Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Section 2.8  Supervision mechanisms

51. In order to make sure that all obligations created under the international agreement are fulfilled, the international agreement should provide for independent supervision monitoring the proper application of the agreement and interferences with the rights provided under the agreement.

52. First, the agreement should provide for internal supervision ensuring compliance with the agreement. Each party to the agreement should conduct periodic internal checks of the procedures put in place and of the effective application of the safeguards provided in the agreement. Moreover, it could be provided that a party to the agreement can also request from another party to the agreement to conduct such a review. Each party conducting a review should communicate the results of the checks to the other party(ies) to the agreement. Ideally, such communication should also be made to the independent oversight mechanism governing the agreement.

53. More generally, the agreement should require that parties respond to inquiries from the other party concerning the effective implementation of the safeguards in the agreement and inform the other party without delay if they are unable to effectively implement the safeguards in the agreement for any reason. For this case the international agreement should foresee the possibility for the transferring public body to suspend or terminate the transfer of personal data under the international agreement to the receiving public body until such time as the receiving public body informs the transferring public body that it is again able to act consistent with the safeguards. The transferring body should notify the suspension or termination to the competentnational SA.

54. Secondly, the agreement must provide for independent supervision in charge of ensuring that the parties comply with the provisions set out in the agreement. This follows directly from the Charter of Fundamental Rights of the European Union (EU Charter) and the European Convention of Human Rights (ECHR) as well as the corresponding case law.

55. The Court of Justice of the European Union (ECJ), has, since 2015, reiterated the necessity of having an independent redress and supervision mechanism. Likewise, the European Court of Human Rights (ECtHR) has frequently highlighted in its rulings that any interference with the right to respect for private life as enshrined in Article 8 ECHR needs to be subject to an effective, independent and impartial oversight system.

56. The agreement could, for example, invoke oversight by a competent supervisory authority, if there is one in the country of the public body receiving the EEA personal data, even if the GDPR does not specify that the competent supervisory authority needs to be the external oversight body.

57. In the absence of a supervisory authority specifically in charge with the supervision of data protection law in the third country or at the international organisation, the need for an independent, effective and impartial supervisory oversight mechanism needs to be fulfilled by other means. The type of independent supervision mechanism put in place may depend on the case at hand.

58. The agreement could, for example, refer to existing oversight bodies in the third country other than a supervisory authority in the area of data protection. In addition, if no external independent oversight can be ensured from a structural or institutional point of view, e.g. for certain international organisations, oversight could be guaranteed through functionally autonomous mechanisms. The latter should be a body that, while not external itself, carries out its functions independently, i.e. free from instructions, with sufficient human, technical and financial resources, etc. Moreover, the agreement could include the voluntary commitment of the receiving party to cooperate with the EEA SAs.