Article 54 GDPR: Difference between revisions

From GDPRhub
 
(35 intermediate revisions by 7 users not shown)
Line 185: Line 185:


== Legal Text ==
<br /><center>'''Article 54 - Rules on the establishment of the supervisory authority'''</center><br />
 
 
<br /><br /><center>'''Article 54 - Rules on the establishment of the supervisory authority'''</center>


<span id="1">1.  Each Member State shall provide by law for all of the following:</span>
Line 204: Line 206:


== Relevant Recitals==
<span id="r121">
{{Recital/117 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 121'''</div>
{{Recital/121 GDPR}}
<div class="mw-collapsible-content">
==Commentary==
The general conditions for the member or members of the supervisory authority
 
should be laid down by law in each Member State and should in particular provide that those
Article 54 GDPR lays down the requirements for the organisational framework of supervisory authorities ("''SA''s").<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).</ref> However, in doing so, it combines two notably different objectives under its ambit. The first, under Article 54(1) GDPR, is to list the specifications to be legislated for by each Member State through its national legislation for the establishment and governance of SAs. This provision is largely repetitive of requirements outlined under other Articles of the GDPR, namely in Articles 51, 52 and 53 GDPR. The second objective, under Article 54(2) GDPR, seeks to regulate the confidentiality obligations of SA members and staff. These confidentiality obligations were already in place under Article 28(7) of the GDPR's predecessor, ''Directive 95/46/EC''.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 2 (C.H. Beck 2020, 3rd Edition).</ref>
members are to be appointed, by means of a transparent procedure, either by the parliament,
 
government or the head of State of the Member State on the basis of a proposal from the
===(1) Elements provided by Member States law===
government, a member of the government, the parliament or a chamber of the parliament, or
Article 54(1) GDPR mandates Member States to provide for all the elements listed below through their national law. A substantial number of provisions under Article 54(1) GDPR are mainly reiterations of obligations outlined under Articles 51-53 GDPR.
by an independent body entrusted under Member State law. In order to ensure the
 
independence of the supervisory authority, the member or members should act with integrity,
====(a) Establishment of the supervisory authority (SA)====
refrain from any action that is incompatible with their duties and should not, during their term
The criteria regulating the establishment of SAs are set out in [[Article 51 GDPR|Article 51(1)]] and [[Article 52 GDPR|52 GDPR]]. Article 54(1)(a) GDPR repeats that these should be legislated for through a Member State's domestic law.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).</ref> Under the GDPR, Member States are permitted to appoint several different types of SAs, for example, sector-specific SAs.<ref>For more on this point, please refer to [[Article 51 GDPR]].</ref> In these instances, the law should provide for the conditions and rules regarding the establishment of each type. In addition, commentators have noted that the functional nature of an SA should also be legislated for through national law. For instance, Member States should legislate for whether their SAs are monocratic or collegial bodies, or whether they have any competences in addition to the monitoring of the enforcement of the GDPR.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 7 to 10 (Nomos 2022).</ref>
of office, engage in any incompatible occupation, whether gainful or not. The supervisory
 
authority should have its own staff, chosen by the supervisory authority or an independent
For more information regarding the establishment of SAs, please refer to [[Article 51 GDPR|Article 51(1) GDPR]] and [[Article 52 GDPR]] in this Commentary.
body established by Member State law, which should be subject to the exclusive direction of
 
the member or members of the supervisory authority.
====(b) Qualifications and eligibility conditions for SA members====
</div></div>
Article 54(1)(b) GDPR echoes [[Article 53 GDPR|Article 53(2) GDPR]], which outlines the qualificatory and experiential requirements for SA members.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).</ref> However, unlike Article 53(2) GDPR, Article 54(1)(b) GDPR explicitly clarifies that these eligibility requirements are to be determined by national law.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 16 to 19 (Nomos 2022).</ref>
 
For more information on the eligibility requirements for SA members, please refer to [[Article 53 GDPR|Article 53(2) GDPR]]. 
 
====(c) The rules and procedures for the appointment of SA members ====
Pursuant to Article 54(1)(c) GDPR, Member States must legislate for the rules and procedures governing the appointment of SA members. This provision is, in essence, a restatement of [[Article 53 GDPR|Article 53(1) GDPR]], with the difference that Article 53(1) GDPR further stipulates that any procedure legislated for is '<nowiki/>''transparent'''.


For more information on the procedural requirements for the appointment of SA members, please refer to [[Article 53 GDPR|Article 53(1) GDPR]]. 


==Commentary==
====(d) Duration of the term====
Pursuant to Article 54(1)(d) GDPR, each Member State is obliged to legislate for the term of office of SA member(s). The provision specifies that the minimum term is four years; nonetheless, Member States are free to set longer terms.<ref>This presumably corresponds to the regular length of a legislative period in most EU Member States. It seems to create a link between data protection supervision and the parliament or, where that is the case, the executive branch responsible for the appointment. See ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 25 to 27 (Nomos 2022).</ref> However, any attempt to legislate for a term of office that is for life or until retirement should be excluded, as Article 54(1)(e) GDPR addresses the question of reappointment. Therefore, the GDPR assumes a limited term for the position.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 8 (Nomos 2019). Dissenting views can be found in ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 897 (Oxford University Press 2020).</ref>


Article 54 GDPR combines two very different objectives under the heading "Establishment of the supervisory authority":
====(e) Reappointment====
Article 54(1)(e) GDPR mandates Member States to legislate for the reappointment of SA members. Member States are entitled to determine whether, and how often, the reappointment of members is permitted. For instance, Union law does not prohibit Member States from legislating for reappointment bans, or limitations to the number of consecutive reappointments, or even for the possibility of indefinite reappointments.


Paragraph 1 contains a list of the individual specifications to be made by the Member States in national legislation regarding [[Article 51 GDPR|Articles 51 - 53 GDPR]] in order to ensure the establishment of an independent authority. As per [[Article 51 GDPR|Article 51(3) GDPR]], Member States have to notify the Commission of the provisions of their laws adopted pursuant to Chapter VI of the GDPR.
Notably though, leniency on the possibility of multiple consecutive reappointments has the capacity to undermine the independence of SA members, and by relation, the institutional integrity of SAs as independent bodies. Commentators have noted that, in particular in the context of members' re-election, allowing multiple reappointments risks candidates who have previously held office making concessions to the appointing body in favour of their renomination. Admittedly, the risk to independence is countered by the fact that a reappointed member will have greater experience than a candidate who has not previously held office.<ref>See ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 35 to 39 (Nomos 2022). See also ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 9 (Nomos 2019).</ref>


Paragraph 2 regulates the special data protection confidentiality obligation of the respective member or members of this authority. Such confidentiality obligations already existed in [[Article 28 Directive 95/46|Article 28(7) Directive 95/46]]. Whereas this provision seems to be of direct application, it does not preclude national legislation from further specifying the confidentiality obligations of the members of the SA and its staff.
====(f) Rules on members' occupation, prohibitions, incompatible actions and benefits====
Under Article 54(1)(f) GDPR, Member States must ('''shall''<nowiki/>') legislate for the (i) conditions governing the obligations of members and staff of each SA, (ii) prohibitions on the actions, occupations and benefits incompatible with membership during and after their term of office, as well as (iii) the rules governing the cessation of their employment.


=== (1) Elements Provided by Member States Law ===
===== SA member(s) and staff =====
Paragraph 1 obliges Member State law to provide for all the elements listed under this paragraph in a law. It seems that the law does not need to be a legislative law, but can include any other set of legal provisions. As per [[Article 51 GDPR|Article 51(3) GDPR]], Member States have to notify the Commission of the provisions of their laws adopted pursuant to Chapter VI.
While not made explicit under Article 54(1)(f) GDPR, any domestic legislation governing the obligations and prohibitions for SA members during their term of office must be in line with the provisions of [[Article 52 GDPR|Article 52(3) GDPR]] and [[Article 53 GDPR|Articles 53(3) and 53(4) GDPR]]. These provisions expand on the conditions outlined under this Article. For instance, [[Article 52 GDPR|Article 52(3) GDPR]] prohibits SA members from engaging in any incompatible actions and occupations, while [[Article 53 GDPR|Articles 53(3) and 53(4) GDPR]] regulate the expiry of a member's term of office and dismissal.


==== (a) The Establishment of the Supervisory Authority ====
To clarify, the GDPR's use of the terms '<nowiki/>''members''<nowiki/>' and '''staff''<nowiki/>' differentiates between the two types of SA personnel. The former refers to SAs' lead personnel, while the latter refers to supporting staff. Under Article 54(1)(f) GDPR, rules regulating the actions of staff must also be legislated for through national law. However, these conditions are not required to comply with the strict criteria governing SA members, as provided for in [[Article 52 GDPR|Article 52(3) GDPR]] and [[Article 53 GDPR|Articles 53(3) and 53(4) GDPR]].<ref>See ''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin numbers 14 to 16. (C.H. Beck 2020, 3rd Edition).</ref>
Considering that the Member State may have appointed several authorities (see [[Article 51 GDPR|Article 51(1) GDPR]]), the law should provide for the conditions and rules regarding the establishment of each authority. Member States are free to choose a monocratic body (one head of the authority) or a collegial body (several persons adopt the decisions of the authority).


==== <span id="1b">'''(b) The Qualifications and Eligibility Conditions Required to be Appointed as Member of Each Supervisory Authority'''</span> ====
For more information on SA members and staff, please refer to [[Article 52 GDPR|Article 52(2) GDPR]]  (SA members) and [[Article 52 GDPR|Article 52(5) GDPR]] (SA staff).  
[[Article 53 GDPR|Article 53(2) GDPR]] sets out clear requirements in this respect: the members of the supervisory authority will require qualifications, experience and skills as a prerequisite for being hired as a data protection supervisor. However, terms such as “qualification”, “experience” and “skills” are vague legal terms that, in the absence of comprehensive EU competence for general and vocational education, should be further specified in national law. It seems (from the use of "and" in [[Article 53 GDPR|Article 53(2) GDPR]]) that these conditions are cumulative. The way the law will organise the assessment of these competences is still not clear and does not preclude the Member States from organising an assessment of the candidates based on a test.


==== (c) The Rules and Procedures for the Appointment of the Member or Members of Each Supervisory Authority ====
=====Obligations=====
The procedure for the appointment of the members should be regulated pursuant to Article 54(1)(c) GDPR, choosing one of the four possible variants (appointment by parliament, the government, the head of state or by an independent body).
Article 54(1)(f) GDPR is not particularly specific in relation to what obligations are to be imposed upon SA members during their term of office. Elements of what constitutes a member's '<nowiki/>''obligations''<nowiki/>' are found in other Articles of the GDPR. For instance, [[Article 52 GDPR]] mandates that members serve their office with integrity.<ref>See also Recital 121 GDPR.</ref> Meanwhile, [[Article 51 GDPR|Article 51(1) GDPR]] outlines SAs' broad purpose of monitoring the GDPR's application, the objectives of which are to protect the right to data protection and facilitate the free flow of personal data within the Union.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017). </ref> Especially relevant to the interpretation of the term '<nowiki/>''obligations''' by the national legislature are [[Article 57 GDPR|Articles 57]] and [[Article 58 GDPR|58 GDPR]], which determine the tasks and powers of SAs.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 13 (Nomos 2019).</ref>


==== (d)  The Duration of the Term of the Member or Members of Each Supervisory Authority of no Less Than Four Years, Except for the First Appointment after 24 May 2016, Part of Which may Take Place for a Shorter Period Where that is Necessary to Protect the Independence of the Supervisory Authority by Means of a Staggered Appointment Procedure ====
=====Prohibitions on incompatible actions, occupations and benefits =====
Each Member State is obliged to regulate by law the term of office of the member or members of each data protection supervisory authority. As per Article 54(2) GDPR, the term of office of the members shall only expire at the end of the term, or upon resignation or compulsory retirement. A minimum term of four years applies. This is a period that corresponds to the regular length of a legislative period in most EU Member States and therefore creates a link between data protection supervision and the parliament or the executive branch responsible for it.
Any interpretation by national law of the scope and content of the incompatible actions, occupations and benefits which SA members and staff are prohibited from taking is to be read in line with [[Article 52 GDPR|Article 52(3) GDPR]]. Given that the GDPR is quite vague in terms of specifying what exactly '''incompatible actions, occupations and benefits''<nowiki/>' are, it is particularly important that national legislation does not limit itself to reproducing the text of Articles 52(3) GDPR and 54(1)(f) GDPR.


As an exception, Member States can provide for a shorter term of office than the four-year minimum term of office, only once, namely for the first appointments after May 25, 2016, and only if the aim of a shorter appointment is to stagger the terms of office to strengthen the independence of the supervisory authority. Obviously, this possibility can no longer be used for later appointments.
For more information on the conflict of interest rules, please refer to commentary to [[Article 52 GDPR|Article 52(3) GDPR]].  


==== (e)  Whether and, if so, for how Many Terms the Member or Members of each Supervisory Authority is Eligible for Reappointment ====
===== During and after the term of office =====
This provision leaves it to the Member States to regulate through national legislation whether and how often the reappointment of the member or members of a data protection supervisory authority is permissible. A reappointment ban (only one mandate being possible) is conceivable, but a limitation on the number of reappointments can also be laid down in the law.
Member States must adopt appropriate conflict of interest rules for the time during the term in office, as well as for after. In particular, Member States should regulate against the issue of '<nowiki/>''revolving doors''<nowiki/>'. This term refers to the movement of high-level personnel from public roles to those in the private sector, in particular to industries impacted by the work undertaken by those individuals while holding public office.<ref>[[Article 52 GDPR|Article 52(3) GDPR]] already contains rules on conflict of interest for members of SAs. Article 54(1)(f) GDPR widens the scope by obliging the Member States to adopt national rules on this subject matter for members of SAs and for staff, as well as on the issue of revolving doors.</ref> The European Ombudsman has highlighted that the movement of public officials to the private sector presents risks to the integrity of public bodies, as '<nowiki/>''valuable inside knowledge can move into the private sector, or because former officials may lobby their former colleagues or existing officials may be influenced by possible future employment.'''<ref>The European Ombudsman's work on revolving doors (2022), available at https://www.ombudsman.europa.eu/webpub/2022/revolving-doors/en/.</ref> The level of independence required of SAs as public bodies is extremely high. Consequently, even the risk of partiality is sufficient to undermine it.<ref>For more on this point, please refer to [[Article 52 GDPR]]. </ref> Therefore, it would be incompatible with the principle of independence if an SA member were to work for a private entity which was under the SA's scrutiny, immediately after their term of office with the SA ended.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, page 898 (Oxford University Press 2020).</ref>


==== (f)  The Conditions Governing the Obligations of the Member or Members and Staff of each Supervisory Authority, Prohibitions on Actions, Occupations and Benefits Incompatible Therewith During and after the Term of Office and Rules Governing the Cessation of Employment ====
A possible solution to curb potential conflicts of interest could be a '<nowiki/>''cooling off''<nowiki/>' period after the end of a member's term of office. Commentators suggest that periods of 18-24 months should be viewed as a minimum standard.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017).</ref> At the same time, it is important that any '''cooling off''<nowiki/>' periods do not lead to a ban on all professional activities.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin number 46 (Nomos 2022).</ref>
Such conditions can be laid down in national law or in a contract (where the staff is subject to an employment contract). They concern:


===== i) The Obligations of the Members and the Staff of the Supervisory Authority =====
===== Cessation of employment rules =====
With regard to this mandate, Member State law must stipulate the obligation to exercise their office with integrity and independence. The mandate of the data protection supervisory authorities is laid down in [[Article 51 GDPR|Article 51(1) GDPR]], namely the monitoring of the application of the GDPR, in order to protect the data protection rights on the one hand, and on the other hand, to facilitate the free flow of personal data within the Union.
Member States are free to regulate for the rules concerning members' and staff's cessation of employment. In this regard, the GDPR does not contain any specific requirements. Naturally, these rules should not infringe upon SAs' independence, as required by [[Article 52 GDPR]]. <ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin number 47 (Nomos 2022).</ref> However, if SA members are legally employed with the SA, any conditions set out by [[Article 53 GDPR|Articles 53(3) and 53(4) GDPR]] regulating members' end of term or dismissal must also be taken into account by the laws governing their cessation of employment.  


===== ii) Prohibitions on Actions, Occupations and Benefits Incompatible Therewith During and After the Term of Office =====
For more information regarding the conditions regulating SA members' end of term, please refer to [[Article 53 GDPR]].    
The rules laid down by national law are to be linked with [[Article 52 GDPR|Article 52(3) GDPR]]. It is particularly important that the national legislation does not limit itself to reproducing the text of [[Article 52 GDPR|Article 52(3) GDPR]] and Article 54(2)(f) GDPR, but further specifies what is to be understood as "incompatible", and "prohibited occupations, actions and benefits".


A “cooling off” period should also be specified after the end of the term of office as data protection supervisor, whereby periods of 18–24 months can be viewed as an EU-wide minimum standard.  
===(2) Duty of professional secrecy===
The second paragraph of Article 54 GDPR prohibits any member or staff of an SA from sharing confidential information with a third party, or disclosing it to the public without prior authorisation.  


===== iii) The Termination Rules =====
The duty of professional secrecy is, at its core, an essential element of SAs' investigative powers. In broader terms, the duty of professional secrecy applies as a general principle to the information obtained by SAs in the course of the fulfilment of their role as a supervisory body under Union law. Similar obligations apply to members of competition authorities and other Union regulatory bodies, for instance members of the Commission or European Central Bank.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 (C.H. Beck 2017).</ref> Notably, the duty of professional secrecy does not extend to SAs' cooperation mechanism under [[Article 60 GDPR|Articles 60]], [[Article 61 GDPR|61]], [[Article 64 GDPR|64]], and [[Article 65 GDPR|65 GDPR]].
The ordinary and extraordinary reasons for termination of office are regulated in [[Article 53 GDPR|Article 53(3)(4) GDPR]]. Therefore, the Member States only have to regulate the procedure in the event of dismissals (i.e. in particular who decides on the existence of the extraordinary reasons for termination, the period within which a dismissal is to be decided and under which procedure). Of course, these rules should not impair the independence of the supervisory authority, as required by [[Article 52 GDPR]].


=== (2) Duty of Professional Secrecy ===
The general duty of professional secrecy finds its footing in primary Union law, under Article 339 of the Treaty on the Functioning of the European Union ("''TFEU''").<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 (C.H. Beck 2017).</ref> Transparency considerations arise in relation to the duty of professional secrecy, especially in the context of public access to documents. For instance, access to documents can lawfully be restricted on confidentiality grounds, in particular when they concern the protection of personal data of individuals or the protection of trade secrets. As a result, the duty of professional secrecy is intertwined with the right of access under the right to good administration found in Article 41(2)(b) of the Charter of Fundamental Rights of the European Union ("''CFR''"),<ref>This provision notes that the right of good administration includes ''<nowiki/>'the right of every person to have access to his or her file, while respecting the legitimate interests of confidentiality and of professional and business secrecy''<nowiki/>'.</ref> and the right of public access under Article 42 CFR and Regulation 1049/2001.<ref>Article 42 CFR notes that '''[a]ny citizen of the Union, and any natural or legal person residing or having its registered office in a Member State, has a right of access to documents of the institutions, bodies, offices and agencies of the Union, whatever their medium''.'</ref> In relation to these conflicting interests, commentators have noted that the obligation of secrecy should ''“not unduly restrict the transparency of DPA [SA] performance, one of the main elements of public accountability of DPAs [SAs].”''<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 899 (Oxford University Press 2020).</ref>
The duty to keep information confidential is of the essence for a trust-based exercise of the investigation powers of supervisory authorities. Similar obligations exist regarding competition authorities and other regulatory bodies supervising economic operators.


The notion of confidential information, which is the subject of this obligation, is to be linked with the notion of confidential obligation under [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12016E339 Article 339 TFEU]. As recognised by the [https://curia.europa.eu/juris/document/document.jsf;jsessionid=ED42DC3332D7191F9F41B87972F8D2CB?text=&docid=57554&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2454075 CJEU], information should be considered as confidential if it fulfils the following conditions: (i) the information is known only to a limited number of people; (ii) disclosure of the information can cause serious harm to the person who has provided it or to third parties; (iii) the interests liable to be harmed by disclosure must, objectively, be worthy of protection. The test of [[Article 339 TFEU]] requires a reinforced protection for business secrets.
The duty of professional secrecy arises in other provisions of the GDPR, namely under [[Article 38 GDPR|Article 38(5) GDPR]] in relation to data protection officers ("''DPO''"). For the interpretation of the duty of professional secrecy in regard to DPOs, please refer to [[Article 38 GDPR|Article 38(5) GDPR]].


The definition of [[Article 339 TFEU]] can be applied to the obligation of secrecy and confidentiality of the supervisory authorities.
==== Members and the staff of supervisory authority (SA) ====
The duty of professional secrecy only applies to SA staff and members. Thus, nothing prevents the parties to the proceedings (including the complainant) from sharing the information obtained from the SA, subject to restrictions under national law.


In this context, we also see that such confidentiality shall also apply in <span id="2">particular to reporting by natural persons of infringements of this Regulation. That is due to the core activity of a supervisory authority: their staff should pay particular attention to the protection of the holders of fundamental rights, whose rights could be impaired if their names were disclosed to the public.</span>
==== Union or Member State law ====
Member States may further regulate the duty of professional secrecy through their national legislation. In any case, EU law applies as a minimum threshold, thus Member States may regulate for more stringent requirements but not for less.


The obligation of confidentiality should be linked with the right to access one's file under the right to good administration ([[Article 41 CFR|Article 41(2)(b) CFR]]) and the right to have access to documents ([[Article 42 CFR]] and [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32001R1049 Regulation 1049/2001]), but also with the right to data protection. Access to documents can be limited on the basis of the obligation of confidentiality and/or the protection of personal data of individuals. The articulation between these rights can however be difficult in practice since the right to be heard implies that the complainant can access the file, which could include confidential information.
===== Union law =====
Article 339 TFEU establishes that '''[t]he members of the institutions of the Union, the members of committees, and the officials and other servants of the Union shall be required, even after their duties have ceased, not to disclose information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components.''<nowiki/>' Other relevant legislative provisions include Article 17 of the EU Staff Regulations,<ref>Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Economic Community and the European Atomic Energy Community, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A01962R0031-20140501 here].</ref> and Article 56 of Regulation (EU) 2018/1725 ("''EUDPR''").<ref>Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1725 here].</ref>


<span id="2">Information is only protected if it has come to the knowledge of a member or an employee of a supervisory authority “in the course of the performance of their tasks or exercise of their powers". Considering the broad range of powers under [[Article 58 GDPR]], this protection will apply to a large range of information.</span>
===== National law =====
Generally, Member States regulate for sector-specific confidentiality obligations. In particular, these regulations apply to professionals who handle confidential information on a regular basis, such as doctors, lawyers and public officials. As noted above, Member States may choose to further regulate the confidentiality obligations applying to SAs.


The wording of Article 54(2) GDPR refers to both EU law and national law. Therefore, in order to fully understand the implication of this provision, one should also read Member State legislation. The provision obviously prohibits any member or staff of a supervisory authority from sharing the confidential information with a third party or disclosing it to the public without prior authorisation. Of course, this prohibition will not apply when the supervisory authority exchanges information with other supervisory authorities when they cooperate under [[Article 60 GDPR|Articles 60, 61, 64, 65 GDPR]].
==== Duty of professional secrecy ====
The duty of professional secrecy applies to any confidential information which SA members and staff have come into contact with in the course of the performance of their tasks or exercise of their powers.


We can also note that the obligation of confidentiality only applies to the staff and the member of the authority. Subject to restrictions under national law, nothing seems therefore to prevent the parties to the proceedings (including the complainant) to share the information obtained from the supervisory authority.
===== Confidential information =====
The CJEU clarified, in ''Bank Austria Creditanstalt v Commission'', that information will be considered confidential if it fulfils the following three conditions: (i) if the information is known only to a limited number of people; (ii) disclosure of the information can cause serious harm to the person who has provided it or to third parties; and (iii) the interests likely to be harmed by disclosure must, objectively, be worthy of protection.<ref>[https://curia.europa.eu/juris/liste.jsf?language=en&num=T-198/03 Case T-198/03], ''Bank Austria Creditanstalt v Commission'', para 71.                                </ref> Commentators have noted that the test of Article 339 TFEU requires a reinforced protection for business secrets.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 and 13 (C.H. Beck 2017).</ref>


Finally, the obligation of confidentiality also applies after the end of the activity for the data protection supervisory authority. In this case, A specific duration of the duty of confidentiality should be determined in each individual case based on the need for protection of the information and the consequences to be expected from disclosure.
===== ''In the course of the performance of their tasks or exercise of their powers'' =====
Information is only protected if it has come to the knowledge of a member or an employee of a SA '''in the course of the performance of their tasks or exercise of their powers''<nowiki/>'. Given the broad nature of the tasks and powers afforded to SAs under [[Article 57 GDPR|Articles 57]] and [[Article 58 GDPR|58 GDPR]], the duty of professional secrecy applies to all confidential information that SA members and staff come into contact with in the course of their duties, which considering the extent of SAs' work is not an insignificant amount.


===== ''Reporting by natural persons of infringements'' =====
The duty of professional secrecy, in particular, applies to the reporting of GDPR infringements by natural persons. Considering that protecting the fundamental rights and freedoms of natural persons is a central component of SAs' role, they must pay particular attention to the protection of the holders of those fundamental rights.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 14 (C.H. Beck 2017).</ref>
==== During and after their term of office ====
The duty of professional secrecy applies both during and following an SA member's or staff's term of office. There is no specific duration for which the duty of professional secrecy continues to apply after the expiry of the term of office. The period of time should be determined on a case-by-case basis, taking into account the sensitivity of the information concerned and the potential consequences to be expected from disclosure.
==Decisions==
==Decisions==
→ You can find all related decisions in [[:Category:Article 54 GDPR]]
→ You can find all related decisions in [[:Category:Article 54 GDPR]]


==References==
==References==
<references />''Selmayr'', in Ehmann, Selmayr, Datenschutzgrundverordnung, Art. 54 margin number 5-11 (C.H. Beck 2018).
<references />
 
CJEU, 30 May 2006, Bank Austria Creditanstalt v Commission, T-198/03 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=T-198/03 here]). 
[[Category:GDPR Articles]]
[[Category:GDPR Articles]]
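Review bot: removing the loose entries that followed <references /> drops the judgment date for ''Bank Austria Creditanstalt v Commission''. The removed line gave "30 May 2006", while the footnote that remains in the "Confidential information" paragraph cites only Case T-198/03, para 71. Consider adding the date to that footnote so the citation stays complete.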

Latest revision as of 13:19, 30 October 2023

Article 54 - Rules on the establishment of the supervisory authority

Legal Text



Article 54 - Rules on the establishment of the supervisory authority

1. Each Member State shall provide by law for all of the following:

(a) the establishment of each supervisory authority;
(b) the qualifications and eligibility conditions required to be appointed as member of each supervisory authority;
(c) the rules and procedures for the appointment of the member or members of each supervisory authority;
(d) the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;
(e) whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment;
(f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment.

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

Relevant Recitals

Recital 117: Establishment of Independent Supervisory Authorities
The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

Recital 121: General Conditions for the Member(s) of Supervisory Authorities
The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority.

Commentary

Article 54 GDPR lays down the requirements for the organisational framework of supervisory authorities ("SAs").[1] However, in doing so, it combines two notably different objectives under its ambit. The first, under Article 54(1) GDPR, is to list the specifications to be legislated for by each Member State through its national legislation for the establishment and governance of SAs. This provision is largely repetitive of requirements outlined under other Articles of the GDPR, namely in Articles 51, 52 and 53 GDPR. The second objective, under Article 54(2) GDPR, seeks to regulate the confidentiality obligations of SA members and staff. These confidentiality obligations were already in place under Article 28(7) of the GDPR's predecessor, Directive 95/46/EC.[2]

(1) Elements provided by Member States law

Article 54(1) GDPR mandates Member States to provide for all the elements listed below through their national law. A substantial number of provisions under Article 54(1) GDPR are mainly reiterations of obligations outlined under Articles 51-53 GDPR.

(a) Establishment of the supervisory authority (SA)

The criteria regulating the establishment of SAs are set out in Articles 51(1) and 52 GDPR; Article 54(1)(a) GDPR repeats that these should be legislated for through a Member State's domestic law.[3] Under the GDPR, Member States are permitted to appoint several different types of SAs, for example, sector specific SAs.[4] In these instances, the law should provide for the conditions and rules regarding the establishment of each type. In addition, commentators have noted that the functional nature of an SA should also be legislated for through national law. For instance, Member States should legislate for whether their SAs are monocratic or collegial bodies, or whether they have any competences in addition to the monitoring of the enforcement of the GDPR.[5]

For more information regarding the establishment of SAs, please refer to Article 51(1) GDPR and Article 52 GDPR in this Commentary.

(b) Qualifications and eligibility conditions for SA members

Article 54(1)(b) GDPR echoes Article 53(2) GDPR, which outlines the qualificatory and experiential requirements for SA members.[6] However, unlike Article 53(2) GDPR, Article 54(1)(b) GDPR explicitly clarifies that these eligibility requirements are to be determined by national law.[7]

For more information on the eligibility requirements for SA members, please refer to Article 53(2) GDPR.

(c) The rules and procedures for the appointment of SA members

Pursuant to Article 54(1)(c) GDPR, Member States must legislate for the rules and procedures governing the appointment of SA members. This provision is, in essence, a restatement of Article 53(1) GDPR, with the difference that Article 53(1) GDPR further stipulates that any procedure legislated for must be 'transparent'.

For more information on the procedural requirements for the appointment of SA members, please refer to Article 53(1) GDPR.

(d) Duration of the term

Pursuant to Article 54(1)(d) GDPR, each Member State is obliged to legislate for the term of office of SA member(s). The provision specifies that the minimum term is four years; nonetheless, Member States are free to set longer terms.[8] However, any attempt to legislate for a term of office that is for life or until retirement should be excluded, as Article 54(1)(e) GDPR addresses the question of reappointment. Therefore, the GDPR assumes a limited term for the position.[9]

(e) Reappointment

Article 54(1)(e) GDPR mandates Member States to legislate for the reappointment of SA members. Member States are entitled to determine whether, and how often the reappointment of members is permitted. For instance, Union law does not prohibit Member States from legislating for reappointment bans, or limitations to the number of consecutive reappointments, or even for the possibility of indefinite reappointments.

Notably though, leniency on the possibility of multiple consecutive reappointments has the capacity to undermine the independence of SA members and, by extension, the institutional integrity of SAs as independent bodies. Commentators have noted that, in particular in the context of members' re-election, allowing multiple reappointments risks candidates who have previously held office making concessions to the appointing body in favour of their renomination. Admittedly, the risk to independence is countered by the fact that a reappointed member will have greater experience than a candidate who has not previously held office.[10]

(f) Rules on members' occupation, prohibitions, incompatible actions and benefits

Under Article 54(1)(f) GDPR, Member States must ('shall') legislate for the (i) conditions governing the obligations of members and staff of each SA, (ii) prohibitions on the actions, occupations and benefits incompatible with membership during and after their term of office, as well as (iii) the rules governing the cessation of their employment.

SA member(s) and staff

While not made explicit under Article 54(1)(f) GDPR, any domestic legislation governing the obligations and prohibitions for SA members during their term of office must be in line with the provisions of Article 52(3) GDPR and Articles 53(3) and 53(4) GDPR. These provisions expand on the conditions outlined under this Article. For instance, Article 52(3) GDPR prohibits SA members from engaging in any incompatible actions and occupations, while Articles 53(3) and 53(4) GDPR regulate the expiry of a member's term of office and dismissal.

To clarify, the GDPR's use of the terms 'members' and 'staff' differentiates between the two types of SA personnel. The former refers to SAs' lead personnel, while the latter refers to supporting staff. Under Article 54(1)(f) GDPR, rules regulating the actions of staff must also be legislated for through national law. However, these conditions are not required to comply with the strict criteria governing SA members, as provided for in Article 52(3) GDPR and Articles 53(3) and 53(4) GDPR.[11]

For more information on SA members and staff, please refer to Article 52(2) GDPR (SA members) and Article 52(5) GDPR (SA staff).

Obligations

Article 54(1)(f) GDPR is not particularly specific in relation to what obligations are to be imposed upon SA members during their term of office. Elements of what constitutes a member's 'obligations' are found in other Articles of the GDPR. For instance, Article 52 GDPR mandates that members serve their office with integrity.[12] Article 51(1) GDPR, meanwhile, outlines SAs' broad purpose of monitoring the GDPR's application, the objectives of which are to protect the right to data protection and facilitate the free flow of personal data within the Union.[13] Especially relevant to the interpretation of the term 'obligations' by the national legislature are Articles 57 and 58 GDPR, which determine the tasks and powers of SAs.[14]

Prohibitions on incompatible actions, occupations and benefits

Any interpretation by national law of the scope and content of the incompatible actions, occupations and benefits which SA members and staff are prohibited from engaging in is to be read in line with Article 52(3) GDPR. Given that the GDPR is quite vague in terms of specifying what exactly 'incompatible actions, occupations and benefits' are, it is particularly important that national legislation does not limit itself to reproducing the text of Articles 52(3) GDPR and 54(1)(f) GDPR.

For more information on the conflict of interest rules, please refer to commentary to Article 52(3) GDPR.

During and after the term of office

Member States must adopt appropriate conflict of interest rules for the period during the term of office, as well as for the period after it. In particular, Member States should regulate against the issue of 'revolving doors'. This term refers to the movement of high-level personnel from public roles to those in the private sector, in particular to industries impacted by the work undertaken by those individuals while holding public office.[15] The European Ombudsman has highlighted that the movement of public officials to the private sector presents risks to the integrity of public bodies, as 'valuable inside knowledge can move into the private sector, or because former officials may lobby their former colleagues or existing officials may be influenced by possible future employment.'[16] The level of independence required of SAs as public bodies is extremely high. Consequently, even the risk of partiality is sufficient to undermine it.[17] Therefore, it would be incompatible with the principle of independence if an SA member were to work for a private entity which was under the SA's scrutiny, immediately after their term of office with the SA ended.[18]

A possible solution to curb potential conflicts of interest could be a 'cooling off' period after the end of a member's term of office. Commentators suggest that periods of 18-24 months should be viewed as a minimum standard.[19] At the same time, it is important that any 'cooling off' periods do not lead to a ban on all professional activities.[20]

Cessation of employment rules

Member States are free to regulate for the rules concerning members' and staff's cessation of employment. In this regard, the GDPR does not contain any specific requirements. Naturally, these rules should not infringe upon SAs' independence, as required by Article 52 GDPR.[21] However, if SA members are legally employed with the SA, any conditions set out by Articles 53(3) and 53(4) GDPR regulating members' end of term or dismissal must also be taken into account by the laws governing their cessation of employment.

For more information regarding the conditions regulating SA members' end of term, please refer to Article 53 GDPR.

(2) Duty of professional secrecy

The second paragraph of Article 54 GDPR prohibits any member or staff of an SA from sharing confidential information with a third party, or disclosing it to the public without prior authorisation.

The duty of professional secrecy is, at its core, an essential element of SAs' investigative powers. In broader terms, the duty of professional secrecy applies as a general principle to the information obtained by SAs in the course of the fulfilment of their role as a supervisory body under Union law. Similar obligations apply to members of competition authorities and other Union regulatory bodies, for instance members of the Commission or European Central Bank.[22] Notably, the duty of professional secrecy does not extend to SAs' cooperation mechanism under Articles 60, 61, 64, and 65 GDPR.

The general duty of professional secrecy finds its footing in primary Union law, under Article 339 of the Treaty on the Functioning of the European Union ("TFEU").[23] Transparency considerations arise in relation to the duty of professional secrecy, especially in the context of public access to documents. For instance, access to documents can lawfully be restricted on confidentiality grounds, in particular when they concern the protection of personal data of individuals or the protection of trade secrets. As a result, the duty of professional secrecy is intertwined with the right of access under the right to good administration found in Article 41(2)(b) of the Charter of Fundamental Rights of the European Union ("CFR"),[24] and the right of public access under Article 42 CFR and Regulation 1049/2001.[25] In relation to these conflicting interests, commentators have noted that the obligation of secrecy should “not unduly restrict the transparency of DPA [SA] performance, one of the main elements of public accountability of DPAs [SAs].”[26]

The duty of professional secrecy arises in other provisions of the GDPR, namely under Article 38(5) GDPR in relation to data protection officers ("DPO"). For the interpretation of the duty of professional secrecy in regard to DPOs, please refer to Article 38(5) GDPR.

Members and the staff of supervisory authority (SA)

The duty of professional secrecy only applies to SA staff and members. Thus, nothing prevents the parties to the proceedings (including the complainant) from sharing the information obtained from the SA, subject to restrictions under national law.

Union or Member State law

Member States may further regulate the duty of professional secrecy through their national legislation. In any case, EU law applies as a minimum threshold; thus, Member States may regulate for more stringent requirements but not for less.

Union law

Article 339 TFEU establishes that '[t]he members of the institutions of the Union, the members of committees, and the officials and other servants of the Union shall be required, even after their duties have ceased, not to disclose information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components.' Other relevant legislative provisions include Article 17 of the EU Staff Regulations,[27] and Article 56 of Regulation (EU) 2018/1725 ("EUDPR").[28]

National law

Generally, Member States regulate for sector specific confidentiality obligations. In particular, these regulations apply to professionals who handle confidential information on a regular basis, such as doctors, lawyers and public officials. As noted above, Member States may choose to further regulate the confidentiality obligations applying to SAs.

Duty of professional secrecy

The duty of professional secrecy applies to any confidential information which SA members and staff have come into contact with in the course of the performance of their tasks or exercise of their powers.

Confidential information

The CJEU clarified, in Bank Austria Creditanstalt v Commission, that information will be considered confidential if it fulfils the following three conditions: (i) if the information is known only to a limited number of people; (ii) disclosure of the information can cause serious harm to the person who has provided it or to third parties; and (iii) the interests likely to be harmed by disclosure must, objectively, be worthy of protection.[29] Commentators have noted that the test of Article 339 TFEU requires a reinforced protection for business secrets.[30]

In the course of the performance of their tasks or exercise of their powers

Information is only protected if it has come to the knowledge of a member or an employee of an SA 'in the course of the performance of their tasks or exercise of their powers'. Given the broad nature of the tasks and powers afforded to SAs under Articles 57 and 58 GDPR, the duty of professional secrecy applies to all confidential information that SA members and staff come into contact with in the course of their duties, which, considering the extent of SAs' work, is not an insignificant amount.

Reporting by natural persons of infringements

The duty of professional secrecy, in particular, applies to the reporting of GDPR infringements by natural persons. Considering that protecting the fundamental rights and freedoms of natural persons is a central component of SAs' role, they must pay particular attention to the protection of the holders of those fundamental rights.[31]

During and after their term of office

The duty of professional secrecy applies both during and following an SA member's or staff's term of office. There is no specific duration for which the duty of professional secrecy continues to apply after the expiry of the term of office. The period of time should be determined on a case-by-case basis, taking into account the sensitivity of the information concerned and the potential consequences to be expected from disclosure.

Decisions

→ You can find all related decisions in Category:Article 54 GDPR

References

  1. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).
  2. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 2 (C.H. Beck 2020, 3rd Edition).
  3. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).
  4. For more on this point, please refer to Article 51 GDPR.
  5. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 7 to 10 (Nomos 2022).
  6. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).
  7. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 16 to 19 (Nomos 2022).
  8. This presumably corresponds to the regular length of a legislative period in most EU Member States. It seems to create a link between data protection supervision and the parliament or, where that is the case, the executive branch responsible for the appointment. See Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 25 to 27 (Nomos 2022).
  9. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 8 (Nomos 2019). Dissenting views can be found in Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 897 (Oxford University Press 2020).
  10. See Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 35 to 39 (Nomos 2022). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 9 (Nomos 2019).
  11. See Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin numbers 14 to 16 (C.H. Beck 2020, 3rd Edition).
  12. See also Recital 121 GDPR.
  13. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017).
  14. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 13 (Nomos 2019).
  15. Article 52(3) GDPR already contains rules on conflict of interest for members of SAs. Article 54(1)(f) GDPR widens the scope by obliging the Member States to adopt national rules on this subject matter for members of SAs and for staff, as well as on the issue of revolving doors.
  16. The European Ombudsman's work on revolving doors (2022), available at https://www.ombudsman.europa.eu/webpub/2022/revolving-doors/en/.
  17. For more on this point, please refer to Article 52 GDPR.
  18. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, page 898 (Oxford University Press 2020).
  19. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017).
  20. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin number 46 (Nomos 2022).
  21. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin number 47 (Nomos 2022).
  22. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 (C.H. Beck 2017).
  23. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 (C.H. Beck 2017).
  24. This provision notes that the right of good administration includes 'the right of every person to have access to his or her file, while respecting the legitimate interests of confidentiality and of professional and business secrecy'.
  25. Article 42 CFR notes that '[a]ny citizen of the Union, and any natural or legal person residing or having its registered office in a Member State, has a right of access to documents of the institutions, bodies, offices and agencies of the Union, whatever their medium.'
  26. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 899 (Oxford University Press 2020).
  27. Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Economic Community and the European Atomic Energy Community, available here.
  28. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, available here.
  29. Case T-198/03, Bank Austria Creditanstalt v Commission, para 71.
  30. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 and 13 (C.H. Beck 2017).
  31. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 14 (C.H. Beck 2017).