interactive GDPR 2016/0679 EN

whereas investigative:

• whereas (143) 1

definitions:

• personal data
• processing
• restriction of processing
• profiling
• pseudonymisation
• filing system
• controller
• processor
• recipient
• third party
• consent
• personal data breach
• genetic data
• biometric data
• data concerning health
• main establishment
• representative
• enterprise
• group of undertakings
• binding corporate rules
• supervisory authority
• supervisory authority concerned
• cross-border processing
• relevant and reasoned objection
• information society service
• international organisation

Article 50

International cooperation for the protection of personal_data

In relation to third countries and international_organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a)	develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal_data;

(b)

provide international mutual assistance in the enforcement of legislation for the protection of personal_data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal_data and other fundamental rights and freedoms;

(c)	engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal_data;

(d)	promote the exchange and documentation of personal_data protection legislation and practice, including on jurisdictional conflicts with third countries.

CHAPTER VI

Independent supervisory authorities

Section 1

Independent status

Article 58

Powers

1.   Each supervisory_authority shall have all of the following investigative powers:

(a)	to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;

(b)	to carry out investigations in the form of data protection audits;

(c)	to carry out a review on certifications issued pursuant to Article 42(7);

(d)	to notify the controller or the processor of an alleged infringement of this Regulation;

(e)	to obtain, from the controller and the processor, access to all personal_data and to all information necessary for the performance of its tasks;

(f)	to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

2.   Each supervisory_authority shall have all of the following corrective powers:

(a)	to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b)	to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c)	to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;

(d)	to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e)	to order the controller to communicate a personal_data breach to the data subject;

(f)	to impose a temporary or definitive limitation including a ban on processing;

(g)	to order the rectification or erasure of personal_data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal_data have been disclosed pursuant to Article 17(2) and Article 19;

(h)	to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i)	to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j)	to order the suspension of data flows to a recipient in a third country or to an international_organisation.

3.   Each supervisory_authority shall have all of the following authorisation and advisory powers:

(a)	to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

(b)	to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal_data;

(c)	to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;

(d)	to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);

(e)	to accredit certification bodies pursuant to Article 43;

(f)	to issue certifications and approve criteria of certification in accordance with Article 42(5);

(g)	to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(h)	to authorise contractual clauses referred to in point (a) of Article 46(3);

(i)	to authorise administrative arrangements referred to in point (b) of Article 46(3);

(j)	to approve binding_corporate_rules pursuant to Article 47.

4.   The exercise of the powers conferred on the supervisory_authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.

5.   Each Member State shall provide by law that its supervisory_authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.

6.   Each Member State may provide by law that its supervisory_authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.

Article 62

Joint operations of supervisory authorities

1.   The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2.   Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory_authority of each of those Member States shall have the right to participate in joint operations. The supervisory_authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory_authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory_authority to participate.

3.   A supervisory_authority may, in accordance with Member State law, and with the seconding supervisory_authority's authorisation, confer powers, including investigative powers on the seconding supervisory_authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory_authority permits, allow the seconding supervisory_authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory_authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory_authority. The seconding supervisory_authority's members or staff shall be subject to the Member State law of the host supervisory_authority.

4.   Where, in accordance with paragraph 1, staff of a seconding supervisory_authority operate in another Member State, the Member State of the host supervisory_authority shall assume responsibility for their actions, including liability, for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5.   The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory_authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.

6.   Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

7.   Where a joint operation is intended and a supervisory_authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an opinion or an urgent binding decision from the Board pursuant to Article 66(2).

Section 2

Consistency