Article 53 GDPR: Difference between revisions

From GDPRhub
No edit summary
 
(22 intermediate revisions by 3 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 53 - General conditions for the members of the supervisory authority'''</center>
<br />'''Article 53 - General conditions for the members of the supervisory authority'''


<span id="1">1.  Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:</span>
<span id="1">1.  Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:</span>
Line 209: Line 209:
==Commentary==
==Commentary==


Article 53 GDPR regulates, for the first time by means of a European law, the manner of appointment of the members of the supervisory authority (SA), the qualities required to hold office, certain elements relating to the termination of office and the minimum conditions for removal in the event of misconduct. The provision, which partly integrates Articles 51, 52, 54 GDPR, has different characteristics depending on the different paragraphs. In some cases, it is directly applicable as a provision of an EU regulation, in others, it requires legislative intervention by the member states.  
Article 53 GDPR regulates the means of appointment for supervisory authority members ("''SA''"). The provision governs the qualities required to hold office, circumstances relating to the termination of office and the minimum conditions for removal in the event of misconduct. This Article partly integrates [[Article 51 GDPR|Articles 51]], [[Article 52 GDPR|52]] and [[Article 54 GDPR|54 GDPR]], and resultantly its paragraphs are made up of differing characteristics. For instance, some paragraphs are directly applicable as provisions of Union law, while others require legislative intervention by Member States.  


=== (1) Authority appointing the members of the supervisory authority ===
=== (1) Authority appointing the members of the supervisory authority (SA) ===
In line with the specificities of the different constitutional and organisational rules, this provision leaves the decision on how the members of the supervisory authorities should be appointed up to the members states.<ref>For examples, see FRA, Elements of independence of the data protection authorities in the EU, p.19 (available [https://www.asktheeu.org/en/request/2398/response/9765/attach/3/21.FRA%20Focus%20Data%20protection%20authorities%20independence%20funding%20and%20staffing%20ATTACHMENT%20FRA%202013%20Focus%20DPA.pdf here]).</ref>
Given the specificities of Member States' varying constitutional and administrative rules, this provision allows Member States to determine the manner of SA members' appointment in line with their own national frameworks.<ref>For examples, see European Union Agency for Fundamental Rights, 'Elements of independence of the data protection authorities in the EU', p.19 (available [https://www.asktheeu.org/en/request/2398/response/9765/attach/3/21.FRA%20Focus%20Data%20protection%20authorities%20independence%20funding%20and%20staffing%20ATTACHMENT%20FRA%202013%20Focus%20DPA.pdf here]).</ref> Pursuant to [[Article 54 GDPR|Article 54(1)(c) GDPR]], the rules governing the appointment procedure must be legislated for by each Member State.


==== Transparent procedure ====
==== Transparent procedure ====
Irrespective of which body makes the appointment, the procedure must be transparent. The GDPR does not provide any further information on how this should be structured. However, as a minimum requirement of transparency, publicity of the selection process should be fully adopted. The procedure should also show that several alternatives have been considered and evaluated according to the criteria specified by the GDPR.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 4 (NOMOS 2019).</ref><blockquote>Example:</blockquote>
The procedure regulating appointment must be transparent, irrespective of which public body makes the appointment. This requirement is rooted in the principle of public accountability, and aims to ensure that the public is able to scrutinise the appointment of SA members.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 5 (C.H. Beck 2020, 3rd Edition).</ref> The GDPR does not clarify as to what qualifies as a transparent procedure. However, Commentators have noted that the minimum threshold for transparency, should be in the least, include making the details of the selection process available to the public. In addition, any such procedure should demonstrate that alternative candidates have been considered and evaluated in accordance with the criteria specified by the GDPR.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 4 (NOMOS 2019).</ref> <blockquote><u>Example</u>: Even if the European Data Protection Supervisor (EDPS) is governed by Regulation 2018/1725, rather than by the GDPR,  the procedure for the appointment of its president can be considered a good example of a transparent procedure. To a certain degree, this procedure can be a source of inspiration for national SAs. In 2019 the selection process was structured in the following way:
 
* ''A public call for candidates for the Supervisor posts resulted in the most competent applicants being shortlisted by an inter-institutional selection board;''
* ''Following interviews with the shortlisted candidates, the selection board presented the European Commission with their recommendations for its review and submission to the European Parliament and the Council.''
* ''Hearings to evaluate the experiences, skills and independence of the candidates took place in the European Parliament. A joint decision  of the Parliament and Council was reached following their deliberations.''<ref>https://edps.europa.eu/about-edps/supervisors_en</ref></blockquote>


==== Appointing body ====
==== Appointing body ====
naming in particular a procedure by the parliament, the government, the head of state or an independent body. It is regrettable that the appointment procedure will therefore always imply a political decision, since the four authorities listed in Article 53(1) GDPR are political organisations.<ref>In fact, independent bodies can also be appointed by entities of a political nature. In this case, therefore, it cannot be ruled out that the appointment of the SA member be inspired by some political criteria.</ref>
Article 53(1) names four possible appointing bodies. These are a Member State's (i) parliament, (ii) government, (iii) head of state, or (iv) an independent body entrusted with the appointment under Member State law.
 
If member(s) of the SA are appointed by either the (i) parliament, (ii) government, or (iii) head of state, the appointment should be made based on a proposal by any one of the aforementioned bodies.<ref>Recital 121 GDPR.</ref> While a joint appointment by different branches of state is not foreseen by the GDPR,<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, p. 888 (Oxford University Press 2020).</ref> there is no reason to consider a joint appointment as contrary to Article 53(1) GDPR, so long as one of the bodies mentioned above is involved and can effectively determine the result of the final decision.
=== (2) Qualification, experience and skills of the member(s) ===
Article 53(2) GDPR stipulates that each SA member must ("shall") have the qualifications, experience and skills in the area of personal data protection, required to perform its duties and exercise its powers. In addition to expertise in data protection law, in particularly IT and organisational expertise are of relevance for the work of SA members.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin numbers 8 and 9 (C.H. Beck 2020, 3rd Edition).</ref> Also general requirements, such as general requirements foreseen for all employees of the national administration, can be prescribed for members.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 21 (Nomos 2022).</ref> Competence requirements must be provided by law pursuant to [[Article 54 GDPR|Article 54(1)(b) GDPR]]. 
 
These competence requirements serve two purposes. The first is to ensure the high quality of SAs' work, and consequently the effectiveness of data protection. The second is to act as a minimum barrier against appointments of a purely political nature, without adequate professional preparation.<ref>''Ziebarth'', in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 18 (Nomos 2018, 2nd edition).</ref> However, Article 53(2) GDPR does not require Member States to test the knowledge of its SAs' members. Moreover, unlike the rules regulating the appointment of members of other institutions such as the Court of Justice and the General Court,<ref>The rules regulating the appointment of the members of the Court of Justice and the General Court establish that its members are to be chosen from 'persons whose independence is beyond doubt’, pursuant to Articles 253 and 254 of the Treaty on the Functioning of the European Union ("''TFEU''").


=== (2) Qualification, expertise and skills of the member(s) ===
For more on this point see ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 889 (Oxford University Press 2020).</ref> the GDPR does not require that members are to be chosen from individuals whose independence is absolute.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 889 (Oxford University Press 2020).</ref>   
Article 52(2) GDPR stipulates that each SA member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.  These competence requirements serve two purposes. On the one hand, at least in theory, they enable the SA to equip itself with qualified staff according to the respective competences (legal department, technical department and PR). On the other hand, they act as a minimum barrier against appointments of a purely political nature, without adequate professional preparation.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 53 GDPR, margin number 18 (Nomos 2018, 2nd edition).</ref> Apart from these minimum standards, Article 53(2) does not require member states to test the knowledge of the members.  


==== Qualifications ====
==== Qualifications ====
The “''qualification''” includes the educational background, such as the completion of vocational training, the completion of a course of study, the acquisition of additional qualifications, and further training certificates in relation to the activities of the SA. The qualification is thus aimed at proving that theoretical knowledge has been acquired.  
The qualification requirement refers to a member's educational background, such as the completion of vocational training, a course of study, or the acquisition of additional qualifications and further training certificates in relation to the activities of the SA. The qualification requirement is aimed at ensuring that a potential SA member is able to demonstrate that they have acquired the relevant theoretical knowledge for their position.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 6 (NOMOS 2019).</ref> 
 
==== Experience and skills ====
The experience requirement necessitates that an SA member must have previously applied what was learned through practical activity.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 6 (NOMOS 2019).</ref> While the term “''skills''” concern the abilities of the applicants relevant to the position, these include both legal and non-legal skills, and it is irrelevant whether they are innate or acquired through experience. 
==== Performance of tasks and the exercise of powers ====
The criteria outlined by the GDPR for the appointment of SA members is directly related to ensuring that an SA is able to effectively perform the tasks and exercise the powers afforded to it under the GDPR.<ref>For more on the SAs' tasks, please refer to [[Article 57 GDPR]] and for their powers please refer to [[Article 58 GDPR]].</ref> These tasks and powers include handling complaints lodged by data subjects, conducting investigations on the application of the GDPR, and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.<ref>See Recital 122 GDPR.</ref> Consequently, an SA's effective functioning is based on the competence of its members, who cannot sufficiently fulfil their duties unless they have the relevant <span id="2">qualifications, experience and skills to do so.</span>
 
=== (3) End of mandate ===
Article 53(3) GDPR regulates the ordinary coming to an end of the SA membership. It sets out three grounds for the ordinary termination of the mandate of a SA member. These are (i) expiry of term of office, (ii) resignation and (iii) compulsory retirement. Anything which falls outside of this exhaustive list cannot justify the end of a member's mandate, for instance the internal re-organisation of an SA.<ref>In this respect, reference should be made to  Case C‑288/12,  ''Commission v Hungary'', and Case </ref>
 
The provision's aim of establishing an exhaustive list of grounds for the termination of a member's mandate is an attempt to safeguard the independence of SAs, by limiting the exposure of their members to undue political influence.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).</ref> <blockquote>
<u>Case law</u>: In ''Commission v Hungary'', the CJEU held that while the Member States are entitled to restructure their data protection systems and SAs, such restructuring shall not result in a preliminary termination of the mandate of a SA member. Preliminary termination of the SA member’s mandate would unjustifiably interfere with the independence of SAs.<ref>CJEU in case [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-288%252F12&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lg=&page=1&cid=2428845 C-288/2012 - ''Commission v Hungary''], paragraphs 53 to 59.</ref>
 
<u>Case law</u>: The ''Garai'' case is also interesting in this regard. While it did not concern a SA, it regarded the early dismissal of the members of the national regulatory authority (NRA) for electronic communications in Spain. The CJEU concluded that the dismissal of the members before the end of their mandates due to the merging between different regulatory bodies was against the requirement of independence of the NRA in the ''<nowiki/>'absence of any rules guaranteeing that such dismissals do not jeopardise the independence and impartiality of such members'.''<ref>[https://curia.europa.eu/juris/document/document.jsf?text=&docid=184670&doclang=EN Case C‑424/15, ''Garai v Administración del Estado''], paragraph 52.</ref></blockquote>Members of SAs can, in addition, be legally employed by SAs. In such cases the conditions for the termination of the employment of members must be in line with the provisions of Article 53 GDPR. However, the rules governing the cessation of employment must be determined by member State's national law, in accordance with [[Article 54 GDPR|Article 54(1)(f) GDPR]].
 
==== Expiry of the term of office ====
Normally, the duties of a SA member end '''in the event of the expiry of the term of office''<nowiki/>'. The term of office is dealt with in [[Article 54 GDPR|Article 54(1) GDPR]], under which Member States are obliged to legislate for through their national laws. The term in office of an SA member also expires in case of death.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 11 (Nomos 2019).</ref>
==== Resignation and compulsory retirement ====
SA members can voluntarily decide to end their mandate before the full completion of their term in office. It should be highlighted that resignation should be voluntary, and not influenced by external pressure.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR), Article 53 GDPR, page 890 (Oxford University Press 2020).</ref>


==== Experience ====
Retirement can be a reason for the premature termination of an SA member's mandate af a SA member, especially in cases of retirement due to age or illness.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 11 (Nomos 2019).</ref> Rules regulating the retirement of SA members must be provided for through a Member State's national law before an SA member is nominated, in order to comply with the principle of independence.<ref>To this extent, see also ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Article 53 GDPR, page 891 (Oxford University Press 2020).</ref> <blockquote><u>Case law</u>: The CJEU established in ''Commission v Hungary,'' that Member States cannot change the rules concerning SA Members' term in office during their term, as this could result in a form of prior compliance, undermining the requirement of independence.<ref>Case [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-288%252F12&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lg=&page=1&cid=2428845 C-288/12 - ''Commission v Hungary'']</ref></blockquote>
The “''experience''” establishes a temporal reference in that what was learned has been applied and deepened in the practical activity. 


==== Expertise ====
=== (4) Dismissal of SA members ===
“''Expertise''” concerns the acquisition of practical knowledge and the necessary interdisciplinarity, which can be demonstrated, for example, by the performance of supervisory tasks and the exercise of supervisory powers. Regular participation in practice-relevant projects would be another proof of expertise.<ref>''Polenz'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 6 (NOMOS 2019).</ref>
Under Article 53(4) GDPR, an SA member can be dismissed only in two cases. The first of which is in the case of serious misconduct, and the second is if members can no longer fulfil the conditions required for the performance of the duties. These are the two extraordinary reasons for the premature termination of duties of SAs and should be interpreted restrictively. Notably, these grounds are exceptions to the ordinary grounds governing the end of a member's mandate under Article 53(3) GDPR,<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).</ref> as grounds for dismissal must be severe enough to justify the intrusion into the general principle of independence of SAs.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 890 (Oxford University Press 2020).</ref> Dismissal entails an involuntary preliminary loss of office


=== (3) End of the mandate ===
The GDPR does not specify what these two instances entail, nor is clear regarding which authority is responsible for deciding a member's dismissal, or for what procedural safeguards are in place, if any. These elements should be explicitly provided by a Member State's national law and be precise enough to avoid any misleading interpretation or arbitrariness.  
Article 53(3) GDPR regulates the coming to an end of the duties of SA members. Normally, this happens “''in the event of the expiry of the term of office''”. The term of office is dealt with in [[Article 54 GDPR|Article 54(1) GDPR]], as an obligation for the member states to include a provision in their national laws. The other cases bringing to an end of the mandate are the voluntary resignation or compulsory retirement. It should be highlighted that resignation should be voluntary, so not pressured by government or parliament.<ref>Rightfully, ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, p. 890 (Oxford University Press 2020).</ref> Finally, it seems worth recalling that real or alleged internal reorganisations of the SA do not fall within the mandatory cases under Article 53(3) GDPR and therefore do not justify the termination of the mandate.<ref>In this respect, reference should be made to Commission vs. Hungary, where the Court found that the complete independence of the SA was not guaranteed due to the premature termination of the mandate of the Commissioner for the protection of personal data, at the occasion of a restructuration of the SA. Beside the Commission v. Hungary judgement of the CJEU, the Garai case is also interesting in this regard. It concerned the early dismissal of the members of the national regulatory authority (NRA) for electronic communications in Spain. The CJEU concluded that the dismissal of the members before the end of their mandates due to the merging between different regulatory bodies was against the requirement of independence of the NRA in the ''"absence of any rules guaranteeing that such dismissals do not jeopardise the independence and impartiality of such members".''</ref><blockquote>Case law: 


Example:  </blockquote>
The two cases mentioned by Article 53(4) GDPR are contained in several other EU law provisions concerning the dismissal of members of independent bodies. These are Article 247 of the Treaty on the Functioning of the European Union ("''TFEU''"), which regulates the dismissal of members of the Commission, Article 228(2) TFEU with regard to the dismissal of European Ombudsman, and Article 53(5) of Regulation (EU) 2018/1725 dealing with the dismissal of European Data Protection Supervisor.<ref>Other relevant provisions include Articles 11.4 and 14.2 of the Protocol (No 4) to TFEU on the statute of the statute of the European System of Central Banks and of the European Central Bank regarding the members of the executive board of the ECB and governors of national central banks. See also ''Selmayr'', in Ehmann, Selmayr, DS-GVO Kommentar, Article 53 GDPR, margin number 13 (C.H. Beck 2018).</ref> Interpretation of these elements and corresponding provisions by the CJEU may be of relevance for the interpretations of Article 53(4) GDPR.


=== (4) Dismissal of members ===
==== Serious misconduct ====
Under Article 53(4) GDPR, an SA member can be dismissed only in two cases: serious misconduct or if they no longer fulfill the conditions required for the performance of the duties. The GDPR does not specify what these two important requirements entail nor is it clear which authority is responsible for deciding on removal or what procedural safeguards are in place, if any. These elements should be explicitly provided by member state law and be precise enough to avoid any misleading interpretation or arbitrariness.<blockquote>Example:</blockquote>
An SA member's actions may amount to serious misconduct, in instances where their actions are deemed incompatible with the duties and obligations of a SA member. These actions could include engaging in criminal activity, the holding of competing offices or engaging in an incompatible occupation.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 13 (Nomos 2019). </ref> For example, [[Article 52 GDPR|Article 52(2) GDPR]] requires SA members to remain free from external influence and [[Article 52 GDPR|Article 52(3) GDPR]] entails a prohibition of incompatible actions.
==== No longer fulfils the conditions ====
The failure to fulfil the conditions of office refers to the general conditions required by the Member State's law, such as citizenship and general conditions for officials to hold office, or other circumstances that would permanently prevent an SA member from fulfilling their duties.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin numbers 27, 28 and 21 (Nomos 2022). </ref>
==== Responsible authority and procedure ====
The procedure and the responsible authority should allow for an independent decisions regarding the dismissal of an SA member, ensuring that it is by no means politically influenced. For example, courts can be given the competence to decide on the dismissal of SA member. On the other hand, parliaments may not, as a decision on the dismissal of an SA member would be considered political if the deciding body was a Member State's parliament voting by a simple majority.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin numbers 30 and 31 (Nomos 2022).</ref>  


==Decisions==
==Decisions==

Latest revision as of 23:06, 1 April 2024

Article 53 - General conditions for the members of the supervisory authority
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 53 - General conditions for the members of the supervisory authority

1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:

— their parliament;

— their government;

— their head of State; or

— an independent body entrusted with the appointment under Member State law.

2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

Relevant Recitals

Recital 117: Establishment of Independent Supervisory Authorities
The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

Recital 121: General Conditions for the Member(s) of Supervisory Authorities
The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority.

Commentary

Article 53 GDPR regulates the means of appointment for supervisory authority members ("SA"). The provision governs the qualities required to hold office, circumstances relating to the termination of office and the minimum conditions for removal in the event of misconduct. This Article partly integrates Articles 51, 52 and 54 GDPR, and resultantly its paragraphs are made up of differing characteristics. For instance, some paragraphs are directly applicable as provisions of Union law, while others require legislative intervention by Member States.

(1) Authority appointing the members of the supervisory authority (SA)

Given the specificities of Member States' varying constitutional and administrative rules, this provision allows Member States to determine the manner of SA members' appointment in line with their own national frameworks.[1] Pursuant to Article 54(1)(c) GDPR, the rules governing the appointment procedure must be legislated for by each Member State.

Transparent procedure

The procedure regulating appointment must be transparent, irrespective of which public body makes the appointment. This requirement is rooted in the principle of public accountability, and aims to ensure that the public is able to scrutinise the appointment of SA members.[2] The GDPR does not clarify as to what qualifies as a transparent procedure. However, Commentators have noted that the minimum threshold for transparency, should be in the least, include making the details of the selection process available to the public. In addition, any such procedure should demonstrate that alternative candidates have been considered and evaluated in accordance with the criteria specified by the GDPR.[3]

Example: Even if the European Data Protection Supervisor (EDPS) is governed by Regulation 2018/1725, rather than by the GDPR, the procedure for the appointment of its president can be considered a good example of a transparent procedure. To a certain degree, this procedure can be a source of inspiration for national SAs. In 2019 the selection process was structured in the following way:

  • A public call for candidates for the Supervisor posts resulted in the most competent applicants being shortlisted by an inter-institutional selection board;
  • Following interviews with the shortlisted candidates, the selection board presented the European Commission with their recommendations for its review and submission to the European Parliament and the Council.
  • Hearings to evaluate the experiences, skills and independence of the candidates took place in the European Parliament. A joint decision  of the Parliament and Council was reached following their deliberations.[4]

Appointing body

Article 53(1) names four possible appointing bodies. These are a Member State's (i) parliament, (ii) government, (iii) head of state, or (iv) an independent body entrusted with the appointment under Member State law.

If member(s) of the SA are appointed by either the (i) parliament, (ii) government, or (iii) head of state, the appointment should be made based on a proposal by any one of the aforementioned bodies.[5] While a joint appointment by different branches of state is not foreseen by the GDPR,[6] there is no reason to consider a joint appointment as contrary to Article 53(1) GDPR, so long as one of the bodies mentioned above is involved and can effectively determine the result of the final decision.

(2) Qualification, experience and skills of the member(s)

Article 53(2) GDPR stipulates that each SA member must ("shall") have the qualifications, experience and skills in the area of personal data protection, required to perform its duties and exercise its powers. In addition to expertise in data protection law, in particularly IT and organisational expertise are of relevance for the work of SA members.[7] Also general requirements, such as general requirements foreseen for all employees of the national administration, can be prescribed for members.[8] Competence requirements must be provided by law pursuant to Article 54(1)(b) GDPR.

These competence requirements serve two purposes. The first is to ensure the high quality of SAs' work, and consequently the effectiveness of data protection. The second is to act as a minimum barrier against appointments of a purely political nature, without adequate professional preparation.[9] However, Article 53(2) GDPR does not require Member States to test the knowledge of its SAs' members. Moreover, unlike the rules regulating the appointment of members of other institutions such as the Court of Justice and the General Court,[10] the GDPR does not require that members are to be chosen from individuals whose independence is absolute.[11]

Qualifications

The qualification requirement refers to a member's educational background, such as the completion of vocational training, a course of study, or the acquisition of additional qualifications and further training certificates in relation to the activities of the SA. The qualification requirement is aimed at ensuring that a potential SA member is able to demonstrate that they have acquired the relevant theoretical knowledge for their position.[12]

Experience and skills

The experience requirement necessitates that an SA member must have previously applied what was learned through practical activity.[13] While the term “skills” concern the abilities of the applicants relevant to the position, these include both legal and non-legal skills, and it is irrelevant whether they are innate or acquired through experience.

Performance of tasks and the exercise of powers

The criteria outlined by the GDPR for the appointment of SA members is directly related to ensuring that an SA is able to effectively perform the tasks and exercise the powers afforded to it under the GDPR.[14] These tasks and powers include handling complaints lodged by data subjects, conducting investigations on the application of the GDPR, and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.[15] Consequently, an SA's effective functioning is based on the competence of its members, who cannot sufficiently fulfil their duties unless they have the relevant qualifications, experience and skills to do so.

(3) End of mandate

Article 53(3) GDPR regulates the ordinary coming to an end of the SA membership. It sets out three grounds for the ordinary termination of the mandate of a SA member. These are (i) expiry of term of office, (ii) resignation and (iii) compulsory retirement. Anything which falls outside of this exhaustive list cannot justify the end of a member's mandate, for instance the internal re-organisation of an SA.[16]

The provision's aim of establishing an exhaustive list of grounds for the termination of a member's mandate is an attempt to safeguard the independence of SAs, by limiting the exposure of their members to undue political influence.[17]

Case law: In Commission v Hungary, the CJEU held that while the Member States are entitled to restructure their data protection systems and SAs, such restructuring shall not result in a preliminary termination of the mandate of a SA member. Preliminary termination of the SA member’s mandate would unjustifiably interfere with the independence of SAs.[18]

Case law: The Garai case is also interesting in this regard. While it did not concern a SA, it regarded the early dismissal of the members of the national regulatory authority (NRA) for electronic communications in Spain. The CJEU concluded that the dismissal of the members before the end of their mandates due to the merging between different regulatory bodies was against the requirement of independence of the NRA in the 'absence of any rules guaranteeing that such dismissals do not jeopardise the independence and impartiality of such members'.[19]

Members of SAs can, in addition, be legally employed by SAs. In such cases the conditions for the termination of the employment of members must be in line with the provisions of Article 53 GDPR. However, the rules governing the cessation of employment must be determined by member State's national law, in accordance with Article 54(1)(f) GDPR.

Expiry of the term of office

Normally, the duties of a SA member end 'in the event of the expiry of the term of office'. The term of office is dealt with in Article 54(1) GDPR, under which Member States are obliged to legislate for through their national laws. The term in office of an SA member also expires in case of death.[20]

Resignation and compulsory retirement

SA members can voluntarily decide to end their mandate before the full completion of their term in office. It should be highlighted that resignation should be voluntary, and not influenced by external pressure.[21]

Retirement can be a reason for the premature termination of an SA member's mandate af a SA member, especially in cases of retirement due to age or illness.[22] Rules regulating the retirement of SA members must be provided for through a Member State's national law before an SA member is nominated, in order to comply with the principle of independence.[23]

Case law: The CJEU established in Commission v Hungary, that Member States cannot change the rules concerning SA Members' term in office during their term, as this could result in a form of prior compliance, undermining the requirement of independence.[24]

(4) Dismissal of SA members

Under Article 53(4) GDPR, an SA member can be dismissed only in two cases. The first of which is in the case of serious misconduct, and the second is if members can no longer fulfil the conditions required for the performance of the duties. These are the two extraordinary reasons for the premature termination of duties of SAs and should be interpreted restrictively. Notably, these grounds are exceptions to the ordinary grounds governing the end of a member's mandate under Article 53(3) GDPR,[25] as grounds for dismissal must be severe enough to justify the intrusion into the general principle of independence of SAs.[26] Dismissal entails an involuntary preliminary loss of office

The GDPR does not specify what these two instances entail, nor is clear regarding which authority is responsible for deciding a member's dismissal, or for what procedural safeguards are in place, if any. These elements should be explicitly provided by a Member State's national law and be precise enough to avoid any misleading interpretation or arbitrariness.

The two cases mentioned by Article 53(4) GDPR are contained in several other EU law provisions concerning the dismissal of members of independent bodies. These are Article 247 of the Treaty on the Functioning of the European Union ("TFEU"), which regulates the dismissal of members of the Commission, Article 228(2) TFEU with regard to the dismissal of European Ombudsman, and Article 53(5) of Regulation (EU) 2018/1725 dealing with the dismissal of European Data Protection Supervisor.[27] Interpretation of these elements and corresponding provisions by the CJEU may be of relevance for the interpretations of Article 53(4) GDPR.

Serious misconduct

An SA member's actions may amount to serious misconduct, in instances where their actions are deemed incompatible with the duties and obligations of a SA member. These actions could include engaging in criminal activity, the holding of competing offices or engaging in an incompatible occupation.[28] For example, Article 52(2) GDPR requires SA members to remain free from external influence and Article 52(3) GDPR entails a prohibition of incompatible actions.

No longer fulfils the conditions

The failure to fulfil the conditions of office refers to the general conditions required by the Member State's law, such as citizenship and general conditions for officials to hold office, or other circumstances that would permanently prevent an SA member from fulfilling their duties.[29]

Responsible authority and procedure

The procedure and the responsible authority should allow for an independent decisions regarding the dismissal of an SA member, ensuring that it is by no means politically influenced. For example, courts can be given the competence to decide on the dismissal of SA member. On the other hand, parliaments may not, as a decision on the dismissal of an SA member would be considered political if the deciding body was a Member State's parliament voting by a simple majority.[30]

Decisions

→ You can find all related decisions in Category: Article 53 GDPR

References

  1. For examples, see European Union Agency for Fundamental Rights, 'Elements of independence of the data protection authorities in the EU', p.19 (available here).
  2. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 5 (C.H. Beck 2020, 3rd Edition).
  3. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 4 (NOMOS 2019).
  4. https://edps.europa.eu/about-edps/supervisors_en
  5. Recital 121 GDPR.
  6. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, p. 888 (Oxford University Press 2020).
  7. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin numbers 8 and 9 (C.H. Beck 2020, 3rd Edition).
  8. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 21 (Nomos 2022).
  9. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin number 18 (Nomos 2018, 2nd edition).
  10. The rules regulating the appointment of the members of the Court of Justice and the General Court establish that its members are to be chosen from 'persons whose independence is beyond doubt’, pursuant to Articles 253 and 254 of the Treaty on the Functioning of the European Union ("TFEU"). For more on this point see Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 889 (Oxford University Press 2020).
  11. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 889 (Oxford University Press 2020).
  12. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 6 (NOMOS 2019).
  13. Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin number 6 (NOMOS 2019).
  14. For more on the SAs' tasks, please refer to Article 57 GDPR and for their powers please refer to Article 58 GDPR.
  15. See Recital 122 GDPR.
  16. In this respect, reference should be made to Case C‑288/12, Commission v Hungary, and Case
  17. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).
  18. CJEU in case C-288/2012 - Commission v Hungary, paragraphs 53 to 59.
  19. Case C‑424/15, Garai v Administración del Estado, paragraph 52.
  20. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 11 (Nomos 2019).
  21. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR), Article 53 GDPR, page 890 (Oxford University Press 2020).
  22. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 11 (Nomos 2019).
  23. To this extent, see also Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Article 53 GDPR, page 891 (Oxford University Press 2020).
  24. Case C-288/12 - Commission v Hungary
  25. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 53 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).
  26. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, page 890 (Oxford University Press 2020).
  27. Other relevant provisions include Articles 11.4 and 14.2 of the Protocol (No 4) to TFEU on the statute of the statute of the European System of Central Banks and of the European Central Bank regarding the members of the executive board of the ECB and governors of national central banks. See also Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 53 GDPR, margin number 13 (C.H. Beck 2018).
  28. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 53 GDPR, margin number 13 (Nomos 2019).
  29. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin numbers 27, 28 and 21 (Nomos 2022).
  30. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 53 GDPR, margin numbers 30 and 31 (Nomos 2022).