Article 53 GDPR: Difference between revisions
No edit summary |
|||
(18 intermediate revisions by 3 users not shown) | |||
Line 185: | Line 185: | ||
== Legal Text == | == Legal Text == | ||
<br / | <br />'''Article 53 - General conditions for the members of the supervisory authority''' | ||
<span id="1">1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:</span> | <span id="1">1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:</span> | ||
Line 209: | Line 209: | ||
==Commentary== | ==Commentary== | ||
Article 53 GDPR regulates | Article 53 GDPR regulates the means of appointment for supervisory authority members ("''SA''"). The provision governs the qualities required to hold office, circumstances relating to the termination of office and the minimum conditions for removal in the event of misconduct. This Article partly integrates [[Article 51 GDPR|Articles 51]], [[Article 52 GDPR|52]] and [[Article 54 GDPR|54 GDPR]], and resultantly its paragraphs are made up of differing characteristics. For instance, some paragraphs are directly applicable as provisions of Union law, while others require legislative intervention by Member States. | ||
=== (1) Authority appointing the members of the supervisory authority (SA) === | === (1) Authority appointing the members of the supervisory authority (SA) === | ||
Given the specificities of Member States' varying constitutional and administrative rules, this provision allows Member States to determine the manner of SA members' appointment in line with their own national frameworks.<ref>For examples, see European Union Agency for Fundamental Rights, 'Elements of independence of the data protection authorities in the EU', p.19 (available [https://www.asktheeu.org/en/request/2398/response/9765/attach/3/21.FRA%20Focus%20Data%20protection%20authorities%20independence%20funding%20and%20staffing%20ATTACHMENT%20FRA%202013%20Focus%20DPA.pdf here]).</ref> Pursuant to [[Article 54 GDPR|Article 54(1)(c) GDPR]], the rules governing the appointment procedure must be legislated for by each Member State. | |||
==== Transparent procedure ==== | ==== Transparent procedure ==== | ||
The procedure regulating appointment must be transparent, irrespective of which public body makes the appointment. This requirement is rooted in the principle of public accountability, and aims to ensure that the public is able to scrutinise the appointment of SA members.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 5 (C.H. Beck 2020, 3rd Edition).</ref> The GDPR does not clarify as to what qualifies as a transparent procedure. However, Commentators have noted that the minimum threshold for transparency, should be in the least, include making the details of the selection process available to the public. In addition, any such procedure should demonstrate that alternative candidates have been considered and evaluated in accordance with the criteria specified by the GDPR.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 4 (NOMOS 2019).</ref> <blockquote><u>Example</u>: Even if the European Data Protection Supervisor (EDPS) is governed by Regulation 2018/1725, rather than by the GDPR, the procedure for the appointment of its president can be considered a good example of a transparent procedure. To a certain degree, this procedure can be a source of inspiration for national SAs. In 2019 the selection process was structured in the following way: | |||
* ''A public call for candidates | * ''A public call for candidates for the Supervisor posts resulted in the most competent applicants being shortlisted by an inter-institutional selection board;'' | ||
* ''Following interviews with the shortlisted candidates, the selection board presented the European Commission with their recommendations for its review and submission to the European Parliament and the Council.'' | * ''Following interviews with the shortlisted candidates, the selection board presented the European Commission with their recommendations for its review and submission to the European Parliament and the Council.'' | ||
* ''Hearings to evaluate the experiences, skills and independence of the candidates took place in the European Parliament. A joint decision of the Parliament and Council was reached following their deliberations.''<ref>https://edps.europa.eu/about-edps/supervisors_en</ref></blockquote> | * ''Hearings to evaluate the experiences, skills and independence of the candidates took place in the European Parliament. A joint decision of the Parliament and Council was reached following their deliberations.''<ref>https://edps.europa.eu/about-edps/supervisors_en</ref></blockquote> | ||
==== Appointing body ==== | ==== Appointing body ==== | ||
Article 53(1) | Article 53(1) names four possible appointing bodies. These are a Member State's (i) parliament, (ii) government, (iii) head of state, or (iv) an independent body entrusted with the appointment under Member State law. | ||
=== (2) Qualification, | If member(s) of the SA are appointed by either the (i) parliament, (ii) government, or (iii) head of state, the appointment should be made based on a proposal by any one of the aforementioned bodies.<ref>Recital 121 GDPR.</ref> While a joint appointment by different branches of state is not foreseen by the GDPR,<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, p. 888 (Oxford University Press 2020).</ref> there is no reason to consider a joint appointment as contrary to Article 53(1) GDPR, so long as one of the bodies mentioned above is involved and can effectively determine the result of the final decision. | ||
Article 53(2) GDPR stipulates that each SA member must ("shall") have the qualifications, experience and skills | === (2) Qualification, experience and skills of the member(s) === | ||
Article 53(2) GDPR stipulates that each SA member must ("shall") have the qualifications, experience and skills in the area of personal data protection, required to perform its duties and exercise its powers. In addition to expertise in data protection law, in particularly IT and organisational expertise are of relevance for the work of SA members.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin numbers 8 and 9 (C.H. Beck 2020, 3rd Edition).</ref> Also general requirements, such as general requirements foreseen for all employees of the national administration, can be prescribed for members.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 21 (Nomos 2022).</ref> Competence requirements must be provided by law pursuant to [[Article 54 GDPR|Article 54(1)(b) GDPR]]. | |||
These competence requirements serve two purposes. | These competence requirements serve two purposes. The first is to ensure the high quality of SAs' work, and consequently the effectiveness of data protection. The second is to act as a minimum barrier against appointments of a purely political nature, without adequate professional preparation.<ref>''Ziebarth'', in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 18 (Nomos 2018, 2nd edition).</ref> However, Article 53(2) GDPR does not require Member States to test the knowledge of its SAs' members. Moreover, unlike the rules regulating the appointment of members of other institutions such as the Court of Justice and the General Court,<ref>The rules regulating the appointment of the members of the Court of Justice and the General Court establish that its members are to be chosen from 'persons whose independence is beyond doubt’, pursuant to Articles 253 and 254 of the Treaty on the Functioning of the European Union ("''TFEU''"). | ||
For more on this point see ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 889 (Oxford University Press 2020).</ref> the GDPR does not require that members are to be chosen from individuals whose independence is absolute.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 889 (Oxford University Press 2020).</ref> | |||
==== Qualifications ==== | ==== Qualifications ==== | ||
The | The qualification requirement refers to a member's educational background, such as the completion of vocational training, a course of study, or the acquisition of additional qualifications and further training certificates in relation to the activities of the SA. The qualification requirement is aimed at ensuring that a potential SA member is able to demonstrate that they have acquired the relevant theoretical knowledge for their position.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 6 (NOMOS 2019).</ref> | ||
==== Experience and skills ==== | |||
The experience requirement necessitates that an SA member must have previously applied what was learned through practical activity.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 6 (NOMOS 2019).</ref> While the term “''skills''” concern the abilities of the applicants relevant to the position, these include both legal and non-legal skills, and it is irrelevant whether they are innate or acquired through experience. | |||
==== Performance of tasks and the exercise of powers ==== | |||
The criteria outlined by the GDPR for the appointment of SA members is directly related to ensuring that an SA is able to effectively perform the tasks and exercise the powers afforded to it under the GDPR.<ref>For more on the SAs' tasks, please refer to [[Article 57 GDPR]] and for their powers please refer to [[Article 58 GDPR]].</ref> These tasks and powers include handling complaints lodged by data subjects, conducting investigations on the application of the GDPR, and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.<ref>See Recital 122 GDPR.</ref> Consequently, an SA's effective functioning is based on the competence of its members, who cannot sufficiently fulfil their duties unless they have the relevant <span id="2">qualifications, experience and skills to do so.</span> | |||
=== (3) End of mandate === | |||
Article 53(3) GDPR regulates the ordinary coming to an end of the SA membership. It sets out three grounds for the ordinary termination of the mandate of a SA member. These are (i) expiry of term of office, (ii) resignation and (iii) compulsory retirement. Anything which falls outside of this exhaustive list cannot justify the end of a member's mandate, for instance the internal re-organisation of an SA.<ref>In this respect, reference should be made to Case C‑288/12, ''Commission v Hungary'', and Case </ref> | |||
The provision's aim of establishing an exhaustive list of grounds for the termination of a member's mandate is an attempt to safeguard the independence of SAs, by limiting the exposure of their members to undue political influence.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).</ref> <blockquote> | |||
<u>Case law</u>: In ''Commission v Hungary'', the CJEU held that while the Member States are entitled to restructure their data protection systems and SAs, such restructuring shall not result in a preliminary termination of the mandate of a SA member. Preliminary termination of the SA member’s mandate would unjustifiably interfere with the independence of SAs.<ref>CJEU in case [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-288%252F12&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lg=&page=1&cid=2428845 C-288/2012 - ''Commission v Hungary''], paragraphs 53 to 59.</ref> | |||
<u>Case law</u>: The ''Garai'' case is also interesting in this regard. While it did not concern a SA, it regarded the early dismissal of the members of the national regulatory authority (NRA) for electronic communications in Spain. The CJEU concluded that the dismissal of the members before the end of their mandates due to the merging between different regulatory bodies was against the requirement of independence of the NRA in the ''<nowiki/>'absence of any rules guaranteeing that such dismissals do not jeopardise the independence and impartiality of such members'.''<ref>[https://curia.europa.eu/juris/document/document.jsf?text=&docid=184670&doclang=EN Case C‑424/15, ''Garai v Administración del Estado''], paragraph 52.</ref></blockquote>Members of SAs can, in addition, be legally employed by SAs. In such cases the conditions for the termination of the employment of members must be in line with the provisions of Article 53 GDPR. However, the rules governing the cessation of employment must be determined by member State's national law, in accordance with [[Article 54 GDPR|Article 54(1)(f) GDPR]]. | |||
==== Expiry of the term of office ==== | |||
Normally, the duties of a SA member end '''in the event of the expiry of the term of office''<nowiki/>'. The term of office is dealt with in [[Article 54 GDPR|Article 54(1) GDPR]], under which Member States are obliged to legislate for through their national laws. The term in office of an SA member also expires in case of death.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 11 (Nomos 2019).</ref> | |||
==== Resignation and compulsory retirement ==== | |||
SA members can voluntarily decide to end their mandate before the full completion of their term in office. It should be highlighted that resignation should be voluntary, and not influenced by external pressure.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR), Article 53 GDPR, page 890 (Oxford University Press 2020).</ref> | |||
Retirement can be a reason for the premature termination of an SA member's mandate af a SA member, especially in cases of retirement due to age or illness.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 11 (Nomos 2019).</ref> Rules regulating the retirement of SA members must be provided for through a Member State's national law before an SA member is nominated, in order to comply with the principle of independence.<ref>To this extent, see also ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Article 53 GDPR, page 891 (Oxford University Press 2020).</ref> <blockquote><u>Case law</u>: The CJEU established in ''Commission v Hungary,'' that Member States cannot change the rules concerning SA Members' term in office during their term, as this could result in a form of prior compliance, undermining the requirement of independence.<ref>Case [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-288%252F12&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lg=&page=1&cid=2428845 C-288/12 - ''Commission v Hungary'']</ref></blockquote> | |||
=== | === (4) Dismissal of SA members === | ||
Under Article 53(4) GDPR, an SA member can be dismissed only in two cases. The first of which is in the case of serious misconduct, and the second is if members can no longer fulfil the conditions required for the performance of the duties. These are the two extraordinary reasons for the premature termination of duties of SAs and should be interpreted restrictively. Notably, these grounds are exceptions to the ordinary grounds governing the end of a member's mandate under Article 53(3) GDPR,<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).</ref> as grounds for dismissal must be severe enough to justify the intrusion into the general principle of independence of SAs.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 890 (Oxford University Press 2020).</ref> Dismissal entails an involuntary preliminary loss of office | |||
The GDPR does not specify what these two instances entail, nor is clear regarding which authority is responsible for deciding a member's dismissal, or for what procedural safeguards are in place, if any. These elements should be explicitly provided by a Member State's national law and be precise enough to avoid any misleading interpretation or arbitrariness. | |||
The two cases mentioned by Article 53(4) GDPR are contained in several other EU law provisions concerning the dismissal of members of independent bodies. These are Article 247 of the Treaty on the Functioning of the European Union ("''TFEU''"), which regulates the dismissal of members of the Commission, Article 228(2) TFEU with regard to the dismissal of European Ombudsman, and Article 53(5) of Regulation (EU) 2018/1725 dealing with the dismissal of European Data Protection Supervisor.<ref>Other relevant provisions include Articles 11.4 and 14.2 of the Protocol (No 4) to TFEU on the statute of the statute of the European System of Central Banks and of the European Central Bank regarding the members of the executive board of the ECB and governors of national central banks. See also ''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 53 GDPR, margin number 13 (C.H. Beck 2018).</ref> Interpretation of these elements and corresponding provisions by the CJEU may be of relevance for the interpretations of Article 53(4) GDPR. | |||
Article 53( | |||
=== | ==== Serious misconduct ==== | ||
An SA member's actions may amount to serious misconduct, in instances where their actions are deemed incompatible with the duties and obligations of a SA member. These actions could include engaging in criminal activity, the holding of competing offices or engaging in an incompatible occupation.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 13 (Nomos 2019). </ref> For example, [[Article 52 GDPR|Article 52(2) GDPR]] requires SA members to remain free from external influence and [[Article 52 GDPR|Article 52(3) GDPR]] entails a prohibition of incompatible actions. | |||
==== No longer fulfils the conditions ==== | |||
The failure to fulfil the conditions of office refers to the general conditions required by the Member State's law, such as citizenship and general conditions for officials to hold office, or other circumstances that would permanently prevent an SA member from fulfilling their duties.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin numbers 27, 28 and 21 (Nomos 2022). </ref> | |||
==== Responsible authority and procedure ==== | |||
The procedure and the responsible authority should allow for an independent decisions regarding the dismissal of an SA member, ensuring that it is by no means politically influenced. For example, courts can be given the competence to decide on the dismissal of SA member. On the other hand, parliaments may not, as a decision on the dismissal of an SA member would be considered political if the deciding body was a Member State's parliament voting by a simple majority.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin numbers 30 and 31 (Nomos 2022).</ref> | |||
==Decisions== | ==Decisions== |
Latest revision as of 23:06, 1 April 2024
Legal Text
Article 53 - General conditions for the members of the supervisory authority
1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:
— their parliament;
— their government;
— their head of State; or
— an independent body entrusted with the appointment under Member State law.
2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.
3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.
4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.
Relevant Recitals
Commentary
Article 53 GDPR regulates the means of appointment for supervisory authority members ("SA"). The provision governs the qualities required to hold office, circumstances relating to the termination of office and the minimum conditions for removal in the event of misconduct. This Article partly integrates Articles 51, 52 and 54 GDPR, and resultantly its paragraphs are made up of differing characteristics. For instance, some paragraphs are directly applicable as provisions of Union law, while others require legislative intervention by Member States.
(1) Authority appointing the members of the supervisory authority (SA)
Given the specificities of Member States' varying constitutional and administrative rules, this provision allows Member States to determine the manner of SA members' appointment in line with their own national frameworks.[1] Pursuant to Article 54(1)(c) GDPR, the rules governing the appointment procedure must be legislated for by each Member State.
Transparent procedure
The procedure regulating appointment must be transparent, irrespective of which public body makes the appointment. This requirement is rooted in the principle of public accountability, and aims to ensure that the public is able to scrutinise the appointment of SA members.[2] The GDPR does not clarify as to what qualifies as a transparent procedure. However, Commentators have noted that the minimum threshold for transparency, should be in the least, include making the details of the selection process available to the public. In addition, any such procedure should demonstrate that alternative candidates have been considered and evaluated in accordance with the criteria specified by the GDPR.[3]
Example: Even if the European Data Protection Supervisor (EDPS) is governed by Regulation 2018/1725, rather than by the GDPR, the procedure for the appointment of its president can be considered a good example of a transparent procedure. To a certain degree, this procedure can be a source of inspiration for national SAs. In 2019 the selection process was structured in the following way:
- A public call for candidates for the Supervisor posts resulted in the most competent applicants being shortlisted by an inter-institutional selection board;
- Following interviews with the shortlisted candidates, the selection board presented the European Commission with their recommendations for its review and submission to the European Parliament and the Council.
- Hearings to evaluate the experiences, skills and independence of the candidates took place in the European Parliament. A joint decision of the Parliament and Council was reached following their deliberations.[4]
Appointing body
Article 53(1) names four possible appointing bodies. These are a Member State's (i) parliament, (ii) government, (iii) head of state, or (iv) an independent body entrusted with the appointment under Member State law.
If member(s) of the SA are appointed by either the (i) parliament, (ii) government, or (iii) head of state, the appointment should be made based on a proposal by any one of the aforementioned bodies.[5] While a joint appointment by different branches of state is not foreseen by the GDPR,[6] there is no reason to consider a joint appointment as contrary to Article 53(1) GDPR, so long as one of the bodies mentioned above is involved and can effectively determine the result of the final decision.
(2) Qualification, experience and skills of the member(s)
Article 53(2) GDPR stipulates that each SA member must ("shall") have the qualifications, experience and skills in the area of personal data protection, required to perform its duties and exercise its powers. In addition to expertise in data protection law, in particularly IT and organisational expertise are of relevance for the work of SA members.[7] Also general requirements, such as general requirements foreseen for all employees of the national administration, can be prescribed for members.[8] Competence requirements must be provided by law pursuant to Article 54(1)(b) GDPR.
These competence requirements serve two purposes. The first is to ensure the high quality of SAs' work, and consequently the effectiveness of data protection. The second is to act as a minimum barrier against appointments of a purely political nature, without adequate professional preparation.[9] However, Article 53(2) GDPR does not require Member States to test the knowledge of its SAs' members. Moreover, unlike the rules regulating the appointment of members of other institutions such as the Court of Justice and the General Court,[10] the GDPR does not require that members are to be chosen from individuals whose independence is absolute.[11]
Qualifications
The qualification requirement refers to a member's educational background, such as the completion of vocational training, a course of study, or the acquisition of additional qualifications and further training certificates in relation to the activities of the SA. The qualification requirement is aimed at ensuring that a potential SA member is able to demonstrate that they have acquired the relevant theoretical knowledge for their position.[12]
Experience and skills
The experience requirement necessitates that an SA member must have previously applied what was learned through practical activity.[13] While the term “skills” concern the abilities of the applicants relevant to the position, these include both legal and non-legal skills, and it is irrelevant whether they are innate or acquired through experience.
Performance of tasks and the exercise of powers
The criteria outlined by the GDPR for the appointment of SA members is directly related to ensuring that an SA is able to effectively perform the tasks and exercise the powers afforded to it under the GDPR.[14] These tasks and powers include handling complaints lodged by data subjects, conducting investigations on the application of the GDPR, and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.[15] Consequently, an SA's effective functioning is based on the competence of its members, who cannot sufficiently fulfil their duties unless they have the relevant qualifications, experience and skills to do so.
(3) End of mandate
Article 53(3) GDPR regulates the ordinary coming to an end of the SA membership. It sets out three grounds for the ordinary termination of the mandate of a SA member. These are (i) expiry of term of office, (ii) resignation and (iii) compulsory retirement. Anything which falls outside of this exhaustive list cannot justify the end of a member's mandate, for instance the internal re-organisation of an SA.[16]
The provision's aim of establishing an exhaustive list of grounds for the termination of a member's mandate is an attempt to safeguard the independence of SAs, by limiting the exposure of their members to undue political influence.[17]
Case law: In Commission v Hungary, the CJEU held that while the Member States are entitled to restructure their data protection systems and SAs, such restructuring shall not result in a preliminary termination of the mandate of a SA member. Preliminary termination of the SA member’s mandate would unjustifiably interfere with the independence of SAs.[18]
Case law: The Garai case is also interesting in this regard. While it did not concern a SA, it regarded the early dismissal of the members of the national regulatory authority (NRA) for electronic communications in Spain. The CJEU concluded that the dismissal of the members before the end of their mandates due to the merging between different regulatory bodies was against the requirement of independence of the NRA in the 'absence of any rules guaranteeing that such dismissals do not jeopardise the independence and impartiality of such members'.[19]
Members of SAs can, in addition, be legally employed by SAs. In such cases the conditions for the termination of the employment of members must be in line with the provisions of Article 53 GDPR. However, the rules governing the cessation of employment must be determined by member State's national law, in accordance with Article 54(1)(f) GDPR.
Expiry of the term of office
Normally, the duties of a SA member end 'in the event of the expiry of the term of office'. The term of office is dealt with in Article 54(1) GDPR, under which Member States are obliged to legislate for through their national laws. The term in office of an SA member also expires in case of death.[20]
Resignation and compulsory retirement
SA members can voluntarily decide to end their mandate before the full completion of their term in office. It should be highlighted that resignation should be voluntary, and not influenced by external pressure.[21]
Retirement can be a reason for the premature termination of an SA member's mandate af a SA member, especially in cases of retirement due to age or illness.[22] Rules regulating the retirement of SA members must be provided for through a Member State's national law before an SA member is nominated, in order to comply with the principle of independence.[23]
Case law: The CJEU established in Commission v Hungary, that Member States cannot change the rules concerning SA Members' term in office during their term, as this could result in a form of prior compliance, undermining the requirement of independence.[24]
(4) Dismissal of SA members
Under Article 53(4) GDPR, an SA member can be dismissed only in two cases. The first of which is in the case of serious misconduct, and the second is if members can no longer fulfil the conditions required for the performance of the duties. These are the two extraordinary reasons for the premature termination of duties of SAs and should be interpreted restrictively. Notably, these grounds are exceptions to the ordinary grounds governing the end of a member's mandate under Article 53(3) GDPR,[25] as grounds for dismissal must be severe enough to justify the intrusion into the general principle of independence of SAs.[26] Dismissal entails an involuntary preliminary loss of office
The GDPR does not specify what these two instances entail, nor is clear regarding which authority is responsible for deciding a member's dismissal, or for what procedural safeguards are in place, if any. These elements should be explicitly provided by a Member State's national law and be precise enough to avoid any misleading interpretation or arbitrariness.
The two cases mentioned by Article 53(4) GDPR are contained in several other EU law provisions concerning the dismissal of members of independent bodies. These are Article 247 of the Treaty on the Functioning of the European Union ("TFEU"), which regulates the dismissal of members of the Commission, Article 228(2) TFEU with regard to the dismissal of European Ombudsman, and Article 53(5) of Regulation (EU) 2018/1725 dealing with the dismissal of European Data Protection Supervisor.[27] Interpretation of these elements and corresponding provisions by the CJEU may be of relevance for the interpretations of Article 53(4) GDPR.
Serious misconduct
An SA member's actions may amount to serious misconduct, in instances where their actions are deemed incompatible with the duties and obligations of a SA member. These actions could include engaging in criminal activity, the holding of competing offices or engaging in an incompatible occupation.[28] For example, Article 52(2) GDPR requires SA members to remain free from external influence and Article 52(3) GDPR entails a prohibition of incompatible actions.
No longer fulfils the conditions
The failure to fulfil the conditions of office refers to the general conditions required by the Member State's law, such as citizenship and general conditions for officials to hold office, or other circumstances that would permanently prevent an SA member from fulfilling their duties.[29]
Responsible authority and procedure
The procedure and the responsible authority should allow for an independent decisions regarding the dismissal of an SA member, ensuring that it is by no means politically influenced. For example, courts can be given the competence to decide on the dismissal of SA member. On the other hand, parliaments may not, as a decision on the dismissal of an SA member would be considered political if the deciding body was a Member State's parliament voting by a simple majority.[30]
Decisions
→ You can find all related decisions in Category: Article 53 GDPR
References
- ↑ For examples, see European Union Agency for Fundamental Rights, 'Elements of independence of the data protection authorities in the EU', p.19 (available here).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 5 (C.H. Beck 2020, 3rd Edition).
- ↑ Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 4 (NOMOS 2019).
- ↑ https://edps.europa.eu/about-edps/supervisors_en
- ↑ Recital 121 GDPR.
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, p. 888 (Oxford University Press 2020).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin numbers 8 and 9 (C.H. Beck 2020, 3rd Edition).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 21 (Nomos 2022).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 18 (Nomos 2018, 2nd edition).
- ↑ The rules regulating the appointment of the members of the Court of Justice and the General Court establish that its members are to be chosen from 'persons whose independence is beyond doubt’, pursuant to Articles 253 and 254 of the Treaty on the Functioning of the European Union ("TFEU"). For more on this point see Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 889 (Oxford University Press 2020).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 889 (Oxford University Press 2020).
- ↑ Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 6 (NOMOS 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 6 (NOMOS 2019).
- ↑ For more on the SAs' tasks, please refer to Article 57 GDPR and for their powers please refer to Article 58 GDPR.
- ↑ See Recital 122 GDPR.
- ↑ In this respect, reference should be made to Case C‑288/12, Commission v Hungary, and Case
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).
- ↑ CJEU in case C-288/2012 - Commission v Hungary, paragraphs 53 to 59.
- ↑ Case C‑424/15, Garai v Administración del Estado, paragraph 52.
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 11 (Nomos 2019).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR), Article 53 GDPR, page 890 (Oxford University Press 2020).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 11 (Nomos 2019).
- ↑ To this extent, see also Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Article 53 GDPR, page 891 (Oxford University Press 2020).
- ↑ Case C-288/12 - Commission v Hungary
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 890 (Oxford University Press 2020).
- ↑ Other relevant provisions include Articles 11.4 and 14.2 of the Protocol (No 4) to TFEU on the statute of the statute of the European System of Central Banks and of the European Central Bank regarding the members of the executive board of the ECB and governors of national central banks. See also Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 53 GDPR, margin number 13 (C.H. Beck 2018).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 13 (Nomos 2019).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin numbers 27, 28 and 21 (Nomos 2022).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin numbers 30 and 31 (Nomos 2022).