Article 52 GDPR: Difference between revisions

From GDPRhub


==Commentary==
EU primary law (Article 8(3) CFR, Article 16(2) TFEU and Article 39 TEU) as well as Article 52 GDPR already require independent supervisory authorities (SAs) to monitor and enforce the application of data protection law.<ref>Only Convention 108 of the Council of Europe did not require that Supervisory Authorities (“SA”) be established by the contracting countries. However, the modernised Convention 108 (Article 15) now refers to the requirement of an independent authority.</ref> Article 52 GDPR introduces the requirement of 'complete independence' of supervisory authorities. Article 52 GDPR mostly codifies the concept of complete independence that was developed by the CJ EU when interpreting Article 28(1) of Directive 95/46 (Data Protection Directive - DPD).<ref>Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046 here].
Primary Union law necessitates the independence of supervisory authorities under Article 8(3) of the Charter of Fundamental Rights of the European Union ("''CFR''"), Article 16(2) of the Treaty on the Functioning of the European Union ("''TFEU''") and Article 39 of the Treaty on the European Union ("''TEU''"). These Articles provide that Member States must ensure that compliance with data protection rules is subject to the "''control of independent authorities''." Article 52 GDPR gives effect to this requirement.


The CJ EU decided on the requirement of complete independence of SAs in cases ''C-518/07 - Commission v Germany'', ''C-614/10 - Commission v Austria'', and ''C-288/12 - Commission v Hungary''. </ref>
Article 52 GDPR codifies the concept of "''complete independence''" developed by the European Court of Justice ("''CJEU''") in several landmark cases concerning the interpretation of Article 28(1) of Directive 95/46/EC (''"DPD"''), the Regulation's predecessor.<ref>Case ''C-518/07, Commission v Germany''; Case ''C-614/10, Commission v Austria;'' and ''Case C-288/12, Commission v Hungary''. </ref> Article 28(1) DPD established the existence of supervisory authorities and mandated that they were to "''act with complete independence in exercising the functions entrusted to them''."


Article 52(1) GDPR clarifies that the independence of SAs must be complete. Subsequently, it further specifies that the authority and its members must exercise their functions without any external influence and without conflicts of interest (Article 52(2)(3) GDPR). In order to make these principles operational, the provision requires member states to provide the SA with adequate financial and organisational means for this purpose (Article 52(4)(5)(6) GDPR). Some elements of complete independence of SAs are addressed also in [[Article 53 GDPR]] and [[Article 54 GDPR]].
Similarly, Article 52(1) GDPR explicitly demands that the independence of SAs must be complete. It has elaborated this to mean that the authority and its members must exercise their functions without any external influence and without conflicts of interest (Article&nbsp;52(2)(3)&nbsp;GDPR). In order to make these principles operational, the provision requires Member States to provide the SA with adequate financial and organisational means for this purpose (Article 52(4)(5)(6) GDPR). Elements of SAs' complete independence are also addressed in [[Article 53 GDPR]] and [[Article 54 GDPR]].


Complete independence was established in order to strengthen the protection of individuals and bodies affected by their decisions and not to grant a special status to those authorities themselves.<ref>See ''C-518/07 - Commission v Germany'', para 25.</ref> <blockquote>Case law: In Commission v Austria the CJ EU held that “''the guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on the protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim.''”<ref name=":0">''See CJEU C-614/10 - Commission v Austria, para 25.'' </ref>
In ''Commission v Germany'', the CJEU notes that the notion of absolute independence for SAs was developed in order to strengthen the protection of individuals, not for the purpose of granting special status to SAs.<ref>See CJEU, case ''C-518/07 - Commission v Germany'', paragraph 25.</ref> This understanding was affirmed in ''Commission v Austria'', wherein the CJEU held that “''the guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on the protection of individuals with regard to the processing of personal data'' [...]''.''”<ref name=":0">''See CJEU, case C-614/10 - Commission v Austria, paragraph 25.'' </ref>


The CJ EU also pointed out that provisions concerning complete independence are to be interpreted autonomously and broadly, and provisions on independence of SAs and the European Data Protection Supervisor (EDPS) are to be interpreted homogeneously, since they are based on the same general principle of independence.<ref>See [https://gdprhub.eu/C-518/07%20-%20Commission%20v%20Germany ''C-518/07 - Commission v Germany''], paragraphs 17-39 and 51 and paragraphs 26-28.
The notion of independence recurs throughout the regulation. For instance, the principle of independence is also referred to in [[Article 4 GDPR|Article 4(12) GDPR]] (definition of SA), [[Article 45 GDPR|Article 45(2)(b) GDPR]] (personal data transfers to a third country or an international organisation outside of the European Economic Area), and [[Article 69 GDPR]] (on the independence of the European Data Protection Board ("''EDPB''")).<ref>''See Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 876 (Oxford University Press 2020).</ref>
See also ''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, pages 875 and 878 (Oxford University Press 2020).
===(1) Complete independence of supervisory authorities (SAs)===
 
Article 52(1) GDPR acts as a catch-all clause that applies as a general standard,<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 6 (Nomos 2022).</ref> even where the more specific provisions of the GDPR do not apply.
The independence of EDPS is now regulated in Article 55 EUDPR (Regulation (EU) 2018/1725, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1725 here]), which has replaced Article 44 of the Regulation 45/2001.
</ref></blockquote> 
 
The requirement of independence recurs in some other parts of the GDPR: [[Article 4 GDPR|Article 4(12) GDPR]] (definition of SA), [[Article 45 GDPR|Article 45(2)(b) GDPR]] (in the context of transfer of data outside of the European Economic Area), and [[Article 69 GDPR]] (with regard to the European Data Protection Board (EDPB)).<ref>''See Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 876 (Oxford University Press 2020).</ref>
===(1) Complete Independence of Supervisory Authorities (SAs)===
Under Article 52(1) GDPR, each SA must act with complete independence in performing its tasks and exercising its powers. It is a general catch-all clause that applies when a situation is not covered by any of the subsequent more specific provisions of the GDPR safeguarding the complete independence of SAs.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 5 (Nomos 2022).</ref>    
==== Each supervisory authority (SA) ====
Member states can establish one or several SAs for monitoring the implementation of the GDPR ([[Article 51 GDPR]]). Article 52(1) GDPR clarifies that ''"each"'' of them must ("shall") act with complete independence.<ref>''Zerdick'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 879 (Oxford University Press 2020).</ref>
Member States can establish one or several SAs for monitoring the implementation of the GDPR ([[Article 51 GDPR]]). Article&nbsp;52(1)&nbsp;GDPR clarifies that ''"each"'' of them must ("shall") act with complete independence.<ref>''Zerdick'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 879 (Oxford University Press 2020).</ref>


==== Shall act ====
This condition requires member states, SAs and each of their members to ensure that the requirement of complete independence is fulfilled. In the event that the provision is not implemented, the Commission can start an infringement proceeding against the state under Article 258 TFEU. Other member states may also bring an action before the CJ EU under Article 259 TFEU. <blockquote>Case law: In three separate cases started by the Commission, the CJ EU found that Germany, Austria and Hungary, respectively, failed to ensure complete independence of their SAs and thus did not fulfil their obligations.<ref>''See C-518/07 - Commission v Germany, C-614/10 - Commission v Austria,'' and ''C-288/12 - Commission v Hungary''</ref> </blockquote>
This condition mandates that Member States, SAs and each of their members ensure that the requirement of complete independence is fulfilled. In the event that the provision is not implemented, the Commission may start infringement proceedings against the state under Article 258 TFEU. In addition, other Member States may bring an action before the CJEU under Article&nbsp;259&nbsp;TFEU.


Infringement proceedings against Member States have occurred before. In three separate cases instigated by the Commission, the CJEU found that Germany, Austria, and Hungary had not fulfilled their obligations, as they had failed to ensure the complete independence of their SAs.<ref>''See CJEU, case [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-518/07 C-518/07 - Commission v Germany,] case [https://curia.europa.eu/juris/liste.jsf?num=C-614/10&language=EN C-614/10 - Commission v Austria],'' and case ''[https://curia.europa.eu/juris/liste.jsf?language=en&num=C-288/12 C-288/12 - Commission v Hungary].''</ref> 
==== Complete independence ====   


In ''Commission v Germany'' the Court specified that the notion of “''complete independence''” must be given a broad and autonomous interpretation. Complete independence requires that the decisions of SAs and SAs themselves, as guardians of the right to private life, are objective and impartial and remain above any suspicion of partiality.<ref>CJ EU - ''C-518/07 - Commission v Germany'', paragraph 36.</ref>  
In ''Commission v Germany'' the Court specified that the notion of “''complete independence''” must be given a broad and autonomous interpretation. Other provisions on the independence of SAs and the European Data Protection Supervisor ("''EDPS''") are to be interpreted homogeneously, as they are based on the same general principle of independence.<ref>See CJEU, case [https://gdprhub.eu/C-518/07%20-%20Commission%20v%20Germany ''C-518/07 - Commission v Germany''], paragraphs 17-39 and 51 and paragraphs 26-28, available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-518/07 here]. See also ''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, pages 875 and 878 (Oxford University Press 2020). The independence of EDPS is now regulated in Article 55 EUDPR (Regulation (EU) 2018/1725, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1725 here]), which has replaced Article 44 of the Regulation 45/2001.
</ref>


This is necessary for SAs to carry out their function, which includes ''"ensuring a fair balance between fundamental rights, on the one hand, observance of the fundamental right to private life and, on the other hand, the interests requiring free movement of personal data''.”<ref>CJ EU - ''C-518/07 - Commission v Germany'', paragraph 24.</ref>  
Complete independence requires that the decisions of SAs, and SAs themselves, are objective and impartial and remain above any suspicion of partiality.<ref>CJEU, case ''C-518/07 - Commission v Germany'', paragraph 36, available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-518/07 here].</ref> To fulfil the requirement of complete independence, SAs must remain free from any external influence which is liable to have an effect on their decisions.<ref>CJEU, case ''C-518/07 - Commission v Germany'', paragraph 41, available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-518/07 here].</ref> According to the CJEU, this freedom is necessary for SAs to carry out their functions, which include ''"ensuring a fair balance between fundamental rights, on the one hand, observance of the fundamental right to private life and, on the other hand, the interests requiring free movement of personal data''.”<ref>CJEU, case ''C-518/07 - Commission v Germany'', paragraph 24, available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-518/07 here].</ref>


Consequently, a SA must enjoy independence in all its possible forms, including:     
Consequently, an SA must enjoy independence in all possible forms, including:     


* institutional and organizational independence (see below);
* independence in decision making, without any external influence (see Article 52(2) section below);
* independence in decision making, without any external influence (see Article 52(2) GDPR, below);
* functional independence (see Article 52(3) section below);
* functional independence (see Article 52(3) GDPR, below);
* operational independence, such as having own premises and staff (see Article 52(4)(5) sections below);
* operational independence, such as having own premises and staff (see Article 52(4)(5) GDPR, below);
* financial and budgetary independence (see Article 52(4)(6) sections below), and
* financial and budgetary independence (see Article 52(4)(6) GDPR, below), and
* restrictions regarding premature termination of mandate of SA members (see Article 53 GDPR).


Evidently, the SA must be independent with respect to the entities, controllers or processors, over which it is required to exercise control. However, independence also applies to the state or any other entity that may exercise any kind of direct or indirect control over the decision-making capacity of the SA, including the Commission.<ref>In Schrems I, the Court made it clear that the DPA must carry out a check on the transfer of data even where there is an adequacy decision. CJEU, Schrems I, §57</ref> SAs must remain free from any external influence, which is liable to have an effect on their decisions.<ref>CJ EU - ''C-518/07 - Commission v Germany'', paragraph 41.</ref> <blockquote>Example: The government cannot change or replace a decision that was taken by the SA. </blockquote>To remain free from political influence, ''"the supervisory authority must be placed outside the classic hierarchical administration''”, while SAs obtain democratic legitimation from the way their members are appointed, from being required to comply with the laws and from being subject to review by a court. SAs are also accountable to the parliament. They provide annual reports pursuant to Article 59 GDPR.<ref>CJ EU - ''C-518/07 - Commission v Germany'', paragraphs 40-46.</ref>


Another aspect of complete independence is, according to CJ EU and now implemented in Article 53(3)(4) GDPR, that a mandate of a SA member cannot end prematurely (outside the parameters of the GDPR), not even by a law introducing institutional restructuring of the SA.<ref>CJEU - ''[[C-288/12 – Commission v Hungary]],'' paragraph 61.</ref>  
These requirements mean that SAs must be independent with respect to the entities, controllers or processors, over which they are required to exercise control. The concept of independence applies also to the state or any other entity that may exercise any kind of direct or indirect influence over the decision-making capacity of an SA. For example, in practice, this requirement mandates that legislative or executive bodies, such as the government of a Member State or the Commission, cannot change or replace a decision taken by an SA. Moreover, the concept of complete independence extends to SA members' term of office, which cannot end prematurely outside of the GDPR's parameters, even if Member States introduce domestic laws which attempt to restructure the functioning of SAs.<ref>CJEU, case ''[https://curia.europa.eu/juris/liste.jsf?language=en&num=C-288/12 C-288/12 – Commission v Hungary],'' paragraph 61, available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-288/12 here].</ref>
 
The independence of SAs extends to adequacy decisions adopted by the Commission. An SA is not bound by an adequacy decision adopted by the Commission under [[Article 45 GDPR]], if it considers it to not comply with the GDPR's requirements. For instance, in ''Schrems I,'' the CJEU made it clear that the competent SA when examining a data subject's claim relating to the third-country transfer of data ''"must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the [law]."''<ref>CJEU in case ''C-362/14 - Schrems I'', paragraph 57, available [https://curia.europa.eu/juris/liste.jsf?num=C-362/14 here].</ref>   
 
The aim of such complete independence is to ensure that SAs are free from political influence. For this reason, the CJEU has highlighted that their governance must remain outside of a State's ''"classic hierarchical administration.''”<ref>CJEU in case ''C-518/07 - Commission v Germany'', paragraph 42.</ref> The requirement of independence does not jeopardise their democratic legitimation, as an SA's democratic legitimacy stems from the appointment of its members, which is to be done by means of a transparent procedure by a Member State's parliament, government, head of State, or an independent body entrusted with the appointment under Member State law ([[Article 53 GDPR]]). SAs are also accountable to the political bodies of their Member States.


Nevertheless, even complete independence has limits. For example, it does not exclude that the appointment of SA members is made by political bodies such as the parliament or the government ([[Article 53 GDPR|Article 53(1) GDPR]]) or that their actions (including their inactivity) may be subject to judicial review ([[Article 78 GDPR]]). After all, independence does not mean unaccountability.<ref>See Sydow, Article 52, margin number 30.</ref>  
Nevertheless, complete independence should not be taken to mean unaccountability.<ref>See ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 30 (Nomos 2022).</ref> Pursuant to Article&nbsp;59&nbsp;GDPR, SAs must provide annual reports to the national parliament, the government and any other authorities as designated by Member State law. Moreover, in line with the rule of law, decisions of SAs are subject to judicial review, under Article 78 GDPR.
==== Performing its tasks and exercising its powers ====


===== Tasks of supervisory authorities (SAs) =====
Among the tasks of each SA are the handling of complaints of data subjects and cooperation with other SAs under the consistency mechanism, in particular in cases of cross border processing ([[Article 62 GDPR]]). Tasks of SAs are laid down in [[Article 57 GDPR]]. For more information, see [[Article 57 GDPR]].
Among the tasks of each SA is handling of complaints of data subjects and cooperation with other SAs under the Article&nbsp;63&nbsp;GDPR consistency mechanism. The tasks of SAs are laid down in [[Article 57 GDPR]].<ref>For further analysis on this point please refer to [[Article 57 GDPR]].</ref>


===== Powers of supervisory authorities (SAs) =====
The powers of SAs include several investigative and corrective powers, such as conducting on premises investigations, ordering a processor to stop processing a data subject's personal data and administering fines for infringements of the GDPR. The powers of SAs are set out in [[Article 58 GDPR]]. For more information, please refer to [[Article 58 GDPR]].
The powers of SAs, both investigative and corrective, are set out in [[Article 58 GDPR]].<ref>For further analysis, please refer to [[Article 58 GDPR]].</ref>


===(2) Freedom from External Influence===
The fact that SAs' legally binding decisions are subject to full judicial review (see commentary on [[Article 78 GDPR]]) does not diminish the SAs' independence:
Article 52(2) GDPR addresses the members of the SA during the performance of their duties. On the one hand, it requires them to remain free from external influences, whether direct or indirect, and on the other hand, it prohibits them from seeking or taking instructions from anyone. The first obligation codifies the findings of the CJ EU. <ref>See CJEU in C-518/07, paras 19, 25, 30, 50.</ref> <blockquote>
Case law


In Commission v Germany, the Court decided that considering that the SAs competent for the private sector were subject to governmental supervision and state scrutiny, which allowed the government to influence the decisions of the SAs, directly and indirectly, the requirement of independence was not met.<ref>CJ EU - ''C-518/07 - Commission v Germany''.</ref></blockquote>
{{Quote-CJEU|"[…] it is true that, in accordance with Article 8(3) of the Charter, compliance with the rules on the protection of personal data is subject to control by an independent authority. In that context, Article 52 of the GDPR specifies, in particular, that each supervisory authority is to act with complete independence in performing its tasks and exercising its powers in accordance with that regulation […].
The second reflects similar wording in Article 44(1) of Regulation 45/2001, now Article 55(2) EUDPR.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 880 (Oxford University Press 2020).  
However, those guarantees of independence are in no way compromised by the fact that the legally binding decisions of a supervisory authority are subject to full judicial review."|CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|64 et seq.}}


See Article 55(2) EUDPR - ''Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC,'' [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1725 available here]''.''</ref>
===(2) Freedom from external influence===
Article 52(2) GDPR requires two things from members of SAs in the performance of their duties. Firstly, it requires them to remain free from external influences, whether direct or indirect, and secondly, it prohibits them from seeking or taking instructions from anyone.  


Freedom from external influence and the prohibition of conflicts of interest aim to prevent the risk of political influence, interest in non-compliance with GDPR provisions and prior compliance of SAs.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 19 (C.H. Beck 2020, 3rd Edition).</ref>
As the guardians of the right to data privacy, SAs must be able to act objectively and impartially, free from any external influence that might affect their decision-making process. In particular, this prohibition is primarily targeted at undue governmental and political influence.<ref>See CJEU, case ''C-518/07 – Commission v Germany'', paragraph 35, available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-518/07 here].</ref> <blockquote>
 
<u>Case law</u>: In ''Commission v Germany'', the CJEU considered that a government may, among others, tend to favour economic interests in the application of data protection provisions by certain establishments which are economically significant for their state or a region.<ref>CJEU explained in Commission v Germany that “the government of the ''Land'' concerned might have an interest in not complying with the provisions of the GDPR”. They might be an interested party in a processing, for example, in the case of contracts with the private sector. They might have an interest in having access to a data base, in particular for taxation or law enforcement purposes. Also, a government might tend to favour economic interests in the application of data protection provisions by certain companies which are economically important for the ''Land'' or region. See CJEU, case ''C-518/07 – Commission v Germany'', paragraph 35, available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-518/07 here].</ref> The Court decided that the requirement of independence was not met, as the SAs' competences over the private sector were subject to governmental supervision and state scrutiny, which allowed the government to directly and indirectly influence the decisions of Germany's SAs.<ref>CJEU in case ''C-518/07 - Commission v Germany,'' paragraphs 19, 25, 30 and 50 available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-518/07 here].</ref> In ''Commission v Austria'', the CJEU among others held that the fact that the office of SAs was composed of officials of the Federal Chancellery (Office of the Head of Austrian Government), which was itself subject to supervision by the Austrian SA, carried a risk of influence over SA’s decisions and prevented it from being above all suspicion of partiality and was therefore incompatible with the requirement of independence.<ref>CJEU, case ''C-614/10 - Commission v Austria'', paragraph 61, available [https://curia.europa.eu/juris/liste.jsf?num=C-614/10&language=EN here].</ref></blockquote>
==== Member(s) of supervisory authorities (SAs) ====
==== Member(s) of supervisory authority (SA) ====
Members of SAs are the carriers of the principle of independence of SAs. Members are the lead personnel appointed in accordance with [[Article 53 GDPR|Article 53(1) GDPR]].<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin numbers 21 to 24 (Nomos 2022).</ref> In addition to at least one member, every SA also has staff. The concept of independence does not apply to staff. They must follow instructions of members of the SAs but must remain independent from any influence from outside of the SA (see Article 52(4) GDPR section below).<ref>See ''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition). See also ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 26 (Nomos 2022).</ref>


==== Remain free from external influence ====
As the guardians of the right to data privacy SAs must be able to act objectively and impartially and free from any influence that might affect their decision-making process.  
===== Direct influence =====
The prohibition under Article 52(2) GDPR is broad and forbids any form of direct influence. Forms of direct influence are more explicit than indirect influence, and could include instructions given to an SA on any aspect of its work, direct political influence, or prior compliance.<ref>Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 5 (Nomos 2019); to that end see also Article 58(4) GDPR.</ref> These examples are non-exhaustive. In practice, this prohibition forbids situations such as the following:<blockquote><u>Example</u>: The government cannot review a decision of an SA for its correct interpretation and application of the GDPR and replace it.


Case law:  
<u>Example</u>: The Commission cannot instruct an SA as to which company should or should not be investigated.


In Commission vs. Austria, the CJ EU among others held that the fact that the office of SAs was composed of officials of the Federal Chancellery (Office of the Head of Austrian Government), which is itself subject to supervision by the Austrian SA, carries a risk of influence over SA’s decisions and prevents it from being above all suspicion of partiality and therefore incompatible with the requirement of independence.<ref>CJEU, C-614/10 - Commission v Austria, paragraph 61.</ref>
<u>Example</u>: An SA decides not to impose a fine for the repeated violation of the GDPR, as it is aware that its state's ministry, as the scrutinising authority, will annul and replace its decision because the government does not want to impose any fines for political reasons.</blockquote>
===== Indirect influence =====
Indirect influence is implicit, and occurs in instances where an SA’s actions or decisions are swayed by external factors. CJEU case law suggests that the mere suspicion of partiality is sufficient to constitute an infringement upon an SA's independence. In the Court’s view, this risk may generate a form of ‘prior compliance’ which is incompatible with the free and independent exercise of an SA's functions. Indirect influence equally may result from external control over an SA member's career prospects, including external control over disciplinary action, especially in circumstances where political incentives exist for the GDPR's non-enforcement.  <blockquote><u>Case law</u>: In ''Commission v Germany'', the CJEU explained that “''the mere risk that the state scrutinizing authorities could exercise political powers over the decisions of SAs is enough to hinder the latter in the independent performance of their tasks. First, as was stated by the Commission, there could be ‘prior compliance’ on the part of those authorities in the light of the scrutinising authority’s decision-making practice. Secondly, for the purposes of the role adopted by those authorities as guardians of the right to private life, it is necessary that their decisions, and therefore the authorities themselves, remain above any suspicion of partiality.''” <ref>CJEU, case ''C-518/07 – Commission v Germany'', paragraph 36, available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-518/07 here].</ref>  


In Commission v Germany, the CJEU clarified that political influence is prohibited because governments may have an interest in not complying with the provisions with regard to the protection of personal data.<ref>See CJ EU ''C-518/07 – Commission v Germany'', paragraph 35.</ref> <blockquote>Example: The government wants to have access to a database for taxation or law enforcement purposes and thus has an interest in the database, and its access to it, continuing.
<u>Case law</u>: In ''Commission v Austria'', the CJEU held that the fact that the Federal Chancellor had an unconditional right to be informed on all aspects of the work of the SA was enough to subject the SA to indirect influence from the Federal Chancellor. The Court also noted that the professional evaluation of an SA member by their hierarchical superior for the purposes of a promotion had the capacity to constitute a form of prior compliance.<ref>CJEU in case ''C-614/10 - Commission v Austria'', paragraphs 63 and 51, available [https://curia.europa.eu/juris/liste.jsf?num=C-614/10&language=EN here].</ref>  


Case Law:
<u>Case law</u>: Similarly, in ''Commission v Hungary'', the CJEU clarified that an SA member's risk of premature termination from their term of office could lead them to enter into a form of prior compliance with the political authority in question. The mere risk of prior compliance was incompatible with the requirement of independence.<ref>CJEU in case ''C-288/12 - Commission v Hungary'', available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-288/12 here].</ref></blockquote>Given these conditions, the question arises as to what should be the scale of national legislative intervention to ensure effective independence during SA members' term of office. The problem is particularly pressing where certain professional categories are concerned, such as legal advisors in the private sector. In instances such as these, a form of prior compliance can be envisaged, not so much with respect to political or governmental bodies, but rather with respect to positions taken previously, or to the risk that certain ‘unpopular’ decisions may reduce the number of job opportunities after the end of members' term.  
 
CJ EU explained in Commission v Germany that a government may, among other things, tend to favour economic interests in the application of data protection provisions by certain companies which are economically important for their state or a region.<ref>CJ EU explained in Commission v Germany that “the government of the ''Land'' concerned might have an interest in not complying with the provisions of the GDPR”. They might be an interested party in a processing, for example, in the case of contracts with the private sector. They might have an interest in having access to a data base, in particular for taxation or law enforcement purposes. Also, a government might tend to favour economic interests in the application of data protection provisions by certain companies which are economically important for the ''Land'' or region. See CJ EU, ''C-518/07 – Commission v Germany'', paragraph 35.</ref></blockquote>External influence can take different forms. In particular, in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62007CJ0518 Commission vs. Germany], the Court decided that Germany did not correctly respect this standard ([https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046 Article 28(1) of Directive 95/46]) considering that the SAs competent for the private sector were subject to governmental supervision, and state scrutiny. That allowed the government to influence, directly or indirectly, the decisions of the SAs, and even to cancel or replace these decisions.
 
===== Direct influence =====
Direct influence refers to instructions given to a SA, on whatever aspect of its work. This means that instructions to SAs regarding service or performance related aspects are prohibited.<ref>Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 5 (Nomos 2019); to that end see also Article 58(4) GDPR.</ref><blockquote>Example: The Commission cannot tell a SA which company should or should not be investigated.</blockquote>Instructions regarding issues of legality are also forbidden.<ref>CJ EU, ''C-518/07 - Commission v Germany.''</ref> Only courts may scrutinize the work of SAs.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 5 (Nomos 2019). To that end see also [[Article 58 GDPR|Article 58(4) GDPR]].</ref><blockquote>Example: A SA will not decide to impose a fine for a repeated violation of the GDPR, when they know that a ministry as the scrutinizing authority will annul and replace their decision because the ministry does not want to impose such a burden on the company for political reasons.</blockquote>It is not necessary that instructions were given. The mere possibility of exercising political influence over their decisions is enough to conclude that the SA lacks independence. SAs must remain above suspicion of partiality.<blockquote>Case law: In Commission v Germany CJ EU explained that “''the mere risk that the state scrutinizing authorities could exercise political powers over the decisions of SAs is enough to hinder the latter in the independent performance of their tasks.''” There could be a danger of prior compliance on the part of those authorities in the light of the scrutinizing authority's decision-making practice, and their decisions would not remain above any suspicion of partiality.<ref>CJ EU, ''C-518/07 – Commission v Germany'', paragraph 36.</ref></blockquote>
 
===== Indirect influence =====
Indirect influence occurs whenever the SA’s actions may be affected by external factors, which could motivate members of SAs to act in a certain manner out of their “own free” will. In the Court’s view, this also generates a form of ‘prior compliance’ which is incompatible with the free and independent exercise of its functions. Indirect influence may equally result from possible effect on career prospects or disciplinary action.<blockquote>Example: If the government is in charge of deciding about a salary increase and promotion of a SA member, it is quite unlikely that the SA will issue a fine for noncompliance with the GDPR, if the government is of the opinion that warnings and not fines should be issued in the event of violations of the GDPR.</blockquote><blockquote>Case law: In Commission vs. Austria, the CJ EU held that the fact that the Federal Chancellor had an unconditional right to be informed on all aspects of the work of the SA is liable to subject the SA to indirect influence from the Federal Chancellor. It also pointed out that the evaluation of a SA member by his hierarchical superior, in this case the Federal Chancellor, for the purposes of his promotion could lead to a form of prior compliance on the part of the SA.<ref>CJEU Judgment, C-614/10, paragraphs 63 and 51.</ref></blockquote>Similarly, in Commission v Hungary, CJ EU clarified that a change of institutional model cannot objectively justify compelling the person entrusted with the duties of supervision to vacate their office before the expiry of their full term. If member states were allowed to compel a SA member to vacate office before serving their full term, then the threat of a premature termination to which a member would be exposed throughout their term of office could lead them to enter into a form of prior compliance with political authority, which is incompatible with the requirement of independence.
 
Given these conditions, the question arises as to what is, or rather what should be, the scale of national legislative intervention to ensure effective independence during the term of office. The problem is particularly pressing where certain professional categories are concerned, such as legal advisers in the private sector. In this case, too, a form of prior compliance can be envisaged, not so much with respect to political or governmental bodies, but rather with respect to positions taken previously, or to the risk that certain ‘unpopular’ decisions may reduce the number of job opportunities after the end of the mandate. In this sense, one possible solution might be to provide the SA’s appointed members with a medium to long-term financial emolument that would allow them to free themselves from reductive calculations on their professional future.


==== Freedom from instructions ====
SAs are prohibited from asking for instructions or following instructions, if they were given. Seeking or taking instructions by SAs would undermine the impartiality of SAs.<blockquote>Case law:
Included in the wording of Article 52(2) GDPR, is an explicit prohibition on SAs from seeking or taking instructions from anybody. The CJEU has clarified, that freedom from external interference is an essential element of the principle of independence.<blockquote><u>Case law</u>: In ''Commission v Hungary'', CJEU held that “''[t]he operational independence of supervisory authorities, in that their members are not bound by instructions of any kind in the performance of their duties, is thus an essential condition that must be met if those authorities are to satisfy the criterion of independence.''”<ref>CJEU in case ''C-288/12 - Commission v Hungary'', para 52. Available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-288/12 here].</ref></blockquote>


In Commission v Hungary, CJEU held that “The operational independence of supervisory authorities, in that their members are not bound by instructions of any kind in the performance of their duties, is thus an essential condition that must be met if those authorities are to satisfy the criterion of independence”.<ref>CJEU Judgment, C-288/12, para 52.</ref></blockquote>
===(3) Prohibition against incompatible actions===
Under Article 52(3) GDPR, members of each SA are forbidden, during their term of office, from engaging in any actions or occupations incompatible with their duties, whether gainful or not. The purpose of this provision is to protect the independence of SAs, as well as to ensure the lawfulness of their actions and to ensure the maintenance of their reputation.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 31 (Nomos 2022).</ref> The GDPR provides no list of actions or occupations that are considered "''incompatible"'', as under Article 54(1)(f) GDPR, Member States must regulate the matter through their national legislation. Recital 121 also confirms that Member States are to regulate the general conditions of SA members, and in addition, this Recital necessitates that SA members act with integrity.


===(3) Prohibition Against Incompatible Actions===
Unlike the members of other supervisory bodies, such as the EDPS, members of SAs are permitted to hold other positions in addition to those with the SA, so long as these do not conflict with their duties under the GDPR. This freedom allows members of SAs to hold other competences. For example, in Germany on a federal level and in some German individual federal states, as well as in Malta and Slovenia, SAs are the public authority in charge of freedom of information legislation.
Under Article 52(3) GDPR, members of each SA shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not. The provision lists neither the actions nor the occupations that are supposed to be incompatible with a function within the SA. However, Article 54(1)(f) GDPR requires the Member States to regulate the matter in their national legislation.  
====Incompatible action====
The prohibition of incompatible actions applies both to SA members' professional and private life. As noted above, the concept of incompatibility is left to Member States to define. Nonetheless, examples of actions which would be considered incompatible with the function of an SA member are those which risk giving rise to external influence or partiality. For example, the receipt of gifts, promises or any other form of benefit is certainly incompatible. In addition, SA members should avoid frequent private contact with potential counterparties or representatives of controllers or processors to the extent possible, and at the least should avoid contact with those against whom investigations are being conducted. 
====Incompatible occupation====
Regarding the concept of "''incompatible occupation,"'' the wording of Article 52(3) GDPR makes no differentiation as to the nature of the occupation. It makes no difference for the purpose of the provision whether these are professional, part-time, or voluntary. The decisive factor is the occupation's incompatibility. This prohibition aims to curb external occupational activities of SA members which have the potential to undermine the body's independence and neutrality.  


The purpose of this provision is to protect the independence of a SA, as well as the lawfulness of its actions and its reputation.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 31 (Nomos 2022).</ref> It requires the members of SAs to act with integrity (Recital 121 GDPR).
The concept of incompatibility is to be judged on a prognostic scale. Therefore, an occupation will be deemed incompatible if it has the potential to lead to undue influence or conflicts of interest with an SA's independent exercise of office, regardless of whether these are economic or political and so forth. The mere risk of incompatibility is sufficient to fall under the Article's prohibition.  


While the EDPS that is in charge of supervision of processing of personal data by EU institutions must pursuant to [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1725 Article 55(3) EUDPR] refrain from any other occupation, members of SAs are allowed to engage in other occupation, as long as it does not collide with their duties under the GDPR. This allows SAs to have also other competences, such as being at the same time the public authority in charge of freedom of information legislation. This is for example the case in Germany on the federal level and in some ''Länder'' and in Slovenia.
Typically, incompatible conduct would be, for example, accepting a position within a company whose actions are liable to scrutiny by the DPA, or the provision of legal advice within the SA’s own jurisdiction. However, even in circumstances such as these, each case must be examined to determine whether a conflict of interest arises. For instance, if an SA member were to take on an additional role as a tax consultant or lawyer in their individual capacity, the potential risk of conflict with supervisory tasks would have to be assessed, as in principle, such activities are not inherently incompatible with the office.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin numbers 12-14 (NOMOS 2019).</ref>
====Incompatible Action====
The prohibition of incompatible actions applies with regard to professional and private life of members.  


Given that, as mentioned above, the matter of which action or activity is incompatible must be defined by the individual member states, it is possible to outline some examples of actions which can be said to be certainly incompatible with the function of a SA member. The receipt of gifts, whether tangible or intangible, promises or any other form of benefit is certainly incompatible. At the same time, and to the extent possible, SA members should avoid frequent private contact with potential counterparties or representatives of controllers or processors, at least those against whom investigations are being conducted. <blockquote>Example: A member of a SA, which is competent for the control of company Supertech, goes every year on all-inclusive luxury holiday with his friend, the chief executive officer of this company for free.   </blockquote>
===(4) Sufficient resources ===
 
Article 52(4) GDPR and Article 52(6) GDPR establish the framework for SAs' financial governance. Article 52(4) GDPR stipulates that SAs must enjoy material independence. To be able to efficiently carry out their tasks, SAs must receive the necessary financial, organisational, technical and human resources to fulfil their multiple obligations under the GDPR. Included in SAs' material independence is autonomy in relation to the distribution of resources within the allocated budget.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 15 (Nomos 2019).</ref>
====Incompatible occupation====
In the case of occupation, the wording of Article 52(3) GDPR makes no difference whether these are professional, part-time, or voluntary. The decisive factor is whether the respective activity is “incompatible” with the office. This is meant to avoid the evil appearance of reduced independence and neutrality, comparable to the rules on bias. This is to be judged according to a prognostic scale. Therefore, there will be an incompatibility if the activity may lead to conflicts of interest with the independent exercise of office and influence on the office, whether in an economic, political or other way. Typically, incompatible conduct is, for example, accepting a position within a company that can be scrutinised by the DPA. Same goes for paid or unpaid legal advice unless the client is located outside the SA’s own jurisdiction. However, even in these cases, it must be examined whether there can be a connection to one’s own official business. The latter may be the case, for example, if it is the establishment or processor of a body to be controlled in its own jurisdiction. When carrying out activities as a tax consultant or lawyer, it must be analyzed, especially regarding the mandate and the task to be assigned, whether collisions with supervisory tasks can occur. However, at least in principle, such freelance activities are not incompatible with the office.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin numbers 12-14 (NOMOS 2019).</ref>


===(4) Sufficient Resources ===
This provision attempts to ensure that SAs' independent functioning and effective performance is not compromised by inadequate staffing and financial resources.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 22 (C.H. Beck 2020, 3rd Edition).</ref> The powers granted to SAs under the GDPR are hollow if an authority is unable to carry out its tasks, or can only do so ineffectively, because it lacks the necessary resources.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 40 (Nomos 2022).</ref> For this reason, the adequacy of resources should be periodically reviewed.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 881 (Oxford University Press 2020).</ref>
To be efficient, and carry out their tasks, the SAs should receive the financial, organisational, technical and human resources necessary to deal with their multiple tasks, and use their powers. These tasks include the participation in the cooperation and consistency mechanisms. Data protection law at a high level and an independent supervisory authority with numerous powers are pointless if this authority cannot carry out its tasks or can only do so ineffectively because it lacks the necessary staff, technical equipment, financial and other resources.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 40 (Nomos 2022).</ref> Additionally adequacy of resources should be periodically reviewed.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 881 (Oxford University Press 2020).</ref>  <blockquote>Example: If considering its resources a SA can carry out a control of each controller and processor in its area of responsibility only every 45.000 years the conditions of this provision are not met.<ref>This was the case in Baden-Württemberg in Germany. See ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 42 (Nomos 2022).</ref> </blockquote>Article 52(4) GDPR and Article 52(6) GDPR specify the elements of material independence of SAs. Part of its material independence is autonomy in relation to the allocation and disposal of resources within the allocated budget.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 15 (Nomos 2019).</ref>
==== Human resources ====
Human resources relate, on the one hand, to the necessary level of staff and, on the other hand, to the presence of qualified personnel to carry out the tasks and exercise of powers. This requires above all employees with a training background in the fields of law and computer science, including communication technology. Within the framework of the applicable salary structures, it must be ensured that the remuneration is designed in such a way that high-quality employees can be recruited in competition with the private sector.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 17 (NOMOS 2019).</ref> The structure of staff should enable the SAs to take prompt and effective action.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 881 (Oxford University Press 2020).</ref>
Human resources refer to the necessary number of staff and to the availability of qualified personnel to carry out the tasks and exercise of powers. This provision requires that SAs have employees with a training background in the fields of law and computer science, including communication technology. To do so, the applicable salary structures of SAs must be designed in such a way to ensure that high-quality employees can be recruited in competition with the private sector.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 17 (NOMOS 2019).</ref> The structure of staff should enable SAs to take prompt and effective action.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 881 (Oxford University Press 2020).</ref>


==== Technical resources ====
Technical resources are aimed at an appropriate equipment with hardware and software in order to be able to carry out the transferred official business. The supervisory authorities must be at the cutting edge of information and communication technology in order to be able to carry out their monitoring tasks.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 52 GDPR, margin number 18 (NOMOS 2019).</ref>
Technical resources refer to the availability of appropriate hardware and software equipment to SAs, in order for them to be able to carry out their monitoring tasks.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 52 GDPR, margin number 18 (NOMOS 2019).</ref>


==== Financial resources ====
Financial resources consist of the budget needed for the stable functioning of the SA as well as resources for unforeseen tasks. This includes, for example, funds for travel expenses, also for participation in further education and training, for the implementation of conferences and workshops, for obtaining external expertise in difficult legal issues or in legal representation or for the short-term reinforcement of staff coverage in the event of special workload.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 52 GDPR, margin number 19 (NOMOS 2019).</ref> Also, sufficient financial resources must be provided for the costs of necessary human and technical resources, the premises and the infrastructure.
Financial resources consist of the funding needed for the effective functioning of SAs, as well as resources for unforeseen tasks. According to Article 52(6) GDPR each SA must have its own budget (see below). Sufficient financial resources must be provided for an SA's basic running costs, such as for the necessary human and technical resources, the premises, and the infrastructure. Included in the financial resources, for example, could be funds for travel expenses, participation in further education and training, the implementation of conferences and workshops, obtaining external legal expertise, legal representation, or for the short-term reinforcement of staff coverage in the event of special workload.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 52 GDPR, margin number 19 (NOMOS 2019).</ref>  
 
Sufficient financial resources are very important for uninfluenced and impartial monitoring and decision making of SAs. Otherwise, there is a risk that SAs may be more lenient, look for amicable solutions and refrain from imposing heavy fines to avoid their decisions being challenged, in particular if they do not have the necessary financial resources to defend their decision in the event of an appeal in court.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 16 (Nomos 2019)</ref>


According to Article 52(6) GDPR each SA must have its own budget (see below).
Sufficient financial resources are crucial to the impartiality of SAs. Otherwise, there is a risk that SAs may be more lenient in the enforcement of the GDPR and may refrain from imposing heavy fines to avoid their decisions being challenged, especially if they do not have the necessary financial resources to defend their decision in the event of an appeal in court.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 16 (Nomos 2019)</ref>
==== Premises and infrastructure ====
Other essential elements for the proper functioning of the SA are the premises and the infrastructure. The SA should be equipped with premises with adequate space to ensure the permanence of its members and the confidentiality of meetings. Communication and security infrastructures commensurate with the sensitivity of the task are obviously needed.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin numbers 20 and 21 (Nomos 2019)</ref>


===== Necessary =====
Article 52(4) GDPR links the criteria of sufficient resources to the effective performance of an SA's tasks and exercise of its powers. It does not further specify what amount of resources is sufficient. The resources that an SA will need depend on different factors, such as the size of the territory and number of subjects it is bound to monitor, the size and complexity of data processing by controlling subjects, and how many complaints it receives. Another factor is the size of companies. Typically, big tech companies are more complex and time consuming to monitor than smaller businesses.
Article 52(4) GDPR explicitly relates the criteria of sufficient resources to the effective performance of an SA's tasks and exercise of its powers. The provision does not specify what minimum threshold of resource allocation is "''sufficient''" for the purposes of the GDPR. However, what is considered sufficient is likely to differ significantly from SA to SA, as this depends on varying factors, such as the size of the territory and number of subjects within it, the number of complaints it receives, and the complexity of those complaints. Another significant factor is the size of companies and their respective processing operations within an SA's territory. Naturally, larger technology companies are more complex and time consuming to monitor than smaller businesses.


===== Effective performance =====
Effective performance means that an SA efficiently performs all its tasks and efficiently exercises all its powers. In case of violations of the GDPR this means that every or most violations are identified, investigated and sanctioned. In general, high likelihood of sanctioning in case of infringements is a very significant factor for individuals' voluntary compliance with the laws. This is far from current reality where most violations of GDPR are not addressed, mass violations are tolerated and complaint procedures in most states take several years to be decided.<ref>From lodging the complaint with a SA until a decision is issued it usually takes 2.5 to 5 years. For more information see statistics of DPA’s handling of noyb cases, available [https://noyb.eu/en/project/dpa here].</ref>  
Effective performance refers to the efficient functioning of an SA, in both the fulfilment of its tasks and the exercise of its powers. In practice, the notion of effective performance suggests that the majority of GDPR violations are identified, investigated and sanctioned. In general, the likelihood of severe sanctioning against infringements is a crucial element of ensuring voluntary compliance with the law. Nonetheless, the concept of effective sanctioning remains far from the current reality where most GDPR violations are not addressed, mass violations are tolerated and complaints in most states take several years to be decided.<ref>From lodging the complaint with a SA until a decision is issued it usually takes 2.5 to 5 years. For more information see statistics of DPA’s handling of noyb cases, available [https://noyb.eu/en/project/dpa here].</ref>
 
Example: In Austria, a driver caught exceeding the speed limit is automatically sent a speeding ticket with a fine (1/2 of full fine). If the driver pays, no procedure is started. This is a very effective way of dealing with violations of traffic rules.
 
===== In the context of mutual assistance, cooperation and participation in the EDPB =====
Finally, member states must provide sufficient resources not only for performing the tasks and powers on national level, but also for the activities carried out “in the context of mutual assistance, cooperation and participation in the Board”. These tasks relate to SAs' participation in the cooperation and consistency mechanism enshrined in Chapter 7 of the GDPR. That involves staff attending the EDPB meetings, cooperation with the other SAs under the consistency mechanism (one-stop shop) but also technical and financial resources to cooperate with the other authorities. The SA should therefore have at its disposal, for example, linguistic interpreters when the collegial work requires the translation of documents or the interaction with colleagues of a different language, encrypted communication systems to maintain the secrecy of the investigations and, more generally, adequate financial cover for travel and joint investigations.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 52 GDPR, margin number 23 (C.H. Beck 2017).</ref>
Finally, Member States must provide sufficient resources not only for SAs on national level, but also on a European level. Member States must additionally provide sufficient resources for activities carried out ''“in the context of mutual assistance, cooperation and participation in the Board.”'' These activities relate to SAs' participation in the cooperation and consistency mechanism under Chapter 7 of the GDPR, and include staff attendance of EDPB meetings and cooperation with other SAs under the consistency mechanism (one-stop shop). In short, SAs must be provided with the sufficient technical and financial resources to cooperate with other authorities. An SA should therefore have at its disposal, for example, translators for when collegial work requires the translation of documents or the interaction with colleagues of a different language, encrypted communication systems to maintain the secrecy of the investigations and, more generally, the adequate financial resources for the instigation of joint investigations.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 52 GDPR, margin number 23 (C.H. Beck 2017).</ref>


===(5) Recruitment and Staff Supervision===
===(5) Recruitment and staff supervision===
The independence and efficiency of SAs may be compromised if its staff is chosen by another body or employed elsewhere. Unsuitable and incompetent staff cannot efficiently monitor the application of the GDPR. Therefore, Article 52(5) GDPR specifies that each SA must be able to choose and employ its own staff, who then must be subject to the exclusive direction of the member or members of the SAs.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 47 (Nomos 2022).</ref>  
The independence and efficiency of SAs may be compromised if its staff is chosen by another body or employed elsewhere. Unsuitable and incompetent staff cannot efficiently monitor the application of the GDPR. Therefore, Article 52(5) GDPR specifies that each SA must be able to choose and employ its own staff, who must then be subject to the exclusive direction of the SA.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 47 (Nomos 2022).</ref>  
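Review bot: The closing clause of the revised sentence now says staff are subject to the exclusive direction "of the SA", whereas Recital 121, sentence 3 (quoted in a reference on this page) and the earlier wording both say "of the member or members" of the supervisory authority. The earlier wording tracked the legal text and should be kept. The citation reads "Article 53 GDPR, margin number 47" while the other Ziebarth references in this section cite Article 52 GDPR, so it is worth checking against the source. In the first sentence, "SAs ... its staff" should be "their staff".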


==== Chooses and has own staff ====
==== Chooses and has own staff ====
The ability to choose and have own staff enables a SA to employ suitable staff with the expertise, experience, qualifications and skills required to perform their tasks.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 23 (Nomos 2022).</ref><blockquote>Case law: In Commission v Austria CJ EU decided among others that Austria did not fulfil the conditions of independence because the office  of the SA was integrated within the department of the Federal Chancellery composed of officials of the Federal Chancellery.<ref>CJEU Judgment, C-614/10, paragraphs 61 and 66.</ref></blockquote>Each SA must select its own staff. Taking into account Recital 121, this requirement can be met not only if the SA recruits and selects the staff itself, but also if the selection of staff is carried out by an independent body.<ref>Recital 121, sentence 3 reads: ''"The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority."''</ref> Autonomy and independence in the selection of staff gives SA an opportunity to better respond to existing professional and staffing needs.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 23 (Nomos 2022).</ref>  
An SAs' ability to choose and have its own staff enables SAs to employ suitable staff with the expertise, experience, qualifications and skills required to perform their tasks.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 23 (Nomos 2022).</ref> Each SA must select its own staff. Taking into account Recital 121, this requirement can be met not only if the SA recruits and selects the staff itself, but also if the selection of staff is carried out by an independent body.<ref>Recital 121, sentence 3 reads: ''"The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority."''</ref> Autonomy and independence in the selection of staff gives SA an opportunity to better respond to its existing professional and staffing needs.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 23 (Nomos 2022).</ref><blockquote><u>Case law</u>: In ''Commission v Austria'', the CJEU decided among others that Austria did not fulfil the conditions of independence because the SA's office was integrated within the department of the Federal Chancellery composed of officials of the Federal Chancellery.<ref>CJEU, case ''C-614/10 - Commission v Austria'' paragraphs 61 and 66.</ref></blockquote>
 
==== Exclusive direction of member(s) of supervisory authorities (SAs) ====
==== Exclusive direction of member(s) of supervisory authorities (SAs) ====
Staff of a SA is subject to exclusive supervision and direction of the member(s) of the SA, as any supervision or directions by another body could influence the work of the staff and thus also the work of the SA. This also “''excludes making available staff to the supervisory authority whilst that staff remains linked in an organisational way to or remains subject to any form of supervision by the body which made the staff available''”.<ref>''Zerdick'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 882 (Oxford University Press 2020).</ref>  
Staff of an SA are subject to the exclusive supervision and direction of the member(s) of the SA, as any supervision or directions by another body could influence the work of the staff and thus the work of the SA. This requirement also excludes the possibility of staff working for the SA, having any organisational links or being subject to the supervision of any other body.<ref>''Zerdick'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 882 (Oxford University Press 2020).</ref>  
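Review bot: The second sentence of the revision replaces the verbatim Zerdick quotation with a paraphrase whose comma placement makes it read as excluding "staff working for the SA" altogether. The original quotation concerned staff made available by another body who remain organisationally linked to it or supervised by it. Suggest restoring the quotation, or rewording to say that staff working for the SA may not remain organisationally linked to, or supervised by, the body that made them available.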


===(6) Financial Control and Budget===
===(6) Financial control and budget===
Article 52(6) GDPR addresses another aspect of financial independence of SAs, financial control and own budget.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 21 (C.H. Beck 2020, 3rd Edition).</ref> In addition, Article 52(4) GDPR requires member states to ensure sufficient financial and other resources.
Article 52(6) GDPR addresses a crucial aspect of SAs' financial independence, their freedom from financial oversight which has the capacity to affect their independence. Moreover, this provision necessitates that SAs have their own <span id="6">separate, public annual budgets.</span>


==== Financial control ====
==== Financial control ====
Naturally, the independence of the SAs does not mean that their financial expenditure cannot be subject to any monitoring and control mechanisms.<ref>Recital 118 GDPR provides that "''the independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review''."</ref> However, it does set limits on the scope of financial controls. Member states must ensure that the financial controls do not compromise the independence of SAs.  <blockquote>Example: In a complaint case against a processor the SA spent 10.000 EUR on the investigation. The financial audit can verify whether the SA spent the amount in accordance with the relevant financial rules, e.g. public procurement rules, but not whether the investigation itself was necessary. </blockquote>However, Article 52(6) GDPR should not be understood as obliging member states to subject the SAs to financial controls.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 52 (Nomos 2022).</ref>
Naturally, the concept of independence does not suggest that SAs should not be subject to any financial oversight, Recital 118 GDPR provides that "''the independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review''." Although, Article 52(6) GDPR should not be understood as obliging Member States to subject its SA(s) to financial controls,<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 52 (Nomos 2022).</ref> the provision does clearly set limits on the scope of financial controls, as these cannot compromise the independence of SAs. They must only be used as a mechanism for accountability, and may not be implemented in a way that would impede an SA's functioning. 
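Review bot: The first sentence of the revision is a comma splice ("... any financial oversight, Recital 118 GDPR provides ...") and the second opens with "Although," followed by a comma, which makes the concession and the main clause hard to follow. Split these into separate sentences. The two closing sentences ("They must only be used as a mechanism for accountability ...") carry no reference, and the revision drops the example of the 10.000 EUR investigation that illustrated what a financial audit may and may not verify. Consider keeping the example or adding a citation for the new claim.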
 
==== Budget ====
==== Budget ====
Each SA must now also have a separate annual budget. Separate budget gives a SA the ability to plan its own budget and to decide where allocate and spend the funds.  
Each SA must have a separate annual budget, which allows SAs a sense of financial autonomy. For the purposes of Article 52(6) GDPR, SAs must be able to independently determine the allocation of their funds.  


== Decisions==
== Decisions==

Latest revision as of 13:50, 2 October 2024

Article 52 - Independence

Legal Text

Article 52 - Independence

1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

Relevant Recitals

Recital 117: Establishment of Independent Supervisory Authorities
The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

Recital 118: Control and Monitoring of Supervisory Authorities
The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.

Recital 120: Resources, Premises and Infrastructure for Supervisory Authorities
Each supervisory authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of their tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisory authority should have a separate, public annual budget, which may be part of the overall state or national budget.

Recital 121: General Conditions for the Member(s) of Supervisory Authorities
The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority.

Commentary

Primary Union law necessitates the independence of supervisory authorities under Article 8(3) of the Charter of Fundamental Rights of the European Union ("CFR"), Article 16(2) of the Treaty on the Functioning of the European Union ("TFEU") and Article 39 of the Treaty on the European Union ("TEU"). These Articles provide that Member States must ensure that compliance with data protection rules is subject to the "control of independent authorities." Article 52 GDPR gives effect to this requirement.

Article 52 GDPR codifies the concept of "complete independence" developed by the European Court of Justice ("CJEU") in several landmark cases concerning the interpretation of Article 28(1) of Directive 95/46/EC ("DPD"), the Regulation's predecessor.[1] Article 28(1) DPD established the existence of supervisory authorities and mandated that they were to "act with complete independence in exercising the functions entrusted to them."

Similarly, Article 52(1) GDPR explicitly demands that the independence of SAs must be complete. It has elaborated this to mean that the authority and its members must exercise their functions without any external influence and without conflicts of interest (Article 52(2)(3) GDPR). In order to make these principles operational, the provision requires Member States to provide the SA with adequate financial and organisational means for this purpose (Article 52(4)(5)(6) GDPR). Elements of SAs' complete independence are also addressed in Article 53 GDPR and Article 54 GDPR.

The CJEU, in Commission v Germany, notes that the notion of absolute independence for SAs was developed in order to strengthen the protection of individuals, not for the purpose of granting special status to SAs.[2] Moreover, this understanding was affirmed in Commission v Austria, wherein the CJEU held that “the guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on the protection of individuals with regard to the processing of personal data [...].”[3]

The notion of independence recurs throughout the Regulation. For instance, the principle of independence is also referred to in Article 4(12) GDPR (definition of SA), Article 45(2)(b) GDPR (personal data transfers to a third country or an international organisation outside of the European Economic Area), and Article 69 GDPR (on the independence of the European Data Protection Board ("EDPB")).[4]

(1) Complete independence of supervisory authorities (SAs)

Article 52(1) GDPR acts as a catch-all clause that applies as a general standard,[5] even where more specific provisions of the GDPR do not apply.

Each supervisory authority (SA)

Member States can establish one or several SAs for monitoring the implementation of the GDPR (Article 51 GDPR). Article 52(1) GDPR clarifies that "each" of them must ("shall") act with complete independence.[6]

Shall act

This condition mandates that Member States, SAs and each of their members ensure that the requirement of complete independence is fulfilled. In the event that the provision is not implemented, the Commission may start infringement proceedings against the state under Article 258 TFEU. In addition, other Member States may bring an action before the CJEU under Article 259 TFEU.

Infringement proceedings against Member States have occurred before. In three separate cases instigated by the Commission, the CJEU found that Germany, Austria, and Hungary had not fulfilled their obligations, as they had failed to ensure the complete independence of their SAs.[7]

Complete independence

In Commission v Germany, the Court specified that the notion of “complete independence” must be given a broad and autonomous interpretation. Other provisions on the independence of SAs and the European Data Protection Supervisor ("EDPS") are to be interpreted homogeneously, as they are based on the same general principle of independence.[8]

Complete independence requires that the decisions of SAs and SAs themselves, are objective and impartial and remain above any suspicion of partiality.[9] To fulfil the requirement of complete independence, SAs must remain free from any external influence, which is liable to have an effect on their decisions.[10] According to the CJEU, this freedom is necessary for SAs to carry out their functions, which include "ensuring a fair balance between fundamental rights, on the one hand, observance of the fundamental right to private life and, on the other hand, the interests requiring free movement of personal data.”[11]

Consequently, an SA must enjoy independence in all possible forms, including:

  • institutional and organizational independence (see below);
  • independence in decision making, without any external influence (see Article 52(2) GDPR, below);
  • functional independence (see Article 52(3) GDPR, below);
  • operational independence, such as having own premises and staff (see Article 52(4)(5) GDPR, below);
  • financial and budgetary independence (see Article 52(4)(6) GDPR, below), and
  • restrictions regarding premature termination of mandate of SA members (see Article 53 GDPR).


These requirements mean that SAs must be independent with respect to the entities, controllers or processors, over which they are required to exercise control. The concept of independence applies also to the state or any other entity that may exercise any kind of direct or indirect influence over the decision-making capacity of an SA. For example, in practice, this requirement mandates that legislative or executive bodies, such as the government of a Member State or the Commission, cannot change or replace a decision taken by an SA. Moreover, the concept of complete independence extends to SA members' term of office, which cannot end prematurely outside of the GDPR's parameters, even if Member States introduce domestic laws which attempt to restructure the functioning of SAs.[12]

The independence of SAs extends to adequacy decisions adopted by the Commission. An SA is not bound by an adequacy decision adopted by the Commission under Article 45 GDPR, if it considers it to not comply with the GDPR's requirements. For instance, in Schrems I, the CJEU made it clear that the competent SA when examining a data subject's claim relating to the third-country transfer of data "must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the [law]."[13]

The aim of such complete independence is to ensure that SAs are free from political influence. For this reason, the CJEU has highlighted that their governance must remain outside of a State's "classic hierarchical administration."[14] The requirement of independence does not jeopardise their democratic legitimation, as an SA's democratic legitimacy stems from the appointment of its members, which is to be done by means of a transparent procedure by a Member State's parliament, government, head of State, or an independent body entrusted with the appointment under Member State law (Article 53 GDPR). SAs are also accountable to the political bodies of their Member States.

Nevertheless, complete independence should not be taken to mean unaccountability.[15] Pursuant to Article 59 GDPR, SAs must provide annual reports to the national parliament, the government and any other authorities as designated by Member State law. Moreover, in line with the rule of law, decisions of SAs are subject to judicial review, under Article 78 GDPR.

Performing its tasks and exercising its powers

Tasks of supervisory authorities (SAs)

Among the tasks of each SA is handling of complaints of data subjects and cooperation with other SAs under the Article 63 GDPR consistency mechanism. The tasks of SAs are laid down in Article 57 GDPR.[16]

Powers of supervisory authorities (SAs)

The powers of SAs are both investigative and corrective, which are set out in Article 58 GDPR.[17]

The fact that SAs' legally binding decisions are subject to full judicial review (see commentary on Article 78 GDPR) does not diminish the SAs' independence:


"[…] it is true that, in accordance with Article 8(3) of the Charter, compliance with the rules on the protection of personal data is subject to control by an independent authority. In that context, Article 52 of the GDPR specifies, in particular, that each supervisory authority is to act with complete independence in performing its tasks and exercising its powers in accordance with that regulation […].

However, those guarantees of independence are in no way compromised by the fact that the legally binding decisions of a supervisory authority are subject to full judicial review."

CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA, margin number 64 et seq.


(2) Freedom from external influence

Article 52(2) GDPR requires two things from members of SAs in the performance of their duties. Firstly, it requires them to remain free from external influences, whether direct or indirect, and secondly, it prohibits them from seeking or taking instructions from anyone.

As the guardians of the right to data privacy, SAs must be able to act objectively and impartially, free from any external influence that might affect their decision-making process. This prohibition is primarily targeted at undue governmental and political influence.[18]

Case law: In Commission v Germany, the CJEU considered that a government may, among others, tend to favour economic interests in the application of data protection provisions by certain establishments which are economically significant for their state or a region.[19] The Court decided that the requirement of independence was not met, as SAs' competences over the private sector were subject to governmental supervision and state scrutiny, which allowed the government to directly and indirectly influence the decisions of Germany's SAs.[20] In Commission v Austria, the CJEU among others held that the fact that the office of SAs was composed of officials of the Federal Chancellery (Office of the Head of Austrian Government), which was itself subject to supervision by the Austrian SA, carried a risk of influence over the SA’s decisions and prevented it from being above all suspicion of partiality, and was therefore incompatible with the requirement of independence.[21]

Member(s) of supervisory authority (SA)

Members of SAs are the carriers of the principle of independence of SAs. Members are the lead personnel appointed in accordance with Article 53(1) GDPR.[22] In addition to at least one member, every SA also has staff. The concept of independence does not apply to staff. They must follow instructions of members of the SAs but must remain independent from any influence from outside of the SA (see Article 52(4) GDPR section below).[23]

Remain free from external influence

Direct influence

The prohibition under Article 52(2) GDPR is broad and forbids any form of direct influence. Forms of direct influence are more explicit than indirect influence, and could include instructions given to an SA on any aspect of its work, direct political influence, or prior compliance.[24] These examples are non-exhaustive. In practice, this prohibition forbids situations such as the following:

Example: The government cannot review a decision of an SA for its correct interpretation and application of the GDPR and replace it.

Example: The Commission cannot instruct an SA as to which company should or should not be investigated.

Example: An SA will not decide to impose a fine for the repeated violation of the GDPR, as they are aware that their state's ministry as the scrutinising authority, will annul and replace their decision because the government does not want to impose any fines for political reasons.

Indirect influence

Indirect influence is implicit, and occurs in instances where an SA’s actions or decisions are swayed by external factors. CJEU case law suggests that the mere suspicion of partiality is sufficient to constitute an infringement upon an SA's independence. In the Court’s view, this risk may generate a form of ‘prior compliance’ which is incompatible with the free and independent exercise of an SA's functions. Indirect influence equally may result from external control over an SA member's career prospects, including external control over disciplinary action, especially in circumstances where political incentives exist for the GDPR's non-enforcement.

Case law: In Commission v Germany, the CJEU explained that “the mere risk that the state scrutinizing authorities could exercise political powers over the decisions of SAs is enough to hinder the latter in the independent performance of their tasks. First, as was stated by the Commission, there could be ‘prior compliance’ on the part of those authorities in the light of the scrutinising authority’s decision-making practice. Secondly, for the purposes of the role adopted by those authorities as guardians of the right to private life, it is necessary that their decisions, and therefore the authorities themselves, remain above any suspicion of partiality.”[25]

Case law: In Commission v Austria, the CJEU held that the fact that the Federal Chancellor had an unconditional right to be informed on all aspects of the work of the SA was enough to subject the SA to indirect influence from the Federal Chancellor. The Court also noted that the professional evaluation of an SA member by their hierarchical superior for the purposes of a promotion had the capacity to constitute a form of prior compliance.[26]

Case law: Similarly, in Commission v Hungary, the CJEU clarified that an SA member's risk of premature termination from their term of office could lead them to enter into a form of prior compliance with the political authority in question. The mere risk of prior compliance was incompatible with the requirement of independence.[27]

Given these conditions, the question arises as to what should be the scale of national legislative intervention to ensure effective independence during SA members' term of office. The problem is particularly pressing where certain professional categories are concerned, such as legal advisors in the private sector. In instances such as these, a form of prior compliance can be envisaged, not so much with respect to political or governmental bodies, but rather with respect to positions taken previously, or to the risk that certain ‘unpopular’ decisions may reduce the number of job opportunities after the end of members' term.

Freedom from instructions

The wording of Article 52(2) GDPR includes an explicit prohibition on SAs seeking or taking instructions from anybody. The CJEU has clarified that freedom from external interference is an essential element of the principle of independence.

Case law: In Commission v Hungary, the CJEU held that “[t]he operational independence of supervisory authorities, in that their members are not bound by instructions of any kind in the performance of their duties, is thus an essential condition that must be met if those authorities are to satisfy the criterion of independence.”[28]

(3) Prohibition against incompatible actions

Under Article 52(3) GDPR, members of each SA are forbidden, during their term of office, from engaging in any actions or occupations incompatible with their duties, whether gainful or not. The purpose of this provision is to protect the independence of SAs, as well as to ensure the lawfulness of their actions and to ensure the maintenance of their reputation.[29] The GDPR provides no list of actions or occupations that are considered "incompatible", as under Article 54(1)(f) GDPR, Member States must regulate the matter through their national legislation. Recital 121 also confirms that Member States are to regulate the general conditions for SA members and, in addition, requires that SA members act with integrity.

Unlike the members of other supervisory bodies, such as the EDPS, members of SAs are permitted to hold other positions in addition to those with the SA, so long as these do not conflict with their duties under the GDPR. This freedom allows members of SAs to hold other competences. For example, in Germany on a federal level and in some German individual federal states, as well as in Malta and Slovenia, SAs are the public authority in charge of freedom of information legislation.

Incompatible action

The prohibition of incompatible actions applies both to SA members' professional and private life. As noted above, the concept of incompatibility is left to Member States to define. Nonetheless, examples of actions which would be considered incompatible with the function of an SA member are those which risk giving rise to external influence or partiality. For example, the receipt of gifts, promises or any other form of benefit is certainly incompatible. In addition, SA members should avoid frequent private contact with potential counterparties or representatives of controllers or processors to the extent possible, and at the least should avoid contact with those against whom investigations are being conducted.

Incompatible occupation

Regarding the concept of "incompatible occupation," the wording of Article 52(3) GDPR does not differentiate by the nature of the occupation. It makes no difference for the purpose of the provision whether the occupation is professional, part-time, or voluntary. The decisive factor is the occupation's incompatibility. This prohibition aims to guard against external occupational activities of SA members which have the potential to undermine the body's independence and neutrality.

The concept of incompatibility is to be judged on a prognostic scale. Therefore, an occupation will be deemed incompatible if it has the potential to lead to undue influence or conflicts of interest with an SA's independent exercise of office, regardless of whether these are economic or political and so forth. The mere risk of incompatibility is sufficient to fall under the Article's prohibition.

Typically, incompatible conduct would be, for example, accepting a position within a company whose actions are liable to scrutiny by the DPA, or the provision of legal advice within the SA’s own jurisdiction. However, even in circumstances such as these, each case must be examined to determine whether a conflict of interest arises. For instance, if an SA member were to take on an additional role as a tax consultant or lawyer in their individual capacity, the potential risk of conflict with supervisory tasks would have to be assessed, as in principle, such activities are not inherently incompatible with the office.[30]

(4) Sufficient resources

Article 52(4) GDPR and Article 52(6) GDPR establish the framework for SAs' financial governance. Article 52(4) GDPR stipulates that SAs must enjoy material independence. To be able to efficiently carry out their tasks, SAs must receive the necessary financial, organisational, technical and human resources to fulfil their multiple obligations under the GDPR. Included in SAs' material independence is autonomy in relation to the distribution of resources within the allocated budget.[31]

This provision attempts to ensure that SAs' independent functioning and effective performance is not compromised by inadequate staffing and financial resources.[32] The powers granted to SAs under the GDPR are hollow if an authority is unable to carry out its tasks, or can only do so ineffectively, because it lacks the necessary resources.[33] For this reason, the adequacy of resources should be periodically reviewed.[34]

Human resources

Human resources refer to the necessary number of staff and to the availability of qualified personnel to carry out the tasks and exercise the powers. This provision requires that SAs have employees with a training background in the fields of law and computer science, including communication technology. To do so, the applicable salary structures of SAs must be designed in such a way as to ensure that high-quality employees can be recruited in competition with the private sector.[35] The structure of staff should enable SAs to take prompt and effective action.[36]

Technical resources

Technical resources refer to the availability of appropriate hardware and software equipment to SAs, in order for them to be able to carry out their monitoring tasks.[37]

Financial resources

Financial resources consist of the funding needed for the effective functioning of SAs, as well as resources for unforeseen tasks. According to Article 52(6) GDPR each SA must have its own budget (see below). Sufficient financial resources must be provided for an SA's basic running costs, such as for the necessary human and technical resources, the premises, and the infrastructure. Included in the financial resources, for example, could be funds for travel expenses, participation in further education and training, the implementation of conferences and workshops, obtaining external legal expertise, legal representation, or for the short-term reinforcement of staff coverage in the event of special workload.[38]

Sufficient financial resources are crucial to the impartiality of SAs. Otherwise, there is a risk that SAs may be more lenient in the enforcement of the GDPR and may refrain from imposing heavy fines to avoid their decisions being challenged, especially if they do not have the necessary financial resources to defend their decision in the event of an appeal in court.[39]

Premises and infrastructure

Other essential elements for the proper functioning of the SA are the premises and the infrastructure. The SA should be equipped with premises with adequate space to ensure the permanence of its members and the confidentiality of meetings. Communication and security infrastructures commensurate with the sensitivity of the task are obviously needed.[40]

Necessary for effective performance of its tasks and exercise of its powers

Necessary

Article 52(4) GDPR explicitly relates the criterion of sufficient resources to the effective performance of an SA's tasks and exercise of its powers. The provision does not specify what minimum threshold of resource allocation is "sufficient" for the purposes of the GDPR. However, what is considered sufficient is likely to differ significantly from SA to SA, as this depends on varying factors, such as the size of the territory and number of subjects within it, the number of complaints it receives, and the complexity of those complaints. Another significant factor is the size of companies and their respective processing operations within an SA's territory. Naturally, larger technology companies are more complex and time-consuming to monitor than smaller businesses.

Effective performance

Effective performance refers to the efficient functioning of an SA, in both the fulfilment of its tasks and the exercise of its powers. In practice, the notion of effective performance suggests that the majority of GDPR violations are identified, investigated and sanctioned. In general, the likelihood of severe sanctioning against infringements is a crucial element of ensuring voluntary compliance with the law. Nonetheless, the concept of effective sanctioning remains far from the current reality where most GDPR violations are not addressed, mass violations are tolerated and complaints in most states take several years to be decided.[41]

In the context of mutual assistance, cooperation and participation in the EDPB

Finally, Member States must provide sufficient resources for SAs not only at national level, but also at European level. Member States must additionally provide sufficient resources for activities carried out “in the context of mutual assistance, cooperation and participation in the Board.” These activities relate to SAs' participation in the cooperation and consistency mechanism under Chapter 7 of the GDPR, and include staff attendance of EDPB meetings and cooperation with other SAs under the consistency mechanism (one-stop shop). In short, SAs must be provided with sufficient technical and financial resources to cooperate with other authorities. An SA should therefore have at its disposal, for example, translators for when collegial work requires the translation of documents or the interaction with colleagues of a different language, encrypted communication systems to maintain the secrecy of the investigations and, more generally, the adequate financial resources for the instigation of joint investigations.[42]

(5) Recruitment and staff supervision

The independence and efficiency of SAs may be compromised if their staff are chosen by another body or employed elsewhere. Unsuitable and incompetent staff cannot efficiently monitor the application of the GDPR. Therefore, Article 52(5) GDPR specifies that each SA must be able to choose and employ its own staff, who must then be subject to the exclusive direction of the SA.[43]

Chooses and has own staff

An SA's ability to choose and have its own staff enables it to employ suitable staff with the expertise, experience, qualifications and skills required to perform their tasks.[44] Each SA must select its own staff. Taking into account Recital 121, this requirement can be met not only if the SA recruits and selects the staff itself, but also if the selection of staff is carried out by an independent body.[45] Autonomy and independence in the selection of staff gives an SA the opportunity to better respond to its existing professional and staffing needs.[46]

Case law: In Commission v Austria, the CJEU decided, among other things, that Austria did not fulfil the conditions of independence because the SA's office was integrated within the department of the Federal Chancellery composed of officials of the Federal Chancellery.[47]

Exclusive direction of member(s) of supervisory authorities (SAs)

Staff of an SA are subject to the exclusive supervision and direction of the member(s) of the SA, as any supervision or directions by another body could influence the work of the staff and thus the work of the SA. This requirement also excludes the possibility of staff working for the SA having any organisational links to, or being subject to the supervision of, any other body.[48]

(6) Financial control and budget

Article 52(6) GDPR addresses a crucial aspect of SAs' financial independence: their freedom from financial oversight which has the capacity to affect their independence. Moreover, this provision necessitates that SAs have their own separate, public annual budgets.

Financial control

Naturally, the concept of independence does not suggest that SAs should not be subject to any financial oversight. Recital 118 GDPR provides that "the independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review." Although Article 52(6) GDPR should not be understood as obliging Member States to subject their SA(s) to financial controls,[49] the provision does clearly set limits on the scope of financial controls, as these cannot compromise the independence of SAs. They must only be used as a mechanism for accountability, and may not be implemented in a way that would impede an SA's functioning.

Budget

Each SA must have a separate annual budget, which allows SAs a sense of financial autonomy. For the purposes of Article 52(6) GDPR, SAs must be able to independently determine the allocation of their funds.

Decisions

→ You can find all related decisions in Category:Article 52 GDPR

References

  1. Case C-518/07, Commission v Germany; Case C-614/10, Commission v Austria; and Case C-288/12, Commission v Hungary.
  2. See CJEU, case C-518/07 - Commission v Germany, paragraph 25.
  3. See CJEU, case C-614/10 - Commission v Austria, paragraph 25.
  4. See Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 876 (Oxford University Press 2020).
  5. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 6 (Nomos 2022).
  6. Zerdick, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 879 (Oxford University Press 2020).
  7. See CJEU, case C-518/07 - Commission v Germany, case C-614/10 - Commission v Austria, and case C-288/12 - Commission v Hungary.
  8. See CJEU, case C-518/07 - Commission v Germany, paragraphs 17-39 and 51 and paragraphs 26-28, available here. See also Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, pages 875 and 878 (Oxford University Press 2020). The independence of EDPS is now regulated in Article 55 EUDPR (Regulation (EU) 2018/1725, available here), which has replaced Article 44 of the Regulation 45/2001.
  9. CJEU, case C-518/07 - Commission v Germany, paragraph 36, available here.
  10. CJEU, case C-518/07 - Commission v Germany, paragraph 41, available here.
  11. CJEU, case C-518/07 - Commission v Germany, paragraph 24, available here.
  12. CJEU, case C-288/12 – Commission v Hungary, paragraph 61, available here.
  13. CJEU in case C-362/14 - Schrems I, paragraph 57, available here.
  14. CJEU in case C-518/07 - Commission v Germany, paragraph 42.
  15. See Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 30 (Nomos 2022).
  16. For further analysis on this point please refer to Article 57 GDPR.
  17. For further analysis, please refer to Article 58 GDPR.
  18. See CJEU, case C-518/07 – Commission v Germany, paragraph 35, available here.
  19. The CJEU explained in Commission v Germany that “the government of the Land concerned might have an interest in not complying with the provisions of the GDPR”. They might be an interested party in a processing, for example, in the case of contracts with the private sector. They might have an interest in having access to a database, in particular for taxation or law enforcement purposes. Also, a government might tend to favour economic interests in the application of data protection provisions by certain companies which are economically important for the Land or region. See CJEU, case C-518/07 – Commission v Germany, paragraph 35, available here.
  20. CJEU in case C-518/07 - Commission v Germany, paragraphs 19, 25, 30 and 50 available here.
  21. CJEU, case C-614/10 - Commission v Austria, paragraph 61, available here.
  22. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin numbers 21 to 24 (Nomos 2022).
  23. See Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition). See also Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 26 (Nomos 2022).
  24. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 5 (Nomos 2019); to that end see also Article 58(4) GDPR.
  25. CJEU, case C-518/07 – Commission v Germany, paragraph 36, available here.
  26. CJEU in case C-614/10 - Commission v Austria, paragraphs 63 and 51, available here.
  27. CJEU in case C-288/12 - Commission v Hungary, available here.
  28. CJEU in case C-288/12 - Commission v Hungary, para 52. Available here.
  29. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 31 (Nomos 2022).
  30. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin numbers 12-14 (Nomos 2019).
  31. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 15 (Nomos 2019).
  32. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 22 (C.H. Beck 2020, 3rd Edition).
  33. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 40 (Nomos 2022).
  34. Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 881 (Oxford University Press 2020).
  35. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 17 (Nomos 2019).
  36. Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 881 (Oxford University Press 2020).
  37. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 52 GDPR, margin number 18 (Nomos 2019).
  38. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 52 GDPR, margin number 19 (Nomos 2019).
  39. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 16 (Nomos 2019).
  40. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin numbers 20 and 21 (Nomos 2019).
  41. From lodging the complaint with an SA until a decision is issued it usually takes 2.5 to 5 years. For more information see statistics of DPA’s handling of noyb cases, available here.
  42. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 52 GDPR, margin number 23 (C.H. Beck 2017).
  43. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 47 (Nomos 2022).
  44. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 23 (Nomos 2022).
  45. Recital 121, sentence 3 reads: "The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority."
  46. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 23 (Nomos 2022).
  47. CJEU, case C-614/10 - Commission v Austria, paragraphs 61 and 66.
  48. Zerdick, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 882 (Oxford University Press 2020).
  49. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 52 (Nomos 2022).