Article 52 GDPR

From GDPRhub
Revision as of 10:05, 10 September 2021 by FD (talk | contribs)
Article 52 - Independence
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 52 - Independence


1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

Relevant Recitals

Recital 117: Establishment of Independent Supervisory Authorities
The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

Recital 118: Control and Monitoring of Supervisory Authorities
The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.

Recital 119: Participation in Consistency Mechanism in Case of Multiple Supervisory Authorities
Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth cooperation with other supervisory authorities, the Board and the Commission.

Commentary

Article 8(3) CFR as well as Article 16(2) TFEU and Article 39 TEU require independent authorities to monitor and enforce the application of data protection law. Only convention 108 of the Council of Europe did not require that Supervisory Authorities ("SA") are established by the contracting countries. However, the modernised Convention 108 (Article 15) now refers to the requirement of an independent authority.

In terms of Article 52 GDPR, three landmark cases of the CJEU had an influence its wording:

- In Commission vs. Germany, the Court decided that Germany did not correctly implement Article 28(1) of Directive 95/46 (DPD), considering that the fact that the SA competent for the private sector were subject to governmental supervision, and state scrutiny, which allowed the government to influence, directly or indirectly, the decisions of the SAs, and even to cancel or replace these decisions. The Court specified that the notion of "complete independence" in Article 28 DPD must be given a broad and autonomous interpretation, and aligned on the Article 44 of Regulation 45/2001.

- Likewise, in Commission vs. Austria, the Court found that Austria failed to comply with Article 28 DPD by allowing an influence of the government on the SA for the following reasons: the managing member of the SA was an officer working for the Federal Chancellor office and under direct supervision of the Chancellor, the office of the SA was integrated within the department of the Federal Chancellery, and the right of the Chancellor to be informed on all aspects of the work of the SA.

- In 2014, in Commission vs. Hungary, the Court found that the complete independence of the SA was not guaranteed due to the premature termination of the mandate of the Commissioner for the protection of personal data, at the occasion of a re structuration of the SA.


(1) Complete Independence

Article 52(1) GDPR refers to the complete independence as reflected in Article 8(3) CFR, and Article 16 TFEU.

According to the Court, complete independence means that the decision-making power is totally independent of any direct or indirect external influence on the supervisory authority. This covers the so-called functional and organisational independence.

The SAs must act independently in any action they are taking. That covers not only decisions but also all tasks and powers referred to in Article 58 GDPR.

(2) Freedom from External Influence

The second paragraph should be read in the light of the case law of the CJEU, in the three cases mentioned above: the SAs must be able to act objectively and impartially and free form of influence that might have an effect on their decision, tasks and powers.

Direct influence refers to instructions given to a SA, on whatever aspect of its work. Indirect influence covers means that SA must remain above all suspicion of partiality. The mere possibility to exercise a political influence over their decisions is enough to conclude to the absence of independence of the SA.

Beside that functional influence, the organisation for the SA should also ensure its independence towards any influence. In the Austria case mentioned above, the fact that the SA was integrated within the department of the Chancellery led the CJEU to conclude that the SA lacked of independence.

Similarly, the restructuring of a SA, leading to the early termination of the mandate of the commissioner in charge without objective justification, was a violation of the requirement of complete independence under the DPD.

(3) Prohibition Against Incompatible Actions

Article 53 GDPR does not list the occupations that are supposed to be incompatible with a function within the SA. However, Article 54(1)(f) GDPR requires the Member States to regulate the matter in their national legislation.

(4), (5) Sufficient Resources

To be efficient, and deal with their tasks, the SAs should receive the financial, organisational, technical and human resources necessary to deal with their multiple tasks and use their powers. These tasks include the participation in the cooperation and consistency mechanisms: that involves staff attending the EDPB meetings, cooperation with the other SAs under the consistency mechanism (one-top-shop) but also technical and financial resources to cooperate with the other authorities.

In order to ensure complete independence of their resources, the SAs should be able to hire and select their own staff, who should be under their supervision.

(6) Financial Control

Of course, the independence of the SAs does not mean that they cannot receive a budget which is subject to the monitoring and control mechanisms regarding their financial expenditure. Paragraph 6 now requires that each SA has a separate budget annual budget.

Decisions

→ You can find all related decisions in Category:Article 52 GDPR

References