Article 57 GDPR: Difference between revisions
===(2) Submission of complaints is to be facilitated===
Article 57(2) GDPR provides for facilitation of the filing of a complaint on the formal side.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).</ref> This means that the SA should be able to provide simple and intuitive solutions for uploading and filing the complaint as well as relevant attachments. The provision expressly mentions a “''complaint submission form''” which should be easy to understand and to access.<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).</ref> The provision of a complaint form is one way of making the submission of complaints unbureaucratic and simple. It can also make it easier for the SA to fulfil its tasks because it can use standardisation to make the complaints procedure more effective. The design of a complaint form can provide the complainant with instructions on how to complete it, which makes the work of the SA easier and keeps the need for queries within limits. For example, it can list which information is required on the respondent and the subject of the complaint and which evidence, if any, may be relevant.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).</ref> The provision, however, does not exclude “''other means of communication''”, such as e-mail. In order to facilitate the filing, the SA’s IT systems should be able to receive complaints with the fewest obstacles possible. They should allow the upload of the most commonly used file formats and avoid setting unreasonable restrictions on the number of files that can be uploaded and their size.<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).</ref>
Additionally, the data subject's right to file a complaint and seek protection following an infringement of the GDPR is widely mentioned and protected throughout the GDPR. Data subjects are informed about the existence of the right to complain ([[Article 12 GDPR|Article 12(4) GDPR]] and [[Article 13 GDPR|Article 13(2)(d)(e) GDPR]]). The SAs deal with every complaint, investigating it to an appropriate extent and informing the complainant about the progress and result of the investigation (Article 57(1)(f) GDPR). A data subject can lodge a complaint with a SA of his choice ([[Article 77 GDPR]]).<ref>''Eichler'', in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).</ref>
=== (3) Free of charge principle (for the data subject)===
The right to file a complaint is granted free of charge. This supports the idea of data protection as a fundamental right that must be enforced without undue hindrance by both controllers and SAs. On the other hand, since controllers and processors are not mentioned, it seems reasonable to conclude that the SA may charge them fees for the performance of its tasks.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO, Article 57, (C.H. Beck 2017). See also ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 53-55 (Nomos 2019).</ref> However, SAs should take into account that performing tasks free of charge, including where controllers and processors are involved, can encourage them to consult the SA regarding their processing activities and thus contribute to GDPR-compliant processing.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 71 and 72 (Nomos 2022).</ref>
===(4) Exception: manifestly unfounded or excessive requests===
Article 57(4) GDPR provides for an exception to the “''free of charge''” principle. If requests are manifestly unfounded or excessive, in particular if they are repetitive, the authority may charge a reasonable fee or refuse to act on the request. This is to prevent the activity of a SA from being seriously impaired or even paralysed by troublemakers who make nonsensical or repeated requests. However, since the task of the SAs is to protect fundamental rights, this exception may only be used in clearly defined situations.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 22-24 (C.H. Beck 2017); ''Körffer'', Paal, Pauly, DS-GVO BDSG, Article 57 GDPR, margin number 31, who also advocates a cautious application of the exception to the principle of free of charge.</ref> The above exception may limit the protection of the data subject's right to file a complaint. For this reason, Article 57(4) GDPR provides that the SA bears the burden of proof and must demonstrate that a request is manifestly unfounded or excessive.
Revision as of 16:01, 16 October 2023
Legal Text
1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:
- (a) monitor and enforce the application of this Regulation;
- (b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
- (c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
- (d) promote the awareness of controllers and processors of their obligations under this Regulation;
- (e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
- (f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
- (g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;
- (h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;
- (i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
- (j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);
- (k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);
- (l) give advice on the processing operations referred to in Article 36(2);
- (m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);
- (n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);
- (o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);
- (p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
- (q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
- (r) authorise contractual clauses and provisions referred to in Article 46(3);
- (s) approve binding corporate rules pursuant to Article 47;
- (t) contribute to the activities of the Board;
- (u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and
- (v) fulfil any other tasks related to the protection of personal data.
2. Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.
3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.
4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Relevant Recitals
Commentary
Article 57(1) GDPR contains a detailed, albeit not exhaustive, list of mandatory tasks assigned to the supervisory authorities (SAs).[1] Article 57(2) to (4) specify that the submission of complaints should be facilitated and that tasks should be performed free of charge for data subjects, and set out rules regarding excessive requests.
Articles related to this provision include Article 4(21) GDPR (definition of a supervisory authority); Article 28(8) GDPR (adoption of processors’ standard contractual clauses); Article 36(2) GDPR (prior consultation); Article 40 GDPR (codes of conduct); Article 42 GDPR (certification); Article 46 GDPR (standard data protection clauses for data transfers); Article 47 GDPR (approval of binding corporate rules); Article 50 GDPR (international cooperation for the protection of personal data); Article 58 GDPR (powers); Article 59 GDPR (activity reports); Article 60 GDPR (cooperation between supervisory authorities); Article 61 GDPR (mutual assistance); Article 62 GDPR (joint operations); Article 70 GDPR (tasks of the Board); Article 77 GDPR (complaint handling and investigations); and Article 83 GDPR (administrative fines).[2]
(1) Tasks of the supervisory authority (SA)
Article 57(1) GDPR sets out a list of 21 tasks that each SA must ("shall") perform on its territory, without prejudice to other tasks set out under the GDPR.
The tasks can be divided into monitoring and enforcement, investigation and audit activities, advisory activities, cooperation requirements, execution of the activities and instruments envisaged in other Articles of the GDPR, documentation requirements and following current developments.[3]
The aim of the detailed regulation is to create an equivalent level of data protection within the EU through a "uniform implementation framework" (Recital 123 GDPR, 129 GDPR and Article 57(1)(g)(h) GDPR).[4]
Ensuring free flow of personal data is not entailed among the tasks of the SA.[5]
Without prejudice to other tasks
The provision does not provide for a closed list, as other tasks and responsibilities may arise from other provisions included in the GDPR, such as drawing up of annual activity reports under Article 59 GDPR.
Tasks of SAs
(a) Monitor and enforce the GDPR
According to Article 57(1)(a) GDPR, the SAs must ("shall") monitor and enforce the application of the GDPR. These are the SA's main tasks. Their placement at the head of the list (letter a) reflects their prominence. They summarise the core idea of the SAs' activities. Almost all other tasks envisaged by the provision serve the fulfilment of these main tasks.[6]
Monitor
Monitoring means checking compliance with the GDPR, in particular by performing data protection reviews.[7]
Example: Reviewing the certifications granted under Article 42(7) GDPR.[8]
This provision takes into account that data protection law, even at the highest level, is of little use if it is not enforced.[9]
Enforce
Enforcement means remedying identified infringements of the GDPR, including coercive enforcement.[10] This means that if the SA determines that the GDPR has been applied incorrectly or not at all by a controller or processor, it should not stop there. Its activities include the effective enforcement of the GDPR against entities. The SA should make use of its corrective powers under Article 58(2) GDPR.[11] These range from a warning, to issuing a ban on processing, to the imposition of fines.
Example: Company YX is transferring data to the US without a valid legal basis. The SA can establish an infringement of the GDPR, order the return of the data to the EU/EEA, ban future processing of the respective data outside the EU/EEA and impose a fine.
SAs thus become effective supervisors with the possibility to intervene comprehensively and, if necessary, with coercive measures for the purpose of the effective application of the GDPR.[11]
(b) Promote public awareness
Raising public awareness is explicitly regulated as a task. The GDPR expressly assigns the SAs the task of making the public aware not only of the risks associated with data processing but also of safeguards and protections that the GDPR affords to data subjects and children.
Example: A SA organises a public campaign "know your rights" on data subjects rights that includes visits of schools.
The focus can be placed on sensitive areas, and thus the perception and presence of SAs can also be strengthened. Only as a publicly known body can the authorities effectively fulfil their task as 'independent guardians of the fundamental right to data protection'.[12] The annual report that SAs are required to draw up under Article 59 GDPR can be used to promote and raise awareness, as can educational events on data protection issues, for example on the European Data Protection Day, which is celebrated on 28 January.[13] To provide an example, knowledge of the functions, possibilities and risks of automated data processing is limited in the general public. The risks arise not only from the technical possibilities of accessing knowledge, but also from the consequences that can result when state, social or economic power obtains knowledge about people in an uncontrolled and asymmetrical manner. Informing the public about this and about the regulations, guarantees and rights of the individual is therefore an important task of the SAs and also an effective means of raising the level of data protection.[14]
(c) Advise member states and other public bodies
The wording includes general, preventive advice to the bodies mentioned on which measures should be taken to ensure an appropriate level of data protection. This is confirmed by Article 36(4) GDPR, which stipulates that member states shall consult the SA during the preparation of a legislative measure which relates to the processing of personal data.[15] SAs should be consulted during the preparation of laws and regulations, as well as administrative measures. The advisory activities of the SAs are intended to make data processing transparent and enable the addressees of the advisory service to conduct legal and administrative activities in accordance with data protection.
Example: Estonia upgrades its e-governance system. The Estonian SA should be consulted in the process since the system introduces new technical solutions for the processing of data.
Which institutions and bodies are to be advised is determined by member state law.
(d) Promote the awareness of controllers and processors
SAs should not only shed light on legislative proposals and administrative measures, but also on those actors whose actions are governed by the GDPR (controllers and processors). In practice, this task can be carried out, for example, through training courses, official statements as well as through direct contacts with the obligated parties in the event of obvious difficulties in interpreting new and controversial provisions.[16]
Example: Provision of workshops for data protection officers.
(e) Provide information concerning the exercise of data subject rights
Not only do data protection authorities raise public awareness but they also provide specific guidance to data subjects with information about the exercise of their GDPR rights. The term “rights” includes material rights (such as the right to be forgotten, Article 17 GDPR) as well as procedural rights and legal enforcement options (for instance, the rights mentioned in Article 77 GDPR, Article 78 GDPR and Article 80 GDPR), as well as the right to compensation (Article 80 GDPR). Article 57(1)(e) GDPR refers to the fact that several SAs may have to work together for the purpose of a corresponding information campaign (e.g. by creating a joint information website or a joint leaflet).[17]
Example: Publishing easily understandable information on the website about the rights of data subjects and how to draft and file a complaint.
(f) Handle, investigate complaints and inform the complainant of the progress and outcome
Under Article 57(1)(f) GDPR, SAs should deal with data subjects’ complaints and complaints filed by not-for-profit bodies on behalf of a data subject under Article 80 GDPR.[18] Handling of complaints is one of the main tasks of supervisory authorities.[19] This implies that the subject matter of the complaint is investigated and the complainant is informed about the progress and result of the investigation.[20]
Case law: In case C-362/14 - Schrems, the CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data, it is incumbent upon the SA to examine the claim with all due diligence.[21]
Handling of a complaint should be performed within a reasonable period of time (see also Article 77(2) GDPR and Article 78 GDPR). This reflects a fundamental duty of the SA to process complaints quickly and efficiently and to avoid lengthy proceedings.[22]
The provision is addressed at the SAs. It must be read in conjunction with Article 78 GDPR, which provides for a legal remedy against legally binding decisions of SAs and in case of inactivity of a SA.[23] For example, at the latest after three months, the complainant must at least be informed of the state of affairs. If this does not happen, he can file a legal remedy against the supervisory authority. For more information see the commentary to Article 78 GDPR.
Complaint by a data subject
The GDPR creates a wide possibility for data subjects to make complaints. Article 57(2) GDPR requires SAs to facilitate the submission of complaints and not to charge fees (Article 57(3) GDPR), except for manifestly unfounded or excessive requests (Article 57(4) GDPR). Article 77 GDPR ensures that a data subject can lodge a complaint before the SA of his residence, whilst not excluding complaints before other SAs.[24]
Investigate the subject matter of the complaint
The subject matter relates to the facts of the case as presented by the complainant. The investigation can be carried out, for example, by hearing the person responsible, by on-site inspections or by researching the technical and other framework conditions (Article 58(1) GDPR). It is aimed at determining whether the processing and/or the handling of data subjects' rights is in compliance with the law.[25]
Example: When a complaint concerns an infringement through the collection of her data without a legal basis on a website via cookies, no on-site investigation is necessary. In the event that the subject matter of the complaint concerns non-compliance of video surveillance with GDPR requirements, an on-site visit can be very helpful or even needed.
Within a reasonable period
The period of handling the complaint must be kept within a "reasonable" time frame. Whether a reasonable time frame has been observed depends on the complexity of the case, as well as on the intensity of the infringement of the fundamental right, whereby it must also be taken into account whether the violation also affects the rights of other data subjects. The aim is to prevent very long proceedings, including in transnational cases when further investigation or coordination with another SA is necessary.[26] Nevertheless, the period will usually be longer if coordination with other supervisory authorities pursuant to Article 60 GDPR is needed, leading to a consistency procedure in which a binding decision has to be adopted by the European Data Protection Board (EDPB) pursuant to Article 65 GDPR.[27]
Example: If it takes 6 years for a SA to investigate a complaint and take a final decision, the complaint was not handled within a reasonable time.
(g) Cooperate with other supervisory authorities to ensure consistency and enforcement
SAs must share information and cooperate with other authorities where a processing operation has a transnational dimension, including through the exchange of information and the provision of administrative assistance. The duty to cooperate is not limited to cases of cross-border processing as defined in Article 4(21) GDPR.
Example: The Austrian SA asks the Danish SA to make an on-site inspection and seize data on the controller's server located in Denmark.
The inter-agency cooperation can be regarded as a necessary instrument that allows SAs to exercise their general role of contributing to the consistent application of the GDPR throughout the EU/EEA (Article 51(2) GDPR). Such aim would be impossible without a proactive cooperation. Therefore, it is the task of every national data protection SA, to work with other SAs to ensure the uniform application and enforcement of the GDPR.
To that end GDPR provides for the cooperation and consistency mechanisms in Articles 60 to 66 GDPR (Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR).[28]
(h) Conduct investigations
The SA is tasked to carry out ex officio investigations to ensure compliance with the GDPR. To start an investigation, a SA can obtain the information on its own initiative or from another SA (e.g. in accordance with Article 60(1) GDPR and Article 61(1) GDPR). Relevant information can also be obtained from another authority (e.g. a competition, consumer protection or telecommunications authority). In any of these cases, the SA can start an investigation.[29]
Example: A SA initiates an ex officio investigation after a research study by an NGO reveals that cars are sharing unlimited data with car producers, including video and audio of the driver and passengers.
At the European level, Article 46(b) of Regulation (EC) No 45/2001 contains a similar ex officio duty of investigation for the European Data Protection Supervisor (EDPS).[30]
(i) Monitor relevant developments
Another activity SAs are tasked with is to follow any development relevant to the field of data protection. In particular, the SA shall keep up to date with new communication technologies and business practices.
Example: Social networks start using pay-or-ok solutions.
This includes new invasive processing methods, for example in the areas of big data, pattern recognition and internet surveillance, as well as technical developments that can be used to meet data protection requirements, such as options for separate data storage, encryption and pseudonymisation, and the use of secure networks. SAs should be aware of new trends, for example the processing of personal data for advertising purposes, pay-or-ok solutions, and the use of new consent and contract clauses.[31]
This seems to be necessary in order to adequately carry out the other tasks, particularly monitoring and advice.[32] To do so, the SAs shall be given appropriate human and technical resources (Article 52(4) GDPR).
(j) Adopt standard contractual clauses under Articles 28(8) GDPR and 46(2)(d) GDPR
SAs can adopt standard contractual clauses in accordance with Article 28(8) GDPR and Article 46(2)(d) GDPR. Both cases trigger the consistency procedure before the EDPB according to Article 63 GDPR and Article 64(1)(d) GDPR.
For more information see commentary to Article 28(8) GDPR and Article 46(2)(d) GDPR.
(k) Establish and maintain a DPIA list under Article 35(4) GDPR
Every SA has to establish and maintain a list of the processing operations for which a data protection impact assessment must always be carried out (Article 35(1) GDPR). On the other hand, maintaining a negative list for cases where a DPIA is not needed is not a mandatory task.[33] However, according to Article 35(5) GDPR, a SA may also establish and make public a list of the kinds of processing operations for which no data protection impact assessment is required. These lists are also to be submitted to the EDPS.
For more detailed information, please refer to Article 35 GDPR.
(l) Give advice on the processing operations referred to in Article 36(2) GDPR
Advising controllers and processors with regard to high-risk processing operations is one of the tasks of SAs. This includes receiving and reviewing the data protection impact assessment notified to it and advising the controller in accordance with Article 36(2) GDPR, in particular by making proposals to mitigate the risk.[34]
The SA can also make use of any of its powers referred to in Article 58 GDPR. If the written recommendations of the supervisory authority are not taken into account and the controller or processor continuously fails to properly identify and mitigate the risk, the SA can also exercise its corrective powers under Article 58(2) GDPR.[35]
In these cases, the data protection officers of the responsible parties act as a contact point for the SAs in accordance with Article 39(1)(e) GDPR.
For more details see commentary to Article 36 GDPR.
(m) Promote and regulate the use of codes of conduct pursuant to Article 40(5) GDPR
SAs have the task of promoting the development of codes of conduct by associations and other organisations representing categories of controllers or processors pursuant to Article 40(1) GDPR. The SA receives the draft, examines it, issues an opinion on whether it is compatible with the GDPR and, if so, approves it.[36]
See comment under Article 40 GDPR.
(n) Promote and regulate the use of data protection certification mechanisms pursuant to Article 42(5) GDPR
This task is directly connected with Article 42(1) GDPR that stipulates that SAs are to encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance of processing operations by controllers and processors with the GDPR. The SA is also to issue certifications and approve criteria according to which the process to be certified is to be examined (Article 42(5) GDPR and Article 58(3)(f) GDPR).[37]
See comment under Article 42 GDPR.
(o) Carry out periodic reviews in accordance with Article 42(7) GDPR
The SA periodically reviews the certifications granted under Article 42 GDPR (see point (n) above), which is followed by a renewal or withdrawal of the certification (Article 42(7) GDPR).[38]
For more information see comment under Article 42 GDPR.
(p) Draft and publish the requirements for accreditation of a body for monitoring codes of conduct pursuant to Article 41 GDPR and of a certification body pursuant to Article 43 GDPR
Codes of conduct under Article 41 GDPR can be monitored and certifications under Article 43 GDPR can be issued by bodies other than supervisory authorities. These bodies require accreditation for this purpose. The SA establishes and publishes the requirements these bodies must fulfil for accreditation.[39]
See also commentary to Article 41 GDPR and Article 43 GDPR.
(q) Accreditation of a body for monitoring codes of conduct
SAs are tasked with carrying out the accreditation of a body for monitoring compliance with a code of conduct pursuant to Article 41 GDPR and of a certification body pursuant to Article 43 GDPR, on the basis of the requirements formulated pursuant to Article 57(1)(p) GDPR (see above).
For more information see also comments under Article 41 GDPR and Article 43 GDPR.
(r) Authorise contractual clauses and provisions referred to in Article 46(3) GDPR
Similarly, SAs are in charge of authorisation of contractual clauses and provisions providing a legal basis for transfers of data to third countries (outside EU/EEA) or to international organisations (Article 46(3) GDPR).
See comment under Article 46 GDPR.
(s) Approve binding corporate rules pursuant to Article 47 GDPR
Another legal basis for internal transfers of data to a third country (outside the EU/EEA) within a group of undertakings or a group of enterprises engaged in a joint economic activity is binding corporate rules, which have to be approved by SAs (see Article 47 GDPR), making this one of the tasks of SAs.
See also commentary to Article 47 GDPR.
(t) Contribute to the activities of the EDPB
The numerous tasks of the European Data Protection Board (EDPB) are listed in Article 70 GDPR and include, in particular, the preparation and publication of opinions, guidelines, recommendations and best practices. The SAs should actively contribute to the fulfilment of these tasks. This concerns both the meetings of the EDPB itself and their preparation, in particular within the framework of expert subgroups. The obligation to cooperate is independent of whether the SA itself is a member of the EDPB.[40]
(u) Keep internal records of infringements of the GDPR and of measures taken in accordance with Article 58(2) GDPR
See also comment under Article 58 GDPR.
Article 57(1)(v) GDPR constitutes the residual provision for all "other tasks related to the protection of personal data". The list of tasks is therefore not exhaustive, and Member States can provide for further tasks in national law. However, these should be chosen carefully with a view to the respective financial resources and the already far-reaching tasks.[41]
On its territory
The wording ("on its territory") is intended to clarify that the tasks of the supervisory authority do not extend beyond the territory of its Member State.[42]
(2) Submission of complaints is to be facilitated
Article 57(2) GDPR provides for the facilitation of the filing of a complaint on the formal side.[43] This means that the SA should be able to provide simple and intuitive solutions for uploading and filing the complaint as well as relevant attachments. The provision expressly mentions a "complaint submission form", which should be easy to understand and to access.[44] The provision of a complaint form is one way of making the submission of complaints unbureaucratic and simple. It can also make it easier for the SA to fulfil its tasks, because it can use standardisation to make the complaints procedure more effective. The design of a complaint form can provide the complainant with instructions on how to complete it, which makes the work of the SA easier and keeps the need for queries within limits. For example, it can list which information is required on the respondent and on the subject of the complaint, and which evidence, if any, may be relevant.[45] The provision, however, does not exclude "other means of communication", such as e-mail. In order to facilitate the filing, the SA's IT systems should be able to receive complaints with the fewest obstacles possible. They should allow the upload of the most commonly used file formats and avoid setting unreasonable restrictions on the number of files that can be uploaded and their size.[46]
Additionally, the data subject's right to file a complaint and seek protection following an infringement of the GDPR is widely mentioned and protected throughout the GDPR. Data subjects are informed about the existence of the right to lodge a complaint (Article 12(4) GDPR and Article 13(2)(d)(e) GDPR). The SAs deal with every complaint, investigating it to an appropriate extent and informing the complainant about the progress and result of the investigation (Article 57(1)(f) GDPR). A data subject can lodge a complaint with a SA of their choice (Article 77 GDPR).[47]
(3) Free of charge principle (for the data subject)
The right to file a complaint is granted free of charge. This supports the idea of data protection as a fundamental right that must be enforceable without undue hindrance by either controllers or SAs. On the other hand, since controllers and processors are not mentioned, it seems reasonable to conclude that the SA may charge them fees for the performance of its tasks.[48] However, SAs should take into account that the performance of tasks free of charge, including where controllers and processors are involved, can encourage them to consult the SA regarding their processing activities and thus contribute to GDPR-compliant processing.[49]
(4) Exception: manifestly unfounded or excessive requests
Article 57(4) GDPR provides for an exception to the "free of charge" principle. If requests are manifestly unfounded or excessive, in particular if they are repetitive, the authority may charge a reasonable fee or refuse to act on the request. This is to prevent the activity of a SA from being seriously impaired or even paralysed by troublemakers who make nonsensical or repeated requests. However, since the task of the SAs is to protect fundamental rights, this exception may only be used in clearly defined situations.[50] The exception may limit the protection of the data subject's right to file a complaint. For this reason, Article 57(4) GDPR provides that the data protection SA bears the burden of proof and must demonstrate that a request is manifestly unfounded or excessive.
Decisions
→ You can find all related decisions in Category:Article 57 GDPR
References
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 1 (Nomos 2022).
- ↑ See Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 929 (Oxford University Press 2020).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).
- ↑ Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 1-3 (C.H. Beck 2021).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 4 (Nomos 2022).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 9 (C.H. Beck 2020).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 6 (Nomos 2022).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 9 (Nomos 2019).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 7 (2nd Edition, C.H. Beck 2018).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 13 (2nd Edition, C.H. Beck 2018).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 15 and 16 (Nomos 2022).
- ↑ Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 9-11 (C.H. Beck, 36th Edition).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin numbers 14-19 (C.H. Beck 2020).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin numbers 12-15 (C.H. Beck 2017).
- ↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).
- ↑ CJEU, C-362/14, Schrems, para. 63.
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin numbers 6-11 (C.H. Beck 2017).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).
- ↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).
- ↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).
- ↑ Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available here.
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 35-37 (Nomos 2019).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).
- ↑ xxxx
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 48 (Nomos 2022).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 40 (Nomos 2019).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 41 (Nomos 2019).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 50-52 (Nomos 2022).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 53 (Nomos 2022).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 54 (Nomos 2022).
- ↑ Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 36-37 (C.H. Beck 2021, 39th Edition).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 24 (C.H. Beck 2020).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 13 (Nomos 2022).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
- ↑ Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
- ↑ Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
- ↑ Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR (C.H. Beck 2017). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 53-55 (Nomos 2019).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 71 and 72 (Nomos 2022).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin numbers 22-24 (C.H. Beck 2017); Körffer, in Paal, Pauly, DS-GVO BDSG, Article 57 GDPR, margin number 31, who also advocates a cautious application of the exception to the free of charge principle.