Article 58 GDPR: Difference between revisions
== Legal Text ==
<br /><center>'''Article 58 - Powers'''</center>
<span id="1">1. Each supervisory authority shall have all of the following investigative powers:</span>
== Relevant Recitals ==
{{Recital/132 GDPR}}
{{Recital/129 GDPR}}
{{Recital/164 GDPR}}
== Commentary ==
Article 58 GDPR standardises the powers that supervisory authorities (“''SAs''”) can use in performing their tasks under [[Article 57 GDPR]]. The provision includes a comprehensive catalogue of investigative, corrective and advisory powers. Such powers result directly from the GDPR and therefore do not need implementation by member states’ law. Under [[Article 70 GDPR|Article 70(1)(k) GDPR]], the EDPB should in principle adopt guidelines regarding the concrete and consistent application of such powers.<ref>Under Article 70(1)(k) GDPR, the EDPB should in principle adopt guidelines regarding the concrete and consistent application of such powers. See, ''Zavadil'', in Knyrim, DatKomm, Article 58 GDPR, margin number 3 (Manz 2021).</ref> In this regard, all the SA’s powers are important. However, under Article 83(5)(e) GDPR, non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the SA pursuant to Article 58(2) GDPR, or failure to provide access in violation of Article 58(1) GDPR, may result in the highest fines possible.<ref>''Feiler, Forgó,'' EU-DSGVO, Article 83 GDPR, margin number 17 (Verlag Österreich 2016).</ref> It seems, therefore, that the legislator considers some of the powers described in Article 58 GDPR to be crucial for the functioning of SAs and, in turn, the entire GDPR system.
=== (1) Investigative powers ===
A necessary step to enforcing the GDPR and handling data subjects’ complaints is the possibility of carrying out investigations. Article 58(1) GDPR differentiates between different types of investigative powers. These powers are needed to establish the facts of a case.<ref>''Georgieva/Schmidl'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 58 GDPR, p. 945 (Oxford University Press 2020).</ref> Only on the basis of a comprehensive clarification of the facts of the case is the SA in a position to exercise its corrective powers under Article 58(2) GDPR or its authorisation powers under Article 58(3) GDPR.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).</ref> SAs can combine several investigative powers according to the needs of the investigation. For example, the SA may link the data protection audit to further powers under paragraph 1, such as the access powers to obtain access to personal data processed, to information and to the premises under Article 58(1)(e)(f) GDPR.
==== (a) Order the controller to provide information ====
The SA can instruct the controller, processor and, if applicable, the representative to provide all information that is necessary for the performance of its tasks. The obligation to provide the information relates to all information (knowledge) that is at one's disposal in any form, e.g. in written, visual, audio or data processing form, as well as data stored or accessible in other information media. It is intended to prevent a situation in which only individual pieces of information are provided to the SA during the investigation.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).</ref> Information includes the personal data processed, but also information on the purpose, nature and methods of processing, the origin and recipients of the data, contracts and certifications. In cases of cross-border processing, information and evidence may also be important as to which of several establishments is the main establishment ([[Article 56 GDPR]] in connection with [[Article 4 GDPR|Article 4(16) GDPR]]).<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 14 (Nomos 2022).</ref>
Information can be provided, for example, by transmitting documents to the SA, submitting written statements or replying to questionnaires. In addition to this, [[Article 30 GDPR|Article 30(4) GDPR]] stipulates that the controller or processor or, if applicable, the representative shall make the record of processing activities available to the SA on request.<ref>''Zavadil'', in Knyrim, DatKomm, Article 58 GDPR, margin number 14 (Manz 2021).</ref>
Example: xxx
Where the controller or processor would incriminate themselves by providing certain information and thus be subject to sanctions, they can invoke their right to refuse information based on the rule of law clause in Article 58(4) GDPR (see below) and the privilege against self-incrimination (''nemo tenetur'' principle).<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition). See also ''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 12 (2nd Edition, C.H. Beck 2018).</ref>
Example: xxxx
==== (b) Carry out data protection audits ====
The SAs can carry out investigations in the form of audits of data protection and of data security.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).</ref> An audit implies that a comprehensive qualitative examination of the effectiveness of procedures is conducted.<ref>''Selmayr,'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 13 (C.H. Beck 2018).</ref> In this context, SAs can take different measures to analyse processing operations on personal data at a controller or processor, such as access to documents, the examination of hardware and software used, networks, databases, applications and interfaces, as well as the testing of security measures found or the evaluation of data records.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 14 (Nomos 2019).</ref>
The initial version of Article 58 GDPR limited the scope of the audit to the business premises of the controller. After the Corrigendum of the GDPR,<ref>Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4 May 2016 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679R%2802%29 here]).</ref> however, the term “''business premises''” was replaced by “''premises''”. It follows that private rooms, where at least a part of the processing takes place, are also included.<ref>''Zavadil'', in Knyrim, DatKomm, Article 58 GDPR, margin number 17 f. (Manz 2021).</ref>
==== (c) Review certifications ====
Under Article 58(1)(c) GDPR a SA can review certifications issued in accordance with [[Article 42 GDPR|Article 42(7) GDPR]] when they are being renewed, as well as the activities of accredited certification bodies within the meaning of [[Article 43 GDPR|Article 43(1) GDPR]]. During the review the SA examines whether the requirements of certification are still met.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 15 (Nomos 2019).</ref>
==== (d) Notify the controller of an alleged infringement ====
In accordance with Article 58(1)(d) GDPR, a SA can inform a controller or processor about an alleged – i.e. possible, but not yet determined – infringement of the GDPR ('Regulation'). Such a notice can be given, for example, directly in connection with a data protection audit, a data subject’s complaint or official information from another SA. The notice establishes a presumption of a violation of the GDPR, which, however, can be rebutted by the controller or the processor.<ref>''Selmayr,'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 16 (C.H. Beck 2018). See also ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 16 (Nomos 2019).</ref> This appears to be a constructive and proportionate approach which gives controllers and processors a chance to know the provisional understanding of the SA and react accordingly, making submissions and/or bringing the processing into compliance, if a violation exists.
==== (e) Obtain access to personal data and all relevant information ====
The powers of investigation of the SAs also include a right of access to personal data and information in accordance with Article 58(1)(e) GDPR. This includes the right to directly access personal data, inspect internal documents, databases and procedures, and therefore is wider and more incisive than the right to (request and) obtain information under Article 58(1)(a) GDPR. SAs can obtain access to documents and systems on site and/or connect into the processing systems.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition). See also ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 30 (Nomos 2022).</ref> SAs are also authorised to record the technical and organisational background of data processing, which means that all documents on procedures and security documentation are subject to access, including technical information on systems which do not yet process personal data, but which may enable a link with or to personal data.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 17 (Nomos 2019).</ref> Controllers and processors must cooperate with the SA during the inspection ([[Article 31 GDPR]]). However, if the cooperation yields a violation of the ''nemo tenetur'' principle (privilege against self-incrimination), it seems possible for the investigated party to lawfully refuse such cooperation.<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 35 GDPR, margin number 14 (C.H. Beck, 36th edition).</ref> Failure to provide access can, pursuant to [[Article 83 GDPR|Article 83(5)(e) GDPR]], result in an administrative fine of up to 20 000 000 EUR or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
==== (f) Obtain access to premises including equipment and means ====
Finally, data protection SAs – similarly to the Commission and the national competition authorities in EU antitrust proceedings – are given the power to search the controller’s (or processor’s) premises in accordance with Article 58(1)(f) GDPR. The search is not restricted to the business premises, but a judge’s authorisation is indispensable with regard to the inviolability of the home and comparable places.<ref>See ''Körffer'', in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2021). Also following the Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4 May 2016 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679R%2802%29 here]).</ref> The term “premises” includes all data processing systems and all data processing devices. Member States might adopt special provisions in relation to controllers or processors that are subject to an obligation of professional secrecy or other equivalent obligations of secrecy with regard to the SAs’ authorisation to access under Article 58(1)(e)(f) GDPR ([[Article 90 GDPR|Article 90(1) GDPR]]). <blockquote>Example: The Norwegian SA enters the premises and is granted access to the database of a Norwegian company during an investigation.</blockquote>
=== (2) Corrective powers ===
The corrective powers provided for in Article 58(2) GDPR enable the SAs to restore GDPR-compliant conditions in the event of violations. For this purpose, Article 58(2) GDPR builds a system of powers which should be used proportionately, bearing in mind the type of the envisaged violation and the risks for the data subjects.
{{Quote-CJEU|“Where, following its investigation, such an authority finds an infringement of the provisions of that regulation, it is required to react appropriately in order to remedy the shortcoming found. To that end, Article 58(2) of that regulation lists the various corrective measures that the supervisory authority may adopt [...].”|CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|57}}
The GDPR leaves the SA discretion as to the manner in which it must remedy any violation found. Thus, the SA must determine which action is appropriate and necessary, and must do so taking into consideration all the circumstances of the specific case as well as its responsibility to ensure that the GDPR is fully enforced with all due diligence.<ref>CJEU, Case C-768/21, Land Hessen, 26 September 2024, margin number 37 (available [[CJEU - C-768/21 - Land Hessen|here]]). </ref> In doing so, a SA has to decide at its due discretion whether exercising a milder remedial power (e.g. a warning) is sufficient to ensure the application and enforcement of the GDPR, or whether a more profound measure (e.g. a ban on a processing activity) should be administered.
SAs are generally required to take action and use one or more of the corrective powers provided for in Article 58(2) GDPR whenever it is necessary to remedy a violation or when it is appropriate to ensure that the regulation is fully enforced. However, in exceptional cases SAs might have discretion whether to exercise corrective powers. This might be the case when the GDPR violation has already been remedied and the processing of personal data has already been brought into compliance with the GDPR. Additionally, such non-action must not undermine the consistent and high level of protection of personal data through strong enforcement of the GDPR.<ref>CJEU, Case C-768/21, Land Hessen, 26 September 2024, margin number 38 and 46 (available [[CJEU - C-768/21 - Land Hessen|here]]).</ref>
{{Quote-CJEU|"In that regard, it cannot be ruled out that, exceptionally and in the light of the particular circumstances of the specific case, the supervisory authority may refrain from exercising a corrective power even though a breach of personal data has been established. That could be the case, inter alia, where the breach established has not continued, for example where the controller, which had, in principle, implemented appropriate technical and organisational measures within the meaning of Article 24 of the GDPR, has, as soon as it became aware of that breach, taken appropriate and necessary measures to ensure that that breach is brought to an end and does not recur, in view of its obligations under, inter alia, Article 5(2) and Article 24 of that regulation."|CJEU - C-768/21 - Land Hessen|43}}
The SA's decision whether and how to use its corrective powers is subject to full judicial review in accordance with Article 79 GDPR.<ref>CJEU, Case C-768/21, Land Hessen, 26 September 2024, margin number 49 (available [[CJEU - C-768/21 - Land Hessen|here]]). </ref>
[[Article 83 GDPR|Article 83(5)(e) and Article 83(6) GDPR]] stipulate that non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows can be punished with up to EUR 20,000,000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover.
==== (a) Issue warnings ====
The mildest expression of the authority’s powers is the warning. The SA issues it if an intended processing operation is “''likely''” to violate the GDPR. A warning can be issued in cases where the processing has not started yet but is "intended". There are no specifics as to the form of the warning. It follows that it can be issued in writing or orally (although a formal approach appears sensible). The controller can react to a warning by redesigning the intended processing operation in a manner that makes it compliant with the law.<ref>''Selmayr,'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 19 (C.H. Beck 2018).</ref><blockquote>Example: The Danish SA issues a written warning to a Danish company that their intended database is likely to violate the GDPR unless they implement measures to mitigate risks, such as data encryption, after the Danish company seems to be ignoring the written advice provided in prior consultations under Article 36 GDPR, and plans to proceed with the intended processing without implementing all the adjustments that the Danish SA had identified as necessary.</blockquote>
==== (b) Issue reprimands ====
If the SA identifies a violation of the GDPR, it may, under Article 58(2)(b) GDPR, issue a reprimand to a controller or a processor. Contrary to what happens in the case of a warning, the reprimand indicates that a violation of the GDPR (or, more rarely, several violations) has already occurred and has been established by the SA. The SA will issue a reprimand if the threshold for imposing a fine has not yet been reached. For these reasons, scholars have defined the reprimand as the “''little sister of the fine''” or compared it to a “yellow card” from the SA.<ref>''Martini, Wenzel'', „Gelbe Karte“ von der Aufsichtsbehörde: Die Verwarnung als datenschutzrechtliches Sanktionenhybrid, in PinG, 5 (2017), p. 92-96.</ref> However, if a reprimand is disregarded, the SA can respond by exercising more stringent remedial powers and taking the conduct into account as a factor for a possible administrative fine ([[Article 83 GDPR]]).
Example: xxxx
==== (c) Order to comply with data subject’s requests ====
Article 58(2)(c) GDPR serves as a second-level remedy in case a controller or processor violates the rights of the data subject. Should that happen, the SA can then instruct the controller or the processor to comply with the data subject’s request, such as with regard to the right to access ([[Article 15 GDPR]]), rectification ([[Article 16 GDPR]]), erasure ([[Article 17 GDPR]]), restriction ([[Article 18 GDPR]]), notification ([[Article 19 GDPR]]) or data portability ([[Article 20 GDPR]]). In these cases, the SA acts through an “''order''”.<ref name=":0">''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 30 and 31 (Nomos 2019).</ref><blockquote>Example: The Bavarian SA orders a company to provide to the complainant a full copy of all of her data that they are processing within 10 days after it has received the order.</blockquote>
==== (d) Order to bring processing in compliance with the GDPR ====
The SA can instruct the controller or processor to bring processing operations in line with the GDPR. Adjustment of processing to become GDPR-compliant can be required in a specific manner and within a specific period of time. The order must always be sufficiently specific in terms of content. The controller must be able to understand what is required of them, so that they can act accordingly. If there are several options for bringing the processing in compliance with the requirements of the GDPR, the order must be written in a manner that leaves the controller in a position to choose any of the options. For reasons of proportionality, the order must not be restricted to a certain option in such situations. If, for example, several equally efficient encryption methods exist according to the state of the art, it must be examined whether the order can leave the choice of the specific method to the controller.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 34 (Nomos 2019).</ref> Otherwise, there is no limit to the type of instruction. The wording of the law appears to authorise any request that could serve the scope of (re-)establishing GDPR compliance. Measures include, for example, instructions to take technical and organisational measures within the meaning of [[Article 32 GDPR]], to appoint a data protection officer according to [[Article 37 GDPR]], to create and maintain a record of processing activities according to [[Article 30 GDPR]], to regulate the relationship with a processor by means of a contract or other binding legal act ([[Article 28 GDPR|Article 28(3) GDPR]]), to change the alignment of surveillance cameras, or to change the use of pre-formulated consent within the meaning of [[Article 7 GDPR]].<ref>''Körffer'', in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 20 (C.H. Beck 2021).</ref>
Example: xxxx
==== (e) Order communication of a data breach to the data subject ====
According to Article 58(2)(e) GDPR, the SA can instruct the controller to immediately notify persons affected by a data breach which triggers the notification obligations under [[Article 33 GDPR]] and [[Article 34 GDPR]]. This provision is closely connected to [[Article 34 GDPR|Article 34(4) GDPR]], which clarifies that the SA can require the controller to communicate a personal data breach to a data subject if it considers that the data breach is likely to result in a high risk. The order is always addressed to the controller, as controllers are obliged to inform data subjects of a data breach even if the data breach occurred on the side of the processor ([[Article 33 GDPR|Article 33(1)(2) GDPR]]).<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 36 (Nomos 2019).</ref>
Example: xxx
==== (f) Impose a limitation or a ban on processing ====
The SA can also order a limitation or ban on data processing in accordance with Article 58(2)(f) GDPR. The limitation on data processing can be temporary or permanent. A ban does not only limit but prohibits processing completely. In the case of a ban, the limitation does not only concern certain data, processing purposes or a certain duration; rather, the processing as a whole is prohibited. For example, a ban on processing will be ordered if certain processing with a specific service provider cannot be organised in compliance with the GDPR.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin numbers 38 and 39 (Nomos 2019).</ref>
These measures are strict and should be considered only as long as and to the extent that they are necessary and proportionate. In particular, in the case of a ban as a particularly invasive measure, the SA must always check whether milder, equally suitable means are available, such as a limitation of processing. A ban on processing should be the last resort.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 26 (C.H. Beck 2020, 3rd Edition).</ref> At the same time, however, the ban will be a proportionate or sometimes even the only effective means, in particular in cases where it is impossible for the controller or processor to establish legal compliance for a processing operation. This is the case, for example, if the processing takes place without a legal basis ([[Article 6 GDPR]]), the conditions for consent in accordance with [[Article 7 GDPR]] cannot be met in relation to the processing operation, or no suitable technical and organisational measures in accordance with [[Article 32 GDPR]] can be implemented in accordance with the state of the art. Moreover, it is at the discretion of the SA whether it prefers an immediate remedy to a delayed adjustment.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin numbers 39-41 (Nomos 2019).</ref>
A ban is to be considered also when a controller or processor has shown particularly disrespectful conduct, as happens when a previous warning, reprimand or order has been issued and the recipient has disregarded it.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 24 (2nd Edition, C.H. Beck 2018).</ref> For example, the Norwegian SA imposed a temporary ban on the processing of data for behavioural advertising on Facebook and Instagram for Norway, after Meta failed to comply with the decision of the Irish SA adopted under the Article 60 GDPR mechanism and to bring cross-border processing for behavioural advertising on Facebook and Instagram in line with the GDPR within the set time limit.<ref>The order of the Norwegian SA on urgent and provisional measures - Meta, dated 14 June 2023, is available [https://www.datatilsynet.no/en/news/aktuelle-nyheter-2023/temporary-ban-of-behavioural-advertising-on-facebook-and-instagram/ here]. The decision of the Irish SA establishing the infringement of the GDPR by Meta in respect of behavioural advertising on Facebook is available [https://edpb.europa.eu/system/files/2023-01/facebook-18-5-5_final_decision_redacted_en.pdf here].</ref> Both decisions are under appeal. The ban was extended to the whole EU/EEA by an EDPB Urgent Binding Decision adopted under [[Article 66 GDPR]] instructing the Irish SA as the LSA to take, within two weeks, final measures regarding Meta and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire EEA.<ref>Decisions are not available yet. The notification about the adopted measures on EDPB level is available [https://edpb.europa.eu/news/news/2023/edpb-urgent-binding-decision-processing-personal-data-behavioural-advertising-meta_en here].</ref>
In general, the unlawfulness of the processing is a condition for a limitation or ban of processing by a SA. However, in exceptional cases where the (un)lawfulness is not yet established (certain), but the risk for the data subjects is high, presumably unlawful processing can be limited or banned until the question of the lawfulness of such processing has been clarified.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 56 (Nomos 2022).</ref>
==== (g) Order to rectify or erase personal data ====
Article 58(2)(g) GDPR authorises the SA to order a correction or deletion of data ([[Article 16 GDPR]], [[Article 17 GDPR]]) or a restriction of data processing ([[Article 18 GDPR]]), provided that the conditions for the measure laid down in the respective Article are fulfilled. The SA can intervene ex officio. A prior request of the data subject or a complaint is not necessary.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 42 (Nomos 2019).</ref> In addition, the SA can order that the controller has to notify the recipients of data that the data has been rectified, erased or the processing thereof has been restricted ([[Article 17 GDPR|Article 17(2) GDPR]] and [[Article 19 GDPR]]). The addressee of the order is always the controller, as the rights listed in Article 58(2)(g) GDPR apply only to controllers.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 27 (C.H. Beck 2020, 3rd Edition).</ref>
==== (h) Withdraw a certification ====
If a SA comes to the conclusion that the prerequisites of a previously issued certification are no longer met, it might, in accordance with [[Article 42 GDPR|Article 42(7) GDPR]], revoke the certification. If the certification is granted by a certification body, the SA can do so in accordance with Article 58(2) GDPR and instruct the body to revoke the certification or not to issue it. Correspondingly, [[Article 43 GDPR|Article 43(1) GDPR]] provides for an obligation of the certification bodies to inform the SA in order to allow it to exercise its powers before the body issues or renews a certificate.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 44 (Nomos 2019).</ref> Under [[Article 43 GDPR|Article 43(2)(c) GDPR]] every certification body must have its own procedures for review and revocation of certifications. The aim of this provision is that the SA intervenes in the event that it has justified doubts about the independence and credibility of a certification body, so that procedures, products and services can no longer benefit from the sales-promoting effect of the certification.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 26 (2nd Edition, C.H. Beck 2018).</ref>
==== (i) Impose an administrative fine ====
The most renowned (although probably not most important) remedy introduced by the GDPR is the imposition of a fine under Article 58(2) GDPR in conjunction with [[Article 83 GDPR]]. Its amount, which can go up to EUR 20 million or, if higher, up to 4 % of the undertaking’s total worldwide annual turnover, is determined taking into account the type of violation ([[Article 83 GDPR|Article 83(4)(5) GDPR]]) as well as other qualitative factors listed in [[Article 83 GDPR|Article 83(2) GDPR]], in particular the nature, gravity and duration of the infringement. The SA can, but does not have to, impose fines for violations. The relevant decision is at the discretion of the SA, whereby the considerations mentioned in [[Article 83 GDPR]] are to be taken into account. The fine can be imposed in addition to or instead of further remedial measures within the meaning of Article 58(2)(a)-(h) GDPR.<ref>As ''Zavadil'' clarifies, the Åkerberg Fransson ECJ ruling shows that the principle ne bis in idem does not apply if a measure with a punitive nature is imposed in addition to one without a punitive nature. It is therefore permissible to impose a fine alongside an administrative measure that is not punitive; ''Zavadil'', in Knyrim, DatKomm, Article 58 GDPR, margin number 14 (Manz 2021).</ref>
Case law: The Åkerberg Fransson ECJ ruling shows that the principle ne bis in idem does not apply if a measure with a punitive nature is imposed in addition to one without a punitive nature. It is therefore permissible to impose a fine alongside an administrative measure that is not punitive.<ref>xxxx</ref>
==== (j) Order suspension of data flows to a recipient in a third country ====
A final remedy is provided for in Article 58(2)(j) GDPR. According to this, a SA can order the suspension of data transfers to a third country or to an international organisation if the third country or international organisation concerned does not, or no longer, offer an appropriate level of protection within the meaning of [[Article 45 GDPR]].
=== (3) Advisory powers ===
The authorisation and advisory powers in Article 58(3) GDPR supplement the investigative and corrective measures SAs are afforded. Article 58(3) GDPR lists all those cases in which authorisation or approval from a SA is a prerequisite for acting in accordance with the GDPR. In these cases, the SA carries out a prior check in order to preventively ensure the application and enforcement of the GDPR. In detail, this concerns the following powers (cf. Article 58(3)(c)-(j) GDPR):
* Approval of processing that is particularly risky for the fundamental right to data protection, provided that a member state has made use of the optional specification clause ([[Article 36 GDPR|Article 36(5) GDPR]]);
* Opinion on and approval of draft codes of conduct in accordance with [[Article 40 GDPR|Article 40(5) GDPR]] and, where relevant, [[Article 64 GDPR|Article 64(1)(b) GDPR]];
* Accreditation of certification bodies in accordance with [[Article 43 GDPR]];
* Issuing of certifications in accordance with Article 42(5) GDPR and, if relevant, in accordance with [[Article 64 GDPR|Article 64(1)(c) GDPR]];
* Adoption of standard contractual clauses in accordance with [[Article 28 GDPR|Article 28(8) GDPR]] and, where applicable, [[Article 46 GDPR|Article 46(2) GDPR]];
* Approval of standard contractual clauses for international data transfers in accordance with [[Article 46 GDPR|Article 46(3)(a) GDPR]] and [[Article 64 GDPR|Article 64(1)(e) GDPR]];
* Approval of administrative arrangements for international data transfers in accordance with [[Article 46 GDPR|Article 46(3)(b) GDPR]];
* Approval of binding corporate rules in accordance with [[Article 47 GDPR]].
===(4) Appropriate safeguards=== | |||
In the absence of a uniform European administrative procedural law, the powers of the SAs must in principle be exercised in accordance with the national procedural law of the respective member state. National procedural law must meet certain requirements; in particular, it must provide for due process and effective judicial remedies.<ref>''Körffer'', in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 31 (C.H. Beck 2021).</ref> | |||
===(5) Supervisory authorities (SAs) in courts=== | |||
Article 58(5) GDPR contains an opening clause that must be filled out by the legislators of the member states. According to this, SAs must always have the power to bring violations of the GDPR to court. Specifying national legal provisions must decide whether a SA itself has a right of action or whether it has to involve the national judicial authorities, which in turn have to initiate judicial proceedings. The GDPR allows the member states to insert the enforcement powers of the national SAs into the national legal system. | |||
===(6) Additional powers provided by national law === | |||
According to Article 58(6) GDPR, each member state can stipulate that its SA receives further powers in addition to those mentioned in paragraphs 1-3, provided that this not impair the effective implementation of Chapter VII of the GDPR on cooperation and coherence. Based on the express wording of paragraph 6, it can be assumed that the SAs may be given additional powers, but that the existing powers may not be restricted. A contrary view cannot be derived from any other provision of the GDPR.<ref>''Zavadil'', in Knyrim, DatKomm, Article 58 GDPR, margin number 56 (Manz 2021).</ref> | |||
== Decisions == | == Decisions == | ||
→ You can find all related decisions in [[:Category:Article 58 GDPR]] | → You can find all related decisions in [[:Category:Article 58 GDPR]] | ||
== References == | ==References== | ||
<references /> | <references /> | ||
[[Category:GDPR Articles]] | [[Category:GDPR Articles]] |
Latest revision as of 14:41, 1 October 2024
Legal Text
1. Each supervisory authority shall have all of the following investigative powers:
- (a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
- (b) to carry out investigations in the form of data protection audits;
- (c) to carry out a review on certifications issued pursuant to Article 42(7);
- (d) to notify the controller or the processor of an alleged infringement of this Regulation;
- (e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
- (f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
2. Each supervisory authority shall have all of the following corrective powers:
- (a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
- (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
- (c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
- (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
- (e) to order the controller to communicate a personal data breach to the data subject;
- (f) to impose a temporary or definitive limitation including a ban on processing;
- (g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
- (h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
- (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
- (j) to order the suspension of data flows to a recipient in a third country or to an international organisation.
3. Each supervisory authority shall have all of the following authorisation and advisory powers:
- (a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;
- (b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
- (c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;
- (d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);
- (e) to accredit certification bodies pursuant to Article 43;
- (f) to issue certifications and approve criteria of certification in accordance with Article 42(5);
- (g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);
- (h) to authorise contractual clauses referred to in point (a) of Article 46(3);
- (i) to authorise administrative arrangements referred to in point (b) of Article 46(3);
- (j) to approve binding corporate rules pursuant to Article 47.
4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.
5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
6. Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.
Relevant Recitals
Commentary
Article 58 GDPR standardises the powers that supervisory authorities (“SAs”) can use in performing their tasks under Article 57 GDPR. The provision includes a comprehensive catalogue of investigative, corrective and advisory powers. Such powers result directly from the GDPR and therefore do not need implementation by member states’ law. Under Article 70(1)(k) GDPR, the EDPB should in principle adopt guidelines regarding the concrete and consistent application of such powers.[1] In this regard, all the SA’s powers are important. However, under Article 83(5)(e) GDPR, non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the SA pursuant to Article 58(2) GDPR or failure to provide access in violation of Article 58(1) GDPR, may result in the highest fines possible.[2] It seems, therefore, that the legislator considers some of the powers described in Article 58 GDPR to be crucial for the functioning of SAs and, in turn, the entire GDPR system.
(1) Investigative powers
A necessary step in enforcing the GDPR and handling data subjects’ complaints is the possibility of carrying out investigations. Article 58(1) GDPR differentiates between several types of investigative powers. These powers are needed to establish the facts of a case.[3] Only on the basis of a comprehensive clarification of the facts is the SA in a position to exercise its corrective powers under Article 58(2) GDPR or its authorisation powers under Article 58(3) GDPR.[4] SAs can combine several investigative powers according to the needs of the investigation. For example, the SA may link a data protection audit to further powers under paragraph 1, such as the powers to obtain access to the personal data processed, to information and to the premises under Article 58(1)(e) and (f) GDPR.
(a) Order the controller to provide information
The SA can instruct the controller, the processor and, where applicable, the representative to provide all information that is necessary for the performance of its tasks. The obligation to provide information relates to all information (knowledge) at the addressee's disposal in any form, e.g. in written, visual, audio or electronic form, as well as data stored in or accessible through other information media. This is intended to prevent the SA from being given only individual pieces of information during the investigation.[5] Information includes the personal data processed, but also information on the purpose, nature and methods of the processing, the origin and recipients of the data, contracts and certifications. In cases of cross-border processing, information and evidence may also be important for determining which of several establishments is the main establishment (Article 56 GDPR in connection with Article 4(16) GDPR).[6]
Information can be provided, for example, by transmitting documents to the SA, submitting written statements or replying to questionnaires. In addition to this, Article 30(4) GDPR stipulates that the controller or processor or, if applicable, the representative shall make the record of processing activities available to the SA on request.[7]
Where the controller or processor would incriminate themselves by providing certain information and thus expose themselves to sanctions, they can invoke a right to refuse information based on the rule-of-law clause in Article 58(4) GDPR (see below) and the privilege against self-incrimination (nemo tenetur principle).[8]
(b) Carry out data protection audits
The SAs can carry out investigations in the form of audits of data protection and data security.[9] An audit implies a comprehensive qualitative examination of the effectiveness of procedures.[10] In this context, SAs can take different measures to analyse the processing of personal data at a controller or processor, such as accessing documents, examining the hardware and software used, networks, databases, applications and interfaces, testing the security measures in place or evaluating data records.[11]
The initial version of Article 58 GDPR limited the scope of the audit to the business premises of the controller. With the Corrigendum to the GDPR,[12] however, the term “business premises” was replaced by “premises”. It follows that private rooms in which at least part of the processing takes place are also covered.[13]
(c) Review certifications
Under Article 58(1)(c) GDPR, a SA can review certifications issued in accordance with Article 42(7) GDPR when they are being renewed, as well as the activities of accredited certification bodies within the meaning of Article 43(1) GDPR. During the review, the SA examines whether the requirements for certification are still met.[14]
(d) Notify the controller of an alleged infringement
In accordance with Article 58(1)(d) GDPR, a SA can inform a controller or processor about an alleged, i.e. possible but not yet established, infringement of the GDPR. Such a notice can be given, for example, directly in connection with a data protection audit, a data subject’s complaint or official information from another SA. The notice establishes a presumption of a violation of the GDPR, which the controller or processor can, however, rebut.[15] This appears to be a constructive and proportionate approach: it gives controllers and processors a chance to learn the SA’s provisional view and react accordingly, by making submissions and/or bringing the processing into compliance if a violation exists.
(e) Obtain access to personal data and all relevant information
The investigative powers of the SAs also include a right of access to personal data and information in accordance with Article 58(1)(e) GDPR. This covers the right to directly access personal data and to inspect internal documents, databases and procedures, and is therefore wider and more incisive than the right to (request and) obtain information under Article 58(1)(a) GDPR. SAs can obtain access to documents and systems on site and/or connect to the processing systems.[16] SAs are also authorised to record the technical and organisational background of the data processing, which means that all procedural documents and security documentation are subject to access, including technical information on systems which do not yet process personal data but which may enable a link with or to personal data.[17] Controllers and processors must cooperate with the SA during the inspection (Article 31 GDPR). However, where cooperation would amount to a violation of the nemo tenetur principle (privilege against self-incrimination), it seems possible for the investigated party to lawfully refuse it.[18] Pursuant to Article 83(5)(e) GDPR, failure to provide access can result in an administrative fine of up to EUR 20,000,000 or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
(f) Obtain access to premises including equipment and means
Finally, SAs, similarly to the Commission and the national competition authorities in EU antitrust proceedings, are given the power to search the controller’s (or processor’s) premises in accordance with Article 58(1)(f) GDPR. The search is not restricted to business premises, but with regard to the home and comparable places a judge’s authorisation is indispensable in view of the inviolability of the home.[19] The term “premises” includes all data processing systems and all data processing devices. Member States may adopt special provisions regarding the SAs’ powers of access under Article 58(1)(e) and (f) GDPR in relation to controllers or processors that are subject to an obligation of professional secrecy or other equivalent obligations of secrecy (Article 90(1) GDPR).
Example: The Norwegian SA enters the premises of a Norwegian company during an investigation and is granted access to its database.
(2) Corrective powers
The corrective powers provided for in Article 58(2) GDPR enable the SAs to restore GDPR-compliant conditions in the event of violations. For this purpose, Article 58(2) GDPR builds a system of powers of increasing severity, which should be used proportionately, having in mind the type of violation at issue and the risks for the data subjects.
“Where, following its investigation, such an authority finds an infringement of the provisions of that regulation, it is required to react appropriately in order to remedy the shortcoming found. To that end, Article 58(2) of that regulation lists the various corrective measures that the supervisory authority may adopt [...].”
CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA, margin number 57.
The GDPR leaves the SA a discretion as to the manner in which it remedies a violation it has found. The SA must determine which action is appropriate and necessary, taking into consideration all the circumstances of the specific case as well as its responsibility to ensure that the GDPR is fully enforced with all due diligence.[20] In doing so, the SA has to decide at its due discretion whether exercising a milder corrective power (e.g. a warning) is sufficient to ensure the application and enforcement of the GDPR, or whether a more severe measure (e.g. a ban on a processing activity) should be imposed.
SAs are generally required to take action and use one or more of the corrective powers provided for in Article 58(2) GDPR whenever this is necessary to remedy a violation or appropriate to ensure that the GDPR is fully enforced. In exceptional cases, however, SAs may have discretion not to exercise corrective powers. This might be the case when the violation has already been remedied and the processing of personal data has already been brought into compliance with the GDPR. In any event, such inaction must not undermine the consistent and high level of protection of personal data that strong enforcement of the GDPR is meant to secure.[21]
"In that regard, it cannot be ruled out that, exceptionally and in the light of the particular circumstances of the specific case, the supervisory authority may refrain from exercising a corrective power even though a breach of personal data has been established. That could be the case, inter alia, where the breach established has not continued, for example where the controller, which had, in principle, implemented appropriate technical and organisational measures within the meaning of Article 24 of the GDPR, has, as soon as it became aware of that breach, taken appropriate and necessary measures to ensure that that breach is brought to an end and does not recur, in view of its obligations under, inter alia, Article 5(2) and Article 24 of that regulation."
CJEU - C-768/21 - Land Hessen, margin number 43.
The SA's decision whether and how to use its corrective powers is subject to full judicial review in accordance with Article 78 GDPR (right to an effective judicial remedy against a supervisory authority).[22]
Article 83(5)(e) and Article 83(6) GDPR stipulate that non-compliance with an order, a temporary or definitive limitation on processing or the suspension of data flows can be punished with a fine of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher.
(a) Issue warnings
The mildest of the SA’s corrective powers is the warning. The SA issues it if an intended processing operation is “likely” to violate the GDPR, i.e. in cases where the processing has not yet started but is "intended". There are no requirements as to the form of the warning; it can therefore be issued in writing or orally, although a formal approach appears sensible. The controller can react to a warning by redesigning the intended processing operation so that it complies with the law.[23]
Example: The Danish SA issues a written warning to a Danish company that its intended database is likely to violate the GDPR unless it implements risk-mitigating measures such as data encryption, because the company appears to be ignoring the written advice provided in a prior consultation under Article 36 GDPR and plans to proceed with the intended processing without implementing all the adjustments that the Danish SA had identified as necessary.
(b) Issue reprimands
If the SA identifies a violation of the GDPR, it may, under Article 58(2)(b) GDPR, issue a reprimand to a controller or processor. Unlike a warning, a reprimand indicates that one (or, more rarely, several) violations of the GDPR have already occurred and have been established by the SA. The SA will issue a reprimand if the threshold for imposing a fine has not been reached. For these reasons, scholars have described the reprimand as the “little sister of the fine” or compared it to a “yellow card” from the SA.[24] If a reprimand is disregarded, however, the SA can respond by exercising more stringent corrective powers and by taking the conduct into account as a factor for a possible administrative fine (Article 83 GDPR).
(c) Order to comply with data subject’s requests
Article 58(2)(c) GDPR serves as a second-level remedy in case a controller or processor violates the rights of the data subject. Should that happen, the SA can then instruct the controller or the processor to comply with the data subject’s request, such as with regard to the right to access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), notification (Article 19 GDPR) or data portability (Article 20 GDPR). In these cases, the SA acts through an “order”.[25]
Example: The Bavarian SA orders a company to provide to the complainant a full copy of all of her data that they are processing within 10 days after it has received the order.
(d) Order to bring processing in compliance with the GDPR
The SA can instruct the controller or processor to bring processing operations into line with the GDPR. The adjustment can be required in a specific manner and within a specific period of time. The order must always be sufficiently specific in its content: the controller must be able to understand what is required of it so that it can act accordingly. If there are several options for bringing the processing into compliance with the GDPR, the order must be worded so that the controller can choose any of them; for reasons of proportionality, the order must not be restricted to a single option in such situations. If, for example, several equally effective encryption methods exist according to the state of the art, it must be examined whether the order can leave the choice of the specific method to the controller.[26] Otherwise, there is no limit to the type of instruction: the wording of the law appears to authorise any request that could serve the aim of (re-)establishing GDPR compliance. Measures include, for example, instructions to take technical and organisational measures within the meaning of Article 32 GDPR, to appoint a data protection officer (Article 37 GDPR), to create and maintain a record of processing activities (Article 30 GDPR), to regulate the relationship with a processor by means of a contract or other binding legal act (Article 28(3) GDPR), to change the alignment of surveillance cameras, or to change the use of pre-formulated consent within the meaning of Article 7 GDPR.[27]
(e) Order communication of a data breach to the data subject
According to Article 58(2)(e) GDPR, the SA can instruct the controller to notify, without undue delay, the persons affected by a data breach which triggers the notification obligations under Article 33 GDPR and Article 34 GDPR. This provision is closely connected to Article 34(4) GDPR, which clarifies that the SA can require the controller to communicate a personal data breach to the data subjects if it considers that the breach is likely to result in a high risk. The order is always addressed to the controller, as the controller is obliged to inform data subjects of a data breach even if the breach occurred on the processor's side (Article 33(1) and (2) GDPR).[28]
(f) Impose a limitation or a ban on processing
The SA can also impose a limitation on or a ban of data processing in accordance with Article 58(2)(f) GDPR. The limitation can be temporary or definitive. A ban does not merely limit processing but prohibits it completely: in the case of a ban, the restriction does not concern only certain data, processing purposes or a certain duration, but the processing as a whole. A ban will be ordered, for example, if certain processing with a specific service provider cannot be organised in compliance with the GDPR.[29]
These measures are strict and should be considered only as long as, and to the extent that, they are necessary and proportionate. In particular, since a ban is a particularly invasive measure, the SA must always check whether milder, equally suitable means are available, such as a limitation of processing. A ban on processing should be the last resort.[30] At the same time, the ban will be proportionate, or sometimes even the only effective means, in particular where it is impossible for the controller or processor to establish legal compliance for a processing operation, for example if the processing takes place without a legal basis (Article 6 GDPR), the conditions for consent under Article 7 GDPR cannot be met for the processing operation in question, or no suitable technical and organisational measures in accordance with Article 32 GDPR can be implemented according to the state of the art. Moreover, it is at the discretion of the SA whether it prefers an immediate remedy to a delayed adjustment.[31]
A ban is also to be considered where the controller or processor has shown particularly disrespectful conduct, for instance where a previous warning, reprimand or order has been issued and the recipient has disregarded it.[32] For example, the Norwegian SA imposed a temporary ban on the processing of data for behavioural advertising on Facebook and Instagram in Norway after Meta failed to comply with the decision of the Irish SA adopted under the Article 60 GDPR mechanism and to bring cross-border processing for behavioural advertising on Facebook and Instagram into line with the GDPR within the set time limit.[33] Both decisions are under appeal. The ban was extended to the whole EU/EEA by an EDPB urgent binding decision adopted under Article 66 GDPR, which instructed the Irish SA as lead supervisory authority (LSA) to take final measures regarding Meta within two weeks and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire EEA.[34]
In general, the unlawfulness of the processing is a condition for a limitation or ban of processing by a SA. In exceptional cases, however, where the (un)lawfulness has not yet been established but the risk for the data subjects is high, presumably unlawful processing can be limited or banned until the question of its lawfulness has been clarified.[35]
(g) Order to rectify or erase personal data
Article 58(2)(g) GDPR authorises the SA to order the rectification or erasure of data (Article 16 GDPR, Article 17 GDPR) or the restriction of processing (Article 18 GDPR), provided that the conditions for the measure laid down in the respective Article are fulfilled. The SA can intervene ex officio; a prior request by the data subject or a complaint is not necessary.[36] In addition, the SA can order the controller to notify the recipients of the data that the data have been rectified or erased or that their processing has been restricted (Article 17(2) GDPR and Article 19 GDPR). The addressee of the order is always the controller, as the obligations listed in Article 58(2)(g) GDPR apply only to controllers.[37]
(h) Withdraw a certification
If a SA concludes that the prerequisites of a previously issued certification are no longer met, it may, in accordance with Article 42(7) GDPR, withdraw the certification. If the certification was issued by a certification body, the SA can, in accordance with Article 58(2)(h) GDPR, instruct the body to withdraw the certification or not to issue it. Correspondingly, Article 43(1) GDPR obliges certification bodies to inform the SA before issuing or renewing a certification, in order to allow it to exercise its powers.[38] Under Article 43(2)(c) GDPR, every certification body must have its own procedures for the review and withdrawal of certifications. The aim of this provision is to allow the SA to intervene where it has justified doubts about the independence and credibility of a certification body, so that procedures, products and services can no longer benefit from the sales-promoting effect of the certification.[39]
(i) Impose an administrative fine
The most renowned (although probably not the most important) remedy introduced by the GDPR is the imposition of a fine under Article 58(2)(i) GDPR in conjunction with Article 83 GDPR. The amount, which can go up to EUR 20 million or, if higher, up to 4 % of the undertaking’s total worldwide annual turnover, is determined taking into account the type of violation (Article 83(4) and (5) GDPR) as well as the other factors listed in Article 83(2) GDPR, in particular the nature, gravity and duration of the infringement. The SA can, but does not have to, impose fines for violations. The decision is at the discretion of the SA, which must take the considerations in Article 83 GDPR into account. The fine can be imposed in addition to or instead of other corrective measures within the meaning of Article 58(2)(a)-(h) GDPR.[40]
Case law: The CJEU's Åkerberg Fransson ruling shows that the ne bis in idem principle does not apply where a measure of a punitive nature is imposed in addition to one without a punitive nature. It is therefore permissible to impose a fine alongside an administrative measure that is not punitive.[41]
(j) Order suspension of data flows to a recipient in a third country
A final remedy is provided for in Article 58(2)(j) GDPR. According to this, a SA can order the suspension of data transfer to a third country or to an international organisation if the third country or international organisation concerned does not or no longer offers an appropriate level of protection within the meaning of Article 45 GDPR.
(3) Advisory powers
The authorisation and advisory powers in Article 58(3) GDPR supplement the investigative and corrective powers afforded to SAs. Article 58(3) GDPR lists all those cases in which authorisation or approval from a SA is a prerequisite for acting in accordance with the GDPR. In these cases, the SA carries out a prior check in order to ensure the application and enforcement of the GDPR preventively. In detail, this concerns the following powers (cf. Article 58(3)(c)-(j) GDPR):
- authorisation of processing that is particularly risky for the fundamental right to data protection, provided that a member state has made use of the optional specification clause (Article 36(5) GDPR);
- opinion on and approval of draft codes of conduct in accordance with Article 40(5) GDPR and, where relevant, Article 64(1)(b) GDPR;
- accreditation of certification bodies in accordance with Article 43 GDPR;
- issuing of certifications and approval of certification criteria in accordance with Article 42(5) GDPR and, where relevant, Article 64(1)(c) GDPR;
- adoption of standard data protection clauses in accordance with Article 28(8) GDPR and, where applicable, Article 46(2)(d) GDPR;
- authorisation of contractual clauses for international data transfers in accordance with Article 46(3)(a) GDPR and Article 64(1)(e) GDPR;
- authorisation of administrative arrangements for international data transfers in accordance with Article 46(3)(b) GDPR;
- approval of binding corporate rules in accordance with Article 47 GDPR.
(4) Appropriate safeguards
In the absence of a uniform European administrative procedural law, the powers of the SAs must in principle be exercised in accordance with the national procedural law of the respective member state. National procedural law must meet certain requirements; in particular, it must provide for due process and effective judicial remedies.[42]
(5) Supervisory authorities (SAs) in courts
Article 58(5) GDPR contains an opening clause that must be filled in by the legislators of the member states. According to this, SAs must always have the power to bring violations of the GDPR before the courts. National implementing provisions must determine whether a SA itself has a right of action or whether it has to involve the national judicial authorities, which in turn initiate judicial proceedings. The GDPR thus allows the member states to embed the enforcement powers of the national SAs in their national legal system.
(6) Additional powers provided by national law
According to Article 58(6) GDPR, each member state can provide that its SA receives further powers in addition to those mentioned in paragraphs 1 to 3, provided that this does not impair the effective operation of Chapter VII of the GDPR on cooperation and consistency. Based on the express wording of paragraph 6, it can be assumed that the SAs may be given additional powers, but that the existing powers may not be restricted. A contrary view cannot be derived from any other provision of the GDPR.[43]
Decisions
→ You can find all related decisions in Category:Article 58 GDPR
References
- ↑ Under Article 70(1)(k) GDPR, the EDPB should in principle adopt guidelines regarding the concrete and consistent application of such powers. See, Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 3 (Manz 2021).
- ↑ Feiler, Forgó, EU-DSGVO, Article 83 GDPR, margin number 17 (Verlag Österreich 2016).
- ↑ Georgieva/Schmidl, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 58 GDPR, p. 945 (Oxford University Press 2020).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 14 (Nomos 2022).
- ↑ Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 14 (Manz 2021).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition). See also Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 12 (2nd Edition, C.H. Beck 2018).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).
- ↑ Selmayr, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 13 (C.H. Beck 2018).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 14 (Nomos 2019).
- ↑ Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4 May 2016 (available here).
- ↑ Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 17 f. (Manz 2021).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 15 (Nomos 2019).
- ↑ Selmayr, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 16 (C.H. Beck 2018). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 16 (Nomos 2019).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition). See also Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 30 (Nomos 2022).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 17 (Nomos 2019).
- ↑ Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 35 GDPR, margin number 14 (C.H. Beck, 36th edition).
- ↑ See Körffer, in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2021). Also following the Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4 May 2016 (available here).
- ↑ CJEU, Case C-768/21, Land Hessen, 26 September 2024, margin number 37 (available here).
- ↑ CJEU, Case C-768/21, Land Hessen, 26 September 2024, margin number 38 and 46 (available here).
- ↑ CJEU, Case C-768/21, Land Hessen, 26 September 2024, margin number 49 (available here).
- ↑ Selmayr, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 19 (C.H. Beck 2018).
- ↑ Martini, Wenzel, „Gelbe Karte“ von der Aufsichtsbehörde: Die Verwarnung als datenschutzrechtliches Sanktionenhybrid, in PinG, 5 (2017), p. 92-96.
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 30 and 31 (Nomos 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 34 (Nomos 2019).
- ↑ Körffer, in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 20 (C.H. Beck 2021).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 36 (Nomos 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin numbers 38 and 39 (Nomos 2019).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 26 (C.H. Beck 2020, 3rd Edition).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin numbers 39-41 (Nomos 2019).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 24 (2nd Edition, C.H. Beck 2018).
- ↑ The order of the Norwegian SA on urgent and provisional measures against Meta, dated 14 June 2023, is available here. The decision of the Irish SA establishing the infringement of the GDPR by Meta in respect of behavioural advertising on Facebook is available here.
- ↑ Decisions are not available yet. The notification about the measures adopted at EDPB level is available here.
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 56 (Nomos 2022).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 42 (Nomos 2019).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 27 (C.H. Beck 2020, 3rd Edition).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 44 (Nomos 2019).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 26 (2nd Edition, C.H. Beck 2018).
- ↑ As Zavadil clarifies, the Åkerberg Fransson ECJ ruling shows that the principle ne bis in idem does not apply if a measure with a punitive nature is imposed in addition to one without a punitive nature. It is therefore permissible to impose a fine alongside an administrative measure that is not punitive; Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 14 (Manz 2021).
- ↑ xxxx
- ↑ Körffer, in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 31 (C.H. Beck 2021).
- ↑ Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 56 (Manz 2021).