Article 55 GDPR
Legal Text
1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.
3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.
Relevant Recitals
While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.
Commentary
Article 55 GDPR stipulates the general competence of the supervisory authority. According to its wording, each SA shall be competent to i) perform the tasks and ii) exercise the powers on the territory of its own Member State.
(1) Competence of the Supervisory Authority
Article 55 GDPR is not, as such, a provision on the territorial competence of the SA; it should be read together with Article 56 GDPR, which derogates from Article 55 GDPR in cases of cross-border processing. The exception to this general rule is set out in Article 56 GDPR, which regulates a specific procedure for cross-border processing.[1]
The competence of a supervisory authority on the territory of its own Member State includes ‘handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data’.[2]
(2) Responsibility Regarding Processing in the Public Interest
Article 55(2) GDPR introduces an exception to the one-stop-shop procedure. Where processing is carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest, the provisions of the one-stop-shop mechanism of Article 56 GDPR shall not apply. However, cooperation under Articles 60 and 61 GDPR is still possible. In such cases, the only supervisory authority competent to exercise its powers should be the supervisory authority of the Member State where the public authority or private body is established.
This provision applies to public authorities when they perform their public duties by virtue of Article 6(1)(c) or (e) GDPR. Any other activities that do not amount to performing public tasks, such as commercial activities, are not subject to Article 55(2) GDPR.
Private entities performing tasks under a legal obligation or in the public interest will likewise not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data, or the data retention obligation of electronic communication providers, will not be subject to the one-stop-shop procedure.
(3) Processing by the Judiciary in Their Judicial Capacity
In order to protect the independence of the judiciary, Article 55(3) GDPR exempts supervisory authorities from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) CFR, but rather that the monitoring of the processing of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.[3]
Moreover, Article 80 of the Law Enforcement Directive (Directive (EU) 2016/680) states that courts and other independent judicial authorities should always be subject to independent supervision. Even if Article 55(3) GDPR only mentions courts, it seems obvious that other judicial bodies, such as the prosecutor's office, should be subject to independent supervision separate from the SA.[4]
However, Article 55(3) GDPR does not define what the term ‘acting in their judicial capacity’ means. Whereas we can affirm that the processing of the data of the staff hired by a court remains subject to the supervision of the SA, what about the publication of the decisions of a court on its website?
An interesting question has been referred to the CJEU in this context. The referring court asks the Court of Justice whether Article 55(3) GDPR must be interpreted as meaning that ‘processing operations of courts acting in their judicial capacity’ can be understood to mean ‘the provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist’.[5]
References
1. CJEU, 15 June 2021, Facebook vs. Belgian SA, C-645/19, margin number 45.
2. See Recital 120 GDPR.
3. See Recital 20 GDPR.
4. See Directorate-General for Research and Documentation, Research Note on the Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity.
5. See Rechtbank Midden-Nederland, 7 August 2020, Request for a preliminary ruling from the rechtbank Midden-Nederland (Netherlands) lodged on 29 May 2020, C-297/27.