Article 52 GDPR: Difference between revisions

From GDPRhub
(11 intermediate revisions by 5 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 52 - Independence'''</center><br />
<br /><center>'''Article 52 - Independence'''</center>


<span id="1">1.  Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.</span>
<span id="1">1.  Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.</span>
Line 199: Line 199:
<span id="6">6.  Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.</span>
<span id="6">6.  Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.</span>


== Relevant Recitals==
==Relevant Recitals==
''You can help us fill this section!''
{{Recital/117 GDPR}}
{{Recital/118 GDPR}}
{{Recital/119 GDPR}}


== Commentary ==
== Commentary ==
Article 8(3) CFR as well as Article 16(2) TFEU and Article 39 TEU require independent authorities to monitor and enforce the application of data protection law.<ref>Only convention 108 of the Council of Europe did not require that Supervisory Authorities (“SA”) are established by the contracting countries. However, the modernised Convention 108 (Article 15) now refers to the requirement of an independent authority.</ref> Article 52 GDPR specifies the elements of such independence, making it clear that the authority and its members must exercise their functions without any external influence and without any conflict of interest. In order to make these principles operational, the provision requires Member States to provide the SA with adequate financial and organisational means for this purpose.


''You can help us fill this section!''
=== (1) Complete Independence ===
Under Article 52(1) GDPR, each supervisory authority shall act with complete independence in performing its tasks and exercising its powers. In order to be “complete”, independence must be achieved in several ways. Evidently, the SA must be independent with respect to the entities, controllers or processors, over which it is required to exercise control. However, independence also applies to any other entity that may exercise any kind of direct or indirect control over the decision-making capacity of the SA, including the Commission.<ref>In Schrems I, the Court made it clear that the DPA must carry out a check on the transfer of data even where there is an adequacy decision. CJEU, Schrems I, §57</ref> To give an example, while Member States are free (within the parameters of the GDPR) to adopt or amend the institutional model that they consider to be the most appropriate for their supervisory authorities, ''“in order to comply with the requirement of ‘complete independence’, the supervisory authority must be placed outside the classic hierarchical administration''”.<ref>''Zerdick'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 879 (Oxford University Press 2020).</ref> Nevertheless, even complete independence has limits. For example, it does not exclude that the appointment of SA members is made by political bodies such as the parliament or the government (Article 53(1) GDPR) or that their actions (including their inactivity) may be subject to judicial review (Article 78 GDPR). 
 
=== (2) Freedom from External Influence ===
Article 52(2) GDPR addresses the members of the SA during the performance of their duties. On the one hand, it requires them to remain free from external influences, whether direct or indirect, and on the other hand, it prohibits them from seeking or taking instructions from anyone.
 
The provision should be read in the light of the case law of the CJEU. In particular, in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62007CJ0518 Commission vs. Germany], the Court decided that Germany did not correctly respect such standard ([https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046 Article 28(1) of Directive 95/46]) considering that the SAs competent for the private sector were subject to governmental supervision, and state scrutiny. That allowed the government to influence, directly or indirectly, the decisions of the SAs, and even to cancel or replace these decisions. The Court specified that the notion of “''complete independence''” in Article 28 DPD must be given a broad and autonomous interpretation, and aligned on the Article 44 of Regulation 45/2001. Likewise, in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62010CJ0614 Commission vs. Austria], the Court held that Austria failed to comply with Article 28 DPD by allowing an influence of the government on the SA for the following reasons. The managing member of the SA was an officer working for the Federal Chancellor office and under direct supervision of the Chancellor, the office of the SA was integrated within the department of the Federal Chancellery, and the Chancellor had the right to be informed on all aspects of the work of the SA. Finally, in 2014, in [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0288 Commission vs. Hungary], the Court found that the complete independence of the SA was not guaranteed due to the possibility of prematurely terminating the mandate of the Commissioner.
 
In conclusion, the SAs must be able to act objectively and impartially and free from any influence that might influence their decision-making process, tasks and powers. Direct influence refers to instructions given to a SA, on whatever aspect of its work. The mere possibility to exercise a political influence over their decisions is enough to conclude to the absence of independence of the SA. Indirect influence, on the other hand, occurs whenever the SA’s actions may be affected by external factors, such as when the mandate of the members may be terminated at any time. In the Court’s view, this generates a form of ‘prior compliance’ which is incompatible with the free and independent exercise of its functions.
 
Given these conditions, the question arises as to what is, or rather what should be, the scale of national legislative intervention to ensure effective independence during the term of office. The problem is particularly pressing where certain professional categories are concerned, such as legal advisers in the private sector. In this case, too, a form of prior compliance can be envisaged, not so much with respect to political or governmental bodies, but rather with respect to positions taken previously, or to the risk that certain ‘unpopular’ decisions may reduce the number of job opportunities after the end of the mandate. In this sense, one possible solution might be to provide the SA’s appointed members with a medium to long-term financial emolument that would allow them to free themselves from reductive calculations on their professional future.
=== (3) Prohibition Against Incompatible Actions ===
Under Article 53(3) GDPR, members of each SA shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not. The provision lists neither the actions nor the occupations that are supposed to be incompatible with a function within the SA. However, Article 54(1)(f) GDPR requires the Member States to regulate the matter in their national legislation.
 
==== Incompatible Action ====
Given that, as mentioned above, the matter of which action or activity is incompatible must be defined by the individual Member States, it is possible to outline some examples of actions which can be said to be certainly incompatible with the function of an SA member. The receipt of gifts, whether tangible or intangible, promises or any other form of benefit is certainly incompatible. At the same time, and to the extent possible, SA members should avoid frequent private contact with potential counterparties or representatives of controllers or processors, at least those against whom investigations are being conducted.
 
==== Incompatible Activity ====
In the case of activities, the wording of Article 52(3) GDPR makes no difference whether these are professional, part-time, or voluntary. The decisive factor is whether the respective activity is “incompatible” with the office. This is meant to avoid the evil appearance of reduced independence and neutrality, comparable to the rules on bias. This is to be judged according to a prognostic scale. Therefore, there will be an incompatibility if the activity may lead to conflicts of interest with the independent exercise of office and influence on the office, whether in an economic, political or other way. Typically, incompatible conduct is, for example, accepting a position within a company that can be scrutinised by the DPA. Same goes for paid or unpaid legal advice unless the client is located outside the SA’s own jurisdiction. However, even in these cases, it must be examined whether there can be a connection to one’s own official business. The latter may be the case, for example, if it is the establishment or processor of a body to be controlled in its own jurisdiction. When carrying out activities as a tax consultant or lawyer, it must be analyzed, especially regarding the mandate and the task to be assigned, whether collisions with supervisory tasks can occur. However, at least in principle, such freelance activities are not incompatible with the office.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin numbers 12-14 (NOMOS 2019).</ref>
 
=== (4) Sufficient Resources ===
To be efficient, and carry out their tasks, the SAs should receive the financial, organisational, technical and human resources necessary to deal with their multiple tasks, and use their powers. These tasks include the participation in the cooperation and consistency mechanisms. That involves staff attending the EDPB meetings, cooperation with the other SAs under the consistency mechanism (one-stop shop) but also technical and financial resources to cooperate with the other authorities.
 
Thus, in accordance with Article 52(4) GPDR, Member States shall ensure that each SA is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks.
 
Human resources relate, on the one hand, to the necessary level of staff and, on the other hand, to the presence of qualified personnel to carry out the tasks and exercise of powers. This requires above all employees with a training background in the fields of law and computer science. Within the framework of the applicable salary structures, it must be ensured that the remuneration is designed in such a way that high-quality employees can be recruited in competition with the private sector.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin numbers 17 (NOMOS 2019).</ref>
 
Technical resources are aimed at an appropriate equipment with hardware and software in order to be able to carry out the transferred official business. The supervisory authorities must be at the cutting edge of information and communication technology in order to be able to carry out their monitoring tasks.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin numbers 17 (NOMOS 2019).</ref>
 
Financial resources consist of the budget needed for the stable functioning of the SA as well as resources for unforeseen tasks. This includes, for example, funds for travel expenses, also for participation in further education and training, for the implementation of conferences and workshops, for obtaining external expertise in difficult legal issues or in legal representation or for the short-term reinforcement of staff coverage in the event of special workload.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin numbers 19 (NOMOS 2019).</ref>
 
Other essential elements for the proper functioning of the SA are the premises and the infrastructure. The SA should be equipped with premises with adequate space to ensure the permanence of its members and the confidentiality of meetings. Communication and security infrastructures commensurate with the sensitivity of the task are obviously needed.
 
Finally, all the above elements should consider the activities carried out “in the context of mutual assistance, cooperation and participation in the Board”. The SA should therefore have at its disposal, for example, linguistic interpreters when the collegial work requires the translation of documents or the interaction with colleagues of a different language, encrypted communication systems to maintain the secrecy of the investigations and, more generally, adequate financial cover for travel and joint investigations.
 
=== (5) Recruitment and Staff Supervision ===
Article 52(5) GDPR specifies that each SA must be able to choose and employ its own staff, who then must be subject to the exclusive direction of the member or members of the sSA. By way of example, “''this excludes making available staff to the supervisory authority whilst that staff remains linked in an organisational way to or remains subject to any form of supervision by the body which made the staff available''”.<ref>''Zerdick'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 882 (Oxford University Press 2020).</ref>
 
=== (6) Financial Control ===
Naturally, the independence of the SAs does not mean that they cannot receive a budget which is subject to the monitoring and control mechanisms regarding their financial expenditure. Article 52(6) GDPR now requires that each SA has a separate annual budget.


== Decisions ==
== Decisions ==
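Review bot: the added section "(3) Prohibition Against Incompatible Actions" opens by citing "Article 53(3) GDPR", while the "Incompatible Activity" subsection under it cites "Article 52(3) GDPR" for the same rule, so one of the two citations needs correcting. The added text also has "Article 52(4) GPDR" in section (4) and "the sSA" in section (5), both apparent typos, and the recitals heading changes from "== Relevant Recitals==" to "==Relevant Recitals==" while the other headings keep spaces inside the markers.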

Revision as of 15:53, 28 April 2022

Article 52 - Independence

Legal Text


Article 52 - Independence

1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

Relevant Recitals

Recital 117: Establishment of Independent Supervisory Authorities
The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

Recital 118: Control and Monitoring of Supervisory Authorities
The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.

Recital 119: Participation in Consistency Mechanism in Case of Multiple Supervisory Authorities
Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth cooperation with other supervisory authorities, the Board and the Commission.

Commentary

Article 8(3) CFR as well as Article 16(2) TFEU and Article 39 TEU require independent authorities to monitor and enforce the application of data protection law.[1] Article 52 GDPR specifies the elements of such independence, making it clear that the authority and its members must exercise their functions without any external influence and without any conflict of interest. In order to make these principles operational, the provision requires Member States to provide the SA with adequate financial and organisational means for this purpose.

(1) Complete Independence

Under Article 52(1) GDPR, each supervisory authority shall act with complete independence in performing its tasks and exercising its powers. In order to be “complete”, independence must be achieved in several ways. Evidently, the SA must be independent with respect to the entities, controllers or processors, over which it is required to exercise control. However, independence also applies to any other entity that may exercise any kind of direct or indirect control over the decision-making capacity of the SA, including the Commission.[2] To give an example, while Member States are free (within the parameters of the GDPR) to adopt or amend the institutional model that they consider to be the most appropriate for their supervisory authorities, “in order to comply with the requirement of ‘complete independence’, the supervisory authority must be placed outside the classic hierarchical administration”.[3] Nevertheless, even complete independence has limits. For example, it does not exclude that the appointment of SA members is made by political bodies such as the parliament or the government (Article 53(1) GDPR) or that their actions (including their inactivity) may be subject to judicial review (Article 78 GDPR).

(2) Freedom from External Influence

Article 52(2) GDPR addresses the members of the SA during the performance of their duties. On the one hand, it requires them to remain free from external influences, whether direct or indirect, and on the other hand, it prohibits them from seeking or taking instructions from anyone.

The provision should be read in the light of the case law of the CJEU. In particular, in Commission vs. Germany, the Court decided that Germany had not met that standard (Article 28(1) of Directive 95/46), because the SAs competent for the private sector were subject to governmental supervision and state scrutiny. That allowed the government to influence, directly or indirectly, the decisions of the SAs, and even to cancel or replace these decisions. The Court specified that the notion of “complete independence” in Article 28 DPD must be given a broad and autonomous interpretation, aligned with Article 44 of Regulation 45/2001. Likewise, in Commission vs. Austria, the Court held that Austria failed to comply with Article 28 DPD by allowing the government to influence the SA, for the following reasons: the managing member of the SA was an officer working for the Federal Chancellor’s office and under the direct supervision of the Chancellor, the office of the SA was integrated within the department of the Federal Chancellery, and the Chancellor had the right to be informed on all aspects of the work of the SA. Finally, in 2014, in Commission vs. Hungary, the Court found that the complete independence of the SA was not guaranteed due to the possibility of prematurely terminating the mandate of the Commissioner.

In conclusion, the SAs must be able to act objectively and impartially, free from any influence that might affect their decision-making process, tasks and powers. Direct influence refers to instructions given to an SA, on whatever aspect of its work. The mere possibility of exercising political influence over their decisions is enough to conclude that the SA lacks independence. Indirect influence, on the other hand, occurs whenever the SA’s actions may be affected by external factors, such as when the mandate of the members may be terminated at any time. In the Court’s view, this generates a form of ‘prior compliance’ which is incompatible with the free and independent exercise of its functions.

Given these conditions, the question arises as to what is, or rather what should be, the scale of national legislative intervention to ensure effective independence during the term of office. The problem is particularly pressing where certain professional categories are concerned, such as legal advisers in the private sector. In this case, too, a form of prior compliance can be envisaged, not so much with respect to political or governmental bodies, but rather with respect to positions taken previously, or to the risk that certain ‘unpopular’ decisions may reduce the number of job opportunities after the end of the mandate. In this sense, one possible solution might be to provide the SA’s appointed members with a medium to long-term financial emolument that would allow them to free themselves from reductive calculations on their professional future.

(3) Prohibition Against Incompatible Actions

Under Article 53(3) GDPR, members of each SA shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not. The provision lists neither the actions nor the occupations that are supposed to be incompatible with a function within the SA. However, Article 54(1)(f) GDPR requires the Member States to regulate the matter in their national legislation.

Incompatible Action

Although, as mentioned above, which actions or activities are incompatible must be defined by the individual Member States, it is possible to outline some examples of actions that are certainly incompatible with the function of an SA member. The receipt of gifts, whether tangible or intangible, promises or any other form of benefit is certainly incompatible. At the same time, and to the extent possible, SA members should avoid frequent private contact with potential counterparties or representatives of controllers or processors, at least those against whom investigations are being conducted.

Incompatible Activity

In the case of activities, the wording of Article 52(3) GDPR draws no distinction between professional, part-time and voluntary activities. The decisive factor is whether the respective activity is “incompatible” with the office. This is meant to avoid the damaging appearance of reduced independence and neutrality, comparable to the rules on bias. It is to be judged on a prognostic basis. Therefore, there will be an incompatibility if the activity may lead to conflicts of interest with the independent exercise of office and influence on the office, whether in an economic, political or other way. Typical incompatible conduct is, for example, accepting a position within a company that can be scrutinised by the DPA. The same goes for paid or unpaid legal advice unless the client is located outside the SA’s own jurisdiction. However, even in these cases, it must be examined whether there can be a connection to one’s own official business. The latter may be the case, for example, if the client is the establishment or processor of a body subject to control in the SA’s own jurisdiction. Where a member works as a tax consultant or lawyer, it must be analysed, especially with regard to the mandate and the task to be assigned, whether collisions with supervisory tasks can occur. However, at least in principle, such freelance activities are not incompatible with the office.[4]

(4) Sufficient Resources

To be efficient and carry out their tasks, the SAs should receive the financial, organisational, technical and human resources necessary to deal with their multiple tasks and use their powers. These tasks include participation in the cooperation and consistency mechanisms. That involves staff attending the EDPB meetings and cooperating with the other SAs under the consistency mechanism (one-stop shop), but also technical and financial resources to cooperate with the other authorities.

Thus, in accordance with Article 52(4) GDPR, Member States shall ensure that each SA is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks.

Human resources relate, on the one hand, to the necessary level of staff and, on the other hand, to the presence of qualified personnel to carry out the tasks and exercise of powers. This requires above all employees with a training background in the fields of law and computer science. Within the framework of the applicable salary structures, it must be ensured that the remuneration is designed in such a way that high-quality employees can be recruited in competition with the private sector.[5]

Technical resources mean appropriate hardware and software for carrying out the official business entrusted to the SA. The supervisory authorities must be at the cutting edge of information and communication technology in order to be able to carry out their monitoring tasks.[6]

Financial resources consist of the budget needed for the stable functioning of the SA as well as resources for unforeseen tasks. This includes, for example, funds for travel expenses, for participation in further education and training, for holding conferences and workshops, for obtaining external expertise on difficult legal issues or for legal representation, or for the short-term reinforcement of staff in the event of a special workload.[7]

Other essential elements for the proper functioning of the SA are the premises and the infrastructure. The SA should be equipped with premises with adequate space to ensure the permanence of its members and the confidentiality of meetings. Communication and security infrastructures commensurate with the sensitivity of the task are obviously needed.

Finally, all the above elements should take into account the activities carried out “in the context of mutual assistance, cooperation and participation in the Board”. The SA should therefore have at its disposal, for example, linguistic interpreters when the collegial work requires the translation of documents or interaction with colleagues who speak a different language, encrypted communication systems to maintain the secrecy of the investigations and, more generally, adequate financial cover for travel and joint investigations.

(5) Recruitment and Staff Supervision

Article 52(5) GDPR specifies that each SA must be able to choose and employ its own staff, who must then be subject to the exclusive direction of the member or members of the SA. By way of example, “this excludes making available staff to the supervisory authority whilst that staff remains linked in an organisational way to or remains subject to any form of supervision by the body which made the staff available”.[8]

(6) Financial Control

Naturally, the independence of the SAs does not mean that they cannot receive a budget which is subject to the monitoring and control mechanisms regarding their financial expenditure. Article 52(6) GDPR now requires that each SA has a separate annual budget.

Decisions

→ You can find all related decisions in Category:Article 52 GDPR

References

  1. Only Convention 108 of the Council of Europe did not require that Supervisory Authorities (“SA”) are established by the contracting countries. However, the modernised Convention 108 (Article 15) now refers to the requirement of an independent authority.
  2. In Schrems I, the Court made it clear that the DPA must carry out a check on the transfer of data even where there is an adequacy decision. CJEU, Schrems I, §57.
  3. Zerdick, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 879 (Oxford University Press 2020).
  4. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin numbers 12-14 (NOMOS 2019).
  5. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 17 (NOMOS 2019).
  6. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 17 (NOMOS 2019).
  7. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 19 (NOMOS 2019).
  8. Zerdick, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 52 GDPR, p. 882 (Oxford University Press 2020).