26 March 2024 – Guest Blog
Asset declaration systems are one of the most powerful tools in combating corruption. However, the effectiveness of asset declarations all depends on their verification. When verifying asset declarations of public officials, access to foreign data is one of the main challenges. The “International Treaty on Exchange of Data for the Verification of Asset Declarations” (the “Treaty”) has been signed already by four countries outside of the European Union (“EU”).
This guest blog by Dr. Tilman Hoppe and Dr. Felix Lüth makes the case why the EU could and should join the Treaty, significantly increasing the capacity of anti-corruption agencies in verifying asset declarations across borders.
- Dr. Tilman Hoppe, LL.M., is a former judge who has supported reforms in more than 40 countries through projects by the Council of Europe, EU, IMF, OECD, UN, World Bank, and others. In 2016, he drafted the “International Treaty on Exchange of Data for the Verification of Asset Declarations” and advised countries in joining it.
- Dr. Felix Lüth is a Legal Researcher with the Global Legal Action Network (GLAN) and focuses on anti-money laundering and asset recovery, among others.
Read the full article in pdf version here.
What is the Treaty about?
Anti-corruption agencies in- and outside the EU hit a wall when checking the wealth situation of public officials in their country: Let’s say, a public official from France owns a seaside property in Montenegro. The French official has not declared that property in her asset declaration, as the money financing the property comes from illicit sources. The French asset declaration body has no access to the property registry in Montenegro and thus cannot check for undeclared assets. So far, as there has been no legal basis for a foreign authority – it would not (and must not) transmit personal data to an inspector of another country.[1] In practice, this is where the check ends. After decades of hitting this wall, practitioners were fed up, and started drafting an international agreement, the “International Treaty on Exchange of Data for the Verification of Asset Declarations”.[2]
The Treaty reflects international best practice, leaning in particular on the “Convention on Mutual Administrative Assistance in Tax Matters” which was developed jointly by the Council of Europe and the OECD in 1988 and has 125 members as of today. The basic rule established by the Treaty is that integrity bodies of two member states may exchange data if it is needed in one country for verifying an asset declaration. The Treaty is not only “open for accession by any State” but also by the “European Union” (Article 14 para. 3 and 4).
Why is the EU envisaged as a key member of the Treaty?
There are five main reasons why Article 14 para. 4 of the Treaty envisages the EU as key member:
- The EU is a prime destination for hiding assets: Five of the globally most important financial hubs [3] are in the EU and its member states are attractive destinations for real estate investments [4] or dual citizenships of corrupt public officials from third countries.[5]
- The EU has a political interest in fighting corruption in its neighbourhood. During the past 15 years, the EU has spent 2.13 billion € on rule of law and anticorruption reforms, including on setting up and improving asset disclosure systems.[6] Spending money on reform projects is not enough – for the asset disclosure systems to work, neighbourhood countries need to be able to check whether their public officials are hiding assets in EU member states.
- Equally, EU countries have an interest in obtaining data. While one can probably assume a larger inflow of “corrupt” money from neighbouring countries into the EU, still, public officials from EU countries who have to hide assets would rather do so in third countries outside the reach of the EU’s “common legal market”. This makes it attractive, for example, for a corrupt Croatian or German public official to invest corrupt money into a seaside property in Albania or Montenegro. Ultimately, EU institutions also have their own interest in obtaining data from abroad, namely for verifying asset declarations by MEPs and Commissioners.[7]
- For decades, the EU has given candidate countries homework in upgrading their rule of law, including concluding a treaty on international data exchange for the verification of asset declarations. However, if the EU only tells others what to do without doing its own homework, it risks losing its political credibility.
- The EU joining the Treaty will boost membership by third countries. So far, four countries have signed the Treaty. It can be argued that interest by third countries will likely increase, as joining the Treaty will then mean gaining access to EU member states’ jurisdictions.
Is the EU competent to join the Treaty?
Under public international law, every State possesses the capacity to conclude international treaties.[8] For EU member states, some of this capacity is conferred to the EU under the EU Treaties (Treaty on the European Union – TEU – and Treaty on the Functioning of the European Union – TFEU).[9] The EU Treaties do not contain an express rule for the conclusion of international treaties. The competence for concluding international treaties follows the general allocation of competences laid down in Articles 2-4 TFEU.[10]
Probably the most obvious basis for the competence of the EU to join the Treaty can be found in Article 3(2) TFEU, which provides that the competence of the EU is exclusive if the conclusion of a Treaty by member states “may affect common rules or alter their scope”.[11] The EU has already enacted legislative measures on matters that can be seen as related to the Treaty. They include in particular instruments on the prevention of the use of the financial system for the purposes of money laundering [12] and on the exchange of data for the purposes of asset tracing, seizure or confiscation.[13] Moreover, the EU has produced an elaborate legal framework on data protection regulating how personal data can be transferred to third parties, including outside the EU.[14]
Asset declarations frequently require the disclosure of beneficial ownership,[15] an aspect regulated in particular by the 4th AML-Directive (EU 2015/849, Chapter III). The European Court of Justice has ruled on both, the public disclosure of beneficial ownership information [16] as well as of asset declarations.[17] Against this background, it seems unlikely to encounter many objections by member states once a formal proposal on the EU joining the Treaty is put on the table.
Accession by the EU would require a decision by the Council, which consists of government representatives of member states.[18] “[A]fter consulting the European Parliament” (Article 218 para. 6 lit. b TFEU), the decision is adopted by “a qualified majority” of the Council (Article 218 para. 8 TFEU). According to its para. 11, Article 218 foresees that a “Member State, the European Parliament, the Council or the Commission may obtain the opinion of the Court of Justice as to whether an agreement envisaged is compatible with the Treaties”. It is hard to imagine what the reasons for requesting such an opinion could be.
Is cross-border data exchange in line with EU data protection standards?
EU data protection standards are set out by the Charter of Fundamental Rights of the EU (CFR), the TFEU and the General Data Protection Regulation (GDPR).
Charter of Fundamental Rights (CFR)
The fundamental right to the protection of personal data stems from Article 8 of the CFR and Article 16 of the TFEU. However, the right to data protection is “not [an] absolute right […], but must be considered in relation to [its] function in society. In this connection, it should also be observed that, under Article 8(2) of the Charter, personal data must, inter alia, be processed ‘for specified purposes and on the […] legitimate basis laid down by law’.”[19] This means that transferring data to another country needs a legal basis and must serve a legitimate purpose in a proportionate manner as it interferes with Article 8 of the CFR.
As explained in an earlier blog, the Treaty solves a significant problem in this respect [20]: Without the Treaty most countries do not have a sufficient legal basis for cross-border data exchange. However, the Treaty itself provides such a basis. It is not only in line with data protection standard but fosters the legality of data exchange in this regard.
Asset declarations serve a legitimate and important public interest. The Court of Justice of the European Union (CJEU) [21] as well as the European Court of Human Rights (ECtHR) [22] have both decided that the processing of data in the context of asset declarations is necessary, proportionate and, thus, in line with fundamental rights. For financial interests located abroad, cross-border exchange of data is necessary as there is no other way of verifying, for example, who the owner of real estate or a company abroad is (as long as registers are not publicly accessible). The CJEU [23] and the ECtHR [24] have both stated that for public servants the right to privacy has lesser weight than for ordinary citizens. All in all, data exchange under the Treaty is in principle in line with the fundamental right to data protection.[25]
At first sight, the right to appeal as per Article 47 CFR might also be relevant in this context. If the public officials (declarants) in the third country are not notified about the planned disclosure of their personal data they cannot legally challenge the rightfulness of that disclosure. However, the right to appeal is restricted to tangible measures taken against the declarant eventually (that is, a notification or sanction for having omitted to declare a foreign asset): The CJEU has decided that the mutual exchange of tax information is a pure administrative procedure and does not thereby confer specific rights on the taxpayer.[26] In any case, public officials from third countries can challenge the verification of their declaration in their home (third) country, including the transfer of data from an EU member state.[27]
General Data Protection Regulation (GDPR)
Applicability of the GDPR
There is no definite decision yet on the applicability of the GDPR to cross-border data exchange for the verification of asset declarations. In principle, cross-border data exchange falls within the scope of the GDPR.
However, the GDPR foresees an exception to its application in its Article 2 para. 2 lit. d “for the purposes of the prevention, investigation, detection or prosecution of criminal offences […], including the safeguarding against and the prevention of threats to public security”. Verifying asset declarations is not a criminal investigation, but rather solely administrative procedure primarily aimed at compliance, comparable to a tax audit. In this regard, the Treaty’s explicit purpose is to provide for an “administrative exchange of information” (Article 1 para. 1).
Still, it could be argued that the verification of asset declarations is ultimately aimed at the prevention of (criminal) corruption offences. After all, although the verification is a purely administrative procedure, it is intended to create an environment in which public officials cannot hide corrupt activities and, thereby, disincentivise to act corruptly in the first place. This perspective is supported by the Treaty, defining its purpose as “to prevent corruption”, and by the United Nations Convention against Corruption, listing asset disclosure among its preventive measures (Article 8 para. 5).
However, much remains unclear regarding this argument. For example, there is an ongoing debate on the interpretation of “criminal offence” and “public security” in Article 2 para. 2 lit. d of the GDPR.[28] So, at the moment it is hard to say, if the CJEU would consider the GDPR to be applicable. If it is, cross-border data exchange under the treaty would have to meet these standards. In this respect, the GDPR differentiates between cross-border transfers within the EU and those outside the EU.
Transfer within EU
Within the EU, the GDPR establishes an equivalent “level of protection of the rights and freedoms of natural persons with regard to the processing of […] data […] in all Member States” and by doing so aims to remove “the obstacles to flows of personal data within the Union”.[29] As a consequence, under Article 1 para. 3 of the GDPR, the “free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.” Therefore, data transfers from one to another EU Member State based on the Treaty are governed by and, thus, in line with the GDPR.
Transfer outside EU
The EU legislator has recognised that “[f]lows of personal data to and from countries outside the Union […] are necessary for the expansion of […] international cooperation.”[30] In case of such transfers to third countries, “the level of protection of natural persons ensured in the Union by this Regulation [GDPR] should not be undermined”.[31] To this end, Chapter V of the GDPR foresees three options [32]:
(1) Adequacy decisions (Article 45 para. 1 GDPR):
“A transfer of personal data to a third country […] may take place where the Commission has decided that the third country […] in question ensures an adequate level of protection […].” So far, the European Commission has listed several third countries as having an adequate level of protection, but none from the Balkans or Eastern Europe.[33] Due to the high requirements for adequacy decisions and the effort involved, it is not expected that they will be prevalent in the future.[34]
(2) Appropriate safeguards (Article 46 para. 1 GDPR):
“In the absence of a decision under Article 45(3) [adequacy decision], a controller or processor may transfer personal data to a third country […] only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” For international data exchange between public bodies, Article 46 para. 2 lit. a GDPR calls for an appropriate safeguard in form of “a legally binding and enforceable instrument between public authorities or bodies”.
By its nature, the Treaty is a legally binding instrument. In Article 9 para. 1 of the Treaty, it is made clear that “any information obtained by a Focal Point shall be treated as confidential and protected in the same manner as information obtained under the domestic law”. In addition, the supplying focal point may ask for additional “safeguards […] as required under its domestic law”. Furthermore, the Treaty set out a clear purpose limitation regarding the use of data (asset declaration verification) and only a strictly limited circle of authorities is allowed to use the data in Article 9 para. 2. In this respect the Treaty is modelled almost verbatim after the Council of Europe/OECD “Convention on Mutual Administrative Assistance in Tax Matters” of 1988, on the basis of which tax authorities in EU Member States exchange data with their counterparts in third countries on a daily basis.
In addition, Article 46 para. 1 of the GDPR requires that data subjects must have effective legal remedies available to enforce their rights and to claim compensation in case of violation.[35] The Treaty itself does not foresee such remedies but builds on these rights existing in national legislation.[36] To ensure that data exchange satisfies the requirement of effective remedies, the focal point requesting the data will have to communicate to what extent these legal remedies exist in its legislation and are applicable to data transfers under the Treaty. The focal point providing the data (from an EU member state) would have to request from the receiving focal point compliance with the requirements of the GDPR when receiving the data and effective remedies as foreseen in Article 9 para. 1 of the Treaty. In this case, the data subject, the declarant, could decide on using a legal remedy after being notified about the verification, as regularly foreseen by national legislation.[37]
In its landmark decision “Schrems II”, the CJEU made clear that appropriate safeguards under Article 46 of the GDPR must ensure a “level of [data] protection essentially equivalent to that guaranteed within the European Union” in the receiving country.[38] This means that a focal point of EU member states must ensure that the protection of the supplied data is essentially the same in the requesting third country. Whether or not this is the case, must be evaluated individually for each third country. As with the existence of effective remedies, in cases of an insufficient pre-existing level of data protection in the receiving third country the focal point in the supplying EU member state may request the focal point in the third country to adhere to the GDPR when processing the data (Article 9 para. 1 of the Treaty).
Overall, the Treaty can serve as an appropriate safeguard within the meaning of Article 46 of the GDPR. Where the receiving third country does not already provide effective legal remedies and a level of data protection essentially equivalent to the GDPR, an EU member state can supply data under Article 46 of the GDPR by requesting the receiving focal point to adhere to the GDPR in this regard.
(3) Important reasons of public interest (Article 49 para. 1 lit. d GDPR):
Even without an adequacy decision (Article 45) or an appropriate safeguard (Article 46), the GDPR allows the “transfer […] of personal data to a third country […] [if] the transfer is necessary for important reasons of public interest”. GDPR’s Recital 112 states that the derogation of Article 49 “should in particular apply […] for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities […], or in order to reduce and/or eliminate doping in sport.” By stating that the derogation in particular applies in the given examples, the EU legislator made clear that the list is not exhaustive, and the derogation can also be applied in comparable cases.
In the context of asset declarations, the CJEU stated that “to prevent conflicts of interest and to combat corruption in the public sector, are undeniably objectives of public interest”[39] and that “combating corruption is of great importance within the European Union”.[40] Furthermore, the TFEU defines corruption as “particularly serious crime” (Article 83 para. 1 TFEU). In addition, numerous laws by the EU aim at fighting corruption.[41] Against this background, it seems hard to argue that data exchange for the purpose of preventing corruption through financial disclosure is not a public interest of equal or higher importance than some interests mentioned in Recital 112.
According to Article 49 para. 4 GDPR and its interpretation by the European Data Protection Board (EDPB), “the derogation only applies when it can also be deduced from EU law or the law of the member state […] that such data transfers are allowed for important public interest purposes. […] [I]t is not sufficient that the data transfer is requested (for example by a third country authority) for an investigation which serves a public interest of a third country which, in an abstract sense, also exists in EU or member State law. […] Rather, […] the derogation only applies when it can also be deduced from EU law or the law of the member state […] that such data transfers are allowed for important public interest purposes.”[42] However, by joining the Treaty, the EU legislator would confirm the important public interest and explicitly allow cross-border data exchange under the Treaty. The significance of international treaties in this respect has also been recognised by the EDPB.[43]
One caveat applies in this regard: “Where transfers are made in the usual course of business or practice, the EDPB strongly encourages all data exporters (in particular public bodies) to frame these by putting in place appropriate safeguards in accordance with Article 46 rather than relying on the derogation as per Article 49(1) (d) [GDPR].”[44] The EDPB further calls for data exchanges “tak[ing] place on a large scale and in a systematic manner” not to be based on “the important public interest derogation” but rather on “appropriate safeguards in accordance with Article 46”.[45] Whether or not the CJEU shares this interpretation of Article 49 para. 1 lit. d of the GDPR is not decided yet. In any event, one can probably doubt whether data exchange for verifying asset declarations will actually grow to a large scale and systematic manner between one EU member state and one specific third country.
Interim result
To sum up, it is unclear whether the GDPR is applicable to data exchange under the Treaty. If the GDPR is applicable, EU member states must comply with the specific requirements set out in Chapter V of the GDPR when supplying data to third countries under the Treaty. To this end, the focal point of the member state must request the focal point of the third country to adhere to the GDPR when processing the data or base their occasional transfer of data under Article 49 para. 1 it. d GDPR “for important reasons of public interest”.
Conclusion
The EU could and should join the “International Treaty on Exchange of Data for the Verification of Asset Declarations”. There are many good policy reasons for such a decision as well as solid legal arguments on the EU’s competence to do so. The Treaty as such is also in line with the high standards of data protection in the EU. In particular, its Article 9 para. 1 foresees the possibility that a state providing data may request the same “level of protection of personal data, as required under its domestic law”. This aside, verifying asset declarations serves “important reasons of public interest” under Article 49 para. 1 lit. d GDPR.
At a summit six years ago, representatives from the EU and its member states encouraged “Western Balkans Governments […] to endorse and adopt [the] Regional Anti-Corruption Initiative’s International Treaty on Data Exchange on Asset Disclosure and Conflict of Interest”.[46] Now that four countries have signed the Treaty, it is time for the EU to do its part, starting by formally announcing its readiness to move towards joining the Treaty. This would be a strong boost for the Treaty, for third countries considering membership, and, ultimately, for the effectiveness of asset declaration systems in detecting wealth and interests hidden abroad.
For more information, please contact the author at email hidden; JavaScript is required.
The authors wish to thank David Wellstein for his very valuable comments on an earlier version and his advice on data protection standards.
[1] For further details on the legal gap see: Tilman Hoppe (19 January 2024), International data exchange for asset declarations, https://uncaccoalition.org/international-data-exchange-for-asset-declarations-guest-blog/.
[2] https://rai-see.org/what-we-do/regional-data-exchange-on-asset-disclosure-and-conflict-of-interest/.
[3] Wardle, Mike; Mainelli, Michael (28 September 2023), “The Global Financial Centres Index 34”, https://www.longfinance.net/media/documents/GFCI_34_Report_2022.09.28_v1.0.pdf.
[4] European Parliamentary Research Service (2019), Understanding money laundering through real estate transactions, p. 2, https://www.europarl.europa.eu/cmsdata/161094/7%20-%2001%20EPRS_Understanding%20money%20laundering%20through%20real%20estate%20transactions.pdf.
[5] Transparency International, Ending corrupt abuse of EU golden passports & visas, Those who loot their countries cannot be allowed safe haven in the EU, https://www.transparency.org/en/campaigns/ending-corrupt-abuse-european-union-golden-passports-visas.
[6] European Commission, EU Aid Explorer, https://euaidexplorer.ec.europa.eu/explore/sectors_en: 2.13 billion € spent by the EU on good governance projects in Europe between 2007-2022.
[7] Critically about the state of verifications by EU institutions: Tilman Hoppe (13 Januar 2023), Tougher Integrity Rules for the European Parliament, https://verfassungsblog.de/tougher-integrity-rules-for-the-european-parliament/.
[8] Articles 6 et seq. Vienna Convention on the Law of Treaties, 23 May 1969, United Nations, Treaty Series, vol. 1155, p. 331, https://treaties.un.org/doc/Publication/UNTS/Volume%201155/v1155.pdf.
[9] See Article 5(1) Treaty on the European Union and Article 7 Treaty on the Functioning of the European Union (Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union, OJ C 326, 26.10.2012, pp. 13-390, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012M%2FTXT).
[10] For the distinction between general rules on the allocation of (existing) competences in Articles 2-4 TFEU and rules governing “substantive” conferral of competences in the specific policy areas of the EU Treaties, see Vedder, in: Vedder and Heintschel von Heinegg (eds.), Europäisches Unionsrecht: Handkommentar (Nomos, 2nd edn. 2018), Article 2 para. 9.
[11] Codifying the ERTA doctrine: Klamert, in: Klamert, Kellerbauer and Tomkin (eds.), Commentary on the EU: Treaties and the Charter of Fundamental Rights (Oxford University Press 2019), Article 3 para. 23 with reference to Case 22/70, ERTA. See also Opinion 2/15, FTA Singapore, para 180; Case C-66/13, Green Network, EU:C:2014:2399, para 29; Case C-114/12, Broadcasting Organisations, para 68; Opinion 1/13, Convention on the civil aspects of international child abduction, para 71.
[12] Directive (EU) 2015/849 of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing (OJ L 141, 5 June 2015, p. 73), as extensively amended by the 5th Anti-Money Laundering Directive, Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU,OJ L 156, 19.6.2018, p. 43
[13] Council Decision 2007/845/JHA of 6 December 2007 concerning cooperation between Asset Recovery Offices of the Member States in the field of tracing and identification of proceeds from, or other property related to crime, OJ L 332, 18 December 2007, p. 103-105; Directive 2014/42/EU of the European Parliament and of the Council of 3 April 2014 on the freezing and confiscation of instrumentalities and proceeds of crime in the European Union, OJ L 127, 29 April 2014, p. 39-50; Directive (EU) 2019/1153 of the European Parliament and of the Council of 20 June 2019 laying down rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences, and repealing Council Decision 2000/642/JHA (OJ L 186/122, 11 July 2019, p. 122-137).
[14] “GDPR” Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4 May 2016, p. 1-88, and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4 May 2016, p. 89-131.
[15] See, for example: Moldova, Article 4 Law 133/2016; Ukraine, Article 46 para. 1 no. 5-1 Law on Prevention of Corruption.
[16] C-37/20 and C-601/20, WM and Sovim SA v Luxembourg Business Registers, 22 November 2022, Grand Chamber, https://curia.europa.eu/juris/document/document.jsf?docid=269514&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=2102379.
[17] C-184/20, OT v Vyriausioji tarnybinės etikos komisija, 1 August 2022, Grand Chamber, https://curia.europa.eu/juris/document/document.jsf?text=&docid=263721&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1391320; case note: Tilman Hoppe, Anticorruption, privacy, and (gay) family – The CJEU rules on financial disclosure of public officials (C-184/20), ICL Journal 2023, 433, https://www.degruyter.com/journal/key/icl/17/4/html.
[18] For the procedure in case of mixed agreements (no exclusive competence of the EU) see Marise Cremona, Who Can Make Treaties? The European Union, in: Duncan B. Hollis (ed.), The Oxford Guide to Treaties, 2012, 93-124; Lenaerts a.o., EU Constitutional Law, 2021, chapter 10: External action of the Union, pp. 357, 368, 371.
[19] CJEU (Grand Chamber) of 17 July 2020 – C-311/18, ECLI: EU: C: 2020: 559, Schrems II at para. 172-3, https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3833350.
[20] Tilman Hoppe (above note 1).
[21] See above note 17.
[22] Wypych v Poland, App no 2428/05, 25 October 2005, http://hudoc.echr.coe.int/eng?i=001-71236.
[23] See above note 17.
[24] See above note 22.
[25] Compare the respective finding for the OECD “Convention on Mutual Administrative Assistance in Tax Matters“: Seer/Kargitta, Exchange of information and cooperation in direct taxation, in: Research handbook on European Union taxation law, 489 (507), https://www.kompetenzzentrum-steuerrecht.de/MEDIEN/pdf/Sonstiges/2020/23_Seer_and_Kargitta_from_Panayi_Proof_4.pdf.
[26] Seer/Kargitta (note 25), with reference to CJEU (Grand Chamber) of 22 October 2013 – C-276/12, ECLI: EU: C: 2013: 678, Sabou; 16 May 2017 – C-682/15, ECLI: EU: C: 2017: 373, Berlioz Investment Fund.
[27] See, e.g., Montenegro: Article 40 Law on Prevention of Corruption 2014 (appeal in administrative court), Article 47 para. 5 Personal Data Protection Law 2008; Serbia: Article 80 para. 5 Law on Prevention of Corruption No. 35/2019 (appeal in administrative court), Article 42 Law on Personal Data Protection 2008.
[28] Bäcker, in: BeckOK Datenschutzrecht [Data Protection Law], Wolff/Brink/v. Ungern-Sternberg (eds.), 46th edition, 2023, Art. 2 at no. 25-29 (in German).
[29] GDPR, Recital 10.
[30] GDPR, Recital 101.
[31] GDPR, Recital 101.
[32] For a comprehensive overview see: Bitkom (2017); Processing of Personal Data in Third Countries based on the EU General Data Protection Regulation, https://www.bitkom.org/sites/main/files/file/import/171120-LF-Verarbeitung-personenbezogener-Daten-ENG-online.pdf.
[33] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. Candidates for accession, such as Montenegro and Serbia, have already, or are about to assimilate to the GDPR-standard.
[34] Lange/Filip, in: BeckOK Datenschutzrecht [Data Protection Law], Wolff/Brink/v. Ungern-Sternberg (eds.), 46th edition, 1 November 2021, Article 46, preliminary remark (in German).
[35] GDPR, Recital 108.
[36] See, for example: Moldova, Article 27 of Law 133/2011 on data protection (procedure of administrative complaint and court appeal), Article 18 (right to material and moral damages).
[37] See, for example: Moldova, Article 32: “The person subject to the control of assets and personal interests has the right: a) to be informed about the initiation of the control […]”; Ukraine, Article 51-4 para. 4 Law on Prevention of Corruption: “The National Agency shall notify a subject of declaration about the results of lifestyle monitoring within five days after its completion”.
[38] CJEU (Grand Chamber) of 17 July 2020 – C-311/18, ECLI: EU: C: 2020: 559, Schrems II at para. 96. The decision concerned data transfer for commercial purposes between to private companies “pursuant to standard data protection clauses” in a contract as “appropriate safeguards”. However, the argument by the CJEU seems to be transferable to all other appropriate safeguards, see, e.g., Lange/Filip, in: BeckOK Datenschutzrecht [Data Protection Law], Wolff/Brink/v. Ungern-Sternberg (eds.), 46th edition, 1 November 2021, Article 46 no. 2c, preliminary remark (in German).
[39] OT, Case C-184/20, para 75.
[40] OT, Case C-184/20, para 109.
[41] https://home-affairs.ec.europa.eu/policies/internal-security/corruption/eu-legislation-anti-corruption_en.
[42] European Data Protection Board, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, p. 10, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf.
[43] European Data Protection Board, Guidelines 2/2018 (note 42) p. 10.
[44] European Data Protection Board, Guidelines 2/2018 (note 42) p. 10.
[45] European Data Protection Board, Guidelines 2/2018 (note 42) p. 10.
[46] Trieste Western Balkan Summit, Joint Declaration Against Corruption, 12 July 2017, https://www.esteri.it/it/sala_stampa/archivionotizie/approfondimenti/2017/07/trieste-western-balkan-summit-joint/.