Article 52 GDPR: Difference between revisions
No edit summary |
|||
Line 206: | Line 206: | ||
==Commentary== | ==Commentary== | ||
Article 8(3) CFR as well as Article 16(2) TFEU and Article 39 TEU require independent authorities ( | Already EU primary law - Article 8(3) CFR as well as Article 16(2) TFEU and Article 39 TEU, require independent supervisory authorities (SAs) to monitor and enforce the application of data protection law.<ref>Only convention 108 of the Council of Europe did not require that Supervisory Authorities (“SA”) are established by the contracting countries. However, the modernised Convention 108 (Article 15) now refers to the requirement of an independent authority.</ref> | ||
Article 52 GDPR introduces the requirement of complete independence of supervisory authorities (SA). Together with [[Article 53 GDPR]] and [[Article 54 GDPR]], it mostly codifies the concept of complete independence that was developed by the CJ EU when interpreting Article 28(1) of Data Protection Directive.<ref>Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046 here]. | |||
CJ EU was deciding on the requirement of complete independence of SAs in cases ''[[C-518/07 - Commisson v Germany]]'', ''[[C-614/10 - Commission v Austria]]'', and ''[[C-288/12 - Commission v Hungary]]''. </ref> | |||
Article 52 (1) GDPR clarifies that the independence of SAs must be complete. | |||
===(1) Complete Independence of | Subsequently, Article 52 further specifies that the authority and its members must exercise their functions without any external influence and without conflicts of interest (Article 52(2)(3) GDPR). In order to make these principles operational, the provision requires member states to provide the SA with adequate financial and organisational means for this purpose (Article 52(4)(5)(6) GDPR). <blockquote>Case law: | ||
Under Article 52(1) GDPR, each SA shall act with complete independence in performing its tasks and exercising its powers. | |||
CJ EU held in Commission vs. Austria that “the guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on the protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim.”<ref name=":0">''See CJEU C-614/10 - Commission v Austria, para 25.'' </ref> | |||
Moreover, such independence was established not to grant a special status to those authorities themselves, but in order to strengthen the protection of individuals and bodies affected by their decisions.<ref>See [[C-518/07 - Commission v Germany|''C-518/07 - Commission v Germany'']], para 25.</ref> | |||
In its judgments the CJEU also clarified that the provisions concerning the complete independence of SAs and the EDPS (European Data Protection Supervisor) are to be interpreted homogenously.<ref>Regarding the homogenous interpretation see [https://gdprhub.eu/C-518/07%20-%20Commission%20v%20Germany ''C-518/07 - Commission v Germany''], para 26-28; and ''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 875 (Oxford University Press 2020). | |||
The independence of EDPS is now regulated in Article 55 EUDPR (Regulation (EU) 2018/1725, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1725 here]), which has replaced Article 44 of the Regulation 45/2001. | |||
</ref> </blockquote>The requirement of independence reoccures also in other parts of the GDPR: [[Article 4 GDPR|Article 4(12) GDPR]] (definition of SA), [[Article 45 GDPR|Article 45(2)(b) GDPR]] (in the context of transfer of data outside of the European Economic Area), and [[Article 69 GDPR]] (with regard to European Data Protection Board (EDPB)).<ref>''See Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 876 (Oxford University Press 2020).</ref> | |||
===(1) Complete Independence of Supervisory Authorities (SAs)=== | |||
Under Article 52(1) GDPR, each SA shall act with complete independence in performing its tasks and exercising its powers. It is the general caluse that applies if a situation is not covered by any of the more specific provisions of the GDPR addressing the complete independence of SAs. <blockquote>Case law: | |||
CJ EU held that the guarantee of independence of national supervisory authorities was established in order to strengthen the protection of individuals and bodies affected by their decisions.<ref>''See CJEU C-614/10 - Commission v Austria, para 25.''</ref> Complete independence "''is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on the protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. [...] It follows that, when carrying out their duties, SAs must act objectevly and impartialy'' ”<ref name=":0" /> </blockquote> | |||
==== Each SA ==== | ==== Each SA ==== | ||
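Review bot: the added footnote links to `[[C-518/07 - Commisson v Germany]]`, while a later footnote in this same hunk uses `[[C-518/07 - Commission v Germany|...]]`; the misspelled target will most likely not resolve to the case page, so correct it to "Commission". The new text also has typos to fix before saving: "caluse" (clause), "reoccures" (recurs) and "objectevly and impartialy" (objectively and impartially), and the quotation under (1) opens with a straight `"` but closes with `”`. The new "Case law" blockquote under (1) also repeats the Commission v Austria, para 25 passage already quoted in the introductory blockquote (both reuse ref `:0`); consider keeping it in one place.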
Line 221: | Line 235: | ||
==== Shall act ==== | ==== Shall act ==== | ||
SA must (''"shall"'') act with complete independence | SA must (''"shall"'') act with complete independence. This condition necessitates member states, SAs and each of their members to ensure that the SA acts in complete independence when performing its tasks and exercising its powers, such as conducting an investigation and taking decisions on the existence of a breach of the GDPR. | ||
==== Complete independence ==== | ==== Complete independence ==== | ||
In | In ''Commission v Germany'' the Court specified that the notion of “''complete independence''” must be given a broad and autonomous interpretation. Complete independence requires that the decisions of SAs and SAs themselves, as guardians of the right to private life, are objective and impartial and remain above any suspicion of partiality. SAs and its members may not be exposed to any kind of motivation for prior compliance. <ref>CJ EU in case [[C-288/12 - Commission v Hungary|C-288/12 - ''Commission v Hungary'']], para 53, and case law cited therein.</ref> | ||
Complete independence includes the following aspects: | |||
* institutional independence (see Article 52(2)(3) below), organisational independence (see Article 52(4)(5) below), and financial independence (see Article 52(4)(6) below), | |||
* independence in relation to the controlled entities, member states, its governments and the Commission, | |||
* independence with regard to control and influence over decision making (see Article 52(2)(3) below), | |||
* prohibition of premature end of mandate of SA members, without their consent (see Article 52(2) below and [[Article 53 GDPR]]), | |||
* the limitation of control of SA's work by the courts and by the parliament through the submission of annual reports. | |||
Evidently, the SA must be independent with respect to the entities, controllers or processors, over which it is required to exercise control. However, independence also applies to the state or any other entity that may exercise any kind of direct or indirect control over the decision-making capacity of the SA, including the Commission.<ref>In Schrems I, the Court made it clear that the DPA must carry out a check on the transfer of data even where there is an adequacy decision. CJEU, Schrems I, §57</ref> To give an example, while Member States are free (within the parameters of the GDPR) to adopt or amend the institutional model that they consider to be the most appropriate for their supervisory authorities, ''“in order to comply with the requirement of ‘complete independence’, the supervisory authority must be placed outside the classic hierarchical administration''”.<ref>''Zerdick'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 879 (Oxford University Press 2020).</ref> Nevertheless, even complete independence has limits. For example, it does not exclude that the appointment of SA members is made by political bodies such as the parliament or the government ([[Article 53 GDPR|Article 53(1) GDPR]]) or that their actions (including their inactivity) may be subject to judicial review ([[Article 78 GDPR]]). | |||
Case law: | Case law: | ||
==== Performing its tasks and exercising its powers ==== | |||
==== | ===== Tasks of supervisory authorities (SAs) ===== | ||
One of the tasks of each SA is handling of complaints of data subjects and | One of the tasks of each SA is handling of complaints of data subjects and cooperation with other SAs under the consistency mechanism, in particularly in cases of cross border processing ([[Article 62 GDPR]]). Tasks of SAs are laid down in [[Article 57 GDPR]]. For more information, see [[Article 57 GDPR]]. | ||
==== | ===== Powers of supervisory authorities (SAs) ===== | ||
The powers of SAs include several investigative and corrective powers, such as conducting on premises investigations, ordering the controller and its representatives to provide any information the SA requires for handling a case, ordering a processor to stop processing data subject's personal data administer fines for infringements of GDPR. The powers of SAs are set out in [[Article 58 GDPR]]. For more information, please refer to [[Article 58 GDPR]]. | The powers of SAs include several investigative and corrective powers, such as conducting on premises investigations, ordering the controller and its representatives to provide any information the SA requires for handling a case, ordering a processor to stop processing data subject's personal data administer fines for infringements of GDPR. The powers of SAs are set out in [[Article 58 GDPR]]. For more information, please refer to [[Article 58 GDPR]]. | ||
===(2) Freedom from External Influence=== | ===(2) Freedom from External Influence=== | ||
Article 52(2) GDPR addresses the members of the SA during the performance of their duties. On the one hand, it requires them to remain free from external influences, whether direct or indirect, and on the other hand, it prohibits them from seeking or taking instructions from anyone | Article 52(2) GDPR addresses the members of the SA during the performance of their duties. On the one hand, it requires them to remain free from external influences, whether direct or indirect, and on the other hand, it prohibits them from seeking or taking instructions from anyone. The first obligation codifies the findings of the CJ EU. <ref>See CJEU in C-518/07, paras 19, 25, 30, 50.</ref> The second reflects similar wording in Article 44(1) of Regulation 45/2001, now Article 55(2) EUDPR.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 880 (Oxford University Press 2020). | ||
See Article 55(2) EUDPR - ''Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC,'' [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1725 available here]''.''</ref> | See Article 55(2) EUDPR - ''Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC,'' [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1725 available here]''.''</ref> | ||
Together with Article 52(3) GDPR, it addresses the institutional independence of SAs. <ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 19 (C.H. Beck 2020, 3rd Edition).</ref> | |||
==== Member(s) of SAs ==== | ==== Member(s) of SAs ==== | ||
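Review bot: "Case law:" is left as a bare label with nothing under it before the new "Performing its tasks and exercising its powers" heading; either add the case-law passage or drop the label. In the added sentences, "in particularly in cases of cross border processing" should read "in particular", and "SAs and its members" should be "SAs and their members". The powers paragraph still reads "stop processing data subject's personal data administer fines", which is missing a conjunction between the last two items of the list.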
Line 246: | Line 272: | ||
==== Remain free from external influence ==== | ==== Remain free from external influence ==== | ||
In particular, in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62007CJ0518 Commission vs. Germany], the Court decided that Germany did not correctly respect such standard ([https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046 Article 28(1) of Directive 95/46]) considering that the SAs competent for the private sector were subject to governmental supervision, and state scrutiny. That allowed the government to influence, directly or indirectly, the decisions of the SAs, and even to cancel or replace these decisions. | External influence can take different forms. In particular, in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62007CJ0518 Commission vs. Germany], the Court decided that Germany did not correctly respect such standard ([https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046 Article 28(1) of Directive 95/46]) considering that the SAs competent for the private sector were subject to governmental supervision, and state scrutiny. That allowed the government to influence, directly or indirectly, the decisions of the SAs, and even to cancel or replace these decisions. | ||
Likewise, in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62010CJ0614 Commission vs. Austria], the Court held that Austria failed to comply with Article 28 DPD by allowing an influence of the government on the SA. The managing member of the SA was an officer working for the Federal Chancellor office and under direct supervision of the Chancellor, the office of the SA was integrated within the department of the Federal Chancellery, and the Chancellor had the right to be informed on all aspects of the work of the SA. Finally, in 2014, in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0288 Commission vs. Hungary], the Court found that the complete independence of the SA was not guaranteed due to the possibility of prematurely terminating the mandate of the Commissioner. | |||
In Commission v Germany CJEU also clarified that the government may have an interest in not complying with the provisions with regard to the protection of personal data where the processing of such data by a non-public body is at issue. <ref>"That government may itself be an interested party in that processing if it actually or potentially participates therein, for example, in the case of a public-private partnership or in the case of public contracts with the private sector. That government may also have a specific interest if it is necessary or even merely useful for it to have access to databases in order to fulfil certain of its functions, in particular for taxation or law enforcement purposes. Furthermore, that government may also tend to favour economic interests in the application of the provisions on the protection of individuals with regard to the processing of personal data by certain companies which are economically important for the Land or region." CJEU in ''[[C-518/07 - Commission v Germany]]'', para 35.</ref> | In Commission v Germany CJEU also clarified that the influence of the government on the SAs is not acceptable because the government may have an interest in not complying with the provisions with regard to the protection of personal data where the processing of such data by a non-public body is at issue. <ref>"That government may itself be an interested party in that processing if it actually or potentially participates therein, for example, in the case of a public-private partnership or in the case of public contracts with the private sector. That government may also have a specific interest if it is necessary or even merely useful for it to have access to databases in order to fulfil certain of its functions, in particular for taxation or law enforcement purposes. 
Furthermore, that government may also tend to favour economic interests in the application of the provisions on the protection of individuals with regard to the processing of personal data by certain companies which are economically important for the Land or region." CJEU in ''[[C-518/07 - Commission v Germany]]'', para 35.</ref> | ||
In conclusion, the SAs must be able to act objectively and impartially and free from any influence that might influence their decision-making process, tasks and powers. | In conclusion, the SAs must be able to act objectively and impartially and free from any influence that might influence their decision-making process, tasks and powers. |
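Review bot: the added paragraph cites the cases as "Commission vs. Austria" and "Commission vs. Hungary" with bare eur-lex links, while the next paragraph and the footnotes write "Commission v Germany" and use the internal `[[C-518/07 - ...]]` wiki links; pick one citation form for the page. The same paragraph refers to "Article 28 DPD" where the preceding one writes "Article 28(1) of Directive 95/46", so the reader cannot tell whether the same provision is meant.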
Revision as of 19:07, 25 September 2023
Legal Text
Article 52 - Independence
1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.
2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.
3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.
5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.
6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.
Relevant Recitals
Commentary
EU primary law (Article 8(3) CFR as well as Article 16(2) TFEU and Article 39 TEU) already requires independent supervisory authorities (SAs) to monitor and enforce the application of data protection law.[1]
Article 52 GDPR introduces the requirement of complete independence of supervisory authorities (SAs). Together with Article 53 GDPR and Article 54 GDPR, it mostly codifies the concept of complete independence that was developed by the CJ EU when interpreting Article 28(1) of the Data Protection Directive.[2]
Article 52 (1) GDPR clarifies that the independence of SAs must be complete.
Subsequently, Article 52 further specifies that the authority and its members must exercise their functions without any external influence and without conflicts of interest (Article 52(2)(3) GDPR). In order to make these principles operational, the provision requires member states to provide the SA with adequate financial and organisational means for this purpose (Article 52(4)(5)(6) GDPR).
Case law:
CJ EU held in Commission vs. Austria that “the guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on the protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim.”[3]
Moreover, such independence was established not to grant a special status to those authorities themselves, but in order to strengthen the protection of individuals and bodies affected by their decisions.[4]
In its judgments the CJEU also clarified that the provisions concerning the complete independence of SAs and the EDPS (European Data Protection Supervisor) are to be interpreted homogenously.[5]
The requirement of independence also recurs in other parts of the GDPR: Article 4(12) GDPR (definition of SA), Article 45(2)(b) GDPR (in the context of transfer of data outside of the European Economic Area), and Article 69 GDPR (with regard to the European Data Protection Board (EDPB)).[6]
(1) Complete Independence of Supervisory Authorities (SAs)
Under Article 52(1) GDPR, each SA shall act with complete independence in performing its tasks and exercising its powers. It is the general clause that applies if a situation is not covered by any of the more specific provisions of the GDPR addressing the complete independence of SAs.
Case law: CJ EU held that the guarantee of independence of national supervisory authorities was established in order to strengthen the protection of individuals and bodies affected by their decisions.[7] Complete independence “is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on the protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. [...] It follows that, when carrying out their duties, SAs must act objectively and impartially”[3]
Each SA
Member States can establish one or several SAs for monitoring the implementation of the GDPR (Article 51 GDPR). Article 52(1) GDPR clarifies that "each" of them must act with complete independence.[8]
Shall act
The SA must ("shall") act with complete independence. This condition requires Member States, SAs and each of their members to ensure that the SA acts in complete independence when performing its tasks and exercising its powers, such as conducting an investigation and taking decisions on the existence of a breach of the GDPR.
Complete independence
In Commission v Germany the Court specified that the notion of “complete independence” must be given a broad and autonomous interpretation. Complete independence requires that the decisions of SAs and SAs themselves, as guardians of the right to private life, are objective and impartial and remain above any suspicion of partiality. SAs and their members may not be exposed to any kind of motivation for prior compliance.[9]
Complete independence includes the following aspects:
- institutional independence (see Article 52(2)(3) below), organisational independence (see Article 52(4)(5) below), and financial independence (see Article 52(4)(6) below),
- independence in relation to the controlled entities, member states, its governments and the Commission,
- independence with regard to control and influence over decision making (see Article 52(2)(3) below),
- prohibition of premature end of mandate of SA members, without their consent (see Article 52(2) below and Article 53 GDPR),
- the limitation of control of SA's work by the courts and by the parliament through the submission of annual reports.
Evidently, the SA must be independent with respect to the entities, controllers or processors, over which it is required to exercise control. However, independence also applies to the state or any other entity that may exercise any kind of direct or indirect control over the decision-making capacity of the SA, including the Commission.[10] To give an example, while Member States are free (within the parameters of the GDPR) to adopt or amend the institutional model that they consider to be the most appropriate for their supervisory authorities, “in order to comply with the requirement of ‘complete independence’, the supervisory authority must be placed outside the classic hierarchical administration”.[11] Nevertheless, even complete independence has limits. For example, it does not exclude that the appointment of SA members is made by political bodies such as the parliament or the government (Article 53(1) GDPR) or that their actions (including their inactivity) may be subject to judicial review (Article 78 GDPR).
Case law:
Performing its tasks and exercising its powers
Tasks of supervisory authorities (SAs)
One of the tasks of each SA is the handling of complaints of data subjects and cooperation with other SAs under the consistency mechanism, in particular in cases of cross-border processing (Article 62 GDPR). Tasks of SAs are laid down in Article 57 GDPR. For more information, see Article 57 GDPR.
Powers of supervisory authorities (SAs)
The powers of SAs include several investigative and corrective powers, such as conducting on-premises investigations, ordering the controller and its representatives to provide any information the SA requires for handling a case, ordering a processor to stop processing a data subject's personal data, and administering fines for infringements of the GDPR. The powers of SAs are set out in Article 58 GDPR. For more information, please refer to Article 58 GDPR.
(2) Freedom from External Influence
Article 52(2) GDPR addresses the members of the SA during the performance of their duties. On the one hand, it requires them to remain free from external influences, whether direct or indirect, and on the other hand, it prohibits them from seeking or taking instructions from anyone. The first obligation codifies the findings of the CJ EU. [12] The second reflects similar wording in Article 44(1) of Regulation 45/2001, now Article 55(2) EUDPR.[13]
Together with Article 52(3) GDPR, it addresses the institutional independence of SAs. [14]
Member(s) of SAs
Members of SAs are the carriers of the principle of independence of SAs. Members are the lead personnel appointed in accordance with Article 53(1) GDPR.[15] In addition to at least one member, every SA also has its own staff. The concept of independence does not apply to staff. They must follow the instructions of the members of the SA but must remain independent from any influence from outside of the SA (see Article 52(4) GDPR below).[16]
Remain free from external influence
External influence can take different forms. In particular, in Commission vs. Germany, the Court decided that Germany did not correctly respect this standard (Article 28(1) of Directive 95/46), considering that the SAs competent for the private sector were subject to governmental supervision and state scrutiny. That allowed the government to influence, directly or indirectly, the decisions of the SAs, and even to cancel or replace these decisions.
Likewise, in Commission vs. Austria, the Court held that Austria failed to comply with Article 28 DPD by allowing the government to influence the SA. The managing member of the SA was an officer working for the Federal Chancellor's office and under direct supervision of the Chancellor, the office of the SA was integrated within the department of the Federal Chancellery, and the Chancellor had the right to be informed on all aspects of the work of the SA. Finally, in 2014, in Commission vs. Hungary, the Court found that the complete independence of the SA was not guaranteed due to the possibility of prematurely terminating the mandate of the Commissioner.
In Commission v Germany the CJEU also clarified that the influence of the government on the SAs is not acceptable because the government may have an interest in not complying with the provisions with regard to the protection of personal data where the processing of such data by a non-public body is at issue.[17]
In conclusion, the SAs must be able to act objectively and impartially and free from any influence that might affect their decision-making process, tasks and powers.
Direct influence
Direct influence refers to instructions given to an SA, on whatever aspect of its work. This means that instructions to SAs regarding service or performance related aspects are prohibited, as well as instructions regarding issues of legality. It is not necessary that instructions were actually given. The mere possibility of exercising political influence over an SA's decisions is enough to conclude that the SA lacks independence. Only courts may scrutinize the work of SAs.[18]
Indirect influence
Indirect influence, on the other hand, occurs whenever the SA’s actions may be affected by external factors which could motivate members of SAs to act in a certain manner of their “own free” will. In the Court’s view, this generates a form of ‘prior compliance’ which is incompatible with the free and independent exercise of its functions.
Given these conditions, the question arises as to what is, or rather what should be, the scale of national legislative intervention to ensure effective independence during the term of office. The problem is particularly pressing where certain professional categories are concerned, such as legal advisers in the private sector. In this case, too, a form of prior compliance can be envisaged, not so much with respect to political or governmental bodies, but rather with respect to positions taken previously, or to the risk that certain ‘unpopular’ decisions may reduce the number of job opportunities after the end of the mandate. In this sense, one possible solution might be to provide the SA’s appointed members with a medium to long-term financial emolument that would allow them to free themselves from reductive calculations on their professional future.
Freedom from instructions
Not seek nor take
- Limits: Cooperation Article 60 GDPR, Consistency mechanism Article 63 ff.
Instructions
- passively
Performance of tasks and exercise of its powers
See above.
(3) Prohibition Against Incompatible Actions
Under Article 52(3) GDPR, members of each SA shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not. The provision lists neither the actions nor the occupations that are supposed to be incompatible with a function within the SA. However, Article 54(1)(f) GDPR requires the Member States to regulate the matter in their national legislation.
Incompatible Action
Although, as mentioned above, the matter of which action or activity is incompatible must be defined by the individual Member States, it is possible to outline some examples of actions which can be said to be certainly incompatible with the function of an SA member. The receipt of gifts, whether tangible or intangible, promises or any other form of benefit is certainly incompatible. At the same time, and to the extent possible, SA members should avoid frequent private contact with potential counterparties or representatives of controllers or processors, at least those against whom investigations are being conducted.
Incompatible Activity
In the case of activities, the wording of Article 52(3) GDPR makes no distinction as to whether these are professional, part-time, or voluntary. The decisive factor is whether the respective activity is “incompatible” with the office. This is meant to avoid any appearance of reduced independence and neutrality, comparable to the rules on bias. This is to be judged according to a prognostic scale. Therefore, there will be an incompatibility if the activity may lead to conflicts of interest with the independent exercise of office and influence on the office, whether in an economic, political or other way. Typically, incompatible conduct is, for example, accepting a position within a company that can be scrutinised by the DPA. The same goes for paid or unpaid legal advice unless the client is located outside the SA’s own jurisdiction. However, even in these cases, it must be examined whether there can be a connection to one’s own official business. The latter may be the case, for example, if it is the establishment or processor of a body to be controlled in its own jurisdiction. When carrying out activities as a tax consultant or lawyer, it must be analyzed, especially regarding the mandate and the task to be assigned, whether collisions with supervisory tasks can occur. However, at least in principle, such freelance activities are not incompatible with the office.[19]
(4) Sufficient Resources
To be efficient, and carry out their tasks, the SAs should receive the financial, organisational, technical and human resources necessary to deal with their multiple tasks, and use their powers. These tasks include the participation in the cooperation and consistency mechanisms. Data protection law at a high level and an independent supervisory authority with numerous powers are pointless if this authority cannot carry out its tasks or can only do so ineffectively because it lacks the necessary staff, technical equipment, financial and other resources.[20]
Example: If, considering its resources, an SA can carry out a control of each controller and processor in its area of responsibility only every 45.000 years, the conditions of this provision are not met.[21]
Article 52(4) GDPR and Article 52(6) GDPR specify the elements of material independence of SAs. Part of its material independence is autonomy in relation to the allocation and disposal of resources within the allocated budget.[22]
Shall ensure
Thus, member states are under the obligation (“shall ensure”) to ensure that each SA is provided with the resources, premises and infrastructure necessary for the effective performance of its tasks. Additionally, the adequacy of resources should be periodically reviewed.[23]
Human resources
Human resources relate, on the one hand, to the necessary level of staff and, on the other hand, to the presence of qualified personnel to carry out the tasks and exercise of powers. This requires above all employees with a training background in the fields of law and computer science, including communication technology. Within the framework of the applicable salary structures, it must be ensured that the remuneration is designed in such a way that high-quality employees can be recruited in competition with the private sector.[24] The structure of staff should enable the SAs to take prompt and effective action.[25]
Technical resources
Technical resources are aimed at appropriate equipment with hardware and software in order to be able to carry out the transferred official business. The supervisory authorities must be at the cutting edge of information and communication technology in order to be able to carry out their monitoring tasks.[26]
Financial resources
Financial resources consist of the budget needed for the stable functioning of the SA as well as resources for unforeseen tasks. This includes, for example, funds for travel expenses, also for participation in further education and training, for the implementation of conferences and workshops, for obtaining external expertise in difficult legal issues or in legal representation or for the short-term reinforcement of staff coverage in the event of special workload.[27] Also, sufficient financial resources must be provided for the costs of necessary human and technical resources, the premises and the infrastructure.
Sufficient financial resources are very important for uninfluenced and impartial monitoring and decision making by SAs. Otherwise, there is a risk that SAs may be more lenient, look for amicable solutions and refrain from imposing heavy fines to avoid their decisions being challenged, in particular if they do not have the necessary financial resources to defend their decisions in the event of an appeal in court.[28]
According to Article 52(6) GDPR each SA must have its own budget (see below).
Premises and infrastructure
Other essential elements for the proper functioning of the SA are the premises and the infrastructure. The SA should be equipped with premises with adequate space to ensure the permanence of its members and the confidentiality of meetings. Communication and security infrastructures commensurate with the sensitivity of the task are obviously needed.[29]
Necessary for effective performance of its tasks and exercise of its powers
Necessary
Article 52(4) GDPR links the criterion of sufficient resources to the effective performance of the SA's tasks and exercise of its powers. It does not further specify what amount of resources is sufficient. The resources that an SA will need depend on different factors, such as the size of the territory and number of subjects it is bound to monitor, the size and complexity of data processing by controlling subjects, and how many complaints it receives. Another factor is the size of companies. Typically, big tech companies are more complex and time consuming to monitor than smaller businesses.
Effective performance
Effective performance means that an SA efficiently performs all its tasks and efficiently exercises all its powers. In case of violations of the GDPR this means that every or most violations are identified, investigated and sanctioned. In general, a high likelihood of sanctioning in case of infringements is a very significant factor for individuals’ voluntary compliance with the laws. This is far from current reality where most violations of GDPR are not addressed, mass violations are tolerated and complaint procedures in most states take several years to be decided.[30]
Example: In Austria, in case of driving over the speed limit and being caught, a speeding ticket with a fine (1/2 of full fine) is automatically sent to the driver. If the driver pays, no procedure is started. This is a very effective way of dealing with violations of traffic rules.
In the context of mutual assistance, cooperation and participation in the EDPB
Finally, member states must provide sufficient resources not only for performing the tasks and powers on national level, but also for the activities carried out “in the context of mutual assistance, cooperation and participation in the Board”. These are the tasks relating to SAs’ participation in the cooperation and consistency mechanism enshrined in Chapter 7 of GDPR. That involves staff attending the EDPB meetings, cooperation with the other SAs under the consistency mechanism (one-stop shop) but also technical and financial resources to cooperate with the other authorities. The SA should therefore have at its disposal, for example, linguistic interpreters when the collegial work requires the translation of documents or the interaction with colleagues of a different language, encrypted communication systems to maintain the secrecy of the investigations and, more generally, adequate financial cover for travel and joint investigations.[31]
(5) Recruitment and Staff Supervision
The independence and efficiency of an SA may be compromised if its staff is chosen by another body or employed elsewhere. Unsuitable and incompetent staff cannot efficiently monitor the application of the GDPR. Therefore, Article 52(5) GDPR specifies that each SA must be able to choose and employ its own staff, who then must be subject to the exclusive direction of the member or members of the SA.[32]
Chooses and has own staff
The ability to choose and have its own staff enables an SA to employ suitable staff with the expertise, experience, qualifications and skills required to perform their tasks.[33]
Each SA must select its own staff. Taking into account Recital 121, this requirement can be met not only if the SA recruits and selects the staff itself, but also if the selection of staff is carried out by an independent body.[34] Autonomy and independence in the selection of staff gives the SA an opportunity to better respond to existing professional and staffing needs.[35]
Exclusive direction of member(s) of supervisory authorities (SAs)
Staff of a SA is subject to exclusive supervision and direction of the member(s) of the SA, as any supervision or directions by another body could influence the work of the staff and thus also the work of the SA. This also “excludes making available staff to the supervisory authority whilst that staff remains linked in an organisational way to or remains subject to any form of supervision by the body which made the staff available”.[36]
(6) Financial Control and Budget
Article 52(6) GDPR addresses another aspect of the financial independence of SAs: financial control and an own budget.[37] In addition, Article 52(4) GDPR requires member states to ensure sufficient financial and other resources.
Financial control
Naturally, the independence of the SAs does not mean that their financial expenditure cannot be subject to any monitoring and control mechanisms.[38] However, it does set limits on the scope of financial controls. Member states must ensure that the financial controls do not compromise the independence of SAs.
Example: In a complaint case against a processor the SA spent 10.000 EUR on the investigation. The financial audit can verify whether the SA spent the amount in accordance with the relevant financial rules, e.g. public procurement rules, but not whether the investigation itself was necessary.
However, Article 52(6) GDPR should not be understood as obliging member states to subject the SAs to financial controls.[39]
Budget
Each SA must now also have a separate annual budget. A separate budget gives an SA the ability to plan its own budget and to decide where to allocate and spend the funds.
Decisions
→ You can find all related decisions in Category:Article 52 GDPR
References
- ↑ Only convention 108 of the Council of Europe did not require that Supervisory Authorities (“SA”) are established by the contracting countries. However, the modernised Convention 108 (Article 15) now refers to the requirement of an independent authority.
- ↑ Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available here. CJ EU was deciding on the requirement of complete independence of SAs in cases C-518/07 - Commission v Germany, C-614/10 - Commission v Austria, and C-288/12 - Commission v Hungary.
- ↑ See CJEU C-614/10 - Commission v Austria, para 25.
- ↑ See C-518/07 - Commission v Germany, para 25.
- ↑ Regarding the homogenous interpretation see C-518/07 - Commission v Germany, para 26-28; and Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 875 (Oxford University Press 2020). The independence of EDPS is now regulated in Article 55 EUDPR (Regulation (EU) 2018/1725, available here), which has replaced Article 44 of the Regulation 45/2001.
- ↑ See Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 876 (Oxford University Press 2020).
- ↑ See CJEU C-614/10 - Commission v Austria, para 25.
- ↑ Zerdick, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 879 (Oxford University Press 2020).
- ↑ CJ EU in case C-288/12 - Commission v Hungary, para 53, and case law cited therein.
- ↑ In Schrems I, the Court made it clear that the DPA must carry out a check on the transfer of data even where there is an adequacy decision. CJEU, Schrems I, §57.
- ↑ Zerdick, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 879 (Oxford University Press 2020).
- ↑ See CJEU in C-518/07, paras 19, 25, 30, 50.
- ↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 880 (Oxford University Press 2020). See Article 55(2) EUDPR - Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, available here.
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 19 (C.H. Beck 2020, 3rd Edition).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin numbers 21 to 24 (Nomos 2022).
- ↑ See Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition). See also Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 26 (Nomos 2022).
- ↑ "That government may itself be an interested party in that processing if it actually or potentially participates therein, for example, in the case of a public-private partnership or in the case of public contracts with the private sector. That government may also have a specific interest if it is necessary or even merely useful for it to have access to databases in order to fulfil certain of its functions, in particular for taxation or law enforcement purposes. Furthermore, that government may also tend to favour economic interests in the application of the provisions on the protection of individuals with regard to the processing of personal data by certain companies which are economically important for the Land or region." CJEU in C-518/07 - Commission v Germany, para 35.
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 5 (Nomos 2019). To that end see also Article 58(4) GDPR.
- ↑ Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin numbers 12-14 (NOMOS 2019).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 40 (Nomos 2022).
- ↑ This was the case in Baden-Württemberg in Germany. See Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 42 (Nomos 2022).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 15 (Nomos 2019).
- ↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 881 (Oxford University Press 2020).
- ↑ Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 17 (NOMOS 2019).
- ↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 52 GDPR, p. 881 (Oxford University Press 2020).
- ↑ Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 52 GDPR, margin number 18 (NOMOS 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 52 GDPR, margin number 19 (NOMOS 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin number 16 (Nomos 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 52 GDPR, margin numbers 20 and 21 (Nomos 2019).
- ↑ From lodging the complaint with an SA until a decision is issued it usually takes 2.5 to 5 years. For more information see statistics of DPA’s handling of noyb cases, available here.
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 52 GDPR, margin number 23 (C.H. Beck 2017).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 47 (Nomos 2022).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 23 (Nomos 2022).
- ↑ Recital 121, sentence 3 reads: "The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority."
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 23 (Nomos 2022).
- ↑ Zerdick, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 882 (Oxford University Press 2020).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 52 GDPR, margin number 21 (C.H. Beck 2020, 3rd Edition).
- ↑ Recital 118 GDPR provides that "the independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review."
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 52 GDPR, margin number 52 (Nomos 2022).