Article 58 GDPR
Legal Text
1. Each supervisory authority shall have all of the following investigative powers:
- (a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
- (b) to carry out investigations in the form of data protection audits;
- (c) to carry out a review on certifications issued pursuant to Article 42(7);
- (d) to notify the controller or the processor of an alleged infringement of this Regulation;
- (e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
- (f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
2. Each supervisory authority shall have all of the following corrective powers:
- (a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
- (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
- (c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
- (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
- (e) to order the controller to communicate a personal data breach to the data subject;
- (f) to impose a temporary or definitive limitation including a ban on processing;
- (g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
- (h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
- (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
- (j) to order the suspension of data flows to a recipient in a third country or to an international organisation.
3. Each supervisory authority shall have all of the following authorisation and advisory powers:
- (a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;
- (b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
- (c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;
- (d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);
- (e) to accredit certification bodies pursuant to Article 43;
- (f) to issue certifications and approve criteria of certification in accordance with Article 42(5);
- (g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);
- (h) to authorise contractual clauses referred to in point (a) of Article 46(3);
- (i) to authorise administrative arrangements referred to in point (b) of Article 46(3);
- (j) to approve binding corporate rules pursuant to Article 47.
4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.
5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
6. Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.
Relevant Recitals
Commentary
Article 58 GDPR standardises the powers that supervisory authorities (“SAs”) can use in performing their tasks under Article 57 GDPR. The provision includes a comprehensive catalogue of investigative, corrective and advisory powers. Such powers result directly from the GDPR and therefore do not need implementation by member states’ law. Under Article 70(1)(k) GDPR, the EDPB should in principle adopt guidelines regarding the concrete and consistent application of such powers.[1] In this regard, all the SA’s powers are important. However, under Article 83(5)(e) GDPR, non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the SA pursuant to Article 58(2) GDPR or failure to provide access in violation of Article 58(1) GDPR, may result in the highest fines possible.[2] It seems, therefore, that the legislator considers some of the powers described in Article 58 GDPR to be crucial for the functioning of SAs and, in turn, the entire GDPR system.
(1) Investigative powers
A necessary step to enforcing the GDPR and handling data subjects’ complaints is the possibility of carrying out investigations. Article 58(1) GDPR differentiates between different types of investigative powers. This powers are needed to establish the facts of a case.[3] Only on the basis of a comprehensive clarification of the facts of the case the SA is in a position to exercise its corrective powers under Article 58(2) GDPR or its authorisation powers under Article 58(3) GDPR.[4] SAs can combine several invegistative powers according to the needs of the investigation. To grant an example, the SA may link the data protection audit to further powers under paragraph 1, such as the access powers to obtain access to personal data processed, to information and to the premesis under Article 58(1)(e)(f) GDPR.
(a) Order the controller to provide information
The SA can instruct the controller, processor and, if applicable, the representative to provide all information that is necessary for the performance of their tasks. The obligation to provide the information relates to all information (knowledge) that is at ones disposal in any form, e.g. in written, visual, audio or data processing form, as well as data stored or accessible in other information media. It is intended to prevent that only individual pieces of information are provided to the SA during the investigation.[5] Information includes the personal data processed, but also the information on the purpose, nature and methods of processing, origin and recipients of the data, contracts, certifications. In cases of cross-border processing information and evidence may also be important as to which of several establishments is the main establishment (Article 56 GDPR in connection with Article 4(16) GDPR).[6]
Information can be provided, for example, by transmitting documents to the SA, submitting written statements or replying to questionnaires. In addition to this, Article 30(4) GDPR stipulates that the controller or processor or, if applicable, the representative shall make the record of processing activities available to the SA on request.[7]
Where the controller or processor would incriminate themselves by providing certain information and thus be subject to sanctions, they can invoke their right to refuse information based on the rule of law clause in Article 58(4) GDPR (see bellow) and the nemo tenetur principle.[8]
(b) Carry out data protection audits
The SAs can carry out investigations in the form of audits of data protection and of data security.[9] An audit implies that a comprehensive qualitative examination of the effectiveness of procedures is conducted.[10] In this context SAs can take different measures to analyse processing operations on personal data at a controller or processor, such as access to documents, the examination of hardware and software used, networks, databases, applications, interfaces, as well as the testing of security measures found or the evaluation of data records.[11]
The initial version of Article 58 GDPR limited the scope of the audit to the business premises of the controller. After the Corrigendum of the GDPR,[12] however, the term “business premises” was replaced by “premises”. It follows that private rooms, where at least a part of the processing takes place, are also included.[13]
(c) Review certifications
Under Article 58(1)(c) GDPR a SA can review certifications issued in accordance with Article 42(7) GDPR when they are being renewed as well as the activities of accredited certification bodies within the meaning of Article 43(1) GDPR. During the review the SA is exemining whether the requirements of certification are still met.[14]
(d) Notifify the controller of an alleged infringement
In accordance with Article 58(1)(d) GDPR, a SA can inform a controller or processor about an alleged – i.e. possible, but not yet determined – infringement of the GDPR ('Regulation'). Such a notice can be given, for example, directly in connection with a data protection audit, a data subject’s complaint or official information from another SA. The notice establishes a presumption of a violation of the GDPR, which, however, can be rejected by the controller or the processor.[15] This appears to be a constructive and proportional approach which gives controllers and processors a chance to know the provisional understanding of the SA and react accordingly, making submissions and/or bringing the processing into compliance, if a violation exists.
(e) Obtain access to personal data and all relevant information
The powers of investigation of the SAs also include a right of access to personal data and information in accordance with Article 58(1)(e) GDPR. This includes the right to directly access personal data, inspect internal documents, databases and procedures, and therefore is wider and more incisive than the right to (request and) obtain information under Article 58(1)(a) GDPR. SAs can obtain access to documents and systems on site and/or to connect into the processing systems.[16] SAs are also authorised to record the technical and organisational background of data processing, which means that all documents on procedures and security documentation are subject to access, including technical information on systems which do not yet process personal data, but which may enable a link with or to personal data.[17] Controllers and processors must cooperate with the SA during the inspection (Article 31 GDPR). However, if the cooperation yields a violation of the nemo tenetur principle, it seems possible for the investigated party to lawfully refuse such cooperation.[18] Failure to provide access can pursuant to Article 83(5)(e) GDPR result in an administrative fine of up to 20 000 000 EUR or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
(f) Obtain access to premises including equipment and means
Finally, data protection SAs – similarly to the Commission and the national competition authorities in EU antitrust proceedings – are given the power to search the controller’s (or processor’s) premises in accordance with Article 58(1)(f) GDPR. It seems that the search is no longer restricted to the business premises but a judge’s authorization is indispensable with regard to the inviolability of the home and comparable places.[19] The term “premises” includes all data processing systems and all data processing devices.
(2) Corrective powers
The corrective powers provided for in Article 58(2) GDPR enable the SAs to restore GDPR-compliant conditions in the event of violations. For this purpose, Article 58(2) GDPR builds a system of powers which should be proportionally used having in mind the type of the envisaged violation and the risks for the data subjects. In doing so, a SA has to decide at its due discretion whether exercising a milder remedial power is sufficient to ensure the application and enforcement of the GDPR, or whether a higher escalation level must trigger.
(a) Issue warnings
The mildest expression of the authority’s powers is the warning. The SA issues it if an intended processing operation is “likely” to violate the GDPR. There are no specifics as to the form of the warning. It follows that it can be issued in writing or orally (although a formal approach appears sensible). The controller can react to a warning by stopping the intended processing operation or bringing it into conformity with the law.[20]
(b) Issue reprimands
If the SA identifies a violation of the GDPR, it may, under Article 58(2)(b) GDPR, issue a reprimand to a controller or a processor. Contrary to what happens in case of a warning, the reprimand indicates that one (or more rarely, several) violation of the GDPR has already occurred. The SA will issue a reprimand if the threshold for imposing a fine has not yet been reached. For these reasons, scholars have defined the reprimand as the “little sister of the fine” or compared it to a “yellow card” from the SA.[21] However, if a reprimand is disregarded, the SA can respond by exercising more stringent remedial powers and taking into account the conduct as a factor for a possible administrative fine (Article 83 GDPR).
(c) Order to comply with data subject’s requests
Article 58(2)(c) GDPR serves as a second-level remedy in case a controller or processor violates the rights of the data subject. Should that happen, the SA can then instruct the controller or the processor to comply with the data subject’s request regarding the right to information (Article 13, 14 GDPR), access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), notification (Article 19 GDPR) or data portability (Article 20 GDPR). In these cases, the SA acts through an “order”. In accordance with Article 83(5)(6) GDPR, ignoring it would expose the controller to a high-fines scenario.
(d) Order to restore compliance
The SA can instruct the controller or processor to bring processing operations in line with the GDPR. There is no limit to the type of instruction. The wording of the law appears to authorise any request that could serve the scope of (re-)establishing GDPR compliance. Measures include, for example, instructions to take technical and organisational measures within the meaning of Article 32 GDPR, to appoint a data protection officer according to Article 37 GDPR, to create and maintain a record of processing activities according to Article 30 GDPR, to regulate the relationship with a processor by means of a contract, to change the alignment of surveillance cameras, or to change the use of pre-formulated consent within the meaning of Article 7 GDPR.[22] In accordance with Article 83(5)(6) GDPR, ignoring an instruction would also expose the controller to the risk of potentially high-fines.
(e) Order communication of a data breach to the data subject
According to Article 58(2)(e) GDPR of the GDPR, the SA can instruct the controller to notify persons affected by a data breach which triggers the notification obligations under Articles 33, 34 GDPR.
(f) Impose a ban on processing
The SA can also order a restriction or ban on data processing in accordance with Article 58(2)(f) GDPR. The restriction on data processing can be temporary or permanent. These measures are strict and should be considered only if the controller or processor has shown a particularly disrespectful conduct, as it happens when a previous warning, reprimand or order has been issued and the recipient has disregarded it.
(g) Order to rectify or erase personal data
Article 58(2)(g) GDPR authorises the SA to order a correction or deletion of data or a restriction of data processing. This especially comes into consideration if an instruction or other order has been disregarded previously.
(h) Withdraw a certification
If a SA comes to the conclusion that the prerequisites of a previously issued certification are no longer met, it may, in accordance with Article 42(7) GDPR, revoke the certification. If the certification is granted by a certification body, the SA can do so in accordance with Article 58(2) GDPR and instruct the body to revoke the certification or not to issue it.
(i) Impose an administrative fine
The most renowned (although probably not most important) remedy introduced by the GDPR is the imposition of a fine under Article 58(2) GDPR in conjunction with Article 83 GDPR. Their amount, which can go to up to EUR 20 million or, if superior, up to 4 % of the undertaking’s total worldwide annual turnover, is determined taking into account the type of violation (Article 83(4)(5) GDPR) as well as other qualitative factors listed in Article 83(2) GDPR, in particular according to the type, gravity and duration of the infringement. The SA can, but does not have to, impose fines for violations. The relevant decision is at the discretion of the SA, whereby the considerations mentioned in Article 83 GDPR are to be taken into account. The fine can be imposed in addition to or instead of further remedial measures within the meaning of Article 58(2)(a)-(h) GDPR.[23]
(j) Order suspension of data flows to a recipient in a third country
A final remedy is provided for in Article 58(2)(j) GDPR. According to this, a SA can order the suspension of data transfer to a third country or to an international organisation if the third country or international organisation concerned does not or no longer offers an appropriate level of protection within the meaning of Article 45 GDPR.
(3) Advisory powers
The authorisation and advisory powers in Article 58(3) GDPR supplement the investigative and corrective measures SAs are afforded with. Article 58(3) GDPR lists all those cases in which authorisation or approval from a SA is a prerequisite for acting in accordance with the GDPR. In these cases, the SA carries out a prior check in order to preventively ensure the application and enforcement of the GDPR. In detail, this concerns the following powers (cf. Article 58(3)(c)-(j) GDPR): Approval of processing that is particularly risky for the fundamental data protection right, provided that a member state has made use of the optional specification clause (Article 36(5) GDPR); Opinion on and approval of drafts for rules of conduct in accordance with Article 40(5) GDPR and, where relevant, Article 64(1)(b) GDPR; Accreditation of certification bodies in accordance with Article 43 GDPR; Issuing of certifications in accordance with Article 42(5), if relevant, in accordance with Article 64(1)(c) GDPR; Standard contractual clauses in accordance with Article 28(8) GDPR and, if the case, Article 46(2) GDPR; Approval of standard contractual clauses for international data transfer in accordance with Article 46(3)(a) GDPR and Article 64(1)(e) GDPR; Approval of administrative agreements for international data transfer in accordance with Article 46(3) (b) GDPR; Approval of binding corporate rules in accordance with Article 47 GDPR.
(4) Appropriate safeguards
In the absence of a uniform European administrative procedural law, the powers of the SAs must in principle be exercised in accordance with the national procedural law of the respective member state. National procedural law must meet certain requirements; in particular, it must provide for due process and effective judicial remedies.[24]
(5) Supervisory authorities (SAs) in courts
Article 58(5) GDPR contains an opening clause that must be filled out by the legislators of the member states. According to this, SAs must always have the power to bring violations of the GDPR to court. Specifying national legal provisions must decide whether a SA itself has a right of action or whether it has to involve the national judicial authorities, which in turn have to initiate judicial proceedings. The GDPR allows the member states to insert the enforcement powers of the national SAs into the national legal system.
(6) Additional powers provided by national law
According to Article 58(6) GDPR, each member state can stipulate that its SA receives further powers in addition to those mentioned in paragraphs 1-3, provided that this not impair the effective implementation of Chapter VII of the GDPR on cooperation and coherence. Based on the express wording of paragraph 6, it can be assumed that the SAs may be given additional powers, but that the existing powers may not be restricted. A contrary view cannot be derived from any other provision of the GDPR.[25]
Decisions
→ You can find all related decisions in Category:Article 58 GDPR
References
- ↑ Under Article 70(1)(k) GDPR, the EDPB should in principle adopt guidelines regarding the concrete and consistent application of such powers. See, Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 3 (Manz 2021).
- ↑ Feiler, Forgó, EU-DSGVO, Article 83 GDPR, margin number 17 (Verlag Österreich 2016).
- ↑ Georgieva/Schmidl, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 58 GDPR, p. 945 (Oxford University Press 2020).
- ↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).
- ↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 14 (Nomos 2022).
- ↑ Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 14 (Manz 2021).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition). See also Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 58 GDPR, margin number 12 (2nd Edition, C.H. Beck 2018).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).
- ↑ Selmayr, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 13 (C.H. Beck 2018).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 14 (Nomos 2019).
- ↑ Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4 May 2016 (available here).
- ↑ Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 17 f. (Manz 2021).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 15 (Nomos 2019).
- ↑ Selmayr, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 16 (C.H. Beck 2018).See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 16 (Nomos 2019).
- ↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 58 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition). See also Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 30 (Nomos 2022).
- ↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 17 (Nomos 2019).
- ↑ Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 35 GDPR, margin number 14 (C.H. Beck, 36th edition).
- ↑ See Körffer, in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2021). Also following the Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4 May 2016 (available here).
- ↑ Selmayr, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 19 (C.H. Beck 2018).
- ↑ Martini, Wenzel, „Gelbe Karte“ von der Aufsichtsbehörde: Die Verwarnung als datenschutzrechtliches Sanktionenhybrid, in PinG, 5 (2017), p. 92-96.
- ↑ Körffer, in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 20 (C.H. Beck 2021).
- ↑ As Zavadil clarifies, the Åkerberg Fransson ECJ ruling shows that the principle ne bis in idem does not apply if a measure with a punitive nature is imposed in addition to one without a punitive nature. It is therefore permissible to impose a fine alongside an administrative measure that is not punitive; Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 14 (Manz 2021).
- ↑ Körffer, in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 31 (C.H. Beck 2021).
- ↑ Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 56 (Manz 2021).