Article 52 GDPR: Difference between revisions
No edit summary |
No edit summary |
||
Line 204: | Line 204: | ||
{{Recital/119 GDPR}} | {{Recital/119 GDPR}} | ||
== Commentary == | == Commentary == | ||
[[Article 8(3) CFR]] as well as [[Article 16(2) TFEU]] and [[Article 39 TEU]] require independent authorities to monitor and enforce the application of data protection law. Only convention 108 of the Council of Europe did not require that Supervisory Authorities ("SA") are established by the contracting countries. However, the modernised [https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf Convention 108] (Article 15) now refers to the requirement of an independent authority. | [[Article 8(3) CFR]] as well as [[Article 16(2) TFEU]] and [[Article 39 TEU]] require independent authorities to monitor and enforce the application of data protection law. Only convention 108 of the Council of Europe did not require that Supervisory Authorities ("SA") are established by the contracting countries. However, the modernised [https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf Convention 108] (Article 15) now refers to the requirement of an independent authority. |
Revision as of 13:12, 24 August 2021
Legal Text
1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.
2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.
3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.
5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.
6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.
Relevant Recitals
Commentary
Article 8(3) CFR as well as Article 16(2) TFEU and Article 39 TEU require independent authorities to monitor and enforce the application of data protection law. Only convention 108 of the Council of Europe did not require that Supervisory Authorities ("SA") are established by the contracting countries. However, the modernised Convention 108 (Article 15) now refers to the requirement of an independent authority.
In terms of Article 52 GDPR, three landmark cases of the CJEU had an influence its wording:
- In Commission vs. Germany, the Court decided that Germany did not correctly implement Article 28(1) of Directive 95/46 (DPD), considering that the fact that the SA competent for the private sector were subject to governmental supervision, and state scrutiny, which allowed the government to influence, directly or indirectly, the decisions of the SAs, and even to cancel or replace these decisions. The Court specified that the notion of "complete independence" in Article 28 Directive 95/46 must be given a broad and autonomous interpretation, and aligned on the Article 44 of Regulation 45/2001.
- Likewise, in Commission vs. Austria, the Court found that Austria failed to comply with Article 28 Directive 95/46 by allowing an influence of the government on the SA for the following reasons: the managing member of the SA was an officer working for the Federal Chancellor office and under direct supervision of the Chancellor, the office of the SA was integrated within the department of the Federal Chancellery, and the right of the Chancellor to be informed on all aspects of the work of the SA.
- In 2014, in Commission vs. Hungary, the Court found that the complete independence of the SA was not guaranteed due to the premature termination of the mandate of the Commissioner for the protection of personal data, at the occasion of a re structuration of the SA.
(1) Complete Independence
Article 52(1) GDPR refers to the complete independence as reflected in Article 8(3) CFR, and Article 16 TFEU.
According to the Court, complete independence means that the decision-making power is totally independent of any direct or indirect external influence on the supervisory authority. This covers the so-called functional and organisational independence.
The SAs must act independently in any action they are taking. That covers not only decisions but also all tasks and powers referred to in Article 58 GDPR.
(2) Freedom from External Influence
The second paragraph should be read in the light of the case law of the CJEU, in the three cases mentioned above: the SAs must be able to act objectively and impartially and free form of influence that might have an effect on their decision, tasks and powers.
Direct influence refers to instructions given to a SA, on whatever aspect of its work. Indirect influence covers means that SA must remain above all suspicion of partiality. The mere possibility to exercise a political influence over their decisions is enough to conclude to the absence of independence of the SA.
Beside that functional influence, the organisation for the SA should also ensure its independence towards any influence. In the Austria case mentioned above, the fact that the SA was integrated within the department of the Chancellery led the CJEU to conclude that the SA lacked of independence.
Similarly, the restructuring of a SA, leading to the early termination of the mandate of the commissioner in charge without objective justification, was a violation of the requirement of complete independence under the DPD.
(3) Prohibition Against Incompatible Actions
Article 53 GDPR does not list the occupations that are supposed to be incompatible with a function within the SA. However, Article 54(1)(f) GDPR requires the Member States to regulate the matter in their national legislation.
(4), (5) Sufficient Resources
To be efficient, and deal with their tasks, the SAs should receive the financial, organisational, technical and human resources necessary to deal with their multiple tasks and use their powers. These tasks include the participation in the cooperation and consistency mechanisms: that involves staff attending the EDPB meetings, cooperation with the other SAs under the consistency mechanism (one-top-shop) but also technical and financial resources to cooperate with the other authorities.
In order to ensure complete independence of their resources, the SAs should be able to hire and select their own staff, who should be under their supervision.
(6) Financial Control
Of course, the independence of the SAs does not mean that they cannot receive a budget which is subject to the monitoring and control mechanisms regarding their financial expenditure. Paragraph 6 now requires that each SA has a separate budget annual budget.
Decisions
→ You can find all related decisions in Category:Article 52 GDPR