joint operation, GDPR requires that the EU member states refrain from requesting reimbursement for damages further to Article 62(4).
Supervisory authority refusal to act (Article 62(7) GDPR)
When a supervisory authority is intended to participate in a joint operation and does not respond to a request made under Article 62(2), the other supervisory authorities may adopt measures within their own territory and trigger the urgency procedure and require a binding decision from the European Data Protection Board.
Recitals applicable to Article 62 of GDPR
Relevant Recitals: 126, 134
GDPR Regulation article-by-article overview
Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.
Cited Legislation in Article 62 or relevant recitals
GDPR Text: Article 62 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)