Article 55 GDPR
Legal Text
1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.
3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.
Relevant Recitals
Commentary
Pursuant to Article 55(1) GDPR, the Supervisory Authority (“SA”) has jurisdiction on the territory of its Member State. This rule echoes the provision in Article 3(1) GDPR on the territorial application of the GDPR. In particular, the SA’s jurisdiction applies to the processing of personal data carried out in the context of the activities of an establishment of the controller in that Member State. With respect to that establishment, therefore, the SAs may perform the tasks and exercise the powers conferred by the GDPR. Article 55(2) GDPR confirms the above rule for processing carried out in the public interest and for the exercise of an official task of the SA (Article 6(1)(c) and (e) GDPR), with the only clarification that the cooperation mechanism of Article 56 does not apply in these cases. Finally, Article 55(3) GDPR excludes SAs from supervising the work of the courts in the exercise of their judicial function.
(1) Competence of the Supervisory Authority
Article 55(1) GDPR expresses a basic principle of public international law: a State has the power to enforce the law within its national borders through the authorities it has entrusted with that task. In terms of data protection, under Article 55(1) GDPR, the competence of the national SA follows the principle of establishment expressed in Article 3 GDPR.
In particular, if a controller has an establishment within a Member State, the authority of that State will have jurisdiction over it, regardless of where the processing is carried out. The competence of an SA on the territory of its own Member State includes, among others, “handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data”.[1]
However, it should be pointed out that Article 55 GDPR has an important derogation, provided for in the subsequent Article 56 GDPR (the so-called “one-stop shop procedure”).[2] The latter applies when cross-border processing of data takes place and the main establishment of the controller (or its single establishment within the European Union) is located in another Member State. In such cases, competence is assigned to the SA of the main establishment.[3]
(2) Responsibility Regarding Processing in the Public Interest
Article 55(2) GDPR regulates the SA’s competence in case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA in whose Member State the public authority or private body is located. In such cases, Article 56 GDPR will not apply and the only competent SA to exercise its powers should be the one where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.[4]
This provision applies to public authorities when they perform their public duties by virtue of Article 6(1)(c) and (e) GDPR. Any other activities that do not amount to performing public tasks, such as commercial activities, are not subject to Article 55(2) GDPR. Also, private entities performing tasks under a legal obligation or in the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or the data retention obligation of electronic communication providers would not be subject to the one-stop shop procedure.
(3) Processing by the Judiciary in Their Judicial Capacity
In order to protect the independence of the judiciary, Article 55(3) GDPR exempts SAs from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) of the Charter of Fundamental Rights (CFR), but rather that the monitoring of the processing of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.[5]
Moreover, Article 80 of the Law Enforcement Directive (Directive (EU) 2016/680) states that courts and other independent judicial authorities should always be subject to independent supervision. Even if Article 55(3) GDPR only mentions courts, it seems obvious that other judicial bodies – such as the prosecutor's office – should be subject to independent supervision separate from the SA.[6] However, Article 55(3) GDPR does not define what the term “acting in their judicial capacity” covers. Whereas the processing of the data of the staff hired by a court remains subject to the supervision of the SA, it remains unclear whether that is the case with the publication of a court’s decisions on its website.
In this context, a preliminary ruling is pending before the CJEU. The referring court asks the CJEU whether Article 55(3) GDPR must be interpreted as meaning that “processing operations of courts acting in their judicial capacity” can be understood to mean the “provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist”.[7]
Decisions
→ You can find all related decisions in Category:Article 55 GDPR
References
- [1] See Recital 120 GDPR.
- [2] CJEU, 15 June 2021, Facebook vs. Belgian SA, C-645/19, margin number 35.
- [3] Or its single establishment within the European Union (Article 56 GDPR).
- [4] Körffer, in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).
- [5] See Recital 20 GDPR.
- [6] See Directorate-General for Research and Documentation, Research Note on the Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity.
- [7] See Rechtbank Midden-Nederland, 7 August 2020, Request for a preliminary ruling from the rechtbank Midden-Nederland (Netherlands) lodged on 29 May 2020, C-297/27.