Article 52 GDPR

← Article 52 - Independence →
Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 52 - Independence

1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

Relevant Recitals

Commentary

Primary Union law necessitates the independence of supervisory authorities under Article 8(3) of the Charter of Fundamental Rights of the European Union ("CFR"), Article 16(2) of the Treaty on the Functioning of the European Union ("TFEU") and Article 39 of the Treaty on the European Union ("TEU"). These Articles provide that Member States must ensure that compliance with data protection rules are be subject to the "control of independent authorities." Article 52 GDPR gives effect to this requirement.

Article 52 GDPR codifies the concept of "complete independence" developed by the European Court of Justice ("CJEU") in several landmark cases concerning the interpretation of Article 28(1) of Directive 95/46/EC ("DPD"), the Regulation's predecessor.^[1] Article 28(1) DPD established the existence of supervisory authorities and mandated that they were to "act with complete independence in exercising the functions entrusted to them."

Similarly, Article 52(1) GDPR explicitly demands that the independence of SAs must be complete. It has elaborated this to mean that the authority and its members must exercise their functions without any external influence and without conflicts of interest (Article 52(2)(3) GDPR). In order to make these principles operational, the provision requires member states to provide the SA with adequate financial and organisational means for this purpose (Article 52(4)(5)(6) GDPR). Elements of SAs' complete independence are also addressed in Article 53 GDPR and Article 54 GDPR.

The CJEU in the Case of Commission v Germany, notes that the notion of absolute independence for SAs was developed in order to strengthen the protection of individuals, not for the purpose of granting special status to SAs.^[2] Moreover, this understanding was affirmed in Commission v Austria, wherein the CJEU held that “the guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on the protection of individuals with regard to the processing of personal data [...].”^[3]

The notion independence reoccurs throughout the regulation. For instance, the principle of independence is also referred to in Article 4(12) GDPR (definition of SA), Article 45(2)(b) GDPR (personal data transfers to a third country or an international organisation outside of the outside of the European Economic Area), and Article 69 GDPR (on the independence of the European Data Protection Board ("EDPB")).^[4]

(1) Complete independence of aupervisory authorities (SAs)

Article 52(1) GDPR acts as a catch-all clause that applies as a general standard,^[5] regardless if more specific provisions of the GDPR do not apply.

Each supervisory authority (SA)

Member states can establish one or several SAs for monitoring the implementation of the GDPR (Article 51 GDPR). Article 52(1) GDPR clarifies that "each" of them must ("shall") act with complete independence.^[6]

Shall act

This condition mandates that member states, SAs and each of their members ensure that the the requirement of complete independence is fulfilled. In the event that the provision is not implemented, the Commission may start infringement proceedings against the state under Article 258 TFEU. In addition, other member states may bring an action before the CJEU under Article 259 TFEU.

Infringement proceedings against member states have occurred before. In three separate cases instigated by the Commission, the CJEU found that Germany, Austria, and Hungary had not fulfilled their obligations, as they had failed to ensure the complete independence of their SAs.^[7]

Complete independence

In Commission v Germany the Court specified that the notion of “complete independence” must be given a broad and autonomous interpretation. Other provisions on the independence of SAs and the European Data Protection Supervisor ("EDPS") are to be interpreted homogenously, as they are based on the same general principle of independence.^[8]

Complete independence requires that the decisions of SAs and SAs themselves, are objective and impartial and remain above any suspicion of partiality.^[9] To fulfil the requirement of complete independence, SAs must remain free from any external influence, which is liable to have an effect on their decisions.^[10] According to the CJEU, this freedom is necessary for SAs to carry out their functions, which include "ensuring a fair balance between fundamental rights, on the one hand, observance of the fundamental right to private life and, on the other hand, the interests requiring free movement of personal data.”^[11]

Consequently, a SA must enjoy independence in all possible forms, including:

• institutional and organizational independence (see below);
• independence in decision making, without any external influence (see Article 52(2) GDPR, below):
• functional independence (see Article 52(3) GDPR, below);
• operational independence, such as having own premises and staff (see Article 52(4)(5) GDPR, below);
• financial and budgetary independence (see Article 52(4)(6) GDPR, below), and
• restrictions regarding premature termination of mandate of SA members (see Article 53 GDPR).

These requirements mean that SAs must be independent with respect to the entities, controllers or processors, over which they are required to exercise control. Importantly, the concept of independence applies to the state or any other entity that may exercise any kind of direct or indirect influence over the decision-making capacity of a SA, including the Commission. For example, in practice, this requirement mandates that legislative or executive bodies, such as the government of a member state or the Commission, cannot change or replace a decision taken by a SA. Moreover, the concept of complete independence extends to SA member's term of office, which cannot end prematurely outside of the GDPR's parameters, even if member states introduce domestic laws which attempt to restructure the functioning of SAs.^[12] SA members' term of office is regulated in Articles 53(3) and 53(4) GDPR.

The independence of SAs extends to adequacy decisions adopted by the Commission. A SA is not bound by an adequacy decision adopted by the Commission under Article 45 GDPR, if it considers it to not comply with the GDPR's requirements. For instance, in Schrems I, the CJEU made it clear that the competent SA when examining a data subject's claim relating to the third-country transfer of data "must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the [law]."^[13]

The aim of complete independence, is to ensure that SAs are free from political influence. For this reason, the CJEU has highlighted that their governance must remain outside of a State's "classic hierarchical administration.”^[14] The requirement of independence does not jeopardise their democratic legitimation, as a SAs' democratic legitimacy stems from the appointment of their members. Pursuant to Article 53 GDPR, the appointment of an SA's members is to be done by means of a transparent procedure by a member state's parliament, government, head of State, or an independent body entrusted with the appointment under member state law. SAs are also accountable to the political bodies of their member states.

Nevertheless, complete independence should not be taken to mean unaccountability.^[15] Pursuant to Article 59 GDPR, they must provide annual reports to the national parliament, the government and any other authorities as designated by member state law. Moreover, in line with the rule of law, decisions of SAs are subject to judicial review, under Article 78 GDPR.

Performing its tasks and exercising its powers

Tasks of supervisory authorities (SAs)

Among the tasks of each SA is handling of complaints of data subjects and cooperation with other SAs under the Article 63 GDPR consistency mechanism. The tasks of SAs are laid down in Article 57 GDPR.^[16]

Powers of supervisory authorities (SAs)

The powers of SAs are both investigative and corrective, which are set out in Article 58 GDPR.^[17]

(2) Freedom from external influence

Article 52(2) GDPR requires two things from members of SAs in the performance of their duties. Firstly, it requires them to remain free from external influences, whether direct or indirect, and secondly, it prohibits them from seeking or taking instructions from anyone.

As the guardians of the right to data privacy, SAs must be able to act objectively and impartially, free from any external influence that might affect their decision-making process. In particular, this prohibition is primarily targetted towards undue governmental and political influence.^[18]

Case law: In Commission v Germany, the Court decided that the requirement of independence was not met, as SAs competences over the private sector were subject to governmental supervision and state scrutiny, which allowed the government to directly and indirectly influence the decisions of Germany's SAs.^[19]

Case law: In Commission v Austria, the CJEU among others held that the fact that the office of SAs was composed of officials of the Federal Chancellery (Office of the Head of Austrian Government), which was itself subject to supervision by the Austrian SA, carried a risk of influence over SA’s decisions and prevented it from being above all suspicion of partiality and therefore incompatible with the requirement of independence.^[20]

Case law: In Commission v Germany CJEU considered that a government may, among others, tend to favour economic interests in the application of data protection provisions by certain establishments which are economically significant for their state or a region.^[21]

Member(s) of supervisory authority (SA)

Members of SAs are the carriers of the principle of independence of SAs. Members are the lead personnel appointed in accordance with Article 53(1) GDPR.^[22] In addition to at least one member, every SA also has staff. The concept of independence does not apply to staff. They must follow instructions of members of the SAs but must remain independent from any influence from outside of the SA (see Article 52(4) GDPR section below).^[23]

Remain free from external influence

Direct influence

The prohibition under Article 52(2) GDPR is broad and forbids any form of direct influence. Forms of direct influence could include instructions given to a SA on any aspect of its work, political influence, or prior compliance. ^[24] These examples are non-exhaustive, CJEU case law suggests that the mere suspicion of partiality is sufficient to constitute an infringement upon a SA's independence.

Case law: In Commission v Germany, the CJEU explained that “the mere risk that the state scrutinizing authorities could exercise political powers over the decisions of SAs is enough to hinder the latter in the independent performance of their tasks. First, as was stated by the Commission, there could be ‘prior compliance’ on the part of those authorities in the light of the scrutinising authority’s decision-making practice. Secondly, for the purposes of the role adopted by those authorities as guardians of the right to private life, it is necessary that their decisions, and therefore the authorities themselves, remain above any suspicion of partiality.” ^[25]

In practice, this prohibition forbids situations such as the following:

Example: The government cannot review a decision of a SA for its correct interpretation and application of the GDPR and replace it.

Example: The Commission cannot instruct a SA as to which company should or should not be investigated.

Example: A SA will not decide to impose a fine for the repeated violation of the GDPR, as they are aware that their state's ministry as the scrutinising authority, will annul and replace their decision because the government does not want to impose any fines for political reasons.

Indirect influence

Indirect influence occurs whenever the SA’s actions may be affected by external factors, which could motivate members of SAs act in a certain manner out of their “own free” will. In the Court’s view, this also generates a form of ‘prior compliance’ which is incompatible with the free and independent exercise of its functions. Indirect influence may equally result from possible effect on career prospects or disciplinary action.

Case law: In Commission v Austria, the CJEU held that the fact that the Federal Chancellor had an unconditional right to be informed on all aspects of the work of the SA is liable to subject the SA to indirect influence from the Federal Chancellor. It also pointed out that the evaluation of a SA member by his hierarchical superior for the purposes of his promotion could lead to a form of prior compliance on the part of the SA.^[26] Example: If the government is in charge of deciding about a salary increase and promotion of a SA member, it is quite unlikely that the SA will issue a fine for an infringment of the GDPR, when the government is of the opinion that warnings and not fines should be issued in the event of violations of the GDPR.

Similarly, in Commission v Hungary, CJEU clarified that a risk of premature termination of the mandate to which a member of a SA would be exposed throughout his term of office could lead him to enter into a form of prior compliance with political authority, which is incompatible with the requirement of independence.^[27]

Given these conditions, the question arises as to what is, or rather what should be, the scale of national legislative intervention to ensure effective independence during the term of office. The problem is particularly pressing where certain professional categories are concerned, such as legal advisers in the private sector. In this case, too, a form of prior compliance can be envisaged, not so much with respect to political or governmental bodies, but rather with respect to positions taken previously, or to the risk that certain ‘unpopular’ decisions may reduce the number of job opportunities after the end of the mandate. In this sense, one possible solution might be to provide the SA’s appointed members with a medium to long-term financial emolument that would allow them to free themselves from reductive calculations on their professional future.

Freedom from instructions

SAs are prohibited from asking for instructions or following instructions, if they were given. Seeking or taking instructions by SAs would undermine the impartiality of SAs.

Case law: In Commission v Hungary, CJEU held that “[t]he operational independence of supervisory authorities, in that their members are not bound by instructions of any kind in the performance of their duties, is thus an essential condition that must be met if those authorities are to satisfy the criterion of independence”.^[28]

(3) Prohibition against incompatible actions

Under Article 52(3) GDPR, members of each SA shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not. The provision lists neither the actions nor the occupations that are supposed to be incompatible with a function within the SA. However, Article 54(1)(f) GDPR requires the Member States to regulate the matter in their national legislation.

The purpose of this provision is to protect the independence of a SA, as well as the lawfulness of its actions and its reputation.^[29] It requires the members of SAs to act with integrity (Recital 121 GDPR).

While the EDPS that is in charge of supervision of processing of personal data by EU institutions must pursuant to Article 55(3) EUDPR refrain from any other occupation, members of SAs are allowed to engage in other occupation, as long as it does not collide with their duties under the GDPR. This allows SAs to have also other competences, such as being at the same time the public authority in charge of freedom of information legislation. This is for example the case in Germany on the federal level and in some Länder and in Malta and Slovenia.

Incompatible action

The prohibition of incompatible actions applies with regard to professional and private life of members.

Given that, as mentioned above, the matter of which action or activity is incompatible must be defined by the individual member states, it is possible to outline some examples of actions which can be said to be certainly incompatible with the function of a SA member. The receipt of gifts, whether tangible or intangible, promises or any other form of benefit is certainly incompatible. At the same time, and to the extent possible, SA members should avoid frequent private contact with potential counterparties or representatives of controllers or processors, at least those against whom investigations are being conducted.

Example: A member of a SA, which is competent for the control of company Supertech, goes every year on all-inclusive luxury holiday with his friend, the chief executive officer of Supertech for free.  

Incompatible occupation

In the case of occupation, the wording of Article 52(3) GDPR makes no difference whether these are professional, part-time, or voluntary. The decisive factor is whether the respective activity is “incompatible” with the office. This is meant to avoid the evil appearance of reduced independence and neutrality, comparable to the rules on bias. This is to be judged according to a prognostic scale. Therefore, there will be an incompatibility if the activity may lead to conflicts of interest with the independent exercise of office and influence on the office, whether in an economic, political or other way. Typically, incompatible conduct is, for example, accepting a position within a company that can be scrutinised by the DPA. Same goes for paid or unpaid legal advice unless the client is located outside the SA’s own jurisdiction. However, even in these cases, it must be examined whether there can be a connection to one’s own official business. The latter may be the case, for example, if it is the establishment or processor of a body to be controlled in its own jurisdiction. When carrying out activities as a tax consultant or lawyer, it must be analyzed, especially regarding the mandate and the task to be assigned, whether collisions with supervisory tasks can occur. However, at least in principle, such freelance activities are not incompatible with the office.^[30]

(4) Sufficient Resources

To be efficient, and carry out their tasks, the SAs should receive the financial, organisational, technical and human resources necessary to deal with their multiple tasks, and use their powers. These tasks include the participation in the cooperation and consistency mechanisms. Data protection law at a high level and an independent supervisory authority with numerous powers are pointless if this authority cannot carry out its tasks or can only do so ineffectively because it lacks the necessary staff, technical equipment, financial and other resources.^[31] Additionally adequacy of resources should be periodically reviewed.^[32]

Example: If considering its resources a SA can carry out a control of each controller and processor in its area of responsibility only every 45.000 years the conditions of this provision are not met.^[33]

Article 52(4) GDPR and Article 52(6) GDPR specify the elements of material independence of SAs. Part of its material independence is autonomy in relation to the allocation and disposal of resources within the allocated budget.^[34]

Human resources

Human resources relate, on the one hand, to the necessary level of staff and, on the other hand, to the presence of qualified personnel to carry out the tasks and exercise of powers. This requires above all employees with a training background in the fields of law and computer science, including communication technology. Within the framework of the applicable salary structures, it must be ensured that the remuneration is designed in such a way that high-quality employees can be recruited in competition with the private sector.^[35] The structure of staff should enable the SAs to take prompt and effective action.^[36]

Technical resources

Technical resources are aimed at an appropriate equipment with hardware and software in order to be able to carry out the transferred official business. The supervisory authorities must be at the cutting edge of information and communication technology in order to be able to carry out their monitoring tasks.^[37]

Financial resources

Financial resources consist of the budget needed for the stable functioning of the SA as well as resources for unforeseen tasks. This includes, for example, funds for travel expenses, also for participation in further education and training, for the implementation of conferences and workshops, for obtaining external expertise in difficult legal issues or in legal representation or for the short-term reinforcement of staff coverage in the event of special workload.^[38] Also, sufficient financial resources must be provided for the costs of necessary human and technical resources, the premises and the infrastructure.

Sufficient financial resources are very important for uninfluenced and impartial monitoring and decision making of SAs. Otherwise, there is a risk that SAs may be more lenient, look for amicable solutions and refrain from imposing heavy fines to avoid their decisions being challenged. In particularly, if they do not have the neccessary financial resources to defend its decision in the event of an appeal in court.^[39]

According to Article 52(6) GDPR each SA must have its own budget (see below).

Premises and infrastructure

Other essential elements for the proper functioning of the SA are the premises and the infrastructure. The SA should be equipped with premises with adequate space to ensure the permanence of its members and the confidentiality of meetings. Communication and security infrastructures commensurate with the sensitivity of the task are obviously needed.^[40]

Necessary for effective performance of its tasks and exercise of its powers

Necessary

Article 52(4) GDPR links the criteria of sufficient resources to the effective performance of SA's tasks and exercise of its powers. It does not further specify how much resources is sufficient resources. The resources that an SA will need depend on different factors, such as the size of the territory and number of subjects it is bound to monitor, the size and complexity of data processing by controlling subjects, on how many complaints it receives. Another factor is the size of companies. Typically, big tech companies are more complex and time consuming to monitor than smaller businesses.

Effective performance

Effective performance means that a SA are efficiently performs all its tasks and efficiently exercises all its powers. In case of violations of the GDPR this means that every or most violations are identified, investigated and sanctioned. In general, high likelihood of sanctioning in case of infringements is a very significant factor for individual’s voluntary compliance with the laws. This is far from current reality where most violations of GDPR are not addressed, mass violations are tolerated and complaint procedures in most states take several years to be decided.^[41]

Example: In Austria in case of driving over the speed limit and being caught, a speed ticket with a fine (1/2 of full fine) is automatically send to the driver. If he pays no procedure is started. This is a very effective way of dealing with violations of traffic rules.

In the context of mutual assistance, cooperation and participation in the EDPB

Finally, member states must provide sufficient resources not only for performing the tasks and powers on national level, but also for the activities carried out “in the context of mutual assistance, cooperation and participation in the Board”. The tasks relating to SAs participation in the cooperation and consistency mechanism enshrined in Chapter 7 of GDPR. That involves staff attending the EDPB meetings, cooperation with the other SAs under the consistency mechanism (one-stop shop) but also technical and financial resources to cooperate with the other authorities. The SA should therefore have at its disposal, for example, linguistic interpreters when the collegial work requires the translation of documents or the interaction with colleagues of a different language, encrypted communication systems to maintain the secrecy of the investigations and, more generally, adequate financial cover for travel and joint investigations.^[42]

(5) Recruitment and Staff Supervision

The independence and efficiency of SAs may be compromised if its staff is chosen by another body or employed elsewhere. Unsuitable and incompetent staff cannot efficiently monitor the application of the GDPR. Therefore, Article 52(5) GDPR specifies that each SA must be able to choose and employ its own staff, who then must be subject to the exclusive direction of the member or members of the SAs.^[43]

Chooses and has own staff

The ability to choose and have own staff enables a SA to employ suitable staff with the expertise, experience, qualifications and skills required to perform their tasks.^[44]

Case law: In Commission v Austria CJEU decided among others that Austria did not fulfil the conditions of independence because the office  of the SA was integrated within the department of the Federal Chancellery composed of officials of the Federal Chancellery.^[45]

Each SA must select its own staff. Taking into account Recital 121, this requirement can be met not only if the SA recruits and selects the staff itself, but also if the selection of staff is carried out by an independent body.^[46] Autonomy and independence in the selection of staff gives SA an opportunity to better respond to existing professional and staffing needs.^[47]

Exclusive direction of member(s) of supervisory authorities (SAs)

Staff of a SA is subject to exclusive supervision and direction of the member(s) of the SA, as any supervision or directions by another body could influence the work of the staff and thus also the work of the SA. This also “excludes making available staff to the supervisory authority whilst that staff remains linked in an organisational way to or remains subject to any form of supervision by the body which made the staff available”.^[48]

(6) Financial Control and Budget

Article 52(6) GDPR addresses another aspect of financial independence of SAs, financial control and own budget.^[49] In addition, Article 52(4) GDPR requires member states to ensure sufficient financial and other resources.

Financial control

Naturally, the independence of the SAs does not mean that their financial expenditure cannot be subject to any monitoring and control mechanisms.^[50] However, it does set limits on the scope of financial controls. Member states must ensure that the financial controls do not compromise the independence of SAs.

Example: In a complaint case against a processor the SA spent 10.000 EUR on the investigation. The financial audit can verify whether the SA spent the amount in accordance with the relevant financial rules, e.g. public procurement rules, but not whether the investigation itself was necessary.

However, Article 52(6) GDPR should not be understood as obliging member states to subject the SAs to financial controls.^[51]

Budget

Each SA must now also have a separate annual budget. Separate budget gives a SA the ability to plan its own budget and to decide where allocate and spend the funds.

Decisions

→ You can find all related decisions in Category:Article 52 GDPR

References