Article 57 GDPR: Difference between revisions

From GDPRhub
No edit summary
Line 288: Line 288:
Not only do data protection authorities raise public awareness but they also provide specific guidance ("upon request") to data subjects with information about the exercise of their GDPR rights. The term “''rights''” includes material rights (such as the right to be forgotten, [[Article 17 GDPR]]) as well as procedural rights and legal enforcement options (for instance, the rights mentioned in [[Article 77 GDPR]], [[Article 78 GDPR]] and [[Article 80 GDPR]]), as well as the right to compensation ([[Article 80 GDPR]]).<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 23 and 24 (Nomos 2022).</ref> Article 57(1)(e) GDPR refers to the fact that several SAs may have to work together to provide information to data subjects (''"if appropriate, cooperate with the supervisory authorities in other Member States to that end"'').<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).</ref><blockquote>Example: Answering an email about the mandatory requirements of a complaint or if a company has an establishment in another member state. </blockquote>
Not only do data protection authorities raise public awareness but they also provide specific guidance ("upon request") to data subjects with information about the exercise of their GDPR rights. The term “''rights''” includes material rights (such as the right to be forgotten, [[Article 17 GDPR]]) as well as procedural rights and legal enforcement options (for instance, the rights mentioned in [[Article 77 GDPR]], [[Article 78 GDPR]] and [[Article 80 GDPR]]), as well as the right to compensation ([[Article 80 GDPR]]).<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 23 and 24 (Nomos 2022).</ref> Article 57(1)(e) GDPR refers to the fact that several SAs may have to work together to provide information to data subjects (''"if appropriate, cooperate with the supervisory authorities in other Member States to that end"'').<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).</ref><blockquote>Example: Answering an email about the mandatory requirements of a complaint or if a company has an establishment in another member state. </blockquote>


===== (f) Handle, investigate complaints and inform the complainant of the progress an outcome =====
===== (f) Handle, investigate complaints and inform the complainant of the progress and outcome =====
Under Article 57(1)(f) GDPR, SAs should deal with data subjects’ complaints and complaints filed by non-for-profit bodies on behalf of a data subject under [[Article 80 GDPR]]).<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).</ref> Handling of complaints is one of the main tasks of supervisory authorities.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).</ref> This implies that the subject matter of the complaint is investigated and the complainant is informed about the progress and result of the investigation.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 11(C.H. Beck 2020, 3rd Edition).</ref> <blockquote>Case law: In case ''C-362/14 - Schrems'' CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.<ref>CJEU, case ''C- 362/ 14 - Schrems I'', paragraph 63.</ref></blockquote>Handling of a complaint should be performed within a reasonable period of time (see also [[Article 77 GDPR|Article 77(2) GDPR]] and [[Article 78 GDPR]]). This reflects a fundamental duty of the SA to process complaints quickly and efficiently and to avoid lengthy proceedings.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 6-11 (C.H. Beck 2017).</ref>
Under Article 57(1)(f) GDPR, SAs should deal with data subjects’ complaints and complaints filed by non-for-profit bodies on behalf of a data subject under [[Article 80 GDPR]]).<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).</ref> Handling of complaints is one of the main tasks of supervisory authorities.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).</ref> According to the EDPB's Internal Document 02/2021 "''[t]his key duty of [SAs] corresponds with the right of data subjects pursuant to [[Article 77 GDPR|Article 77 [GDPR]]] to lodge a complaint with a [SA].''"<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>  This implies that the subject matter of the complaint is investigated and the complainant is informed about the progress and result of the investigation.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> <blockquote>Case law: In case ''C-362/14 - Schrems'' CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.<ref>CJEU, case ''C- 362/ 14 - Schrems I'', paragraph 63.</ref></blockquote>
====== Complaint ======
GDPR does not define what constitutes a complaint. According to EDPB gudance complaint may be defined as: a submission to a SA by an identified natural person – or a not-for-profit body, organization or association that fulfils the conditions provided by Article 80 of the GDPR – who considers that the processing of personal data relating to him or her infringes the GDPR. Meaning that a complaint is not restricted to a breach of the rights of the data subject under Chapter III of the GDPR but is, more generally, an infringement of the GDPR by a processing of the complainant’s personal data.<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here] and documents cited therein.</ref> "''As regards the level of proof required to admit a complaint, it is necessary and sufficient that the complainant provides a substantiated complaint.''" <ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 14, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>


The provision is addressed at the SAs. It must be read in conjunction with [[Article 78 GDPR]] providing for a legal remedy against legaly binding decisions of SAs and in case of inactivity of a SA.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).</ref> For example, at the latest after three months, the complainant must at least be informed of the state of affairs. If this does not happen, he can file a legal remedy against the supervisory authority. For more information see commentary to [[Article 78 GDPR]].
====== Complaint by a data subject ======
GDPR creates a wide possibility for data subjects to make complaints. Article 57(2) GDPR require SAs to facilitate the submission of complaints and not to charge fees (Artice 57(3) GDPR), except for manifestly unfounded or excessive requests (Artice 57(4) GDPR). [[Article 77 GDPR]] ensures that a data subject can issue a complaint before the SA of his residence, whilst not excluding complaints before other SAs.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).</ref>  
GDPR creates a wide possibility for data subjects to make complaints. Article 57(2) GDPR require SAs to facilitate the submission of complaints and not to charge fees (Artice 57(3) GDPR), except for manifestly unfounded or excessive requests (Artice 57(4) GDPR). [[Article 77 GDPR]] ensures that a data subject can issue a complaint before the SA of his residence, whilst not excluding complaints before other SAs.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).</ref>  


Line 300: Line 299:


====== Within a reasonable period ======
====== Within a reasonable period ======
The period of handling the complaint must be kept within a "reasonable" time frame. Whether a reasonable time frame has been observed depends on the omplexity of the case, as well as on the intensity of the infringment of the fundamental right, whereby it must also be taken into account whether the violation affects also rights of other data subjects. The aim is to prevent very long proceedings, including in transnational cases when further investigation or coordination with another SA is necessary.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).</ref> Nevertheless, the period will usually be longer if coordination with other supervisory authorities pursuant to [[Article 60 GDPR]] is needed, leading to a consistency procedure and a binding decisions has to be adopted by the European Data Protection Board (EDPB) pursuant to [[Article 65 GDPR]].<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).</ref><blockquote>Example: If it takes 6 years for a SA to investigate a complaint and take a final decision the complaint was not handled withing a reasonable time. </blockquote>
Handling of a complaint should be performed within a reasonable period of time (see also [[Article 77 GDPR|Article 77(2) GDPR]] and [[Article 78 GDPR]]). This reflects a fundamental duty of the SA to process complaints quickly and efficiently and to avoid lengthy proceedings.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 6-11 (C.H. Beck 2017).</ref>


Whether a reasonable time frame has been observed depends on the complexity of the case, as well as on the intensity of the infringment of the fundamental right, whereby it must also be taken into account whether the violation affects also rights of other data subjects. The aim is to prevent very long proceedings, including in transnational cases when further investigation or coordination with another SA is necessary.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).</ref> Nevertheless, the period will usually be longer if coordination with other SAs is needed, for example pursuant to [[Article 60 GDPR]], in particularly in the event that the consistency procedure leads to the adoption of a binding decision by the European Data Protection Board (EDPB) pursuant to [[Article 65 GDPR]].<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).</ref><blockquote>Example: If it takes 6 years for a SA to investigate a complaint and take a final decision the complaint was not handled withing a reasonable time. </blockquote>The provision must also be read in conjunction with [[Article 78 GDPR]] providing for a legal remedy against legaly binding decisions of SAs and in case of inactivity of a SA.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).</ref> For example, at the latest after three months, the complainant must at least be informed of the state of affairs. If this does not happen, he can file a legal remedy against the SA. For more information see commentary to [[Article 78 GDPR]].
===== (g) Cooperate with other supervisory authorities to ensure consistency and enforcement =====
===== (g) Cooperate with other supervisory authorities to ensure consistency and enforcement =====
SAs must share information and cooperate with other authorities in case a processing presents transnational profiles, including through the exchange of information and providing administrative assistance. Duty to cooperate is not limited to cases of cross-border processing as per [[Article 4 GDPR|Article 4(21) GDPR]]. <blockquote>
SAs must share information and cooperate with other authorities in case a processing presents transnational profiles, including through the exchange of information and providing administrative assistance. Duty to cooperate is not limited to cases of cross-border processing as per [[Article 4 GDPR|Article 4(21) GDPR]]. <blockquote>
Example: Austrian SA asks the Danish SA to make an on-side inspection and seize data on controller's server located in Denmark.  </blockquote>
Example: Austrian SA asks the Danish SA to make an on-side inspection and seize data on controller's server located in Denmark.  </blockquote>
The inter-agency cooperation can be regarded as a necessary instrument that allows SAs to exercise their general role of contributing to the consistent application of the GDPR throughout the EU/EEA ([[Article 51 GDPR|Article 51(2) GDPR]]). Such aim would be impossible without a proactive cooperation. Therefore, it is the task of every national data protection SA, to work with other SAs to ensure the uniform application and enforcement of the GDPR''.'' 
The inter-agency cooperation can be regarded as a necessary instrument that allows SAs to exercise their general role of contributing to the consistent application of the GDPR throughout the EU/EEA ([[Article 51 GDPR|Article 51(2) GDPR]]). Such aim would be impossible without a proactive cooperation. To that end GDPR provides for the cooperation and consistency mechanisms in Articles 60 to 66 GDPR ([[Article 60 GDPR]], [[Article 61 GDPR]], [[Article 62 GDPR]], [[Article 63 GDPR]], [[Article 64 GDPR]], [[Article 65 GDPR]], [[Article 66 GDPR]]).<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).</ref>
 
To that end GDPR provides for the cooperation and consistency mechanisms in Articles 60 to 66 GDPR ([[Article 60 GDPR]], [[Article 61 GDPR]], [[Article 62 GDPR]], [[Article 63 GDPR]], [[Article 64 GDPR]], [[Article 65 GDPR]], [[Article 66 GDPR]]).<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).</ref>
 
===== (h) Conduct investigations =====
===== (h) Conduct investigations =====
The SA is tasked to carry out ''ex officio'' investigations to ensure compliance with the GDPR. To start the investigation, a SA can obtain the information out of its own initiative or from another SA (e.g. in accordance with [[Article 60 GDPR|Article 60(1) GDPR]] and [[Article 61 GDPR|Article 61(1)GDPR]]). Relevant information can also be obtained by another authority (e.g. a competition SA, consumer protection or telecommunications authority). In any of these cases, the SA can start an investigation.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).</ref><blockquote>Example: A SA initiates an ex officio investigation, after a research study by a NGO reveals that cars are sharing unlimited data with car producers, including video and audio of the driver and passangers.  </blockquote>At the European level, Article 46(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045 Regulation (EC) No 45/2001] contains a similar ex officio duty of investigation for the European Data Protection Supervisor (EDPS).<ref>Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045 here].</ref>
The SA is tasked to carry out ''ex officio'' investigations to ensure compliance with the GDPR. To start the investigation, a SA can obtain the information out of its own initiative or from another SA (e.g. in accordance with [[Article 60 GDPR|Article 60(1) GDPR]] and [[Article 61 GDPR|Article 61(1)GDPR]]). Relevant information can also be obtained by another authority (e.g. a competition SA, consumer protection or telecommunications authority). In any of these cases, the SA can start an investigation.<ref>''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).</ref><blockquote>Example: A SA initiates an ex officio investigation, after a research study by a NGO reveals that cars are sharing unlimited data with car producers, including video and audio of the driver and passangers.  </blockquote>At the European level, Article 46(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045 Regulation (EC) No 45/2001] contains a similar ex officio duty of investigation for the European Data Protection Supervisor (EDPS).<ref>Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32001R0045 here].</ref>

Revision as of 17:17, 19 October 2023

Article 57 - Tasks
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 57 - Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
(d) promote the awareness of controllers and processors of their obligations under this Regulation;
(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;
(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;
(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);
(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);
(l) give advice on the processing operations referred to in Article 36(2);
(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);
(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);
(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);
(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
(r) authorise contractual clauses and provisions referred to in Article 46(3);
(s) approve binding corporate rules pursuant to Article 47;
(t) contribute to the activities of the Board;
(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and
(v) fulfil any other tasks related to the protection of personal data.

2. Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Relevant Recitals

Recital 122: Competence of Supervisory Authorities
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

Recital 123: Cooperation Amongst Supervisory Authorities and with the Commission
The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

Recital 129: Tasks and Powers of Supervisory Authorities
In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

Recital 132: Awareness-Raising Activities and Specific Measures
Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as natural persons in particular in the educational context.

Recital 133: Mutual Assistance and Provisional Measures
The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for mutual assistance within one month of the receipt of that request by the other supervisory authority.

Commentary

Article 57(1) GDPR contains a detailed, albeit not exhaustive, list of mandatory tasks assigned to the supervisory authorities (SAs).[1] Article 57(2) to (4) specify that the submission of complaints should be facilitated, tasks should be performed free of charge for data subjects, as wll as rules regarding excesive requests.

Articles that are related to this provision, include Article 4(21) GDPR (definition of a supervisory authority); Article 28(8) GDPR (adoption of processors’ standard contractual clauses); Article 36(2) GDPR (prior consultation); Article 40 GDPR (codes of conduct); Article 42 GDPR (certification); Article 46 GDPR (standard data protection clauses for data transfers); Article 47 GDPR (approval of binding corporate rules); Article 50 GDPR (international cooperation for the protection of personal data); Article 58 GDPR (powers); Article 59 GDPR (activity reports); Article 60 GDPR (cooperation between supervisory authorities); Article 61 GDPR (mutual assistance); Article 62 GDPR (joint operations ); Article 70 GDPR (tasks of the Board), Article 77 GDPR (complaint handling and investigations); and Article 83 GDPR (administrative fines).[2]

(1) Tasks of the supervisory authority (SA)

Article 57(1) GDPR sets out a list of 21 tasks that each SA must ("shall") perform on its teritory, without prejudice to other tasks set out under the GDPR.

The tasks can be devided into monitoring and enforcement, investigation and audit activities, advisory activities, cooperation requirements, execution of the activities and instruments envisaged in other Articles of the GDPR, documentation requirements and following current developments.[3]

The aim of the detailed regulation is to create an equivalent level of data protection within the EU through a "uniform implementation framework" (Recital 123 GDPR, 129 GDPR and Article 57(1)(g)(h) GDPR).[4]

Ensuring free flow of personal data is not entailed among the tasks of the SA.[5]

Without prejudice to other tasks

The provision does not provide for a closed list, as other tasks and responsibilities may arise from other provisions included in the GDPR, such as drawing up of annual activity reports under Article 59 GDPR.

Tasks of SAs

(a) Monitor and enforce the GDPR

According to Article 57(1)(a) GDPR, the SAs must ("shall") monitor and enforce the application of the GDPR. These are SA's main tasks. The collocation of these tasks (letter a) reflects its prominence. It summarises the core idea of SAs activities. Other tasks envisaged by the provision are almost all preordained to the fulfilment of these main tasks.[6]

Monitor

Monitoring means checking compliance with the GDPR. In particular, the performance of data protection reviews.[7]

Example: Reviewing the certifications granted under Article 42(7) GDPR.[8]

This provision takes into account that data protection law, even at the highest level, is of little use if it is not enforced.[9]

Enforce

Enforcement means remedying identified infringements of the GDPR, including coercive enforcement. [10] This means that if the SA determines that the GDPR has been applied incorrectly or not at all by a controller or processor, it should not stop there. Its activities include the effective enforcement of the GDPR against entities. The SA should make use of its corrective powers under Article 58(2) GDPR.[11] This ranges from warning, to issuing a ban on processing and to the imposition of fines.

Example: Company YX is transfering data to the US without a valid legal basis. SA can establish an infringment of the GDPR, order return of data to the EU/EEA, ban future processing of respective data outside the EU/EEA and impose a fine.

SAs thus become effective supervisors with the possibility to intervene comprehensively and, if necessary, with coercive measures for the purpose of the effective application of the GDPR.[11]

(b) Promote public awareness

Raising public awareness is explicitly regulated as a task. The GDPR expressly assigns the SAs the task of making the public aware not only of the risks associated with data processing but also of safeguards and protections that the GDPR affords to data subjects and children.

Example: A SA organises a public campaign "know your rights" on data subjects rights that includes visits of schools.

The focus can be placed on sensitive areas and thus also the perception and presence of SAs can be strengthened. Only as publicly known body can the authorities effectively fulfil their task as 'independent guardians of the fundamental right to data protection'.[12] The annual report that SAs are required to draw up under Article 59 GDPR can be used to promote and raise awareness, but also educational events on data protection issues. For example on the European Data Protection Day, which is celebrated on 28 January.[13] To provide an example, the knowledge of the functions, possibilities and risks of automated data processing is limited in the general public. The risks arise not only from the technical possibilities of accessing knowledge, but also from the consequences that can result when state, social or economic power obtains knowledge about people in an uncontrolled and asymmetrical manner. Informing the public about this and about the regulations, guarantees and rights of the individual is therefore an important task of the SAs and also an effective means of raising the level of data protection. [14]

(c) Advise member states and other public bodies

The wording includes general, preventive advice to the bodies mentioned on which measures should be taken to ensure an appropriate level of data protection. A confirmation to this can be found in Article 36(4) GDPR which stipulates that member states must consult the SA during the preparation of a legislative measure which relates to processing of personal data.[15] SAs should be consulted during preparation of laws and regulations, as well as administrative measures. The advisory activities of the SAs are intended to make data processing transparent and enable the addressees of the advisory service to conduct legal and administrative activities in compliance with data protection.

Example: Estonia upgrades its e-governance system. The Estonian Sa should be consulted in the process since the sytem introduces new technical solutions for processing of data.

Which institutions and bodies are to be advised is determined by member state law.

(d) Promote the awareness of controllers and processors

SAs should not only shed light on legislative proposals and administrative measures, but also on those actors whose actions are governed by the GDPR (controllers and processors). In practice, this task can be carried out, for example, through training courses, official statements as well as through direct contacts with the obligated parties in the event of obvious difficulties in interpreting new and controversial provisions.[16]

Example: Provision of workshops for data protection officers.

(e) Provide information concerning the exercise of data subject rights

Not only do data protection authorities raise public awareness but they also provide specific guidance ("upon request") to data subjects with information about the exercise of their GDPR rights. The term “rights” includes material rights (such as the right to be forgotten, Article 17 GDPR) as well as procedural rights and legal enforcement options (for instance, the rights mentioned in Article 77 GDPR, Article 78 GDPR and Article 80 GDPR), as well as the right to compensation (Article 80 GDPR).[17] Article 57(1)(e) GDPR refers to the fact that several SAs may have to work together to provide information to data subjects ("if appropriate, cooperate with the supervisory authorities in other Member States to that end").[18]

Example: Answering an email about the mandatory requirements of a complaint or if a company has an establishment in another member state.

(f) Handle, investigate complaints and inform the complainant of the progress and outcome

Under Article 57(1)(f) GDPR, SAs should deal with data subjects’ complaints and complaints filed by non-for-profit bodies on behalf of a data subject under Article 80 GDPR).[19] Handling of complaints is one of the main tasks of supervisory authorities.[20] According to the EDPB's Internal Document 02/2021 "[t]his key duty of [SAs] corresponds with the right of data subjects pursuant to Article 77 [GDPR] to lodge a complaint with a [SA]."[21] This implies that the subject matter of the complaint is investigated and the complainant is informed about the progress and result of the investigation.[22]

Case law: In case C-362/14 - Schrems CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.[23]

Complaint

GDPR does not define what constitutes a complaint. According to EDPB gudance complaint may be defined as: a submission to a SA by an identified natural person – or a not-for-profit body, organization or association that fulfils the conditions provided by Article 80 of the GDPR – who considers that the processing of personal data relating to him or her infringes the GDPR. Meaning that a complaint is not restricted to a breach of the rights of the data subject under Chapter III of the GDPR but is, more generally, an infringement of the GDPR by a processing of the complainant’s personal data.[24] "As regards the level of proof required to admit a complaint, it is necessary and sufficient that the complainant provides a substantiated complaint." [25]

GDPR creates a wide possibility for data subjects to make complaints. Article 57(2) GDPR require SAs to facilitate the submission of complaints and not to charge fees (Artice 57(3) GDPR), except for manifestly unfounded or excessive requests (Artice 57(4) GDPR). Article 77 GDPR ensures that a data subject can issue a complaint before the SA of his residence, whilst not excluding complaints before other SAs.[26]

Investigate the subject matter of the complaint

The subject matter relates to the facts of the case as presented by the complainant. The investigation can be carried out, for example, by hearing the person responsible, by on-site inspections or by researching the technical and other framework conditions (Article 58(1) GDPR). It is aimed at determining whether the processing and/or the handling of data subjects' rights is in compliance with the law.[27]

Example: When a complaint concerns an infringment through a collection of her data without a legal basisi on a website via cookies no on-site investigation is neccessary. In the event that the subject matter of the complaint concerns non-compliance of video surveillance with GDPR requirements, an on-site visit can be very helpful or even needed.

Within a reasonable period

Handling of a complaint should be performed within a reasonable period of time (see also Article 77(2) GDPR and Article 78 GDPR). This reflects a fundamental duty of the SA to process complaints quickly and efficiently and to avoid lengthy proceedings.[28]

Whether a reasonable time frame has been observed depends on the complexity of the case, as well as on the intensity of the infringment of the fundamental right, whereby it must also be taken into account whether the violation affects also rights of other data subjects. The aim is to prevent very long proceedings, including in transnational cases when further investigation or coordination with another SA is necessary.[29] Nevertheless, the period will usually be longer if coordination with other SAs is needed, for example pursuant to Article 60 GDPR, in particularly in the event that the consistency procedure leads to the adoption of a binding decision by the European Data Protection Board (EDPB) pursuant to Article 65 GDPR.[30]

Example: If it takes 6 years for a SA to investigate a complaint and take a final decision the complaint was not handled withing a reasonable time.

The provision must also be read in conjunction with Article 78 GDPR providing for a legal remedy against legaly binding decisions of SAs and in case of inactivity of a SA.[31] For example, at the latest after three months, the complainant must at least be informed of the state of affairs. If this does not happen, he can file a legal remedy against the SA. For more information see commentary to Article 78 GDPR.

(g) Cooperate with other supervisory authorities to ensure consistency and enforcement

SAs must share information and cooperate with other authorities in case a processing presents transnational profiles, including through the exchange of information and providing administrative assistance. Duty to cooperate is not limited to cases of cross-border processing as per Article 4(21) GDPR.

Example: Austrian SA asks the Danish SA to make an on-side inspection and seize data on controller's server located in Denmark.

The inter-agency cooperation can be regarded as a necessary instrument that allows SAs to exercise their general role of contributing to the consistent application of the GDPR throughout the EU/EEA (Article 51(2) GDPR). Such aim would be impossible without a proactive cooperation. To that end GDPR provides for the cooperation and consistency mechanisms in Articles 60 to 66 GDPR (Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR).[32]

(h) Conduct investigations

The SA is tasked to carry out ex officio investigations to ensure compliance with the GDPR. To start the investigation, a SA can obtain the information out of its own initiative or from another SA (e.g. in accordance with Article 60(1) GDPR and Article 61(1)GDPR). Relevant information can also be obtained by another authority (e.g. a competition SA, consumer protection or telecommunications authority). In any of these cases, the SA can start an investigation.[33]

Example: A SA initiates an ex officio investigation, after a research study by a NGO reveals that cars are sharing unlimited data with car producers, including video and audio of the driver and passangers.

At the European level, Article 46(b) of Regulation (EC) No 45/2001 contains a similar ex officio duty of investigation for the European Data Protection Supervisor (EDPS).[34]

(i) Monitor relevant development

Another activity SAs are tasked with is to follow any development relevant to data protection field. In particular, the SA shall be updated on new communication technologies and business practices.

Example: Social networks start using pay-or-ok solutions.

This includes new invasive processing methods, for example in the areas of big data, pattern recognition and internet surveillance, as well as technical developments that can be used to ensure data protection requirements, such as options for separate data storage, encryption and pseudonymisation, and use of secure networks. SAs should be aware of new trends for example processing of personal data for purposes of advertising, pay-or-ok soutions, and the use of new consent and contract clauses.[35]

This seems to be necessary in order to adequately carry out the other tasks, particularly monitoring and advice.[36] To do so, the SAs shall be given appropriate human and technical resources (Article 52(4) GDPR).

(j) Adopt standard contractual clauses

Under Article 57(1)(j) SA are given the task to adopt standard contractual clauses as laid down in Article 28(8) GDPR and Article 46(2)(d) GDPR. Both cases require activitly bax the EDPB, either in the consistency mechanism under Article 63 GDPR or by adopting an opinion under Article 64(1)(d) GDPR.

For more information see commentary to Article 28(8) GDPR and Article 46(2)(d) GDPR.

(k) Establish and maintain a list of processing operations requiring a data protection impact assessment

Every SA has to establish and maintain a list of the processing operations for which a data protection impact assessment (DPIA) must always be carried out (Article 35(4) GDPR). On the other hand, maintaining a negative list for cases where a DPIA is not needed is not a mandatory task.[37] According to Article 35(5) GDPR, a SA can also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. These lists are to be submitted to the EDPB.

For more information, please refer to Article 35 GDPR.

(l) Give advice on data protection impact assessment

Advising controllers and processors with regard to high-risk processing opertions referred to in Article 36(2) GDPR is one of the tasks of SAs. This includes receiving and reviewing the data protection impact assessment notified to it and advising the controller in accordance with Article 36(2) GDPR, in particularly making proposals to mitigate the risk. [38] SA can also make use of any of its powers referred to in Article 58 GDPR. This includes its corrective powers, in particulatly, if the written recommendations of the SA are not taken into account and the controller or processor continuously fails to properly identify and mitigate the risk.[39]

For more details see commentary to Article 36 GDPR.

(m) Encourage the drawing up of codes of conduct and regulate the use of codes of conduct

SAs have the task of promoting development of codes of conduct by associations and other organisations representing categories of controllers or processors pursuant to Article 40(1) GDPR. SA receives the draft, examines it, issues opinions on the question if it is compatible with the GDPR and, if so, approves it.[40]

See comment under Article 40 GDPR.

(n) Encourage and regulate the use of data protection certification mechanisms

This task is directly connected with Article 42(1) GDPR that stipulates that SAs are to encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance of processing operations by controllers and processors with the GDPR. The SA is also to issue certifications and approve criteria according to which the process to be certified is to be examined pursuant to Article 42(5) GDPR.[41]

See comment under Article 42 GDPR.

(o) Carry out periodic reviews of certifications

This task is further specified in Article 42 GDPR. A SA must periodically review the certifications granted under Article 42 GDPR (see also point (n) above), which is followed by a renewal or withdrawal of the certification in accordance with Article 42(7) GDPR.[42]

For more information see comment under Article 42 GDPR.

(p) Draft and publish the requirements for accreditation of a body for monitoring codes of conduct and of a certification body

Tis task concerns codes of conduct under Article 41 GDPR and certifications under Article 43 GDPR, which can be approved and issued by bodies other than SAs. These bodies require accreditation for this purpose. The SA establises and publishes the requirements these bodies must fulfil for accreditation.[43]

See also commentary to Article 41 GDPR and Article 43 GDPR.

(q) Accreditation of a body for monitoring codes of conduct and of a certification body

SAs are tasked to carry out the accreditation of a body for monitoring of compliance with a code of conduct pursuant to Article 41 GDPR and a certification body pursuant to Article 43 GDPR on the basis of the requiremens formulated under Article 57(1)(p) (see point (p) above).

For more information see also comments under Article 41 GDPR and Article 43 GDPR.

(r) Authorise contractual clauses and provisions

Similarly, SAs are in charge of authorisation of contractual clauses and provisions referred to in Article 46(3) GDPR providing a legal basis for transfers of data to third countries (outside EU/EEA) or to international organisations.

See comment under Article 46 GDPR.

(s) Approve binding corporate rules

This task concerns the role of SAs assigned to them by Article 47 GDPR with regard to binding corporate rules for internal transfers of data outside EU/EEA within one group of undertakings or group of enterprises engaged in a joint economic activity, which have to be approved by a SAs.

See commentry to Article 47 GDPR.

(t) Contribute to the activities of the EDPB

Pursuant to Article 57(1)(t) GDPR SAs contribute to the activities of the EDPB ("the Board"). The concept of contributions is to be understood comprehensively. It refers among other to the entire coherence procedure (Articles 63 to 66 GDPR), as well as to the numerous tasks of the EDPB.[44] EDPB's tasks are listed in Article 70 GDPR and include, in particular, the preparation and publication of opinions, guidelines, recommendations and best practices. The SAs should actively contribute to the fulfilment of these tasks. This concerns both the meetings of the EDPB itself and their preparation, in particular within the framework of expert subgroups.[45]

The EDPB itself has the task of promoting cooperation and exchange between data protection supervisory authorities.[46]

(u) Keep internal records of infringements of the GDPR and measures taken

Furthermore, SAs have the task of keeping internal records of infringements of the GDPR and measures taken against controllers and processors under Article 58(2) GDPR, which lays down corrective powers of SAs. The content of internal records is not further specified. It seems that a bullet point description of the infringements and the type of measures taken (e.g. warning, reprimend, orders, imposition of fines) would be sufficient. It is not mandatory to include the amount of fines imposed. The records can be used as a basis for the activity report (Article 59 GDPR) and for diverse advisory tasks of the SAs. It can also be used to make strategic decisions on the future direction of SA's activities, its effectiveness, cooperation with other SAs and to follow general developments.[47]

(v) Fulfil any other tasks related to the protection of personal data

Finally, Article 57(1)(v) GDPR constitutes the residual provision for all “other tasks related to the protection of personal data”. The list of tasks is therefore not exhaustive and member states can provide for further tasks in national law. However, these should be chosen carefully with a view to the respective financial resources and the already far-reaching tasks.[48] An example of other tasks is the prior authorisation of data processing in the public interest if required under national law (Article 36(5) GDPR and Article 58(3)(c) GDPR).[49]

On its territory

The wording ("on its terrirory") is intended to clarify that the tasks of the supervisory authority do not extend beyond the territory of its member state.[50]

(2) Submission of complaints is to be facilitated

Article 57(2) GDPR provides for facilitation of the filing of a complaint on the formal side.[51] This means that the SA should be able to provide simple and intuitive solutions for uploading and filing the complaint as well as relevant attachments. The provision expressly mentions a “complaint submission form” which should be easy to understand and gain access to. [52] The provision of a complaint form is a variant for making the submission of complaints unbureaucratic and simple. It can also make it easier for the SA to fulfil its tasks because it can use standardisation to make the complaints procedure more effective. The design of a complaints form can provide the complainant with instructions on how to complete the form, which makes the work of the SA easier and keeps the need for queries in limits. For example, it can be listed which information is required on the respondent and the subject of the complaint and which evidence, if any, may be relevant.[53] The provision, however, does not exclude “other means of communications”, such as the e-mail. In order to facilitate the filing, the SA’s IT systems should be able to receive the complaints with the least number of obstacles possible. It should allow the upload of the most commonly used file formats and avoid setting unreasonable restrictions on the amount of files that can be uploaded and their dimension.[54]

Additionally, data subject's right to file a complaint and seek protection following an infringement of the GDPR is widely mentioned and protected throughout the GDPR. Data subjects are informed about the existence of the right to complaint (Article12(4) GDPR and Article 13(2)(d)(e) GDPR). The SAs deal with every complaint, investigating it to an appropriate extent and informing the complainant about the progress and result of the investigation (Article 57(1)(f) GDPR). Data subject can lodge a complaint with a SA of his choice (Article 77 GDPR).[55]

(3) Free of charge principle (for the data subject)

The right to file a complaint is granted free of charge. This supports the idea of data protection as a fundamental right that must be enforced without undue hindrance by both controllers and SAs. On the other side, since controllers and processors are not mentioned, it seems reasonable to conclude that the SA may charge them with some fees for the performance of their tasks.[56] However, SAs should take into account that the performance of tasks free of charge, including where controllers and processors are involved, can encourage them to consult with the SA regarding their processing activities and thus contribute to GDPR-compliant processing.[57]

(4) Exception: manifestly unfounded or excessive requests

Article 57(4) GDPR provides for an exception to the “free of charge” principle. In particular, if the requests are manifestly unfounded or excessive, in particular if they are repetitive, the authority may charge a reasonable fee or refuse to act on the request. This is to prevent the activity of a SA from being seriously impaired or even paralysed by troublemakers who make nonsensical or repeated requests. However, since the task of the SAs is to protect fundamental rights, this exception rule may only be used in clearly defined situations.[58] The above exception may limit the protection of the data subject's right to file a complaint. For this reason, Article 57(4) GDPR provides that the data protection SA bears the burden of proof and must demonstrate that a request is manifestly unfounded or excessive.

Decisions

→ You can find all related decisions in Category:Article 57 GDPR

References

  1. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 1 (Nomos 2022).
  2. See Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 929 (Oxford University Press 2020).
  3. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).
  4. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 1-3 (C.H. Beck 2021).
  5. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 4 (Nomos 2022).
  6. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 9 (C.H. Beck 2020).
  7. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).
  8. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).
  9. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 6 (Nomos 2022).
  10. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 9 (Nomos 2019).
  11. 11.0 11.1 Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 7 (C.H. Beck 2018).
  12. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).
  13. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 13 (2nd Edition, C.H. Beck 2018).
  14. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 15 and 16 (Nomos 2022).
  15. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57, margin numbers 9-11 (C.H. Beck, 36th edition).
  16. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14-19 (C.H. Beck 2020).
  17. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 23 and 24 (Nomos 2022).
  18. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).
  19. Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).
  20. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).
  21. Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available here.
  22. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available here.
  23. CJEU, case C- 362/ 14 - Schrems I, paragraph 63.
  24. Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available here and documents cited therein.
  25. Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 14, available here.
  26. Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).
  27. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).
  28. Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 6-11 (C.H. Beck 2017).
  29. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).
  30. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).
  31. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).
  32. Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).
  33. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).
  34. Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available here.
  35. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 35-37 (Nomos 2019).
  36. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).
  37. xxxx
  38. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 48 (Nomos 2022).
  39. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 40 (Nomos 2019).
  40. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 41 (Nomos 2019).
  41. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 50-52 (Nomos 2022).
  42. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 53 (Nomos 2022).
  43. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 54 (Nomos 2022).
  44. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 49 (Nomos 2019).
  45. Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 36-37 (C.H. Beck 2021, 39th Edition)
  46. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).
  47. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 57 (Nomos 2019).
  48. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 24 (C.H. Beck 2020).
  49. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 66 (Nomos 2022).
  50. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 13 (Nomos 2022).
  51. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
  52. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
  53. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
  54. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
  55. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
  56. Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, (C.H. Beck 2017). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 53-55 (Nomos 2019).
  57. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 71 and 72 (Nomos 2022).
  58. Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 22-24 (C.H. Beck 2017); Körffer, Paal, Pauly, DS-GVO BDSG, Article 57 GDPR, margin number 31, who also advocates a cautious application of the exception to the principle of free of charge.