Article 55 GDPR: Difference between revisions
mNo edit summary |
|||
(12 intermediate revisions by 2 users not shown) | |||
Line 199: | Line 199: | ||
== Commentary == | == Commentary == | ||
Article 55 is a provision on jurisdiction.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).</ref> According to the general rule in paragraph 1, a supervisory authority (SA) has jurisdiction on the territory of its Member State. Paragraphs 2 and 3 contain competence rules for two specific situations. Processing in public interest, in the exercise of public authority or to comply with a legal obligation (point c and e of Article 6(1) GDPR) is always supervised by the SA of the Member State concerned, also in cross-border cases. Second, processing by judiciary is partially exempt from supervision by SAs to safeguard the independence of judiciary (separation of powers). | Article 55 is a provision on jurisdiction.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).</ref> According to the general rule in paragraph 1, a supervisory authority (SA) has jurisdiction on the territory of its Member State. Paragraphs 2 and 3 contain competence rules for two specific situations, overlaying the principle of territorial competence. Processing in public interest, in the exercise of public authority or to comply with a legal obligation (point c and e of Article 6(1) GDPR) is always supervised by the SA of the Member State concerned, also in cross-border cases. Second, processing by judiciary is partially exempt from supervision by SAs to safeguard the independence of judiciary (separation of powers). | ||
Additionally, Article 56 GDPR contains rules on competences of SAs in cases of cross-border processing. A cross-border case occurs and thus Article 56 GDPR is to be consulted where data is processed by several establishments of a processor or controller in the EU/EEA or when processing substantially affects (or is likely to sustainably affect) data subjects in more than one Member State, as per legal definition of cross-border processing in Article 4(23) GDPR. | Additionally, Article 56 GDPR contains rules on competences of SAs in cases of cross-border processing. A cross-border case occurs and thus Article 56 GDPR is to be consulted where data is processed by several establishments of a processor or controller in the EU/EEA or when processing substantially affects (or is likely to sustainably affect) data subjects in more than one Member State, as per legal definition of cross-border processing in [[Article 4 GDPR|Article 4(23) GDPR]]. | ||
=== (1) Territorial competence of supervisory authorities (SAs) === | === (1) Territorial competence of supervisory authorities (SAs) === | ||
The jurisdiction of a SA is limited to the territory of its own Member State. SAs are entitled to act and exercise their powers on the territory of its own state and their competence ends at the border of it's Member State. This reflects the basic principle of public international law, the principle of sovereignty: a state has the power to enforce the law within its national borders through its national authorities. <ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).</ref> On the other hand, each state is prohibited to exercise power or authority on the territory of another state.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).</ref> <blockquote>Example: French DPA can conduct an investigation on the premises of a controller, if the premises is located in France. At the same time the French DPA cannot on its own conduct an investigation on the premises of a processor, if the premises is located in Spain.</blockquote>It also means that a decision issued by a SA cannot be enforced in another state | The jurisdiction of a SA is limited to the territory of its own Member State. SAs are entitled to act and exercise their powers on the territory of its own state and their competence ends at the border of it's Member State. This reflects the basic principle of public international law, the principle of sovereignty: a state has the power to enforce the law within its national borders through its national authorities. <ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).</ref> On the other hand, each state is prohibited to exercise power or authority on the territory of another state.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).</ref> <blockquote>Example: French DPA can conduct an investigation on the premises of a controller, if the premises is located in France. At the same time the French DPA cannot on its own conduct an investigation on the premises of a processor, if the premises is located in Spain.</blockquote>It also means that a decision issued by a SA cannot be enforced in another state. | ||
This was confirmed by CJEU in Weltimmo | Example: If the Austrian SA would issue a decision by which it would ban further processing of data and impose a 150.000 EUR fine against a controller from France that has no establishment in Austria the Austrian authority would not have the power or any means to force the controller to comply with the decision and pay the fine since it is not on the territory of Austria.<blockquote>This was confirmed by CJEU in [[CJEU - C-230/14 - Weltimmo|C-230/14 - Weltimmo]]. The judgement, among others, confirmed the territorial nature of competences, performance of tasks and exercising of powers of SAs. It concerned the interpretation of Article 28 GDPR of Directive 95/46, the GDPR predecessor. It stays relevant with regard to concepts explained and guiding principles regarding SAs' competences, including their duty to cooperate with other SAs, where necessary to enforce the law in order to provide effective protection to individuals.<ref>''See Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 905 (Oxford University Press 2020); ''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55, margin number 11 (C.H. Beck 2024, 4<sup>th</sup> edition) and ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 6 (Nomos 2019).</ref></blockquote>The limitation of jurisdiction to the territory of the state ''“confirms the role of SA as enforcement authorities, having competence on national territory equal to other public bodies and judicial authorities.”''<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 904 (Oxford University Press 2020).</ref> | ||
==== Is competent on the territory of its Member State ==== | |||
For the competence to be vested with a SA of a Member State a link must exist between a data processing concerned and SA's territory. Recital 122 specifies situations when such link is considered to exists and competence should, in particularly, be vested with a SA of a Member State. This is where processing either takes place in the context of the activities of an establishment on SA's territory, affects data subjects on its territory, or where processing, by a controller or processor without an establishment in the EU/EEA, is targeting data subjects residing on its territory. Recital 122 reference points reflect the criteria defining the territorial application of the GDPR from [[Article 3 GDPR]] confirming that there is always a SA competent to supervise and enforce the application of the GDPR whenever it applies. The variety and flexibility of reference points takes into account the variety and flexibility of processing operations in the digital world, where the place of processing is not necessarily relevant for the effects that respective processing has on individuals.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, pages 906 - 908 (Oxford University Press 2020).</ref> | |||
Case law: '' | ===== Competence - establishment in a Member State ===== | ||
To have jurisdiction in situations where competence is linked to the establishment on its territory data does not need to be physically processed by the controller or processor nor must the controller or processor be formally established in that Member State. The concepts of "in the context of its activities" and "establishment" are much wider. <blockquote>Case law: In ''Google Spain'' CJEU ruled that personal data, which were de facto processed by the global search engine provider Google Search, were also processed in the context of the commercial and advertising activities of its Spanish subsidiary that was promoting and selling advertising space offered by that engine in the territory of Spain and thus making the service offered by that engine profitable. <ref>CJEU judgement in case [[CJEU - C‑131/12 - Google Spain|C-131/12 - Google Spain]], paragraphs 55-60.</ref> </blockquote>According to CJEU concept of ‘establishment’ extends to any real and effective activity, even a minimal one, exercised through stable arrangements.<ref>CJEU judgements in ''C-191/15 - Verein für Konsumenteninformationen'', paragraph 76; and ''Weltimmo'' - C‑230/14, paragraph 31.</ref> "''Legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor."'' Recital 22 GDPR resonates these case law. The concept is flexible and appropriate to ensure effective and complete protection of the individual.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 907 '''xxx''' (Oxford University Press 2020).</ref><blockquote>Case law: In [[CJEU - C-230/14 - Weltimmo|Weltimmo CJEU]] considered that operating a website by a company of one state in the language of another state and having, among others, a representative in that state, who was actively involved in certain operations of the company in that state, presents real and effective activity through stable arrangements vesting the competence to hear claims of individuals with the SA of that state. <ref>CJEU judgement in case ''C-230/14 - Weltimmo,'' paragraphs 31-38.</ref> On the other hand, as confirmed in ''C-191/15 - Verein für Konsumenteninformation'', the mere accessibility of a website in a Member State does not suffice to constitute establishment and vest competence with the SA of that state.<ref name=":0">''CJEU judgement in case C-191/15 - Verein für Konsumenteninformationen'', paragraph 76, available [https://curia.europa.eu/juris/liste.jsf?num=C-191/15 here].</ref></blockquote>The concepts of "in the context of its activities" and "establishment" are further discussed in [[Article 4 GDPR]] of this commentary. | |||
===== Competence - national cases ===== | |||
The competent SA is simple to determine in cases where the processing concerned takes place within the establishment of a controller or processor in one Member State and concerns only data subjects on the territory of the same state. The national SA of that state will be competent to handle a complaint, conduct an investigation, issue a decision and a fine or to carry out any other task and exercise any other power conferred on it by the GDPR.<blockquote>Example: Polish SA will be competent to handle a complaint lodged with it by a Hungarian citizen living in Poland with regard to processing of her data by the Polish company Spring.</blockquote> | |||
===== Competence - cross-border processing ===== | |||
For cross-border processing ([[Article 4 GDPR|Article 4(23) GDPR]]), where processing takes place in more than one establishment of a processor or controller in the EU/EEA or where processing substantially affects or is likely to substantial affect data subjects in more than one Member State the competences are allocated between SAs, which would be competent under Article 55(1) GDPR, as provided in [[Article 56 GDPR]] in connection with [[Article 60 GDPR]]. For more information see commentary to respective articles. | |||
===== Competence - other transnational cases cases ===== | |||
In other cases with transnational elements, for instance, if the data of a data subject of one Member State where the complaint was filed is processed by a controller established in another State or if the server with the data is in another Member State and needs to be inspected on sight, SAs from several Member States might have to work together to provide for effective protection and enforcement of the GDPR. GDPR provides the necessary tools in [[Article 61 GDPR|Articles 61]] (mutual assistance) and [[Article 62 GDPR|62 GDPR]] (joint operations), which apply not only when the conditions for cross-border processing are fulfilled but also for other cases of processing with transnational elements. The cooperation between SAs is mandatory in each case where it is not possible to effectively protect the rights of individuals and enforce the GDPR without it. <blockquote>Case law: In [[CJEU - C-230/14 - Weltimmo|case C-230/14, ''Weltimmo'']], CJEU held that for finding an infringement and imposing penalties the SA where the complaint was lodged must request cooperation of the SA of the establishment in accordance with the rules on cooperation. At the same time CJEU pointed out that “''the law should make it possible for individuals to enforce their right to protection''” <ref name=":1">CJEU [[CJEU - C-230/14 - Weltimmo|''C-230/14 - Weltimmo'']], paragraphs 53 to 57.</ref> </blockquote> | |||
===== Competence where controller and processor is not established in the EU/EEA ===== | |||
A SA is also competent when processing carried out by a controller or processor not established in the EU/EEA is targeting data subjects residing on its territory. The targeting can be done in relation to offering goods or services or through monitoring their behaviour. This refers to situations when GDPR is applicable according to [[Article 3 GDPR|Article 3(2) GDPR]]. In these situations, several SAs can be competent to act in parallel, each with regard to the processing of data of their residents.<ref>See ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020). Regarding the option that the data must remain within the territory of the Union to secure the protection of individuals and their rights under the GDPR see also CJEU ''C-293/12 - Digital Rights Ireland,'' paragraph 68, [https://curia.europa.eu/juris/liste.jsf?num=C-293/12&language=de available here].</ref> | |||
This is confirmed by the wording of | In this situations the main question is how to enforce a decision when a violation of the GDPR is established. In particularly, how corrective measures and fines can be enforced, since the controller or processor are located outside the territory and thus outside the reach of any Member State, especially in situations when a controller has not designated a representative on the territory of the European Union (in breach of [[Article 27 GDPR|Article 27(1) GDPR]]). In such situations s SA may ask the competent authorities of the country of the processor for cooperation under an international agreement between the countries.<ref>See ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin numbers 16 and 17 (Nomos 2019). See also ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> It may also order that the data has to remain within the Union and cannot be transferred to a third country. | ||
==== Performance of tasks and exercise of powers ==== | |||
The competence of a SA extends to all of the tasks assigned to it and powers conferred to it by the GDPR, as long as the tasks are performed and the powers exercised on the territory of its own Member State. This is confirmed by the wording of [[Article 57 GDPR]] and [[Article 58 GDPR]] the main articles on tasks and powers of SAs, respectively. Both Articles explicitly limit SA's performance of entailed tasks and the exercising of conferred powers to the territory of its own Member State. | |||
The tasks | The competence with regard to tasks and powers "''include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data"'' as noted in Recital 122. | ||
While Article 55 GDPR vests the competence with the SA to perform tasks assigned to it and powers conferred to it, Articles 57 and 58 GDPR impose the obligation to perform all the tasks and exercise the powers, when applicable. | |||
==== Competence on the territory ==== | |||
The jurisdiction of a SA and its coercive power is limited to the territory of its own state due to the principle of sovereignty. This means that a SA of one Member State cannot use its powers outside the borders of it's state, on the territory of another state.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> CJEU ruled on the territorial limitation of performance of tasks and exercising of powers in [[CJEU - C-230/14 - Weltimmo|''Weltimmo judgement (''C-230/14)]].<blockquote>Case law: In [[CJEU - C-230/14 - Weltimmo|case C-230/14, ''Weltimmo'']], CJEU stated that a SA cannot impose penalties outside the territory of its own Member State but it can examine a complaint and exercise investigative powers against a company established in another Member State which was directing its activities to residents of its state. <ref name=":1" /> | |||
</blockquote>This provision should not be understood as an obligation that each SA must be competent for the whole territory where several SAs co-exist in one Member State. It is a question of national law to determine the jurisdiction of SAs when a state takes advantage of the option provided under [[Article 51 GDPR|Article 51(3) GDPR]] to establish several SAs.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).</ref> | |||
==== No rule on applicable law ==== | ==== No rule on applicable law ==== | ||
The GDPR in several provisions mandates Member States to adopt more specific national rules on data protection, such as on special categories of data ([[Article 9 GDPR]]) or human resources data ([[Article 88 GDPR]]). It is not evident which national law is applicable in such instances as GDPR does not contain any rules on applicable law for data processed within the Union. The SA of one state may have to apply the national rules of another state in such cases concerning such situations.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 908 (Oxford University Press 2020).</ref> | The GDPR in several provisions mandates Member States to adopt more specific national rules on data protection, such as on special categories of data ([[Article 9 GDPR]]) or human resources data ([[Article 88 GDPR]]). It is not evident which national law is applicable in such instances as GDPR does not contain any rules on applicable law for data processed within the Union. The SA of one state may have to apply the national rules of another state in such cases concerning such situations.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 908 (Oxford University Press 2020).</ref> | ||
=== (2) Exclusive competence regarding processing for compliance with a legal obligation or in the public interest === | === (2) Exclusive competence regarding processing for compliance with a legal obligation or in the public interest === | ||
Article 55(2) GDPR regulates the SA’s competence in case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA in whose Member State the public authority or private body is located. In such cases, Article 56 GDPR will not apply and the only competent SA to exercise its powers should be the one where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.<ref>''Körffer'', in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).</ref> | Article 55(2) GDPR regulates the SA’s competence in case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA in whose Member State the public authority or private body is located. In such cases, Article 56 GDPR will not apply and the only competent SA to exercise its powers should be the one where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.<ref>''Körffer'', in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).</ref> | ||
Line 265: | Line 252: | ||
==== Processing carried out by private entities performing tasks under a legal obligation or under the public interest ==== | ==== Processing carried out by private entities performing tasks under a legal obligation or under the public interest ==== | ||
Also, private entities performing tasks under a legal obligation or in the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers would not be subject to the one-stop shop procedure. However, when the private entity is processing data under any other legal basis than Article 6(1)(c)(e), for example based on consent or contract (Article 6(1)(b)), the same entity is subject to Article 56. This means that in case of cross-border processing the LSA will be responsible for monitoring the entities' compliance with the GDPR. This can lead to situations where the same entity can be subject to monitoring by different SAs in relation to different processing of same data.<blockquote><u>For example</u>: Passenger data that are collected by airlines for commercial purposes are subject to control by the LSA (SA of main establishment of the airline). When data on passengers is transferred to the public authority where the plane will land or take off under Article 8 Directive 2016/681, the transfer is subject to the control of the SA of the Member State on the territory of which the plane will land or take off.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020).</ref></blockquote> | Also, private entities performing tasks under a legal obligation or in the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers would not be subject to the one-stop shop procedure. However, when the private entity is processing data under any other legal basis than [[Article 6 GDPR|Article 6(1)(c)(e)]], for example based on consent or contract ([[Article 6 GDPR|Article 6(1)(b)]]), the same entity is subject to Article 56. This means that in case of cross-border processing the LSA will be responsible for monitoring the entities' compliance with the GDPR. This can lead to situations where the same entity can be subject to monitoring by different SAs in relation to different processing of same data.<blockquote><u>For example</u>: Passenger data that are collected by airlines for commercial purposes are subject to control by the LSA (SA of main establishment of the airline). When data on passengers is transferred to the public authority where the plane will land or take off under Article 8 Directive 2016/681, the transfer is subject to the control of the SA of the Member State on the territory of which the plane will land or take off.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020).</ref></blockquote> | ||
=== (3) Limited competence for supervision of courts === | === (3) Limited competence for supervision of courts === | ||
Line 275: | Line 262: | ||
==== Supervisory authority (SA) is (not) competent ==== | ==== Supervisory authority (SA) is (not) competent ==== | ||
Courts are not totally exempt from control by SAs. They are exempt only when they are acting in their judicial capacity, but not regarding activities that are outside their judicial capacity. <blockquote>Case law: | Courts are not totally exempt from control by SAs. They are exempt only when they are acting in their judicial capacity, but not regarding activities that are outside their judicial capacity. <blockquote>Case law: CJEU considered in case [https://gdprhub.eu/CJEU%20-%20C-245/20%20-%20Autoriteit%20Persoonsgegevens ''C-245/20 -'' ''Autoriteit Persoonsgegevens''] that processing of personal data carried out in the context of a court's communication policy on cases falls outside the competence of a SA.<ref>See [https://gdprhub.eu/CJEU%20-%20C-245/20%20-%20Autoriteit%20Persoonsgegevens ''C-245/20 -'' ''Autoriteit Persoonsgegevens''], paragraph 37.</ref></blockquote>On the other hand, activities of judicial administration, such as practices, procedures and offices that deal with the management of the system of the courts are subject to the control by a SA. Thus, processing of the data of the staff hired by a court remains subject to the supervision of the SA. | ||
===== Acting in judicial capacity ===== | ===== Acting in judicial capacity ===== | ||
<blockquote>Case law: In case [https://gdprhub.eu/CJEU%20-%20C-245/20%20-%20Autoriteit%20Persoonsgegevens ''C-245/20 -'' ''Autoriteit Persoonsgegevens''] | <blockquote>Case law: In case [https://gdprhub.eu/CJEU%20-%20C-245/20%20-%20Autoriteit%20Persoonsgegevens ''C-245/20 -'' ''Autoriteit Persoonsgegevens''] CJEU clarified that processing operations carried out by courts ‘acting in their judicial capacity’ must be understood, as not being limited to the processing of data in specific cases, but as referring, more broadly, to all processing operations carried out by courts in the course of their judicial activity whose supervision by a SA would be likely, whether directly or indirectly, to have an influence on the independence of their members or to weigh on their decisions. <ref>See CJEU ''[[CJEU - C-245/20 - Autoriteit Persoonsgegevens|C-245/20 - Autoriteit Persoonsgegevens]]'', paragraphs 34 to 39.</ref></blockquote> | ||
== Decisions == | == Decisions == |
Latest revision as of 21:34, 1 April 2024
Legal Text
1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.
3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.
Relevant Recitals
Commentary
Article 55 is a provision on jurisdiction.[1] According to the general rule in paragraph 1, a supervisory authority (SA) has jurisdiction on the territory of its Member State. Paragraphs 2 and 3 contain competence rules for two specific situations, overlaying the principle of territorial competence. Processing in public interest, in the exercise of public authority or to comply with a legal obligation (point c and e of Article 6(1) GDPR) is always supervised by the SA of the Member State concerned, also in cross-border cases. Second, processing by judiciary is partially exempt from supervision by SAs to safeguard the independence of judiciary (separation of powers).
Additionally, Article 56 GDPR contains rules on competences of SAs in cases of cross-border processing. A cross-border case occurs and thus Article 56 GDPR is to be consulted where data is processed by several establishments of a processor or controller in the EU/EEA or when processing substantially affects (or is likely to sustainably affect) data subjects in more than one Member State, as per legal definition of cross-border processing in Article 4(23) GDPR.
(1) Territorial competence of supervisory authorities (SAs)
The jurisdiction of a SA is limited to the territory of its own Member State. SAs are entitled to act and exercise their powers on the territory of its own state and their competence ends at the border of it's Member State. This reflects the basic principle of public international law, the principle of sovereignty: a state has the power to enforce the law within its national borders through its national authorities. [2] On the other hand, each state is prohibited to exercise power or authority on the territory of another state.[3]
Example: French DPA can conduct an investigation on the premises of a controller, if the premises is located in France. At the same time the French DPA cannot on its own conduct an investigation on the premises of a processor, if the premises is located in Spain.
It also means that a decision issued by a SA cannot be enforced in another state. Example: If the Austrian SA would issue a decision by which it would ban further processing of data and impose a 150.000 EUR fine against a controller from France that has no establishment in Austria the Austrian authority would not have the power or any means to force the controller to comply with the decision and pay the fine since it is not on the territory of Austria.
This was confirmed by CJEU in C-230/14 - Weltimmo. The judgement, among others, confirmed the territorial nature of competences, performance of tasks and exercising of powers of SAs. It concerned the interpretation of Article 28 GDPR of Directive 95/46, the GDPR predecessor. It stays relevant with regard to concepts explained and guiding principles regarding SAs' competences, including their duty to cooperate with other SAs, where necessary to enforce the law in order to provide effective protection to individuals.[4]
The limitation of jurisdiction to the territory of the state “confirms the role of SA as enforcement authorities, having competence on national territory equal to other public bodies and judicial authorities.”[5]
Is competent on the territory of its Member State
For the competence to be vested with a SA of a Member State a link must exist between a data processing concerned and SA's territory. Recital 122 specifies situations when such link is considered to exists and competence should, in particularly, be vested with a SA of a Member State. This is where processing either takes place in the context of the activities of an establishment on SA's territory, affects data subjects on its territory, or where processing, by a controller or processor without an establishment in the EU/EEA, is targeting data subjects residing on its territory. Recital 122 reference points reflect the criteria defining the territorial application of the GDPR from Article 3 GDPR confirming that there is always a SA competent to supervise and enforce the application of the GDPR whenever it applies. The variety and flexibility of reference points takes into account the variety and flexibility of processing operations in the digital world, where the place of processing is not necessarily relevant for the effects that respective processing has on individuals.[6]
Competence - establishment in a Member State
To have jurisdiction in situations where competence is linked to the establishment on its territory data does not need to be physically processed by the controller or processor nor must the controller or processor be formally established in that Member State. The concepts of "in the context of its activities" and "establishment" are much wider.
Case law: In Google Spain CJEU ruled that personal data, which were de facto processed by the global search engine provider Google Search, were also processed in the context of the commercial and advertising activities of its Spanish subsidiary that was promoting and selling advertising space offered by that engine in the territory of Spain and thus making the service offered by that engine profitable. [7]
According to CJEU concept of ‘establishment’ extends to any real and effective activity, even a minimal one, exercised through stable arrangements.[8] "Legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor." Recital 22 GDPR resonates these case law. The concept is flexible and appropriate to ensure effective and complete protection of the individual.[9]
Case law: In Weltimmo CJEU considered that operating a website by a company of one state in the language of another state and having, among others, a representative in that state, who was actively involved in certain operations of the company in that state, presents real and effective activity through stable arrangements vesting the competence to hear claims of individuals with the SA of that state. [10] On the other hand, as confirmed in C-191/15 - Verein für Konsumenteninformation, the mere accessibility of a website in a Member State does not suffice to constitute establishment and vest competence with the SA of that state.[11]
The concepts of "in the context of its activities" and "establishment" are further discussed in Article 4 GDPR of this commentary.
Competence - national cases
The competent SA is simple to determine in cases where the processing concerned takes place within the establishment of a controller or processor in one Member State and concerns only data subjects on the territory of the same state. The national SA of that state will be competent to handle a complaint, conduct an investigation, issue a decision and a fine or to carry out any other task and exercise any other power conferred on it by the GDPR.
Example: Polish SA will be competent to handle a complaint lodged with it by a Hungarian citizen living in Poland with regard to processing of her data by the Polish company Spring.
Competence - cross-border processing
For cross-border processing (Article 4(23) GDPR), where processing takes place in more than one establishment of a processor or controller in the EU/EEA or where processing substantially affects or is likely to substantial affect data subjects in more than one Member State the competences are allocated between SAs, which would be competent under Article 55(1) GDPR, as provided in Article 56 GDPR in connection with Article 60 GDPR. For more information see commentary to respective articles.
Competence - other transnational cases cases
In other cases with transnational elements, for instance, if the data of a data subject of one Member State where the complaint was filed is processed by a controller established in another State or if the server with the data is in another Member State and needs to be inspected on sight, SAs from several Member States might have to work together to provide for effective protection and enforcement of the GDPR. GDPR provides the necessary tools in Articles 61 (mutual assistance) and 62 GDPR (joint operations), which apply not only when the conditions for cross-border processing are fulfilled but also for other cases of processing with transnational elements. The cooperation between SAs is mandatory in each case where it is not possible to effectively protect the rights of individuals and enforce the GDPR without it.
Case law: In case C-230/14, Weltimmo, CJEU held that for finding an infringement and imposing penalties the SA where the complaint was lodged must request cooperation of the SA of the establishment in accordance with the rules on cooperation. At the same time CJEU pointed out that “the law should make it possible for individuals to enforce their right to protection” [12]
Competence where controller and processor is not established in the EU/EEA
A SA is also competent when processing carried out by a controller or processor not established in the EU/EEA is targeting data subjects residing on its territory. The targeting can be done in relation to offering goods or services or through monitoring their behaviour. This refers to situations when GDPR is applicable according to Article 3(2) GDPR. In these situations, several SAs can be competent to act in parallel, each with regard to the processing of data of their residents.[13]
In this situations the main question is how to enforce a decision when a violation of the GDPR is established. In particularly, how corrective measures and fines can be enforced, since the controller or processor are located outside the territory and thus outside the reach of any Member State, especially in situations when a controller has not designated a representative on the territory of the European Union (in breach of Article 27(1) GDPR). In such situations s SA may ask the competent authorities of the country of the processor for cooperation under an international agreement between the countries.[14] It may also order that the data has to remain within the Union and cannot be transferred to a third country.
Performance of tasks and exercise of powers
The competence of a SA extends to all of the tasks assigned to it and powers conferred to it by the GDPR, as long as the tasks are performed and the powers exercised on the territory of its own Member State. This is confirmed by the wording of Article 57 GDPR and Article 58 GDPR the main articles on tasks and powers of SAs, respectively. Both Articles explicitly limit SA's performance of entailed tasks and the exercising of conferred powers to the territory of its own Member State.
The competence with regard to tasks and powers "include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data" as noted in Recital 122.
While Article 55 GDPR vests the competence with the SA to perform tasks assigned to it and powers conferred to it, Articles 57 and 58 GDPR impose the obligation to perform all the tasks and exercise the powers, when applicable.
Competence on the territory
The jurisdiction of a SA and its coercive power is limited to the territory of its own state due to the principle of sovereignty. This means that a SA of one Member State cannot use its powers outside the borders of it's state, on the territory of another state.[15] CJEU ruled on the territorial limitation of performance of tasks and exercising of powers in Weltimmo judgement (C-230/14).
Case law: In case C-230/14, Weltimmo, CJEU stated that a SA cannot impose penalties outside the territory of its own Member State but it can examine a complaint and exercise investigative powers against a company established in another Member State which was directing its activities to residents of its state. [12]
This provision should not be understood as an obligation that each SA must be competent for the whole territory where several SAs co-exist in one Member State. It is a question of national law to determine the jurisdiction of SAs when a state takes advantage of the option provided under Article 51(3) GDPR to establish several SAs.[16]
No rule on applicable law
The GDPR in several provisions mandates Member States to adopt more specific national rules on data protection, such as on special categories of data (Article 9 GDPR) or human resources data (Article 88 GDPR). It is not evident which national law is applicable in such instances as GDPR does not contain any rules on applicable law for data processed within the Union. The SA of one state may have to apply the national rules of another state in such cases concerning such situations.[17]
(2) Exclusive competence regarding processing for compliance with a legal obligation or in the public interest
Article 55(2) GDPR regulates the SA’s competence in case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA in whose Member State the public authority or private body is located. In such cases, Article 56 GDPR will not apply and the only competent SA to exercise its powers should be the one where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.[18]
The rule should prevent SAs of another state from monitoring public authorities and other bodies carrying out tasks in public interest. Also, the monitoring of processing of data to comply with a legal obligation imposed by the public law of a Member State, such as collection of telecommunication data, should be subject to control by the national SA of that state.[19]
Processing carried out by public authorities
This provision applies to public authorities when they perform their public duties by virtue of Article 6(1)(c)(e) GDPR. According to Recital 128 GDPR the rules on the LSA and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities. In such cases the only supervisory authority competent should be the supervisory authority of the state where the public authority is established.[20]
Any other activities by a public body, such as publicly owned undertaking, that would not be performance of public tasks, such as commercial activities, are not subject to the exception under Article 55(2) GDPR. There may be a LSA.[21]
Processing carried out by private entities performing tasks under a legal obligation or under the public interest
Also, private entities performing tasks under a legal obligation or in the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers would not be subject to the one-stop shop procedure. However, when the private entity is processing data under any other legal basis than Article 6(1)(c)(e), for example based on consent or contract (Article 6(1)(b)), the same entity is subject to Article 56. This means that in case of cross-border processing the LSA will be responsible for monitoring the entities' compliance with the GDPR. This can lead to situations where the same entity can be subject to monitoring by different SAs in relation to different processing of same data.
For example: Passenger data that are collected by airlines for commercial purposes are subject to control by the LSA (SA of main establishment of the airline). When data on passengers is transferred to the public authority where the plane will land or take off under Article 8 Directive 2016/681, the transfer is subject to the control of the SA of the Member State on the territory of which the plane will land or take off.[22]
(3) Limited competence for supervision of courts
In order to protect the independence of the judiciary, Article 55(3) GDPR exempts SAs from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) of the Charter of Fundamental Rights (CFR) but rather that the monitoring of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.[23]
Courts
Even if Article 55(3) GDPR only mention courts, it seems obvious that other judicial bodies – such as the prosecutor office – should be subject to independent supervision separate from the SA.[24] This is confirmed by Article 80 of the Law Enforcement Directive (Directive (EU) 2016/680) that states that courts and other independent judicial authorities should always be subject to independent supervision.
Supervisory authority (SA) is (not) competent
Courts are not totally exempt from control by SAs. They are exempt only when they are acting in their judicial capacity, but not regarding activities that are outside their judicial capacity.
Case law: CJEU considered in case C-245/20 - Autoriteit Persoonsgegevens that processing of personal data carried out in the context of a court's communication policy on cases falls outside the competence of a SA.[25]
On the other hand, activities of judicial administration, such as practices, procedures and offices that deal with the management of the system of the courts are subject to the control by a SA. Thus, processing of the data of the staff hired by a court remains subject to the supervision of the SA.
Acting in judicial capacity
Case law: In case C-245/20 - Autoriteit Persoonsgegevens CJEU clarified that processing operations carried out by courts ‘acting in their judicial capacity’ must be understood, as not being limited to the processing of data in specific cases, but as referring, more broadly, to all processing operations carried out by courts in the course of their judicial activity whose supervision by a SA would be likely, whether directly or indirectly, to have an influence on the independence of their members or to weigh on their decisions. [26]
Decisions
→ You can find all related decisions in Category:Article 55 GDPR
References
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).
- ↑ See Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 905 (Oxford University Press 2020); Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 55, margin number 11 (C.H. Beck 2024, 4th edition) and Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 6 (Nomos 2019).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 904 (Oxford University Press 2020).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, pages 906 - 908 (Oxford University Press 2020).
- ↑ CJEU judgement in case C-131/12 - Google Spain, paragraphs 55-60.
- ↑ CJEU judgements in C-191/15 - Verein für Konsumenteninformationen, paragraph 76; and Weltimmo - C‑230/14, paragraph 31.
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 907 xxx (Oxford University Press 2020).
- ↑ CJEU judgement in case C-230/14 - Weltimmo, paragraphs 31-38.
- ↑ CJEU judgement in case C-191/15 - Verein für Konsumenteninformationen, paragraph 76, available here.
- ↑ 12.0 12.1 CJEU C-230/14 - Weltimmo, paragraphs 53 to 57.
- ↑ See Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020). Regarding the option that the data must remain within the territory of the Union to secure the protection of individuals and their rights under the GDPR see also CJEU C-293/12 - Digital Rights Ireland, paragraph 68, available here.
- ↑ See Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin numbers 16 and 17 (Nomos 2019). See also Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 908 (Oxford University Press 2020).
- ↑ Körffer, in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin numbers 7 and 10 to 13 (Nomos 2022).
- ↑ See Recital 128 GDPR and Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin number 18 (Nomos 2019). See also Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 5 (Nomos 2022).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020).
- ↑ See Recital 20 GDPR and CJEU, in C-245/20 - Autoriteit Persoonsgegevens, paragraph 24.
- ↑ See Directorate-General for Research and Documentation, Research Note on the Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity (available here).
- ↑ See C-245/20 - Autoriteit Persoonsgegevens, paragraph 37.
- ↑ See CJEU C-245/20 - Autoriteit Persoonsgegevens, paragraphs 34 to 39.