For information about what we do with
personal data see our privacy notice
From:
Sent: W
ptember 13, 2023 2:51 PM
To:
'xxxx.xxxxxx@xxxx.xxxxxx.xx'
<an
Cc: Subject:
n plan
Hi Anna,
Thank you for speaking with me and
just now, it’s always great to
connect.
As discussed, I have attached our MoU template and our Collaboration Plan
template. We are by no means strict to these and they are just a helpful
starter/guide. If you have any ideas or styles you’d like to adopt for the MoU
between the EDPS and ICO we are very open to suggestions. Also, the
Collaboration Plan is not a requirement and we don’t have many of these
active, but they are an additional level of detail we can include in our
organisational relationship if needed.
Also below is a link to our list of MoUs (both national and international):
Working with other bodies | ICO
Our MoUs with the US FTC, Ireland and Malta are below just to give an idea of
flexibility in our final agreement:
MoU US Federal Trade Commission - 2 December 2020 (ico.org.uk)
ico-dpc-ireland-202207.pdf
ico-malta-idpc-signed-mou-23062023.pdf
If you have any questions please feel free to ask as we would be more than
happy to provide any further information. Also if it would be worth us
arranging a further call in the future once you and your colleagues have had
a chance to review the documents, I would be happy to book this in.
Best regards,
Group Manager, International Regulatory
Cooperation Directorate
Information Commissioner’s Office, Wycliffe House,
Water Lane, Wilmslow, Cheshire SK9 5AF
Date: 8 November 2023
Memorandum of Understanding
between:
The Information Commissioner
for
The United Kingdom of Great Britain & Northern
Ireland
- and -
The European Data Protection Supervisor
for Cooperation in the Application of
Laws Protecting Personal Data
1. INTRODUCTION
1.1 This Memorandum of Understanding (“MoU”) establishes a
framework for cooperation between
(I) The Information Commissioner (the “Commissioner”) and
(II) The European Data Protection Supervisor (the “EDPS”),
together referred to as the “Participants”. Any reference to the
Commissioner shall include his statutory successors.
1.2 The Participants recognise the nature of the modern society, the
increase in circulation and exchange of personal data across borders,
the increasing complexity of information technologies, and the
resulting need for increased cross-border enforcement cooperation
with the aim of providing consistency and certainty.
1.3 The Participants acknowledge that they have similar functions and
duties concerning the protection of personal data in their respective
jurisdictions.
1.4 The Participants highlight the unique geographical, cultural, and
historical links between their jurisdictions, and the importance of
consulting on, and taking account of, their respective regulatory
activity in order to better protect individuals in the United Kingdom
and in the European Union with respect to data processing falling
under their jurisdictions and enhance compliance with laws protecting
personal data.
1.5 This MoU reaffirms the intent of the Participants to deepen their
existing relations and to promote exchanges to assist each other in
the application of laws protecting personal data.
1.6 This MoU sets out the broad principles of collaboration between the
Participants and the legal framework governing the sharing of
relevant information and intelligence between them.
1.7 Reducing divergences in the regulatory approach taken by the
Participants, when addressing similar issues, benefits public and
private entities, consumers and other stakeholders in their respective
jurisdictions. Whilst having regard to the different laws and
regulations of their respective jurisdictions as well as their statutory
independence, this MOU is intended to avoid divergences and
promote consistency in the administration of similar data protection
laws.
1.8 The Participants confirm that nothing in this MoU should be
interpreted as imposing a requirement on the participants to co-
operate with each other. In particular, there is no requirement to co-
operate in circumstances which would place either Participant in
breach of their legal responsibilities, including but not limited to:
(a) in the case of the Commissioner: the retained EU law version of
the General Data Protection Regulation ((EU) 2016/679 (“UK
GDPR”)); and
(b) in the case of the EDPS:
(i) the Regulation (EU) 2018/1725 with regard to the
processing of personal data by the Union institutions,
bodies, offices and agencies (“EUDPR”)
(ii) the EU Regulation 2016/679 of the European Parliament and
of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and
on the free movement of such data (“GDPR”)
1.9 This MoU should not be interpreted as imposing a requirement on
either party to disclose information in circumstances where doing so
would breach their statutory responsibilities. In particular, each party
must ensure that any disclosure of personal data pursuant to these
arrangements fully complies with both the applicable law. The MoU
sets out the legal basis for information sharing, but it is for each
Participant to determine for themselves that any proposed disclosure
is compliant with the law applicable to them.
2. THE ROLE AND FUNCTION OF THE INFORMATION COMMISSIONER
2.1 The Commissioner is a corporation sole appointed under the Data
Protection Act 2018 (the “DPA 2018”) to act as the UK’s
independent regulator to uphold information rights in the public
interest, promote openness by public bodies and data privacy for
individuals.
2.2 The Commissioner is empowered to take a range of regulatory action
for breaches of the following legislation (as amended from time to
time):
(a) Data Protection Act 2018 (“DPA 2018”);
(b) EU law version of the General Data Protection Regulation ((EU)
2016/679 (“UK GDPR”);
(c) Privacy and Electronic Communications (EC Directive)
Regulations 2003 (“PECR”);
(d) Freedom of Information Act 2000 (“FOIA”);
(e) Environmental Information Regulations 2004 (“EIR”);
(f) Environmental Protection Public Sector Information Regulations
2009 (“INSPIRE Regulations”);
(g) Investigatory Powers Act 2016;
(h) Re-use of Public Sector Information Regulations 2015;
(i) Enterprise Act 2002;
(j) Security of Network and Information Systems Directive (“NIS
Directive”); and
(k) Electronic Identification, Authentication and Trust Services
Regulation (“eIDAS”).
2.3 The Commissioner has a broad range of statutory duties, including
monitoring and enforcement of data protection laws, and promotion
of good practice and adherence to the data protection obligations by
those who process personal data. These duties sit alongside those
relating to the other enforcement regimes.
2.4 The Commissioner’s regulatory and enforcement powers include:
(a) conducting assessments of compliance with the DPA 2018, UK
GDPR, PECR, eIDAS, the NIS Directive, FOIA and EIR;
(b) issuing information notices requiring individuals, controllers or
processors to provide information in relation to an investigation;
(c) issuing enforcement notices, warnings, reprimands, practice
recommendations and other orders requiring specific actions by
an individual or organisation to resolve breaches (including
potential breaches) of data protection legislation and other
information rights obligations;
(d) administering fines by way of penalty notices in the
circumstances set out in section 152 of the DPA 2018;
(e) administering fixed penalties for failing to meet specific
obligations (such as failing to pay the relevant fee to the
Commissioner);
(f) issuing decision notices detailing the outcome of an investigation
under FOIA or EIR;
(g) certifying contempt of court should an authority fail to comply
with an information notice, decision notice or enforcement notice
under FOIA or EIR; and
(h) prosecuting criminal offences before Courts.
2.5 Regulation 31 of PECR, as amended by the Privacy and Electronic
Communications (EC Directive) (Amendment) Regulations 2011, also
provides the Commissioner with the power to serve enforcement
notices and issue monetary penalty notices as above to organisations
who breach PECR. This includes, but is not limited to, breaches in the
form of unsolicited marketing which fall within the ambit of PECR,
including automated telephone calls made without consent, live
telephone calls which have not been screened against the Telephone
Preference Service, and unsolicited electronic messages (Regulations
19, 21 and 22 of PECR respectively).
3. ROLE AND FUNCTIONS OF EDPS
3.1 The EDPS is the European Union (EU) independent data protection
authority established under Regulation (EU) 2018/1725 of the
European Parliament and of the Council of 23 October 2018 on the
protection of natural persons with regard to the processing of
personal data by the Union institutions, bodies, offices and agencies
and on the free movement of such data, and repealing Regulation
(EC) No 45/2001 and Decision No 1247/2002/EC (“EUDPR”).
3.2 The EDPS powers, duties and tasks are set out in the following
legislation (as amended from time to time):
(a) The General Data Protection Regulation (the “GDPR”)
(b) The EUDPR
(c) The Europol Regulation
(d) The Eurojust Regulation
(e) The EPPO Regulation
(f) The rules regulating large-scale IT systems at EU level, and
(g) any other Union and Member State act granting the EDPS tasks
or powers in relation to the protection of the individual’s rights
and freedoms with regard to privacy and the processing of
personal data.
3.3 The EDPS has a broad range of tasks which include: monitoring and
enforcing the application of the EUDPR by Union institutions and
bodies; promoting public awareness and the awareness of controllers
and processors of their obligations; handling of complaints;
conducting investigations; advising, on his or her own initiative or on
request, all Union institutions and bodies on legislative and
administrative measures relating to the protection of personal data;
and monitoring the development of information and communication
technologies.
3.4 The EDPS has investigative, corrective, authorisation and advisory
powers that include:
(a) to refer matters to the controller or processor concerned and, if
necessary, to the European Parliament, the Council and the
Commission;
(b) to order the controller or processor to bring processing
operations into compliance with the provisions of the EUDPR;
(c) to impose a temporary or definitive limitation including a ban on
processing;
(d) to impose an administrative fine; and
(e) to refer the matter to the Court of Justice under the conditions
provided for in the Treaties and to intervene in actions brought
before the Court of Justice.
4. SCOPE OF CO-OPERATION
4.1 The Participants acknowledge that it is in their common interest to
collaborate in accordance with this MoU, in order to:
(a) Ensure that the Participants are able to deliver the regulatory
cooperation necessary to underpin the data-based society and
protect the fundamental rights of citizens of the United Kingdom
and individuals in the European Union respectively, in
accordance with the applicable laws of the Participants’
respective jurisdictions;
(b) Cooperate with respect to the enforcement of their respective
applicable data protection and privacy laws;
(c) Keep each other informed of developments in their respective
jurisdictions having a bearing on this MoU; and
(d) Recognise parallel or joint investigations or enforcement actions
by the Participants as priority issues for co-operation.
4.2 For this purpose, the Participants may jointly identify one or more
areas or initiatives for cooperation. Such cooperation may include:
(a) sharing of experiences and exchange of best practices on data
protection policies, education and training programmes;
(b) sharing of information about respective priorities for regulatory
actions, including policy and enforcement priorities;
(c) implementation of joint research projects and joint publications;
(d) sharing of experiences and lessons learned from regulatory
cooperation and coordination activities at national, regional or
international level.
(e) co-operation in promoting dialogue among data protection
authorities and other digital regulators (including competition
and consumer protection authorities) to explore synergies and
ensure a consistent application of digital regulations;
(f) exchange of information (excluding personal data) involving
potential or on-going investigations of organisations in the
respective jurisdictions in relation to a contravention of personal
data protection legislation;
(g) secondment of staff;
(h) mutual assistance or joint investigations into cross border
personal data incidents involving organisations in both
jurisdictions (excluding sharing of personal data);
(i) convening bilateral meetings at least every six months or as
mutually decided between the Participants; and
(j) any other areas of cooperation as mutually decided by the
Participants.
4.3 For clarity, it is acknowledged that this MoU does not impose any
obligation on the Participants to share information with each other or
to engage in any other form of cooperation. It is further
acknowledged that a Participant may require that any cooperation is
subject to certain limitations or conditions being agreed between the
Participants. For example, in order to avoid breaching applicable legal
requirements. Any such limitations or conditions will be agreed
between the Participants on a case-by-case basis.
5. NO SHARING OF PERSONAL DATA
5.1 The Participants do not intend that this MoU will cover any sharing of
personal data by the Participants.
5.2 If the Participants wish to share personal data, for example in relation
to any cross border personal data incidents involving organisations in
both jurisdictions, each Participant will consider compliance with its
own applicable data protection laws, which may require the
Participants to enter into a written agreement or further
arrangements governing the sharing of such personal data.
6. INFORMATION SHARED BY THE UK INFORMATION COMMISSIONER
6.1 Section 132(1) of the DPA 2018 states that the Commissioner can
only share certain information if he has lawful authority to do so,
where that information has been obtained, or provided to, the
Commissioner in the course of, or for the purposes of, discharging the
Commissioner’s functions, relates to an identifiable individual or
business, and is not otherwise available to the public from other
sources.
6.2 Section 132(2) of the DPA 2018 sets out the circumstances in which
the Commissioner will have the lawful authority to share that
information. Of particular relevance when the Commissioner is
sharing information with the EDPS are the following circumstances,
where:
(a) The sharing is necessary for the purpose of discharging the
Commissioner’s functions (section 132(2)(c)); and
(b) The sharing is necessary in the public interest, taking into
account the rights, freedoms and legitimate interests of any
person (section 132(2)(f)).
6.3 The Commissioner will therefore be permitted to share information
with the EDPS in circumstances where it has determined that it is
reasonably necessary to do so in furtherance of one of those grounds
outlined at paragraph 6.2 of this MoU. Before the Commissioner
shares any such information with the EDPS, it may be necessary for
the Commissioner to identify the function of the EDPS with which that
information is intended to assist, and assess whether that function of
the EDPS could reasonably be achieved without access to the
particular information in question. Where the Commissioner considers
that any such function could reasonably be achieved without access
to the information, it will not share the information unless it
determines that there are overriding factors which render such
sharing to be lawful and appropriate in all the circumstances.
7. INFORMATION SHARED BY THE EDPS
7.1 The Commissioner's statutory function relates to the legislation set
out at paragraph 2, and this MoU governs information shared by the
EDPS to assist the Commissioner to meet those responsibilities. To
the extent that any such shared information comprises personal data,
as defined under the UK GDPR and DPA 2018, the EDPS is a Data
Controller in respect of such data and must ensure that it has legal
basis to share it and that doing so would be compliant with the data
protection principles.
7.2 Section 131 of the Data Protection Act 2018 may provide a legal
basis for the EDPS to share information with the Commissioner. Under
this provision, the EDPS is not prohibited or restricted from disclosing
information to the Commissioner by any other enactment or rule of
law provided it is “information necessary for the discharge of the
Commissioner's functions”.
8. SECURITY AND DATA BREACH REPORTING
8.1 Appropriate security measures will be agreed to protect information
that is shared between the Participants. Such measures will, amongst
other things, require the Participant receiving information (the
“Recipient”) to take into account the sensitivity of the information;
any classification that is applied by the Participant who is sending the
information to the other Participant (the “Sender”); and any other
factors relevant to protecting the security of the information.
8.2 Where confidential material is shared between the Participants it will
be marked with the appropriate security classification by the Sender.
8.3 Where a Recipient receives information from a Sender, the Recipient
will consult with the Sender and obtain their consent before passing
that information to a third party or using the information in an
enforcement proceeding or court case, save where the Recipient is
prevented from consulting with the Sender or seeking its consent, by
applicable laws or regulations.
8.4 Where confidential material obtained from, or shared by, a Sender is
wrongfully disclosed or used by a Recipient, the Recipient will bring
this to the attention of the Sender without delay.
9. REVIEW OF THE MOU
9.1 The UK Information Commissioner and the EDPS will monitor the
operation of this MoU and review it if either Participant so requests.
9.2 Any issues arising in relation to this MoU will be notified to the
designated point of contact for each Participant.
9.3 Any amendments to this MoU must be made in writing and signed by
each Participant.
10. NON-BINDING EFFECT OF THIS MOU AND DISPUTE SETTLEMENT
10.1 This MoU is a statement of intent that does not give rise to legally
binding obligations on the part of either the Commissioner or the
EDPS. The parties have determined that they do not exchange
sufficient quantities of personal data to warrant entering into a
separate data sharing agreement, but this will be kept under review.
10.2 The Participants will settle any disputes or disagreement relating to
or arising from this MoU amicably through consultations and
negotiations in good faith without reference to any international
court, tribunal or other forum.
11. DESIGNATED CONTACT POINTS
11.1 The following persons will be the designated contact points for the
Participants for matters under this MoU:
Information Commissioner’s Office
Name:
Designation: Head of International Regulatory Cooperation

European Data Protection Supervisor
Name:
Designation:
11.2 The above individuals will maintain an open dialogue between each other in
order to ensure that the MoU remains effective and fit for purpose. They
will also seek to identify any difficulties in the working relationship, and
proactively seek to minimise the same.
11.3 Each Participant may change its designated contact point for the purposes
of this MoU upon notice in writing to the other Participant.
12. ENTRY INTO EFFECT AND TERMINATION
This MoU will come into effect upon its signature by the Participants and
remain in effect unless terminated by either Participant upon three
months’ written notice to the other Participant.
SIGNATORIES:
For the Information Commissioner for the United Kingdom of Great
Britain and Northern Ireland
Name: Mr John Edwards
Title: United Kingdom Information Commissioner
Place: Brussels, Belgium
Date: 8 November 2023

For the European Data Protection Supervisor
Name: Mr Wojciech Wiewiórowski
Title: European Data Protection Supervisor
Place: Brussels, Belgium
Date: 8 November 2023