Article 50
International cooperation for the protection of personal data

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 50 keyboard_arrow_down Hide the recitals of the Regulation related to article 50 keyboard_arrow_up

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller

(116) When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in accordance with this Regulation.

(123) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

There is no recital in the Directive related to article 50.

The GDPR

In relation to third countries and international organizations, Article 50 requires the Commission and the supervisory authorities to take certain measures in order  to facilitate the application of the data protection principles.

This provision takes into account the recommendation of the Organization for Economic Cooperation and Development (OECD) of 12 June 2007 on the cross-border cooperation in the application of the laws protecting privacy.

These measures are intended to develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data (paragraph 1 (a)); They should then provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms (paragraph 1 (b));

These mechanisms are intended, on the one hand, to engage the relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data (paragraph 1 (c)); and, on the other hand, to promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries (paragraph 1 (d)).

The Directive

The Directive did not envisage the possibility of cooperation between the Member States and non-Union third countries or international organizations.

Potential issues

We do not see a priori any implementation difficulty.

CJEU caselaw

C-230/14 (1 october 2015)

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general 

Judgment of the Court

Regulation
1e 2e

Art. 50

In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

 

 

1st proposal close

Art. 45

1.           In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a)     develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data;

(b)     provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c)     engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;

(d)     promote the exchange and documentation of personal data protection legislation and practice.

2.           For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).

2nd proposal close

Art. 45

1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a) develop international co-operation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through (...) complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at promoting international co-operation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice.

2. (...)

 

Directive close

Art. 28

(….).

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

54. International co-operation

(1) The Commissioner—

(a) shall continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Convention, and

(b) shall be the supervisory authority in the United Kingdom for the purposes of the Data Protection Directive [F1 and the Data Protection Framework Decision].

(2) The [F2 Secretary of State] may by order make provision as to the functions to be discharged by the Commissioner as the designated authority in the United Kingdom for the purposes of Article 13 of the Convention.

(3) The [F2 Secretary of State] may by order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in other EEA States in connection with the performance of their respective duties and, in particular, as to—

(a) the exchange of information with supervisory authorities in other EEA States or with the European Commission, F3...

(b) the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases excluded by section 5 from the application of the other provisions of this Act, of functions of the Commissioner specified in the order [F4, and

(c) the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases falling within the scope of the Data Protection Framework Decision as it applies to that State, of functions of the Commissioner specified in the order. ]

(4) The Commissioner shall also carry out any data protection functions which the [F2 Secretary of State] may by order direct him to carry out for the purpose of enabling Her Majesty’s Government in the United Kingdom to give effect to any international obligations of the United Kingdom.

(5) The Commissioner shall, if so directed by the [F2 Secretary of State] , provide any authority exercising data protection functions under the law of a colony specified in the direction with such assistance in connection with the discharge of those functions as the [F2 Secretary of State] may direct or approve, on such terms (including terms as to payment) as the [F2 Secretary of State] may direct or approve.

(6) Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.

(7) The Commissioner shall inform the European Commission and the supervisory authorities in other EEA States—

(a) of any approvals granted for the purposes of paragraph 8 of Schedule 4, and

(b) of any authorisations granted for the purposes of paragraph 9 of that Schedule.

(8) In this section—

“the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981;

[F5 “the Data Protection Framework Decision” means the Council Framework Decision 2008/977/ JHA of 27th November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters; ]

“data protection functions” means functions relating to the protection of individuals with respect to the processing of personal information. 

54A. Inspection of overseas information systems

(1) The Commissioner may inspect any personal data recorded in—

(a) the Schengen information system,

(b) the Europol information system,

(c) the Customs information system.

(2) The power conferred by subsection (1) is exercisable only for the purpose of assessing whether or not any processing of the data has been or is being carried out in compliance with this Act.

(3) The power includes power to inspect, operate and test equipment which is used for the processing of personal data.

(4) Before exercising the power, the Commissioner must give notice in writing of his intention to do so to the data controller.

(5) But subsection (4) does not apply if the Commissioner considers that the case is one of urgency.

(6) Any person who—

(a) intentionally obstructs a person exercising the power conferred by subsection (1), or

(b) fails without reasonable excuse to give any person exercising the power any assistance he may reasonably require, is guilty of an offence.

(7) In this section—

“the Customs information system” means the information system established under Chapter II of the Convention on the Use of Information Technology for Customs Purposes,

“the Europol information system” means the information system established under Title II of the Convention on the Establishment of a European Police Office,

“the Schengen information system” means the information system established under Title IV of the Convention implementing the Schengen Agreement of 14th June 1985, or any system established in its place in pursuance of any [F2EU] obligation.]

close