Article 55 GDPR
Legal Text
1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.
3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.
Relevant Recitals
Commentary
Article 55 is a rule on jurisdiction setting out rules regarding competences of national supervisory authorities ("SAs").[1] Pursuant to Article 55(1) GDPR, the SA has jurisdiction on the territory of its member state. In particular, the SA’s jurisdiction applies to the processing of personal data carried out in the context of the activities of an establishment of the controller in that member state. Article 55(2) GDPR governs the competences of SAs regarding processing carried out by public authorities or private bodies acting in the public interest. Paragraph 3 clarifies that SAs are not competent to supervise the work of the courts in the exercise of their judicial function.
Competences of SAs in cases of cross-border processing are governed by Article 56 GDPR. Cross-border processing is defined in Article 4(23) GDPR.
(1) Competence of the Supervisory Authority
Article 55(1) GDPR is limiting the jurisdiction of a SA to the territory of its own state. It expresses a basic principle of public international law, the principle of sovereignty: a state has the power to enforce the law within its national borders through the authorities with which it has entrusted itself. [2] “It also confirms the role of SA as enforcement authorities, having competence on national territory equal to other public bodies and judicial authorities.”[3]
At the same time, in accordance with the principle of sovereignty each state is prohibited to exercise power or authority on the territory of another state.[4]
Each supervisory authority (SA)
According to Article 51 GDPR each member states must establish at least one SA responsible to monitor the application of the GDPR. If several SAs co-exist in one member state, each SA does not need to be competent for the whole territory of the state. It is a question of national law, how the jurisdiction is divided between SAs within a state.[5]
Is competent
The competence of a SA on the territory of its own member state extend to all of its tasks and powers.
In the digital environment the place of processing of data and the place where the effects of this processing on individuals shows are not necessarily the same.[6] In Recital 122 GDPR takes this into account with regard to competences of SAs. It specifies that SAs should in particular have jurisdiction over:
- processing in the context of the activities of an establishment on the territory of its own Member State,
- processing carried out by public authorities or private bodies acting in the public interest (see (2) Responsibility Regarding Processing in the Public Interest bellow),
- processing affecting data subjects on its territory and
- processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory.
Recital 122 GDPR follows same concepts as Article 3 GDPR determining the scope of the GDPR, but the list is not limiting the competences of SAs to listed situations. With regard to competences of SAs Article 3 GDPR cannot be directly applied as it is dealing with the territorial scope of the GDPR and not with the question of competences of national SAs.[7]
Linking of competences to the establishment
A national SA has jurisdiction when an establishment of a controller or a processor is on its territory and processing is taking place in the context of the activity of this establishment. The concept of establishment was developed by the CJEU and requires a real and effective activity exercised through stable arrangements. Existence of a separate legal entity or a specific legal form is not required.[8]
The processing in question must be linked with the establishment to the extent that it can be considered to take place in the context of activities of the establishment. This means that processing does not need to be carried out by the establishment concerned itself but a link between the activity of the establishment and data processing must exist.[9]
Both concepts are further discussed in Article 4 GDPR.
Common misunderstanding: SAs is only competent to investigate the processing of data by controllers established and registered in its member state.
Competence for public authorities
Competence for processing by public authorities or private bodies acting in the public interest is addressed and further discussed in Article 55(2) Responsibility Regarding Processing in the Public Interest bellow.
In particular, if a controller has an establishment within a Member State, the authority of that State will have jurisdiction over it, regardless of where the processing is carried out. The competence of a SA on a territory of its own Member State includes’ among the others, “handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data”.[10]
Competence due to affect on data subjects on its territory
When processing affects only data subjects on the territory of the SAs where the complaint was lodged and the processor has an establishment there, SA is responsible to investigate and decide in the case. On the other hand, processing of data can affect data subjects in several member states. In such cases SAs have to act and handle cases in accordance with the rules on allocation of competences between the lead supervisory authority (LSA) and other supervisory authorities and other rules on allocation of competences and cooperation between SAs laid down in the consistency procedure and the cooperation procedure in Article 65 GDPR andArticle 60 GDPR to Article 67 GDPR. SAs are under the duty of sincere and effective cooperation and have to respect the allocation of competences.[11]
In particularly, data subjects in several member states are affected in situations of cross-border processing. The procedure is led by SA of the main establishment of the processor - the lead supervisory authority (LSA). LSA is competent to lead the investigation and issue the final decision against the controller. SAs of all states whose residents are affected by processing can participate in the investigation and decision making as SAs concerned. Additionally, the SA with which the complaint was lodged is also competent for issuing a decision rejecting the complaint or any parts thereof. In situations where a complaint was lodged with a SA by one of its residents who was affected and the processor has no establishment in this state, the SA will have to ask the SA of the establishment of the controller for cooperation in accordance with Article 61 and Article 62. A final decision establishing a violation and imposing corrective measures and a fine should be issued by the national SA where the controller is established.[12]
Case law: In case C-230/14, Weltimmo, CJEU stated that a SA cannot impose penalties outside the territory of its own member state but it can examine a complaint and exercise investigative powers against a company established in another member state which was directing its activities to residents of its state. For finding an infringement and imposing penalties the SA must request cooperation of SA of the establishment in accordance with the rules on cooperation.[13]
Competence for processing by a controller not established in the Union (market principle)
A national SA has also jurisdiction when a controller and processor, which is not established in any of the member state, is processing the data of its residents in relation to offering goods or services or through monitoring their behavior. This refers to situations when GDPR is applicable according to Article 3(2) GDPR. For more information regarding conditions for applicability of GDPR in this circumstances see commentary to Article 3(2) GDPR.
In this situations, several SAs can be competent to act in parallel, each concerning the data processing of their residents. SAs may use the consistency mechanism to implement and apply the GDPR throughout the Union in a consistent manner.
In this situations the main question is how to enforce a decision when a violation of GDPR is established. In particularly, how corrective measures and fines can be enforced, since the controller or processor are located outside the territory and thus outside the reach of any member state, especially in situations when a controller has not designated a representative on the territory of the European Union (in breach of Article 27(1) GDPR). In such situations s SA may ask the competent authorities of the country of the processor for cooperation under an international agreement between the countries.[14] It may also order that the data has to remain within the Union and cannot be transferred to a third country.[15]
Performance of tasks and the exercise of powers
SA’s tasks and powers include “handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data”.[16] Tasks of SAs are listed in Article 57 GDPR. Powers of SAs are listed in Article 58 GDPR.
On the territory of its own member state
The jurisdiction of a SA and its coercive power is limited to the territory of its own state. This means that a SA of one member state cannot investigate on the territory of another state.[17]
Example: French DPA can conduct an investigation on the premises of a controller, if the premises is located in France. At the same time the French DPA cannot on its own conduct an investigation on the premises of a processor, if the premises is located in Spain.
It also means that a decision issued by a SA cannot be enforced in another state.
Example: If the Austrian SA would issue a decision by which it would ban further processing of data and impose a 150.000 EUR fine against a controller from France that has no establishment in Austria the Austrian authority would not have the power or any means to force the controller to comply with the decision and pay the fine since it is not on the territory of Austria.
At the same time according to the CJEU case law “the law should make it possible for individuals to enforce their right to protection”[18] Therefore the GDPR has provided a cooperation and consistency mechanism between SAs under Article 56 GDPR and Articles 60 to 67 GDPR, which should result in final decisions being issued by the national SA of the establishment of the controller.[19]
No rule on applicable law
The GDPR in several provisions mandates member states to adopt more specific national rules on data protection, such as on special categories of data (Article 9 GDPR) or human resources data (Article 88 GDPR). It is not evident which national law is applicable in such instances as GDPR does not contain any rules on applicable law for data processed within the Union. The SA of one state may have to apply the national rules of another state in such cases concerning such situations.[20]
(2) Responsibility Regarding Processing in the Public Interest
Article 55(2) GDPR regulates the SA’s competence in case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA in whose Member State the public authority or private body is located. In such cases, Article 56 GDPR will not apply and the only competent SA to exercise its powers should be the one where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.[21]
The rule should prevent that public authorities and other bodies carrying out tasks in public interest of a member state are controlled by a SA of another state. Also, the monitoring of processing of data to comply with the legal obligation imposed by the public law of a member state, such as collection of telecommunication data, should be subject to control by the national SA of that state.[22]
Processing carried out by public authorities
This provision applies to public authorities when they perform their public duties by virtue of Article 6(1)(c)(e) GDPR. According to Recital 128 GDPR the rules on the LSA and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities. In such cases the only supervisory authority competent should be the supervisory authority of the state where the public authority is established.[23]
Any other activities by a public body, such as publicly owned undertaking, that would not be performing public tasks, such as commercial activities, are not subject to the exception under Article 55(2) GDPR. There may be a LSA.[24]
Processing carried out by private entities performing tasks under a legal obligation or under the public interest
Also, private entities performing tasks under a legal obligation or under the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers would not be subject to the one-stop shop procedure. However, when the private entity is processing data under any other legal basis than Article 6(1)(c)(e), for example based on consent or contract (Article 6(1)(b)), the same entity is subject to Article 56. This means that in case of cross-border processing the LSA will be responsible for monitoring the entities compliance with the GDPR. This can lead to situations where the same entity can be subject to monitoring by different SAs in relation to different processing of same data.
For example: Passenger data that are collected by airlines for commercial purposes are subject to control by the LSA (SA of main establishment of the airline). When data on passengers is transferred to the public authority where the plane will land or take off under Article 8 Directive 2016/681, the transfer is subject to the control of the SA of the member state on the territory of which the plane will land or take off.[25]
(3) Processing by the Judiciary in Their Judicial Capacity
In order to protect the independence of the judiciary, Article 55(3) GDPR exempts SAs from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) of the Charter of Fundamental Rights (CFR) but rather that the monitoring of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the member state.[26]
Courts
Even if Article 55(3) GDPR only mention courts, it seems obvious that other judicial bodies – such as the prosecutor office – should be subject to independent supervision separate from the SA.[27] This is confirmed by Article 80 of the Law Enforcement Directive (Directive (EU) 2016/680) that states that courts and other independent judicial authorities should always be subject to independent supervision.
Supervisory authority (SA) not competent
Courts are not totally exempt from control by SAs. They are exempt only when they are acting in their judicial capacity, but not regarding activities that are outside their judicial capacity. In this regard CJEU held that processing of personal data carried out in the context of a court's communication policy on cases falls outside the competence of a SA.[28]
On the other hand, activities of judicial administration, such as practices, procedures and offices that deal with the management of the system of the courts are subject to the control by a SA. Thus, processing of the data of the staff hired by a court remains subject to the supervision of the SA.
Acting in judicial capacity
It concluded that processing of personal data carried out by courts in the context of their communication policy on cases falls outside the competence of a SA.
Case law: In case C-245/20 CJEU clarified that processing operations carried out by courts ‘acting in their judicial capacity’ must be understood, as not being limited to the processing of data in specific cases, but as referring, more broadly, to all processing operations carried out by courts in the course of their judicial activity whose supervision by a SA would be likely, whether directly or indirectly, to have an influence on the independence of their members or to weigh on their decisions. [29]
Decisions
→ You can find all related decisions in Category:Article 55 GDPR
References
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 8906 (Oxford University Press 2020).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 904 (Oxford University Press 2020).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 55, margin number 16 (C.H. Beck 2020, 3rd Edition).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55GDPR, margin number 6 (Nomos 2019).
- ↑ CJEU, case C-645/19, Facebook Ireland and others v Gegevensbeschermingsautoriteit, 15 June 2021, margin number 22, available here. See also CJEU, case C-230/14, Weltimmo, 1 October 2015, margin numbers 29-33, available here.
- ↑ CJEU, case C-131/12, Google Spain, 13 May 2014, margin numbers 52 to 60, available here.
- ↑ See Recital 120 GDPR.
- ↑ CJEU, case C-230/14, Weltimmo, 1 October 2015, margin number 57, available here. See also CJEU, case C-645/19, Facebook Ireland and others v Gegevensbeschermingsautoriteit, 15 June 2021, margin number 53, available here.
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55GDPR, margin number 9 (Nomos 2019).
- ↑ CJEU, case C-230/14, Weltimmo, 1 October 2015, margin numbers 53 to 57, available here.
- ↑ See Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin numbers 16 and 17 (Nomos 2019). See also Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
- ↑ See Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020). Regarding the option that the data must remain within the territory of the Union to secure the protection of individuals and their rights under the GDPR see also CJEU, joined cases C-293/12 and C-594/12, Digital Rights Ireland, 8 April 2014, margin number 68.
- ↑ See Recital 122 GDPR
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
- ↑ See CJEU, case C-230/14, Weltimmo, 1 October 2015, margin number 53, available here. See also Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 908 (Oxford University Press 2020).
- ↑ Körffer, in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 7 and 10 to 13 (Nomos 2022).
- ↑ See Recital 128 GDPR and Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin number 18 (Nomos 2019). See also Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 5 (Nomos 2022).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020).
- ↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020).
- ↑ See Recital 20 GDPR and CJEU, case C-297/27, x,z, 24 March 2022, margin number 24. (available here).
- ↑ See Directorate-General for Research and Documentation, Research Note on the Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity (available here).
- ↑ See CJEU, case C-245/20, x,z, 24 March 2022, margin number 37. (available here).
- ↑ See CJEU, case 245/20, x,z, 24 March 2022, margin numbers 34 to 39. (available here).