Article 57 GDPR: Difference between revisions

From GDPRhub
(SCHUFA CJEU-quotes)
 
(29 intermediate revisions by 2 users not shown)
Line 185: Line 185:


==Legal Text==
==Legal Text==
<br /><center>'''Article 57 - Tasks'''</center>
'''Article 57 - Tasks'''


<span id="1">1.  Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:</span>
<span id="1">1.  Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:</span>
Line 247: Line 247:


== Commentary==
== Commentary==
Article 57(1) GDPR contains a detailed, albeit not exhaustive, list of mandatory tasks assigned to the supervisory authorities (SAs).<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 1 (Nomos 2022).</ref> Article 57(2) to (4) specify that the submission of complaints should be facilitated, tasks should be performed free of charge for data subjects, as wll as rules regarding excesive requests.
Article 57(1) GDPR contains a detailed, albeit not exhaustive, list of mandatory tasks assigned to the supervisory authorities (SAs).<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 1 (Nomos 2022).</ref> Articles 57(2) to (4) GDPR require SAs to facilitate the submission of complaints and not to charge fees to data subjects, except for manifestly unfounded or excessive requests.


Articles that are related to this provision, include Article 4(21) GDPR (definition of a supervisory authority); Article 28(8) GDPR (adoption of processors’ standard contractual clauses); Article 36(2) GDPR (prior consultation); Article 40 GDPR  (codes of conduct); Article 42 GDPR  (certification); Article 46 GDPR (standard data protection clauses for data transfers); Article 47 GDPR (approval of binding corporate rules); Article 50 GDPR (international cooperation for the protection of personal data); Article 58 GDPR (powers); Article 59 GDPR (activity reports); Article 60 GDPR (cooperation between supervisory authorities); Article 61 GDPR (mutual assistance); Article 62 GDPR (joint operations ); Article 70 GDPR (tasks of the Board), Article 77 GDPR (complaint handling and investigations); and Article 83 GDPR (administrative fines).<ref>''See Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 929 (Oxford University Press 2020).</ref>  
==== Related Articles ====
Articles that are related to Article 57 GDPR include Article 4(21) GDPR (definition of a supervisory authority); Article 28(8) GDPR (adoption of processors’ standard contractual clauses); Article 36(2) GDPR (prior consultation); Article 40 GDPR  (codes of conduct); Article 42 GDPR  (certification); Article 46 GDPR (standard data protection clauses for data transfers); Article 47 GDPR (approval of binding corporate rules); Article 50 GDPR (international cooperation for the protection of personal data); Article 58 GDPR (powers); Article 59 GDPR (activity reports); Article 60 GDPR (cooperation between supervisory authorities); Article 61 GDPR (mutual assistance); Article 62 GDPR (joint operations ); Article 70 GDPR (tasks of the Board), Article 77 GDPR (complaint handling and investigations); and Article 83 GDPR (administrative fines).<ref>''See Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 929 (Oxford University Press 2020).</ref>  


===(1) Tasks of the supervisory authority (SA) ===
===(1) Tasks of the supervisory authority (SA) ===
Article 57(1) GDPR sets out a list of 21 tasks that each SA must ("shall") perform on its teritory, without prejudice to other tasks set out under the GDPR.
Article 57(1) GDPR sets out a list of 21 tasks that each SA must ("''shall''") perform on its territory. The detailed regulation aims at creating an equivalent level of data protection within the EU through a ''"uniform implementation framework''" (Recital 123 GDPR, 129 GDPR).<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 1-3 (C.H. Beck 2021).</ref>


The tasks can be devided into monitoring and enforcement, investigation and audit activities, advisory activities, cooperation requirements, execution of the activities and instruments envisaged in other Articles of the GDPR, documentation requirements and following current developments.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).</ref>
Tasks listed in Article 57(1) GDPR can be divided into:


The aim of the detailed regulation is to create an equivalent level of data protection within the EU through a ''"uniform implementation framework''" (Recital 123 GDPR, 129 GDPR and Article 57(1)(g)(h) GDPR).<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 1-3 (C.H. Beck 2021).</ref>  
* monitoring and enforcement activities (points a, f, h and g),
* investigation and audit activities ( points f and h),
* advisory activities (points c, d, e and l)
* awareness raising activities (points b and d),
* cooperation activities (points g and t),
* performing of activities and instruments envisaged in other Articles of the GDPR (points j to s),
* documentation requirements (point u), and
* monitoring of relevant developments that could have an impact on the protection of personal data (point i).<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).</ref>  


Ensuring free flow of personal data is not entailed among the tasks of the SA.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 4 (Nomos 2022).</ref>


====Without prejudice to other tasks ====
Albeit detailed the list of tasks is not closed, as some tasks are set out in other parts of the GDPR ("''without prejudice to other tasks set out under this Regulation''"). An example thereof is drawing up of annual activity reports ([[Article 59 GDPR|Article 59 GDPR)]]. It should be noted that that ensuring free flow of personal data is not entailed among the tasks of the SA.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 4 (Nomos 2022).</ref>
The provision does not provide for a closed list, as other tasks and responsibilities may arise from other provisions included in the GDPR, such as drawing up of annual activity reports under [[Article 59 GDPR]].  


====Tasks of SAs====
====(a) Monitor and enforce the application of the GDPR====
Monitoring and enforcement of the GDPR are SA's main tasks. They summarise the core idea of SA's activities. All other tasks entailed in Article 57(1) GDPR can be understood as a manifestation of this general task.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 9 (C.H. Beck 2020).</ref>


=====(a) Monitor and enforce the GDPR =====
===== Monitoring =====
According to Article 57(1)(a) GDPR, the SAs must ("shall") monitor and enforce the application of the GDPR. These are SA's main tasks. The collocation of these tasks (letter a) reflects its prominence''.'' It summarises the core idea of SAs activities. Other tasks envisaged by the provision are almost all preordained to the fulfilment of these main tasks.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 9 (C.H. Beck 2020).</ref>


======Monitor======
Monitoring of the application of the GDPR refers to controlling controllers and processors and reviewing whether they comply with the GDPR. Monitoring includes data protection audits of controllers and processors, probes of compliance wit certain provisions of the GDPR or types of data processing and reviewing the certifications issued in accordance with Article 42(7) GDPR. When performing this task SA typically uses investigative powers from Article 58(1)(a)(b)(e)(f).<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019). See also ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 7 (Nomos 2022).</ref><blockquote>Example: A DPA starts a probe into video surveillance practices in supermarkets to determine whether controllers comply with the principles of lawfulness and data minimisation.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).</ref> </blockquote><blockquote>{{Quote-CJEU|"[...] it is important to note that, in accordance with Article 8(3) of the Charter and Article 51(1) and Article 57(1)(a) of the GDPR, the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data [...]"|CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|55.}}</blockquote>
Monitoring means checking compliance with the GDPR. In particular, the performance of data protection reviews.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).</ref><blockquote>Example: Reviewing the certifications granted under [[Article 42 GDPR|Article 42(7) GDPR]].<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).</ref> </blockquote>This provision takes into account that data protection law, even at the highest level, is of little use if it is not enforced.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 6 (Nomos 2022).</ref>  


======Enforce======
===== Enforce =====
Enforcement means remedying identified infringements of the GDPR, including coercive enforcement. <ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 9 (Nomos 2019).</ref> This means that if the SA determines that the GDPR has been applied incorrectly or not at all by a controller or processor, it should not stop there. Its activities include the effective enforcement of the GDPR against entities. The SA should make use of its corrective powers under [[Article 58 GDPR|Article 58(2) GDPR]].<ref name=":0">''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 7 (C.H. Beck 2018).</ref> This ranges from warning, to issuing a ban on processing and to the imposition of fines.<blockquote>Example: Company YX is transfering data to the US without a valid legal basis. SA can establish an infringment of the GDPR, order return of data to the EU/EEA, ban future processing of respective data outside the EU/EEA and impose a fine.</blockquote>SAs thus become effective supervisors with the possibility to intervene comprehensively and, if necessary, with coercive measures for the purpose of the effective application of the GDPR.<ref name=":0" />
Enforcement of the application of the GDPR concerns the remedying of infringements of the GDPR that a SA has identified. <ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 9 (Nomos 2019).</ref> This means that when a SA determines that the GDPR has been applied incorrectly or not at all by a controller or processor, the SA should not stop there, but ensure compliance.  


=====(b) Promote public awareness=====
Enforcement must be effective and, if necessary, coercive. Therefore SA should make use of its corrective powers under [[Article 58 GDPR|Article 58(2) GDPR]].<ref name=":0">''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 7 (C.H. Beck 2018).</ref> This ranges from warning, to issuing a ban on processing and to the imposition of fines. SAs thus become effective supervisors with the possibility to intervene comprehensively.<ref name=":0" /> Data protection law, even at the highest level, is of little use if it is not enforced.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 6 (Nomos 2022).</ref><blockquote>Example: Company YX is transferring data to the US without a valid legal basis. After the SA has established the infringement of the GDPR it should ensure that the infringement stops and that the controller brings the processing of personal data in compliance with GDPR. This can be done by ordering return of data to the EU/EEA, banning future processing of respective data outside the EU/EEA and imposing a fine for¨in the event, if YX does not comply with the order.</blockquote>
Raising public awareness is explicitly regulated as a task. The GDPR expressly assigns the SAs the task of making the public aware not only of the risks associated with data processing but also of safeguards and protections that the GDPR affords to data subjects and children. <blockquote>Example: A SA organises a public campaign "''know your rights''" on data subjects rights that includes visits of schools. </blockquote>The focus can be placed on sensitive areas and thus also the perception and presence of SAs can be strengthened. ''Only as publicly known body can the authorities effectively fulfil their task as 'independent guardians of the fundamental right to data protection'''.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).</ref> The annual report that SAs are required to draw up under [[Article 59 GDPR]] can be used to promote and raise awareness, but also educational events  on data protection issues. For example on the European Data Protection Day, which is celebrated on 28 January.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 13 (2nd Edition, C.H. Beck 2018).</ref> To provide an example, the knowledge of the functions, possibilities and risks of automated data processing is limited in the general public. The risks arise not only from the technical possibilities of accessing knowledge, but also from the consequences that can result when state, social or economic power obtains knowledge about people in an uncontrolled and asymmetrical manner. Informing the public about this and about the regulations, guarantees and rights of the individual is therefore an important task of the SAs and also an effective means of raising the level of data protection. <ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 15 and 16 (Nomos 2022).</ref>


===== (c) Advise member states and other public bodies=====
==== (b) Promote public awareness ====
The wording includes general, preventive advice to the bodies mentioned on which measures should be taken to ensure an appropriate level of data protection. A confirmation to this can be found in [[Article 36 GDPR|Article 36(4) GDPR]] which stipulates that member states must consult the SA during the preparation of a legislative measure which relates to processing of personal data.<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57, margin numbers 9-11 (C.H. Beck, 36th edition).</ref> SAs should be consulted during preparation of laws and regulations, as well as administrative measures. The advisory activities of the SAs are intended to make data processing transparent and enable the addressees of the advisory service to conduct legal and administrative activities in compliance with data protection''.'' <blockquote>Example: Estonia upgrades its e-governance system. The Estonian Sa should be consulted in the process since the sytem introduces new technical solutions for processing of data.</blockquote>Which institutions and bodies are to be advised is determined by member state law.
The GDPR assigns the SAs the task of making the public aware of the risks associated with data processing and of safeguards and protections that the GDPR affords to data subjects and children. Informing the public is an important task of the SAs as the knowledge of the functions, possibilities and risks of data processing is limited in the general public.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 15 and 16 (Nomos 2022).</ref> Risks arise from the technical possibilities of accessing knowledge, but also from the consequences it can have on individuals and society when state, social or economic power obtains knowledge about people in an uncontrolled and asymmetrical manner. At the same time, only if data subjects are aware of the applicable data protection provisions provisions and the rights afforded to them, they can claim their rights and invoke violations.  


===== (d) Promote the awareness of controllers and processors =====
Promotion of public awareness can be an effective mean of raising the level of data protection. It can be done with educational events, conferences and also with annual reports that SAs are required to draw up under [[Article 59 GDPR]].<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 13 (2nd Edition, C.H. Beck 2018).</ref> With awareness raising also the visibility and presence of SAs can be strengthened. ''Only as publicly known bodies can the authorities effectively fulfil their task as 'independent guardians of the fundamental right to data protection'''.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).</ref>  <blockquote>Example: A SA organises a public campaign "''know your rights''" on data subject’s rights that includes visits of schools. </blockquote>


SAs should not only shed light on legislative proposals and administrative measures, but also on those actors whose actions are governed by the GDPR (controllers and processors). In practice, this task can be carried out, for example, through training courses, official statements as well as through direct contacts with the obligated parties in the event of obvious difficulties in interpreting new and controversial provisions.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14-19 (C.H. Beck 2020).</ref><blockquote>Example: Provision of workshops for data protection officers. </blockquote>
==== (c) Advise Member States and other public bodies ====
This provision tasks SAs to provide general, preventive advice to public bodies on which measures should be taken to ensure an appropriate level of data protection. SAs should be consulted during preparation of laws and regulations, as well as administrative measures. In this regard [[Article 36 GDPR|Article 36(4) GDPR]] stipulates that Member States must consult the SA during the preparation of a legislative measure which relates to processing of personal data or of a regulatory measure based on such a legislative measure, which relates to processing. Which institutions and bodies are to be advised is determined by national laws of Member States. <ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57, margin numbers 9-11 (C.H. Beck, 36th edition).</ref> For more information refer to [[Article 36 GDPR|Article 36(4) GDPR]].<blockquote>Example: Estonia upgrades its e-governance system. The Estonian Sa should be consulted in the process since the system introduces new technical solutions for processing of data.</blockquote>


===== (e) Provide information concerning the exercise of data subject rights =====
==== (d) Promote the awareness of controllers and processors ====


Not only do data protection authorities raise public awareness but they also provide specific guidance ("upon request") to data subjects with information about the exercise of their GDPR rights. The term “''rights''” includes material rights (such as the right to be forgotten, [[Article 17 GDPR]]) as well as procedural rights and legal enforcement options (for instance, the rights mentioned in [[Article 77 GDPR]], [[Article 78 GDPR]] and [[Article 80 GDPR]]), as well as the right to compensation ([[Article 80 GDPR]]).<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 23 and 24 (Nomos 2022).</ref> Article 57(1)(e) GDPR refers to the fact that several SAs may have to work together to provide information to data subjects (''"if appropriate, cooperate with the supervisory authorities in other Member States to that end"'').<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).</ref><blockquote>Example: Answering an email about the mandatory requirements of a complaint or if a company has an establishment in another member state. </blockquote>
SAs should not only shed light on legislative proposals and administrative measures, but also on those actors whose actions are governed by the GDPR (controllers and processors). In practice, this task can be carried out, for example, through training courses, official statements as well as through direct exchange with the obligated parties in the event of obvious difficulties in interpreting of provisions.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14-19 (C.H. Beck 2020).</ref> <blockquote>Example: Organisation of workshops for data protection officers. </blockquote>In contrast to Article 57(1)(c) GDPR, which clearly mandates SAs to advise Member States and public sector bodies, this provision uses a different wording - "promote awareness". Similar wording is used in point (b) in relation to the general public - "promote public awareness". Consequently, this provision must be interpreted as mandating SAs to inform and educate controllers and processors in general. However, it cannot be interpreted as a mandate for the SAs to provide legal advice to controllers and processors in individual cases of data processing and, in particular, not to seek solutions together with controllers and processors on how to adjust a particular data processing that violates the GDPR to make it GDPR compliant in the context of complaints procedures or ex officio investigations instead of establishing a violation of the GDPR.


===== (f) Handle, investigate complaints and inform the complainant of the progress and outcome =====
==== (e) Provide information concerning the exercise of data subject rights ====
Under Article 57(1)(f) GDPR, SAs should deal with data subjects’ complaints and complaints filed by non-for-profit bodies on behalf of a data subject under [[Article 80 GDPR]]).<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).</ref> Handling of complaints is one of the main tasks of supervisory authorities.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).</ref> According to the EDPB's Internal Document 02/2021 "''[t]his key duty of [SAs] corresponds with the right of data subjects pursuant to [[Article 77 GDPR|Article 77 [GDPR]]] to lodge a complaint with a [SA].''"<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>  This implies that the subject matter of the complaint is investigated and the complainant is informed about the progress and result of the investigation.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> <blockquote>Case law: In case ''C-362/14 - Schrems'' CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.<ref>CJEU, case ''C- 362/ 14 - Schrems I'', paragraph 63.</ref></blockquote>
====== Complaint ======
GDPR does not define what constitutes a complaint. According to EDPB gudance complaint may be defined as: a submission to a SA by an identified natural person – or a not-for-profit body, organization or association that fulfils the conditions provided by Article 80 of the GDPR – who considers that the processing of personal data relating to him or her infringes the GDPR. Meaning that a complaint is not restricted to a breach of the rights of the data subject under Chapter III of the GDPR but is, more generally, an infringement of the GDPR by a processing of the complainant’s personal data.<ref>See Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 3, available [https://edpb.europa.eu/system/files/2022-07/internal_edpb_document_062020_on_admissibility_and_preliminary_vetting_of_complaints_en.pdf here]. See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> ''"An infringement is a violation, a non-respect of the GDPR’s provisions including both the failure to accommodate the data subject as well as non-compliance with other controller or processor obligations."''<ref>Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 4, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-62020-preliminary-steps_en here].</ref> "''As regards the level of proof required to admit a complaint, it is necessary and sufficient that the complainant provides a substantiated complaint.''" <ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 14, available 
[https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>


GDPR creates a wide possibility for data subjects to make complaints. Article 57(2) GDPR require SAs to facilitate the submission of complaints and not to charge fees (Artice 57(3) GDPR), except for manifestly unfounded or excessive requests (Artice 57(4) GDPR). [[Article 77 GDPR]] ensures that a data subject can issue a complaint before the SA of his residence, whilst not excluding complaints before other SAs.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).</ref>
SAs are tasked to provide specific guidance ("upon request") to data subjects with information about the exercise of their GDPR rights. These includes information regarding material rights, such as the right to be forgotten ([[Article 17 GDPR]]) and the right to compensation ([[Article 82 GDPR]]), as well as procedural rights and legal enforcement options, for instance, the rights mentioned in [[Article 77 GDPR]], [[Article 78 GDPR]] and [[Article 80 GDPR]]).<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 23 and 24 (Nomos 2022).</ref> Article 57(1)(e) GDPR also refers to the fact that several SAs may have to work together to provide information to data subjects (''"if appropriate, cooperate with the supervisory authorities in other Member States to that end"''), for example in cross-border where the SA of the main or only establishment of the controller is charged with the investigation ([[Article 56 GDPR]] and [[Article 60 GDPR]]) and the SA  with which the complaint has been lodged with informing the complainant (on the progress and outcome of the complaint ([[Article 77 GDPR|Article 77(2) GDPR]]).<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).</ref><blockquote>Example: Provide information in an email about the mandatory requirements of a complaint upon data subject's request. </blockquote>


====== Investigate the subject matter of the complaint ======
==== (f) Handle, investigate complaints and inform the complainant of the progress and outcome ====
EDPB confirms in the Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringementsthat that SAs have pursuant to Article 57(1)(f) a duty to handle each and every complaint submitted to them.<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>  To handle a complaint refers to the whole procedure for dealing with complaints and thus covers all stages. This includes the investigation of the subject matter of the complaint, which ''"entails taking all necessary and appropriate steps with a view to resolving an issue or establishing whether an infringement has been committed and if so under what circumstances."'' <ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, pages 11 and 14, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> The subject matter relates to the facts of the case as presented by the complainant. The investigation can be carried out, for example, by hearing the person responsible, by on-site inspections or by researching the technical and other framework conditions ([[Article 58 GDPR|Article 58(1) GDPR]]). 
It is aimed at determining whether the processing and/or the handling of data subjects' rights is in compliance with the law.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).</ref>  While handling the complaint SAs should always fulfill their procedural obligations under the GDPR, as well as adhere to other applicable rules and principles of EU law, such as the right to be heard (Article 41 CFR).<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>


====== To the extent appropriate ======
===== Handle complaints lodged by a data subject =====
SAs are provided with a margin of discretion as regards the extent or depth of the investigation needed. A complaint must be investigated "to the extent appropriate”. Which investigatory steps are to be taken, depends on both the circumstances of the specific case and the requirements under national procedural law, but some degree of investigation must take place if the complainant is deemed admissible.<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> <blockquote>Example: When a complaint concerns proccessing of data without a legal basis through a website no on-site investigation is neccessary. In the event that the subject matter of the complaint concerns non-compliance of video surveillance with GDPR requirements, an on-site visit can be very helpful or even necessary. </blockquote>According to EDPB necessary and appropriate steps encompass the measures (investigative powers) mentioned in [[Article 58 GDPR|Article 58]] and among others include requesting information from the controller or processor and  carrying out an audit or on-site inspection. While a SA ''"has a discretionary power to decide upon the necessary investigatory steps to be taken, including the extent and kind of information needed in order to provide a reply to the data subject and to decide on the necessity of enforcement action [...] [t]his discretionary power must be exercised with all due diligence. In all cases, the factual and legal issues raised by the complainant must be exemined".''<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available [[here]].</ref>
Handling of complaints is one of the main tasks of supervisory authorities.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).</ref> "''This key duty of [SAs] corresponds with the right of data subjects pursuant to [[Article 77 GDPR|Article 77 [GDPR]]] to lodge a complaint with a [SA].''"<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> SA's obligation to perform its task under Article 57(1)(f) GDPR is triggered by a complaint being filed with the SA. According to [[Article 77 GDPR]] the complaint can be lodged by a data subject or by a non-for-profit body on behalf of a data subject under [[Article 80 GDPR]].


Finally, for all admitted complaints that are not withdrawn, SAs must provide a decision or other legally attacable act specifying the facts and legal considerations for confirming the alledged infringments from the complaint or rejecting the complaint or dismissing the complaint (not investigating it further).<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> The controller or processor, if an infringment of the GDPR is found and the complainant in the event that his complaint is rejected or dismissed, in full or in part, have the right to appeal the decision of the SA in accordance with [[Article 78 GDPR]].
When a SA obtains a complaint it must handle it.<ref>See CJEU - ''[[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|C-26/22 - Schufa Holding]]'', paragraphs 47-70.</ref> SAs have the duty to handle each and every complaint submitted to them.<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> CJEU confirmed that complaints are not and cannot be treated as petitions. SAs are required to deal with them and sanction any violation of the GDPR in an appropriate manner. As the complaint is not a mere petition, a supervisory authority cannot invoke its discretion in not dealing with it, nor can postpone the handling in such a way that makes the right void of any substantial meaning. Lack of appropriate action by the supervisory authority or a substantial delay in handling a complaint thus constitute a violation of the principle of effectiveness and of the due diligence duty.<ref name=":1">CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin numbers 56 and 58 (available [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|here]]).</ref>
{{Quote-CJEU|"[…] each supervisory authority is required on its territory to handle complaints which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of his or her personal data infringes the regulation, and is required to examine the nature of that complaint as necessary. The supervisory authority must deal with such a complaint with all due diligence []."|CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|56.}}<blockquote>The CJEU also confirmed that the complaints procedure, which is not similar to that of a petition, is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects.<ref name=":1" /></blockquote>


===== Complaint =====
GDPR does not define what constitutes a complaint. It only specifies the subject matter of a complaint. According to Article 77(1) GDPR the complaint concerns processing of personal data of the complainant which, in the complainant's view, infringes the GDPR. European Data Protection Board ("EDPB") indicates that a complaint may be defined as a submission to a SA by an identified natural person – or a not-for-profit body, organization or association that fulfils the conditions provided by Article 80 of the GDPR – who considers that the processing of personal data relating to him or her infringes the GDPR.<ref>See Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, pages 3 and 4, available [https://edpb.europa.eu/system/files/2022-07/internal_edpb_document_062020_on_admissibility_and_preliminary_vetting_of_complaints_en.pdf here]. See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> Consequently, complaints are not restricted to breaches of data subject's rights under Chapter III of the GDPR, but also concern any other violation of the data subject rights due to non-compliance with other obligations under the GDPR by the controller or processor''.'' 
As the GDPR does not clarify what constitutes a complaint nor does it provide for the minimal requirements of a complaint, the elements that are required to be in a complaint for it to qualify as a complaint be admissible are determined by Member State law.
====== Handling ======
Handling refers to the whole complaint procedure and thus covers all stages of the procedure, from checking of admissibility of the complaint and investigating its subject matter to taking a decision on the complaint and informing the data subject about the decision. When a complaint is lodged, the SA first proofs whether the complaint contains all elements that are required for it to be admissible under national law.<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 14, available [https://www.edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> Second, the SA must identify which SA is competent to handle the complaint in accordance with [[Article 55 GDPR]] and in cross-border cases [[Article 56 GDPR]] and if applicable sent the complaint to the competent SA. This is done in the IMI system.<ref>"'''''IMI (Internal Market Information System) was chosen as the IT platform to support cooperation and consistency procedures under the GDPR'''. IMI helps public authorities across the EU to cooperate and exchange information. The GDPR is the 13th legal area supported by the system.''" See EDPB website https://www.edpb.europa.eu/news/news/2018/state-play-imi-gdpr-purposes_en (29 March 2024).</ref>
GDPR is regulating the procedure to a very limited extend. Articles 55 GDPR and 56(1) GDPR contain rules on competence and Articles [[Article 56 GDPR|56 GDPR]] and 60 to 66 GDPR lay down a framework for handling of cross-border cases and cases with other transnational elements.<ref>Add Procedural regulation.</ref> As the complaint procedure is mostly not regulated by the GDPR, complaints are handled under applicable national procedural rules. Some Member States have adopted procedural laws in other states the procedure is regulated by internal rules of procedure, depending on the Member State's legal order. In any case, as EDPB Internal Document 02/2021 clarifies, when handling a complaint SAs should always fulfil their procedural obligations under the GDPR, as well as adhere to other applicable rules and principles of EU law, such as the right to be heard (Article 41 CFR).<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>
===== Investigate the subject matter of the complaint =====
In the next step the competent SA has to investigate the subject matter of the complaint. This ''"entails taking all necessary and appropriate steps with a view to resolving an issue or establishing whether an infringement has been committed and if so under what circumstances."'' The investigation can be carried out, for example, by hearing the person responsible, by on-site inspections or by researching the technical and other framework conditions ([[Article 58 GDPR|Article 58(1) GDPR]]). It is aimed at determining whether the processing and/or the handling of data subjects' rights is in compliance with the law.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).</ref> But the subject matter of the complaint must be investigated with all due diligence.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref><blockquote>Case law: In case ''C-362/14 - Schrems'' CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.<ref>CJEU, case ''C- 362/ 14 - Schrems I'', paragraph 63.</ref></blockquote>
===== To the extent appropriate =====
SAs are provided with a margin of discretion as regards the extent or depth of the investigation needed. A complaint must be investigated "to the extent appropriate”. Which investigatory steps are to be taken, depends on both the circumstances of the specific case and the requirements under national procedural law, but some degree of investigation must take place if the complaint is deemed admissible.<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> <blockquote>Example: When a complaint concerns processing of data without a legal basis through a website no on-site investigation is necessary. In the event that the subject matter of the complaint concerns non-compliance of video surveillance with GDPR requirements, an on-site visit can be very helpful or even necessary.  </blockquote>According to EDPB necessary and appropriate steps encompass the measures (investigative powers) mentioned in [[Article 58 GDPR|Article 58]] and among others include requesting information from the controller or processor and  carrying out an audit or on-site inspection. While a SA ''"has a discretionary power to decide upon the necessary investigatory steps to be taken, including the extent and kind of information needed in order to provide a reply to the data subject and to decide on the necessity of enforcement action [...] [t]his discretionary power must be exercised with all due diligence. In all cases, the factual and legal issues raised by the complainant must be exemined".''<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>
Case law: In ''[[CJEU - C-311/18 - Schrems II|Schrems II]]'' CJEU clarified that each supervisory authority is required to examine the nature of a complaint as necessary. The supervisory authority must deal with such a complaint with all due diligence.<ref>CJEU, [[CJEU - C-311/18 - Schrems II|C‑311/18 - ''Schrems II'']], paragraph 109; see also CJEU, C-26/22 -  xxx, paragraph 56.</ref>
===== Inform the complainant of the outcome of the investigation =====
Finally, for all admitted complaints that are not withdrawn, SAs must provide a decision or other legally attackable act specifying the facts and legal considerations for confirming the alleged infringements from the complaint or rejecting the complaint or dismissing the complaint (not investigating it further).<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> The SA where the complaint was lodged must inform the data subject of the outcome of the investigation. The controller or processor and the complainant have the right to appeal the decision of the SA in accordance with [[Article 78 GDPR]]. In case of an appeal SA's decision is subject to a full judicial review (see commentary to Article 78 GDPR).<ref>CJEU, [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|C-26/22]], paragraph 52; see also  [[CJEU - C-132/21 - Nemzeti Adatvédelmi és Információszabadság Hatóság|C‑132/21 - ''Nemzeti'']]'','' paragraph 41.</ref> 
====== Within a reasonable period ======
====== Within a reasonable period ======
Handling of a complaint should be performed within a reasonable period of time (see also [[Article 77 GDPR|Article 77(2) GDPR]] and [[Article 78 GDPR]]). This reflects a fundamental duty of the SA to process complaints quickly and efficiently and to avoid lengthy proceedings.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 6-11 (C.H. Beck 2017).</ref>
Handling of a complaint should be performed within a reasonable period of time (see also [[Article 77 GDPR|Article 77(2) GDPR]] and [[Article 78 GDPR]]). This reflects a fundamental duty of the SA to process complaints quickly and efficiently and to avoid lengthy proceedings.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 6-11 (C.H. Beck 2017).</ref> Whether a reasonable time frame has been observed depends on the complexity of the case, as well as on the intensity of the infringement of the fundamental right, whereby it must also be taken into account whether the violation affects also rights of other data subjects. The aim is to prevent very long proceedings, including in transnational cases when further investigation or coordination with another SA is necessary.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).</ref> Nevertheless, the reasonable period  will be somewhat longer if coordination with other SAs is needed, for example pursuant to [[Article 60 GDPR]], in particular if there are reasoned objections from other supervisory authorities concerned and a binding decision of the European Data Protection Board (EDPB) needs to be adopted according to [[Article 65 GDPR]].<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).</ref><blockquote>Example: If it takes 6 years for a SA to investigate a complaint and take a final decision the complaint was not handled within a reasonable time. </blockquote>The provision must also be read in conjunction with [[Article 78 GDPR]] providing for a legal remedy against legally binding decisions of SAs (see above) and in case of inactivity of a SA.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. 
Beck 2020, 3rd Edition).</ref> For example, at the latest after three months, the complainant must at least be informed of the state of affairs. If this does not happen, he can file a legal remedy against the SA. 


Whether a reasonable time frame has been observed depends on the complexity of the case, as well as on the intensity of the infringment of the fundamental right, whereby it must also be taken into account whether the violation affects also rights of other data subjects. The aim is to prevent very long proceedings, including in transnational cases when further investigation or coordination with another SA is necessary.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).</ref> Nevertheless, the reasonable period  will be somewhat longer if coordination with other SAs is needed, for example pursuant to [[Article 60 GDPR]], in particular if there are reasoned objections from other supervisory authorities concerned and a binding decision of the European Data Protection Board (EDPB) needs to be adopted under [[Article 65 GDPR]].<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).</ref><blockquote>Example: If it takes 6 years for a SA to investigate a complaint and take a final decision the complaint was not handled withing a reasonable time. </blockquote>The provision must also be read in conjunction with [[Article 78 GDPR]] providing for a legal remedy against legaly binding decisions of SAs (seee above) and in case of inactivity of a SA.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).</ref> For example, at the latest after three months, the complainant must at least be informed of the state of affairs. If this does not happen, he can file a legal remedy against the SA. 
===== (g) Cooperate with other supervisory authorities (SAs) =====
 
SAs must share information and cooperate with other authorities in case a processing presents transnational profiles, including through the exchange of information and providing administrative assistance. Proactivity is required as SAs are under the obligation to contribute to the consistent application of the GDPR throughout the EU/EEA according to [[Article 51 GDPR#2|Article 51(2) GDPR]] .<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).</ref> GDPR provides rules on cooperation between SAs in Articles 60 to 66 and [[Article 56 GDPR|Article 56(2) to (5)]]. Duty to cooperate is not limited to cases of cross-border processing as per [[Article 4 GDPR|Article 4(21) GDPR]].<blockquote>
For more information regading legal remedies see commentary to [[Article 78 GDPR]].
===== (g) Cooperate with other supervisory authorities to ensure consistency and enforcement =====
SAs must share information and cooperate with other authorities in case a processing presents transnational profiles, including through the exchange of information and providing administrative assistance. Duty to cooperate is not limited to cases of cross-border processing as per [[Article 4 GDPR|Article 4(21) GDPR]]. <blockquote>
Example: Austrian SA asks the Danish SA to make an on-side inspection and seize data on controller's server located in Denmark.  </blockquote>
Example: Austrian SA asks the Danish SA to make an on-side inspection and seize data on controller's server located in Denmark.  </blockquote>
The inter-agency cooperation can be regarded as a necessary instrument that allows SAs to exercise their general role of contributing to the consistent application of the GDPR throughout the EEA ([[Article 51 GDPR|Article 51(2) GDPR]]). Such aim would be impossible without a proactive cooperation. To that end GDPR provides for the cooperation and consistency mechanisms in Articles 60 to 66 GDPR ([[Article 60 GDPR]], [[Article 61 GDPR]], [[Article 62 GDPR]], [[Article 63 GDPR]], [[Article 64 GDPR]], [[Article 65 GDPR]], [[Article 66 GDPR]]).<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).</ref>
For more information on cooperation see commentary to [[Article 60 GDPR]], [[Article 61 GDPR]], [[Article 62 GDPR]], [[Article 63 GDPR]], [[Article 64 GDPR]], [[Article 65 GDPR]], [[Article 66 GDPR]] and [[Article 56 GDPR]].
===== (h) Conduct investigations =====
===== (h) Conduct investigations =====
The SA is also tasked to carry out ''ex officio'' investigations to ensure compliance with the GDPR. To start the investigation, a SA can obtain the information out of its own initiative or from another SA (e.g. in accordance with [[Article 60 GDPR|Article 60(1) GDPR]] and [[Article 61 GDPR|Article 61(1)GDPR]]). Relevant information can also be obtained by another authority (e.g. a competition SA, consumer protection or telecommunications authority). In any of these cases, the SA can start an investigation.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).</ref><blockquote>Example: A SA initiates an ex officio investigation, after a research study by a NGO reveals that cars are sharing unlimited data with car producers, including video and audio of the driver and passangers.   </blockquote>At the European level, Article 46(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045 Regulation (EC) No 45/2001] contains a similar ex officio duty of investigation for the European Data Protection Supervisor (EDPS).<ref>Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045 here].</ref>
The SA is also tasked to carry out investigations on its own initiative to ensure compliance with the GDPR. Investigations under Article 57(1)(h) GDPR can also be initiated based on information that the SA obtained from another SA (e.g. in accordance with [[Article 60 GDPR|Article 60(1) GDPR]] and [[Article 61 GDPR|Article 61(1)GDPR]]), another national authority (e.g. a competition SA, consumer protection or telecommunications authority) or from any other source.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).</ref> However if a complaint was filed, the SA must exemine the complaint in a complaint procedure. At the European level, Article 46(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045 Regulation (EC) No 45/2001] contains a similar ex officio duty of investigation for the European Data Protection Supervisor (EDPS).<ref>Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045 here].</ref><blockquote>Example: A SA initiates an ex officio investigation, after a research study by a NGO reveals that cars are sharing unlimited data with car producers, including video and audio of the driver and passengers.  </blockquote>
 
===== (i) Monitor relevant development =====
===== (i) Monitor relevant development =====
Another activity SAs are tasked with is to follow any development relevant to data protection field. In particular, the SA shall be updated on new communication technologies and business practices.  
Another activity SAs are tasked with is to follow any development relevant to data protection field. In particular, the SA must follow new communication technologies and business practices. This includes new invasive processing methods, for example in the areas of big data, pattern recognition and internet surveillance, as well as technical developments that can be used to ensure data protection requirements, such as options for separate data storage, encryption and pseudonymisation, and use of secure networks. SAs should also be aware of new trends in processing of personal data for purposes of advertising, pay-or-ok solutions, and the use of new consent and contract clauses.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 35-37 (Nomos 2019).</ref> Following relevant developments seems also to be necessary in order to adequately carry out the other tasks, particularly monitoring and advice.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).</ref> 
 
Example: Social networks start using pay-or-ok solutions.
 
This includes new invasive processing methods, for example in the areas of big data, pattern recognition and internet surveillance, as well as technical developments that can be used to ensure data protection requirements, such as options for separate data storage, encryption and pseudonymisation, and use of secure networks. SAs should be aware of new trends for example processing of personal data for purposes of advertising, pay-or-ok soutions, and the use of new consent and contract clauses.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 35-37 (Nomos 2019).</ref>


This seems to be necessary in order to adequately carry out the other tasks, particularly monitoring and advice.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).</ref> To do so, the SAs shall be given appropriate human and technical resources ([[Article 52 GDPR|Article 52(4) GDPR]]).
Example: SA should react when social networks start using pay-or-ok solutions.


===== (j) Adopt standard contractual clauses =====
===== (j) Adopt standard contractual clauses =====
Under Article 57(1)(j) SA are given the task to adopt standard contractual clauses as laid down in [[Article 28 GDPR|Article 28(8) GDPR]] and [[Article 46 GDPR|Article 46(2)(d) GDPR]]. Both cases require activitly bax the EDPB, either in the consistency mechanism under [[Article 63 GDPR]] or by adopting an opinion under [[Article 64 GDPR|Article 64(1)(d) GDPR]].  
Under Article 57(1)(j) SA are given the task to adopt standard contractual clauses as laid down in [[Article 28 GDPR|Article 28(8) GDPR]] and [[Article 46 GDPR|Article 46(2)(d) GDPR]]. Both cases require activity by the EDPB, within the consistency mechanism under [[Article 63 GDPR]] or by adopting an opinion under [[Article 64 GDPR|Article 64(1)(d) GDPR]].  


For more information see commentary to [[Article 28 GDPR|Article 28(8) GDPR]] and Article [[Article 46 GDPR|46(2)(d) GDPR]].
For more information see commentary to [[Article 28 GDPR|Article 28(8) GDPR]] and Article [[Article 46 GDPR|46(2)(d) GDPR]].


===== (k) Establish and maintain a list of processing operations requiring a data protection impact assessment =====
===== (k) Maintain a list of processing operations requiring a data protection impact assessment =====
Every SA has to establish and maintain a list of the processing operations for which a data protection impact assessment (DPIA) must always be carried out ([[Article 35 GDPR|Article 35(4) GDPR]]). On the other hand, maintaining a ''negative list'' for cases where a DPIA is not needed is ''not a mandatory task''.<ref>xxxx</ref> According to [[Article 35 GDPR|Article 35(5) GDPR]], a SA can also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. These lists are to be submitted to the EDPB.
Every SA has to establish and maintain a list of the processing operations for which a data protection impact assessment (DPIA) must always be carried out ([[Article 35 GDPR|Article 35(4) GDPR]]). On the other hand, maintaining a ''negative list'' for cases where a DPIA is not needed is ''not a mandatory task''.<ref>xxxx</ref> According to [[Article 35 GDPR|Article 35(5) GDPR]], a SA can also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. These lists are to be submitted to the EDPB.


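Review bot: several footnotes in this hunk are still placeholders rather than citations. The "Handling" paragraph carries a footnote that reads only "Add Procedural regulation.", the Schrems II case-law footnote reads "C-26/22 -  xxx, paragraph 56", and the negative-list sentence under (k) has a footnote "xxxx" in both copies of the paragraph, so it survives the revision. Replace each with the actual source (for C-26/22, the case name used elsewhere in this hunk is SCHUFA) or drop the footnote until a source is available. Two smaller points: the EDPB quotation ends "must be exemined" in both versions of the "To the extent appropriate" paragraph, and the CJEU quote box ends "with all due diligence []", where the empty brackets look like a lost ellipsis. Both are quotations, so check them against the source text rather than correcting by eye.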
Line 336: Line 350:


===== (l) Give advice on data protection impact assessment =====
===== (l) Give advice on data protection impact assessment =====
Advising controllers and processors with regard to high-risk processing opertions referred to in [[Article 36 GDPR|Article 36(2) GDPR]] is one of the tasks of SAs.  This includes receiving and reviewing the data protection impact assessment notified to it and advising the controller in accordance with [[Article 36 GDPR|Article 36(2) GDPR]], in particularly making proposals to mitigate the risk. <ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 48 (Nomos 2022).</ref> SA can also make use of any of its powers referred to in [[Article 58 GDPR]]. This includes its corrective powers, in particulatly, if the written recommendations of the SA are not taken into account and the controller or processor continuously fails to properly identify and mitigate the risk.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 40 (Nomos 2019).</ref>
Advising controllers and processors with regard to high-risk processing operations referred to in [[Article 36 GDPR|Article 36(2) GDPR]] is one of the tasks of SAs.  This includes receiving and reviewing the data protection impact assessment notified to it and advising the controller in accordance with [[Article 36 GDPR|Article 36(2) GDPR]], in particularly making proposals to mitigate the risk. <ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 48 (Nomos 2022).</ref> SA can also make use of any of its powers referred to in [[Article 58 GDPR]]. This includes its corrective powers, in particularly, if the written recommendations of the SA are not taken into account and the controller or processor continuously fails to properly identify and mitigate the risk.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 40 (Nomos 2019).</ref>


For more details see commentary to [[Article 36 GDPR]].
For more details see commentary to [[Article 36 GDPR]].
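Review bot: the Ziebarth footnote in the (l) paragraph cites "Article 55 GDPR, margin number 48", while the other Ziebarth references visible on this page cite Article 57 GDPR; check whether 55 is a typo for 57. The revised paragraph also keeps "in particularly" twice ("in particularly making proposals" and "in particularly, if the written recommendations"); both should read "in particular".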
Line 345: Line 359:
See comment under [[Article 40 GDPR]].
See comment under [[Article 40 GDPR]].


===== (n) Encourage and regulate the use of data protection certification mechanisms =====
===== (n) Regulate the use of data protection certification mechanisms =====
This task is directly connected with [[Article 42 GDPR|Article 42(1) GDPR]] that stipulates that SAs are to encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance of processing operations by controllers and processors with the GDPR. The SA is also to issue certifications and approve criteria according to which the process to be certified is to be examined  pursuant to [[Article 42 GDPR|Article 42(5) GDPR]].<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 50-52 (Nomos 2022).</ref>
This task is directly connected with [[Article 42 GDPR|Article 42(1) GDPR]] that stipulates that SAs are to encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance of processing operations by controllers and processors with the GDPR. The SA is also to issue certifications and approve criteria according to which the process to be certified is to be examined  pursuant to [[Article 42 GDPR|Article 42(5) GDPR]].<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 50-52 (Nomos 2022).</ref>


See comment under [[Article 42 GDPR]].
See comment under [[Article 42 GDPR]].


===== (o) Carry out periodic reviews of certifications =====
===== (o) Carry out reviews of certifications =====
This task is further specified in [[Article 42 GDPR]]. A SA must periodically review the certifications granted under [[Article 42 GDPR]] (see also point (n) above), which is followed by a renewal or withdrawal of the certification in accordance with [[Article 42 GDPR|Article 42(7) GDPR]].<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 53 (Nomos 2022).</ref>
This task is further specified in [[Article 42 GDPR]]. A SA must periodically review the certifications granted under [[Article 42 GDPR]] (see also point (n) above), which is followed by a renewal or withdrawal of the certification in accordance with [[Article 42 GDPR|Article 42(7) GDPR]].<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 53 (Nomos 2022).</ref>


For more information see comment under [[Article 42 GDPR]].
For more information see comment under [[Article 42 GDPR]].


===== (p) Draft and publish the requirements for accreditation of a body for monitoring codes of conduct and of a certification body =====
===== (p) Draft the requirements for accreditation of monitoring bodies and certification bodies =====
Tis task concerns codes of conduct under [[Article 41 GDPR]] and certifications under [[Article 43 GDPR]], which can be approved and issued by bodies other than SAs. These bodies require accreditation for this purpose. The SA establises and publishes the requirements these bodies must fulfil for accreditation.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 54 (Nomos 2022).</ref>
Tis task concerns codes of conduct under [[Article 41 GDPR]] and certifications under [[Article 43 GDPR]], which can be approved and issued by bodies other than SAs. These bodies require accreditation for this purpose. The SA determines and publishes the requirements these bodies must fulfil for accreditation.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 54 (Nomos 2022).</ref>


See also commentary to [[Article 41 GDPR]] and [[Article 43 GDPR]].
See also commentary to [[Article 41 GDPR]] and [[Article 43 GDPR]].


===== (q) Accreditation of a body for monitoring codes of conduct and of a certification body =====
===== (q) Accredit of monitoring bodies and certification bodies =====
SAs are tasked to carry out the accreditation of a body for monitoring of compliance with a code of conduct pursuant to [[Article 41 GDPR]] and a certification body pursuant to [[Article 43 GDPR]] on the basis of the requiremens formulated under Article 57(1)(p) (see point (p) above).
SAs are tasked to carry out the accreditation of a body for monitoring of compliance with a code of conduct pursuant to [[Article 41 GDPR]] and a certification body pursuant to [[Article 43 GDPR]] on the basis of the requirements formulated under Article 57(1)(p) (see point (p) above).


For more information see also comments under [[Article 41 GDPR]] and [[Article 43 GDPR]].
For more information see also comments under [[Article 41 GDPR]] and [[Article 43 GDPR]].
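Review bot: The new heading for point (q), "Accredit of monitoring bodies and certification bodies", is ungrammatical; "Accredit monitoring bodies and certification bodies" would match the imperative form of the other shortened headings. The paragraph under (p) still opens with "Tis task" in the new revision. The shortened (n) and (o) headings drop "Encourage" and "periodic", although the paragraphs beneath them still describe encouraging certification mechanisms and periodic reviews, so consider keeping those words.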
Line 373: Line 387:
This task concerns the role of SAs assigned to them by [[Article 47 GDPR]] with regard to binding corporate rules for internal transfers of data outside EU/EEA within one group of undertakings or group of enterprises engaged in a joint economic activity, which have to be approved by a SAs.   
This task concerns the role of SAs assigned to them by [[Article 47 GDPR]] with regard to binding corporate rules for internal transfers of data outside EU/EEA within one group of undertakings or group of enterprises engaged in a joint economic activity, which have to be approved by a SAs.   


See commentry to [[Article 47 GDPR]].
See commentary to [[Article 47 GDPR]].


===== (t) Contribute to the activities of the EDPB =====
===== (t) Contribute to the activities of the EDPB =====
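Review bot: The paragraph on binding corporate rules still ends with "which have to be approved by a SAs" in the new revision; it should read "by a SA" or "by SAs", and this could be corrected in the same hunk as the "commentry" spelling fix.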
Line 381: Line 395:
The EDPB itself has the task of promoting cooperation and exchange between data protection supervisory authorities.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).</ref>
The EDPB itself has the task of promoting cooperation and exchange between data protection supervisory authorities.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).</ref>


===== (u) Keep internal records of infringements of the GDPR and measures taken =====
===== (u) Keep records of infringements =====
Furthermore, SAs have the task of keeping internal records of infringements of the GDPR and measures taken against controllers and processors under [[Article 58 GDPR|Article 58(2) GDPR]], which lays down corrective powers of SAs. The content of internal records is not further specified. It seems that a bullet point description of the infringements and the type of measures taken (e.g. warning, reprimend, orders, imposition of fines) would be sufficient. It is not mandatory to include the amount of fines imposed. The records can be used as a basis for the activity report ([[Article 59 GDPR]]) and for diverse advisory tasks of the SAs. It can also be used to make strategic decisions on the future direction of SA's activities, its effectiveness, cooperation with other SAs and to follow general developments.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 57 (Nomos 2019).</ref>  
Furthermore, SAs have the task of keeping internal records of infringements of the GDPR and measures taken against controllers and processors under [[Article 58 GDPR|Article 58(2) GDPR]], which lays down corrective powers of SAs. The content of internal records is not further specified. It seems that a bullet point description of the infringements and the type of measures taken (e.g. warning, reprimand, orders, imposition of fines) would be sufficient. It is not mandatory to include the amount of fines imposed. The records can be used as a basis for the activity report ([[Article 59 GDPR]]) and for diverse advisory tasks of the SAs. It can also be used to make strategic decisions on the future direction of SA's activities, its effectiveness, cooperation with other SAs and to follow general developments.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 57 (Nomos 2019).</ref>  


===== (v) Fulfil any other tasks related to the protection of personal data =====
===== (v) Fulfil other tasks =====


Finally, Article 57(1)(v) GDPR constitutes the residual provision for all “''other tasks related to the protection of personal data''”. The list of tasks is therefore not exhaustive and member states can provide for further tasks in national law. However, these should be chosen carefully with a view to the respective financial resources and the already far-reaching tasks.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 24 (C.H. Beck 2020).</ref> An example of other tasks is the prior authorisation of data processing in the public interest if required under national law ([[Article 36 GDPR|Article 36(5) GDPR]] and [[Article 58 GDPR|Article 58(3)(c) GDPR]]).<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 66 (Nomos 2022).</ref>
Finally, Article 57(1)(v) GDPR constitutes the residual provision for all “''other tasks related to the protection of personal data''”. The list of tasks is therefore not exhaustive and Member States can provide for further tasks in national law. However, these should be chosen carefully with a view to the respective financial resources and the already far-reaching tasks.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 24 (C.H. Beck 2020).</ref> An example of other tasks is the prior authorisation of data processing in the public interest if required under national law ([[Article 36 GDPR|Article 36(5) GDPR]] and [[Article 58 GDPR|Article 58(3)(c) GDPR]]).<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 66 (Nomos 2022).</ref>
====On its territory ====
====On its territory ====
The wording (''"on its terrirory")'' is intended to clarify that the tasks of the supervisory authority do not extend beyond the territory of its member state.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 13 (Nomos 2022).</ref>  
The wording (''"on its territory")'' is intended to clarify that the tasks of the supervisory authority do not extend beyond the territory of its Member State.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 13 (Nomos 2022).</ref>  


===(2) Submission of complaints is to be facilitated===
===(2) Submission of complaints to be facilitated===
Article 57(2) GDPR provides for facilitation of the filing of a complaint on the formal side.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).</ref> This means that the SA should be able to provide simple and intuitive solutions for uploading and filing the complaint as well as relevant attachments. The provision expressly mentions a “''complaint submission form''” which should be easy to understand and gain access to. <ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).</ref> The provision of a complaint form is a variant for making the submission of complaints unbureaucratic and simple. It can also make it easier for the SA to fulfil its tasks because it can use standardisation to make the complaints procedure more effective. The design of a complaints form can provide the complainant with instructions on how to complete the form, which makes the work of the SA easier and keeps the need for queries in limits. For example, it can be listed which information is required on the respondent and the subject of the complaint and which evidence, if any, may be relevant.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).</ref> The provision, however, does not exclude “''other means of communications''”, such as the e-mail. In order to facilitate the filing, the SA’s IT systems should be able to receive the complaints with the least number of obstacles possible. It should allow the upload of the most commonly used file formats and avoid setting unreasonable restrictions on the amount of files that can be uploaded and their dimension.<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).</ref>
Article 57(2) GDPR provides for facilitation of the filing of a complaint on the formal side.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).</ref> This means that the SA should be able to provide simple and intuitive solutions for uploading and filing the complaint as well as relevant attachments. The provision expressly mentions a “''complaint submission form''” which should be easy to understand and gain access to. <ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).</ref> The provision of a complaint form is a variant for making the submission of complaints unbureaucratic and simple. It can also make it easier for the SA to fulfil its tasks because it can use standardisation to make the complaints procedure more effective. The design of a complaints form can provide the complainant with instructions on how to complete the form, which makes the work of the SA easier and keeps the need for queries in limits. For example, it can be listed which information is required on the respondent and the subject of the complaint and which evidence, if any, may be relevant.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).</ref> The provision, however, does not exclude “''other means of communications''”, such as the e-mail. In order to facilitate the filing, the SA’s IT systems should be able to receive the complaints with the least number of obstacles possible. It should allow the upload of the most commonly used file formats and avoid setting unreasonable restrictions on the amount of files that can be uploaded and their dimension.<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).</ref>


Additionally, data subject's right to file a complaint and seek protection following an infringement of the GDPR is widely mentioned and protected throughout the GDPR. Data subjects are informed about the existence of the right to complaint ([[Article 12 GDPR|Article12(4) GDPR]] and [[Article 13 GDPR|Article 13(2)(d)(e) GDPR]]). The SAs deal with every complaint, investigating it to an appropriate extent and informing the complainant about the progress and result of the investigation (Article 57(1)(f) GDPR). Data subject can lodge a complaint with a SA of his choice ([[Article 77 GDPR]]).<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).</ref>
Additionally, data subject's right to file a complaint and seek protection following an infringement of the GDPR is widely mentioned and protected throughout the GDPR. Data subjects are informed about the existence of the right to complaint ([[Article 12 GDPR|Article12(4) GDPR]] and [[Article 13 GDPR|Article 13(2)(d)(e) GDPR]]). The SAs deal with every complaint, investigating it to an appropriate extent and informing the complainant about the progress and result of the investigation (Article 57(1)(f) GDPR). Data subject can lodge a complaint with a SA of his choice ([[Article 77 GDPR]]).<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).</ref>


=== (3) Free of charge principle (for the data subject)===
=== (3) Free of charge principle for data subjects===
The right to file a complaint is granted free of charge. This supports the idea of data protection as a fundamental right that must be enforced without undue hindrance by both controllers and SAs. On the other side, since controllers and processors are not mentioned, it seems reasonable to conclude that the SA may charge them with some fees for the performance of their tasks.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO, Article 57, (C.H. Beck 2017). See also ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 53-55 (Nomos 2019).</ref> However, SAs should take into account that the performance of tasks free of charge, including where controllers and processors are involved, can encourage them to consult with the SA regarding their processing activities and thus contribute to GDPR-compliant processing.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 71 and 72 (Nomos 2022).</ref>
The right to file a complaint is granted free of charge. This supports the idea of data protection as a fundamental right that must be enforced without undue hindrance by both controllers and SAs. On the other side, since controllers and processors are not mentioned, it seems reasonable to conclude that the SA may charge them with some fees for the performance of their tasks.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO, Article 57, (C.H. Beck 2017). See also ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 53-55 (Nomos 2019).</ref> However, SAs should take into account that the performance of tasks free of charge, including where controllers and processors are involved, can encourage them to consult with the SA regarding their processing activities and thus contribute to GDPR-compliant processing.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 71 and 72 (Nomos 2022).</ref>
===(4) Exception: manifestly unfounded or excessive requests===
===(4) Exception: manifestly unfounded or excessive requests===
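Review bot: In the second paragraph under heading (2), "the right to complaint" and the link text "Article12(4) GDPR" are carried over unchanged into the new revision; these should read "the right to lodge a complaint" and "Article 12(4) GDPR". The new heading "(3) Free of charge principle for data subjects" is narrower than Article 57(3), which also covers the data protection officer "where applicable", so the paragraph below it should mention that.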

Latest revision as of 13:23, 2 October 2024

Article 57 - Tasks

Legal Text

Article 57 - Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
(d) promote the awareness of controllers and processors of their obligations under this Regulation;
(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;
(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;
(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);
(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);
(l) give advice on the processing operations referred to in Article 36(2);
(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);
(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);
(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);
(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
(r) authorise contractual clauses and provisions referred to in Article 46(3);
(s) approve binding corporate rules pursuant to Article 47;
(t) contribute to the activities of the Board;
(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and
(v) fulfil any other tasks related to the protection of personal data.

2. Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Relevant Recitals

Recital 122: Competence of Supervisory Authorities
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

Recital 123: Cooperation Amongst Supervisory Authorities and with the Commission
The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

Recital 129: Tasks and Powers of Supervisory Authorities
In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. 
This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

Recital 132: Awareness-Raising Activities and Specific Measures
Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as natural persons in particular in the educational context.

Recital 133: Mutual Assistance and Provisional Measures
The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for mutual assistance within one month of the receipt of that request by the other supervisory authority.

Commentary

Article 57(1) GDPR contains a detailed, albeit not exhaustive, list of mandatory tasks assigned to the supervisory authorities (SAs).[1] Articles 57(2) to (4) GDPR require SAs to facilitate the submission of complaints and not to charge fees to data subjects, except for manifestly unfounded or excessive requests.

Related Articles

Articles that are related to Article 57 GDPR include Article 4(21) GDPR (definition of a supervisory authority); Article 28(8) GDPR (adoption of processors’ standard contractual clauses); Article 36(2) GDPR (prior consultation); Article 40 GDPR (codes of conduct); Article 42 GDPR (certification); Article 46 GDPR (standard data protection clauses for data transfers); Article 47 GDPR (approval of binding corporate rules); Article 50 GDPR (international cooperation for the protection of personal data); Article 58 GDPR (powers); Article 59 GDPR (activity reports); Article 60 GDPR (cooperation between supervisory authorities); Article 61 GDPR (mutual assistance); Article 62 GDPR (joint operations); Article 70 GDPR (tasks of the Board); Article 77 GDPR (complaint handling and investigations); and Article 83 GDPR (administrative fines).[2]

(1) Tasks of the supervisory authority (SA)

Article 57(1) GDPR sets out a list of 21 tasks that each SA must ("shall") perform on its territory. The detailed regulation aims at creating an equivalent level of data protection within the EU through a "uniform implementation framework" (Recitals 123 and 129 GDPR).[3]

Tasks listed in Article 57(1) GDPR can be divided into:

  • monitoring and enforcement activities (points a, f, h and g),
  • investigation and audit activities (points f and h),
  • advisory activities (points c, d, e and l),
  • awareness raising activities (points b and d),
  • cooperation activities (points g and t),
  • performing of activities and instruments envisaged in other Articles of the GDPR (points j to s),
  • documentation requirements (point u), and
  • monitoring of relevant developments that could have an impact on the protection of personal data (point i).[4]


Albeit detailed, the list of tasks is not closed, as some tasks are set out in other parts of the GDPR ("without prejudice to other tasks set out under this Regulation"). An example thereof is the drawing up of annual activity reports (Article 59 GDPR). It should be noted that ensuring the free flow of personal data is not included among the tasks of the SA.[5]

(a) Monitor and enforce the application of the GDPR

Monitoring and enforcement of the GDPR are the SA's main tasks. They summarise the core idea of the SA's activities. All other tasks listed in Article 57(1) GDPR can be understood as a manifestation of this general task.[6]

Monitoring

Monitoring of the application of the GDPR refers to controlling controllers and processors and reviewing whether they comply with the GDPR. Monitoring includes data protection audits of controllers and processors, probes of compliance with certain provisions of the GDPR or types of data processing, and reviewing the certifications issued in accordance with Article 42(7) GDPR. When performing this task, the SA typically uses the investigative powers from Article 58(1)(a)(b)(e)(f).[7]

Example: A DPA starts a probe into video surveillance practices in supermarkets to determine whether controllers comply with the principles of lawfulness and data minimisation.[8]

"[...] it is important to note that, in accordance with Article 8(3) of the Charter and Article 51(1) and Article 57(1)(a) of the GDPR, the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data [...]"

CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA, margin number 55.

Enforce

Enforcement of the application of the GDPR concerns the remedying of infringements of the GDPR that a SA has identified.[9] This means that when a SA determines that the GDPR has been applied incorrectly or not at all by a controller or processor, the SA should not stop there, but ensure compliance.

Enforcement must be effective and, if necessary, coercive. Therefore, the SA should make use of its corrective powers under Article 58(2) GDPR.[10] These range from issuing a warning, to issuing a ban on processing, to the imposition of fines. SAs thus become effective supervisors with the possibility to intervene comprehensively.[10] Data protection law, even at the highest level, is of little use if it is not enforced.[11]

Example: Company YX is transferring data to the US without a valid legal basis. After the SA has established the infringement of the GDPR, it should ensure that the infringement stops and that the controller brings the processing of personal data into compliance with the GDPR. This can be done by ordering the return of data to the EU/EEA, banning future processing of the respective data outside the EU/EEA and imposing a fine in the event that YX does not comply with the order.

(b) Promote public awareness

The GDPR assigns the SAs the task of making the public aware of the risks associated with data processing and of the safeguards and protections that the GDPR affords to data subjects and children. Informing the public is an important task of the SAs, as knowledge of the functions, possibilities and risks of data processing is limited among the general public.[12] Risks arise from the technical possibilities of accessing knowledge, but also from the consequences it can have on individuals and society when state, social or economic power obtains knowledge about people in an uncontrolled and asymmetrical manner. At the same time, only if data subjects are aware of the applicable data protection provisions and the rights afforded to them can they claim their rights and invoke violations.

Promotion of public awareness can be an effective means of raising the level of data protection. It can be done with educational events, conferences and also with the annual reports that SAs are required to draw up under Article 59 GDPR.[13] Awareness raising can also strengthen the visibility and presence of SAs. Only as publicly known bodies can the authorities effectively fulfil their task as 'independent guardians of the fundamental right to data protection'.[14]

Example: A SA organises a public campaign "know your rights" on data subject’s rights that includes visits of schools.

(c) Advise Member States and other public bodies

This provision tasks SAs to provide general, preventive advice to public bodies on which measures should be taken to ensure an appropriate level of data protection. SAs should be consulted during preparation of laws and regulations, as well as administrative measures. In this regard, Article 36(4) GDPR stipulates that Member States must consult the SA during the preparation of a legislative measure which relates to processing of personal data or of a regulatory measure based on such a legislative measure, which relates to processing. Which institutions and bodies are to be advised is determined by national laws of Member States.[15] For more information refer to Article 36(4) GDPR.

Example: Estonia upgrades its e-governance system. The Estonian SA should be consulted in the process since the system introduces new technical solutions for processing of data.

(d) Promote the awareness of controllers and processors

SAs should not only shed light on legislative proposals and administrative measures, but also on those actors whose actions are governed by the GDPR (controllers and processors). In practice, this task can be carried out, for example, through training courses, official statements as well as through direct exchange with the obligated parties in the event of obvious difficulties in interpreting provisions.[16]

Example: Organisation of workshops for data protection officers.

In contrast to Article 57(1)(c) GDPR, which clearly mandates SAs to advise Member States and public sector bodies, this provision uses a different wording - "promote awareness". Similar wording is used in point (b) in relation to the general public - "promote public awareness". Consequently, this provision must be interpreted as mandating SAs to inform and educate controllers and processors in general. However, it cannot be interpreted as a mandate for the SAs to provide legal advice to controllers and processors in individual cases of data processing and, in particular, not to seek solutions together with controllers and processors on how to adjust a particular data processing that violates the GDPR to make it GDPR compliant in the context of complaints procedures or ex officio investigations instead of establishing a violation of the GDPR.

(e) Provide information concerning the exercise of data subject rights

SAs are tasked to provide specific guidance ("upon request") to data subjects with information about the exercise of their GDPR rights. These include information regarding material rights, such as the right to be forgotten (Article 17 GDPR) and the right to compensation (Article 82 GDPR), as well as procedural rights and legal enforcement options, for instance, the rights mentioned in Article 77 GDPR, Article 78 GDPR and Article 80 GDPR.[17] Article 57(1)(e) GDPR also refers to the fact that several SAs may have to work together to provide information to data subjects ("if appropriate, cooperate with the supervisory authorities in other Member States to that end"), for example in cross-border cases where the SA of the main or only establishment of the controller is charged with the investigation (Article 56 GDPR and Article 60 GDPR) and the SA with which the complaint has been lodged is charged with informing the complainant on the progress and outcome of the complaint (Article 77(2) GDPR).[18]

Example: Provide information in an email about the mandatory requirements of a complaint upon data subject's request.

(f) Handle, investigate complaints and inform the complainant of the progress and outcome

Handle complaints lodged by a data subject

Handling of complaints is one of the main tasks of supervisory authorities.[19] "This key duty of [SAs] corresponds with the right of data subjects pursuant to Article 77 [GDPR] to lodge a complaint with a [SA]."[20] The SA's obligation to perform its task under Article 57(1)(f) GDPR is triggered by a complaint being filed with the SA. According to Article 77 GDPR the complaint can be lodged by a data subject or by a not-for-profit body on behalf of a data subject under Article 80 GDPR.

When a SA receives a complaint it must handle it.[21] SAs have the duty to handle each and every complaint submitted to them.[22] The CJEU confirmed that complaints are not and cannot be treated as petitions. SAs are required to deal with them and sanction any violation of the GDPR in an appropriate manner. As the complaint is not a mere petition, a supervisory authority cannot invoke its discretion in not dealing with it, nor can it postpone the handling in such a way that makes the right void of any substantial meaning. Lack of appropriate action by the supervisory authority or a substantial delay in handling a complaint thus constitutes a violation of the principle of effectiveness and of the due diligence duty.[23]

"[…] each supervisory authority is required on its territory to handle complaints which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of his or her personal data infringes the regulation, and is required to examine the nature of that complaint as necessary. The supervisory authority must deal with such a complaint with all due diligence […]."

CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA, margin number 56.

The CJEU also confirmed that the complaints procedure, which is not similar to that of a petition, is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects.[23]

Complaint

The GDPR does not define what constitutes a complaint. It only specifies the subject matter of a complaint. According to Article 77(1) GDPR the complaint concerns processing of personal data of the complainant which, in the complainant's view, infringes the GDPR. The European Data Protection Board ("EDPB") indicates that a complaint may be defined as a submission to a SA by an identified natural person – or a not-for-profit body, organization or association that fulfils the conditions provided by Article 80 of the GDPR – who considers that the processing of personal data relating to him or her infringes the GDPR.[24] Consequently, complaints are not restricted to breaches of data subject's rights under Chapter III of the GDPR, but also concern any other violation of the data subject rights due to non-compliance with other obligations under the GDPR by the controller or processor.

As the GDPR neither clarifies what constitutes a complaint nor provides for the minimal requirements of a complaint, the elements that a submission must contain to qualify as a complaint and be admissible are determined by Member State law.

Handling

Handling refers to the whole complaint procedure and thus covers all stages of the procedure, from checking the admissibility of the complaint and investigating its subject matter to taking a decision on the complaint and informing the data subject about the decision. When a complaint is lodged, the SA first checks whether the complaint contains all elements that are required for it to be admissible under national law.[25] Second, the SA must identify which SA is competent to handle the complaint in accordance with Article 55 GDPR and, in cross-border cases, Article 56 GDPR and, if applicable, send the complaint to the competent SA. This is done in the IMI system.[26]

The GDPR regulates the procedure only to a very limited extent. Articles 55 GDPR and 56(1) GDPR contain rules on competence and Articles 56 GDPR and 60 to 66 GDPR lay down a framework for handling of cross-border cases and cases with other transnational elements.[27] As the complaint procedure is mostly not regulated by the GDPR, complaints are handled under applicable national procedural rules. Some Member States have adopted procedural laws; in other states the procedure is regulated by internal rules of procedure, depending on the Member State's legal order. In any case, as EDPB Internal Document 02/2021 clarifies, when handling a complaint SAs should always fulfil their procedural obligations under the GDPR, as well as adhere to other applicable rules and principles of EU law, such as the right to be heard (Article 41 CFR).[28]

Investigate the subject matter of the complaint

In the next step the competent SA has to investigate the subject matter of the complaint. This "entails taking all necessary and appropriate steps with a view to resolving an issue or establishing whether an infringement has been committed and if so under what circumstances." The investigation can be carried out, for example, by hearing the person responsible, by on-site inspections or by researching the technical and other framework conditions (Article 58(1) GDPR). It is aimed at determining whether the processing and/or the handling of data subjects' rights is in compliance with the law.[29] But the subject matter of the complaint must be investigated with all due diligence.[30]

Case law: In case C-362/14 - Schrems, the CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.[31]

To the extent appropriate

SAs are provided with a margin of discretion as regards the extent or depth of the investigation needed. A complaint must be investigated "to the extent appropriate". Which investigatory steps are to be taken depends on both the circumstances of the specific case and the requirements under national procedural law, but some degree of investigation must take place if the complaint is deemed admissible.[32]

Example: When a complaint concerns processing of data without a legal basis through a website no on-site investigation is necessary. In the event that the subject matter of the complaint concerns non-compliance of video surveillance with GDPR requirements, an on-site visit can be very helpful or even necessary.

According to the EDPB, necessary and appropriate steps encompass the measures (investigative powers) mentioned in Article 58 and among others include requesting information from the controller or processor and carrying out an audit or on-site inspection. While a SA "has a discretionary power to decide upon the necessary investigatory steps to be taken, including the extent and kind of information needed in order to provide a reply to the data subject and to decide on the necessity of enforcement action [...] [t]his discretionary power must be exercised with all due diligence. In all cases, the factual and legal issues raised by the complainant must be examined".[33]

Case law: In Schrems II, the CJEU clarified that each supervisory authority is required to examine the nature of a complaint as necessary. The supervisory authority must deal with such a complaint with all due diligence.[34]

Inform the complainant of the outcome of the investigation

Finally, for all admitted complaints that are not withdrawn, SAs must provide a decision or other legally attackable act specifying the facts and legal considerations for confirming the alleged infringements from the complaint or rejecting the complaint or dismissing the complaint (not investigating it further).[35] The SA where the complaint was lodged must inform the data subject of the outcome of the investigation. The controller or processor and the complainant have the right to appeal the decision of the SA in accordance with Article 78 GDPR. In case of an appeal, the SA's decision is subject to a full judicial review (see commentary to Article 78 GDPR).[36]

Within a reasonable period

Handling of a complaint should be performed within a reasonable period of time (see also Article 77(2) GDPR and Article 78 GDPR). This reflects a fundamental duty of the SA to process complaints quickly and efficiently and to avoid lengthy proceedings.[37] Whether a reasonable time frame has been observed depends on the complexity of the case, as well as on the intensity of the infringement of the fundamental right, whereby it must also be taken into account whether the violation affects also rights of other data subjects. The aim is to prevent very long proceedings, including in transnational cases when further investigation or coordination with another SA is necessary.[38] Nevertheless, the reasonable period will be somewhat longer if coordination with other SAs is needed, for example pursuant to Article 60 GDPR, in particular if there are reasoned objections from other supervisory authorities concerned and a binding decision of the European Data Protection Board (EDPB) needs to be adopted according to Article 65 GDPR.[39]

Example: If it takes 6 years for a SA to investigate a complaint and take a final decision the complaint was not handled within a reasonable time.

The provision must also be read in conjunction with Article 78 GDPR providing for a legal remedy against legally binding decisions of SAs (see above) and in case of inactivity of a SA.[40] For example, at the latest after three months, the complainant must at least be informed of the state of affairs. If this does not happen, he can file a legal remedy against the SA.

(g) Cooperate with other supervisory authorities (SAs)

SAs must share information and cooperate with other authorities in case a processing presents transnational profiles, including through the exchange of information and providing administrative assistance. Proactivity is required as SAs are under the obligation to contribute to the consistent application of the GDPR throughout the EU/EEA according to Article 51(2) GDPR.[41] The GDPR provides rules on cooperation between SAs in Articles 60 to 66 and Article 56(2) to (5). The duty to cooperate is not limited to cases of cross-border processing as per Article 4(21) GDPR.

Example: The Austrian SA asks the Danish SA to make an on-site inspection and seize data on the controller's server located in Denmark.

For more information on cooperation see commentary to Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR and Article 56 GDPR.

(h) Conduct investigations

The SA is also tasked to carry out investigations on its own initiative to ensure compliance with the GDPR. Investigations under Article 57(1)(h) GDPR can also be initiated based on information that the SA obtained from another SA (e.g. in accordance with Article 60(1) GDPR and Article 61(1) GDPR), another national authority (e.g. a competition SA, consumer protection or telecommunications authority) or from any other source.[42] However, if a complaint was filed, the SA must examine the complaint in a complaint procedure. At the European level, Article 46(b) of Regulation (EC) No 45/2001 contains a similar ex officio duty of investigation for the European Data Protection Supervisor (EDPS).[43]

Example: A SA initiates an ex officio investigation, after a research study by a NGO reveals that cars are sharing unlimited data with car producers, including video and audio of the driver and passengers.

(i) Monitor relevant development

Another activity SAs are tasked with is to follow any development relevant to the data protection field. In particular, the SA must follow new communication technologies and business practices. This includes new invasive processing methods, for example in the areas of big data, pattern recognition and internet surveillance, as well as technical developments that can be used to ensure data protection requirements, such as options for separate data storage, encryption and pseudonymisation, and use of secure networks. SAs should also be aware of new trends in processing of personal data for purposes of advertising, pay-or-ok solutions, and the use of new consent and contract clauses.[44] Following relevant developments also seems to be necessary in order to adequately carry out the other tasks, particularly monitoring and advice.[45]

Example: SA should react when social networks start using pay-or-ok solutions.

(j) Adopt standard contractual clauses

Under Article 57(1)(j) GDPR, SAs are given the task to adopt standard contractual clauses as laid down in Article 28(8) GDPR and Article 46(2)(d) GDPR. Both cases require activity by the EDPB, within the consistency mechanism under Article 63 GDPR or by adopting an opinion under Article 64(1)(d) GDPR.

For more information see commentary to Article 28(8) GDPR and Article 46(2)(d) GDPR.

(k) Maintain a list of processing operations requiring a data protection impact assessment

Every SA has to establish and maintain a list of the processing operations for which a data protection impact assessment (DPIA) must always be carried out (Article 35(4) GDPR). On the other hand, maintaining a negative list for cases where a DPIA is not needed is not a mandatory task.[46] According to Article 35(5) GDPR, a SA can also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. These lists are to be submitted to the EDPB.

For more information, please refer to Article 35 GDPR.

(l) Give advice on data protection impact assessment

Advising controllers and processors with regard to high-risk processing operations referred to in Article 36(2) GDPR is one of the tasks of SAs. This includes receiving and reviewing the data protection impact assessment notified to it and advising the controller in accordance with Article 36(2) GDPR, in particular making proposals to mitigate the risk.[47] The SA can also make use of any of its powers referred to in Article 58 GDPR. This includes its corrective powers, in particular if the written recommendations of the SA are not taken into account and the controller or processor continuously fails to properly identify and mitigate the risk.[48]

For more details see commentary to Article 36 GDPR.

(m) Encourage the drawing up of codes of conduct and regulate the use of codes of conduct

SAs have the task of promoting development of codes of conduct by associations and other organisations representing categories of controllers or processors pursuant to Article 40(1) GDPR. The SA receives the draft, examines it, issues an opinion on whether it is compatible with the GDPR and, if so, approves it.[49]

See comment under Article 40 GDPR.

(n) Regulate the use of data protection certification mechanisms

This task is directly connected with Article 42(1) GDPR that stipulates that SAs are to encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance of processing operations by controllers and processors with the GDPR. The SA is also to issue certifications and approve criteria according to which the process to be certified is to be examined pursuant to Article 42(5) GDPR.[50]

See comment under Article 42 GDPR.

(o) Carry out reviews of certifications

This task is further specified in Article 42 GDPR. A SA must periodically review the certifications granted under Article 42 GDPR (see also point (n) above), which is followed by a renewal or withdrawal of the certification in accordance with Article 42(7) GDPR.[51]

For more information see comment under Article 42 GDPR.

(p) Draft the requirements for accreditation of monitoring bodies and certification bodies

This task concerns codes of conduct under Article 41 GDPR and certifications under Article 43 GDPR, which can be approved and issued by bodies other than SAs. These bodies require accreditation for this purpose. The SA determines and publishes the requirements these bodies must fulfil for accreditation.[52]

See also commentary to Article 41 GDPR and Article 43 GDPR.

(q) Accredit monitoring bodies and certification bodies

SAs are tasked to carry out the accreditation of a body for monitoring of compliance with a code of conduct pursuant to Article 41 GDPR and a certification body pursuant to Article 43 GDPR on the basis of the requirements formulated under Article 57(1)(p) (see point (p) above).

For more information see also comments under Article 41 GDPR and Article 43 GDPR.

(r) Authorise contractual clauses and provisions

Similarly, SAs are in charge of authorisation of contractual clauses and provisions referred to in Article 46(3) GDPR providing a legal basis for transfers of data to third countries (outside EU/EEA) or to international organisations.

See comment under Article 46 GDPR.

(s) Approve binding corporate rules

This task concerns the role of SAs assigned to them by Article 47 GDPR with regard to binding corporate rules for internal transfers of data outside EU/EEA within one group of undertakings or group of enterprises engaged in a joint economic activity, which have to be approved by a SA.

See commentary to Article 47 GDPR.

(t) Contribute to the activities of the EDPB

Pursuant to Article 57(1)(t) GDPR SAs contribute to the activities of the EDPB ("the Board"). The concept of contributions is to be understood comprehensively. It refers, among others, to the entire coherence procedure (Articles 63 to 66 GDPR), as well as to the numerous tasks of the EDPB.[53] The EDPB's tasks are listed in Article 70 GDPR and include, in particular, the preparation and publication of opinions, guidelines, recommendations and best practices. The SAs should actively contribute to the fulfilment of these tasks. This concerns both the meetings of the EDPB itself and their preparation, in particular within the framework of expert subgroups.[54]

The EDPB itself has the task of promoting cooperation and exchange between data protection supervisory authorities.[55]

(u) Keep records of infringements

Furthermore, SAs have the task of keeping internal records of infringements of the GDPR and measures taken against controllers and processors under Article 58(2) GDPR, which lays down corrective powers of SAs. The content of internal records is not further specified. It seems that a bullet point description of the infringements and the type of measures taken (e.g. warning, reprimand, orders, imposition of fines) would be sufficient. It is not mandatory to include the amount of fines imposed. The records can be used as a basis for the activity report (Article 59 GDPR) and for diverse advisory tasks of the SAs. It can also be used to make strategic decisions on the future direction of SA's activities, its effectiveness, cooperation with other SAs and to follow general developments.[56]

(v) Fulfil other tasks

Finally, Article 57(1)(v) GDPR constitutes the residual provision for all “other tasks related to the protection of personal data”. The list of tasks is therefore not exhaustive and Member States can provide for further tasks in national law. However, these should be chosen carefully with a view to the respective financial resources and the already far-reaching tasks.[57] An example of other tasks is the prior authorisation of data processing in the public interest if required under national law (Article 36(5) GDPR and Article 58(3)(c) GDPR).[58]

On its territory

The wording ("on its territory") is intended to clarify that the tasks of the supervisory authority do not extend beyond the territory of its Member State.[59]

(2) Submission of complaints to be facilitated

Article 57(2) GDPR provides for facilitation of the filing of a complaint on the formal side.[60] This means that the SA should be able to provide simple and intuitive solutions for uploading and filing the complaint as well as relevant attachments. The provision expressly mentions a “complaint submission form” which should be easy to understand and gain access to.[61] The provision of a complaint form is one way of making the submission of complaints unbureaucratic and simple. It can also make it easier for the SA to fulfil its tasks because it can use standardisation to make the complaints procedure more effective. The design of a complaints form can provide the complainant with instructions on how to complete the form, which makes the work of the SA easier and keeps the need for queries within limits. For example, it can be listed which information is required on the respondent and the subject of the complaint and which evidence, if any, may be relevant.[62] The provision, however, does not exclude “other means of communications”, such as e-mail. In order to facilitate the filing, the SA’s IT systems should be able to receive the complaints with the least number of obstacles possible. They should allow the upload of the most commonly used file formats and avoid setting unreasonable restrictions on the number of files that can be uploaded and their size.[63]

Additionally, the data subject's right to file a complaint and seek protection following an infringement of the GDPR is widely mentioned and protected throughout the GDPR. Data subjects are informed about the existence of the right to complain (Article 12(4) GDPR and Article 13(2)(d)(e) GDPR). The SAs deal with every complaint, investigating it to an appropriate extent and informing the complainant about the progress and result of the investigation (Article 57(1)(f) GDPR). A data subject can lodge a complaint with a SA of his choice (Article 77 GDPR).[64]

(3) Free of charge principle for data subjects

The right to file a complaint is granted free of charge. This supports the idea of data protection as a fundamental right that must be enforced without undue hindrance by both controllers and SAs. On the other side, since controllers and processors are not mentioned, it seems reasonable to conclude that the SA may charge them with some fees for the performance of their tasks.[65] However, SAs should take into account that the performance of tasks free of charge, including where controllers and processors are involved, can encourage them to consult with the SA regarding their processing activities and thus contribute to GDPR-compliant processing.[66]

(4) Exception: manifestly unfounded or excessive requests

Article 57(4) GDPR provides for an exception to the “free of charge” principle. If the requests are manifestly unfounded or excessive, in particular if they are repetitive, the authority may charge a reasonable fee or refuse to act on the request. This is to prevent the activity of a SA from being seriously impaired or even paralysed by troublemakers who make nonsensical or repeated requests. However, since the task of the SAs is to protect fundamental rights, this exception rule may only be used in clearly defined situations.[67] The above exception may limit the protection of the data subject's right to file a complaint. For this reason, Article 57(4) GDPR provides that the data protection SA bears the burden of proof and must demonstrate that a request is manifestly unfounded or excessive.

Decisions

→ You can find all related decisions in Category:Article 57 GDPR

References

  1. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 1 (Nomos 2022).
  2. See Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 929 (Oxford University Press 2020).
  3. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 1-3 (C.H. Beck 2021).
  4. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).
  5. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 4 (Nomos 2022).
  6. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 9 (C.H. Beck 2020).
  7. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019). See also Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 7 (Nomos 2022).
  8. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).
  9. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 9 (Nomos 2019).
  10. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 7 (C.H. Beck 2018).
  11. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 6 (Nomos 2022).
  12. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 15 and 16 (Nomos 2022).
  13. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 13 (2nd Edition, C.H. Beck 2018).
  14. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).
  15. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57, margin numbers 9-11 (C.H. Beck, 36th edition).
  16. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14-19 (C.H. Beck 2020).
  17. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 23 and 24 (Nomos 2022).
  18. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).
  19. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).
  20. Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available here.
  21. See CJEU - C-26/22 - Schufa Holding, paragraphs 47-70.
  22. See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available here.
  23. CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin numbers 56 and 58 (available here).
  24. See Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, pages 3 and 4, available here. See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available here.
  25. Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 14, available here.
  26. "IMI (Internal Market Information System) was chosen as the IT platform to support cooperation and consistency procedures under the GDPR. IMI helps public authorities across the EU to cooperate and exchange information. The GDPR is the 13th legal area supported by the system." See EDPB website https://www.edpb.europa.eu/news/news/2018/state-play-imi-gdpr-purposes_en (29 March 2024).
  27. Add Procedural regulation.
  28. Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available here.
  29. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).
  30. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available here.
  31. CJEU, case C-362/14 - Schrems I, paragraph 63.
  32. See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available here.
  33. See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available here.
  34. CJEU, C‑311/18 - Schrems II, paragraph 109; see also CJEU, C-26/22 - xxx, paragraph 56.
  35. See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available here.
  36. CJEU, C-26/22, paragraph 52; see also C‑132/21 - Nemzeti, paragraph 41.
  37. Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 6-11 (C.H. Beck 2017).
  38. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).
  39. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).
  40. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).
  41. Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).
  42. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).
  43. Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available here.
  44. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 35-37 (Nomos 2019).
  45. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).
  46. xxxx
  47. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 48 (Nomos 2022).
  48. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 40 (Nomos 2019).
  49. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 41 (Nomos 2019).
  50. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 50-52 (Nomos 2022).
  51. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 53 (Nomos 2022).
  52. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 54 (Nomos 2022).
  53. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 49 (Nomos 2019).
  54. Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 36-37 (C.H. Beck 2021, 39th Edition).
  55. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).
  56. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 57 (Nomos 2019).
  57. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 24 (C.H. Beck 2020).
  58. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 66 (Nomos 2022).
  59. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 13 (Nomos 2022).
  60. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
  61. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
  62. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
  63. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
  64. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
  65. Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, (C.H. Beck 2017). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 53-55 (Nomos 2019).
  66. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 71 and 72 (Nomos 2022).
  67. Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 22-24 (C.H. Beck 2017); Körffer, in Paal, Pauly, DS-GVO BDSG, Article 57 GDPR, margin number 31, who also advocates a cautious application of the exception to the free-of-charge principle.