Article 54 GDPR: Difference between revisions

From GDPRhub
(12 intermediate revisions by 5 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 54 - Rules on the establishment of the supervisory authority'''</center><br />
<br /><center>'''Article 54 - Rules on the establishment of the supervisory authority'''</center>


<span id="1">1.  Each Member State shall provide by law for all of the following:</span>
<span id="1">1.  Each Member State shall provide by law for all of the following:</span>
Line 204: Line 204:


== Relevant Recitals==
== Relevant Recitals==
<span id="r121">
{{Recital/121 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 121'''</div>
<div class="mw-collapsible-content">
The general conditions for the member or members of the supervisory authority
should be laid down by law in each Member State and should in particular provide that those
members are to be appointed, by means of a transparent procedure, either by the parliament,
government or the head of State of the Member State on the basis of a proposal from the
government, a member of the government, the parliament or a chamber of the parliament, or
by an independent body entrusted under Member State law. In order to ensure the
independence of the supervisory authority, the member or members should act with integrity,
refrain from any action that is incompatible with their duties and should not, during their term
of office, engage in any incompatible occupation, whether gainful or not. The supervisory
authority should have its own staff, chosen by the supervisory authority or an independent
body established by Member State law, which should be subject to the exclusive direction of
the member or members of the supervisory authority.
</div></div>
 
 
==Commentary==
==Commentary==


Article 54 combines two very different objectives under the heading "Establishment of the supervisory authority" : Paragraph 1 contains a list of the individual specifications to be made by the Member States in national legislation regarding Articles 51 - 53 in order to ensure the establishment of an independent authority. As per Article 51(3), Member states have to notify the Commission of the provisions of its laws adopted pursuant to Chapter VI.
Article 54 GDPR combines two very different objectives under the heading “''Establishment of the supervisory authority''”. Article 54(1) GDPR contains a list of the individual specifications to be made by the Member States in national legislation regarding Articles 51-53 GDPR in order to ensure the establishment of an independent supervisory authority (“SA”). Article 54(2) GDPR regulates the special data protection confidentiality obligation of the respective member or members of the SA. Such confidentiality obligations already existed in Article 28(7) Directive 95/46. Whereas this provisions seems to be of direct application, it does not preclude national legislation to further specify the confidentiality obligations of the members of the SA and its staff.  
 
Paragraph 2 regulates the special data protection confidentiality obligation of the respective member or members of this authority. Such confidentiality obligations already existed in Article 28(7) of Directive 95/46. Whereas this provisions seems to be of direct application, it does not preclude national legislation to further specify the confidentiality obligations of the members of the SA and its staff.
 
 
'''Article 54(1)'''
 
Paragraph 1 obliges Member States law to provide for all the elements listed under this paragraph in a law. it seems that the law does not need to be a legislative law, but can include any other set or legal provisions. As per Article 51(3), Member states have to notify the Commission of the provisions of its laws adopted pursuant to Chapter VI.  


'''(a) the establishment of the supervisory authority'''
=== (1) Elements Provided by Member States Law ===
Article 54(1) GDPR mandates Member States’ law to provide for all the elements listed below. 


Considering that the Member State may have appointed several authorities (see [[Article 51(1)]]), the law should provide for the conditions and rules regarding the establishment of each authority. Member States are free to choose for a monocratic (one head of the authority) or a collegial body (several persons adopt the decisions of the authority).  
==== (a) Establishment of the Supervisory Authority ====
Article 54(1)(a) GDPR repeats the content of Article 51(1) GDPR. Considering that the Member State may have appointed several authorities, the law should provide for the conditions and rules regarding the establishment of each of them. Member States are free to choose for a monocratic or a collegial body.  


<span id="1b">'''(b) the qualifications and eligibility conditions required to be appointed as member of each supervisory authority'''</span>
==== (b) Qualifications and Eligibility Conditions for SA's Members ====
Article 54(1)(b) GDPR  clearly refers to Article 53(2) GDPR according to which the members of the SA will require qualifications, experience and skills as a prerequisite for being hired as a data protection supervisor. “''Qualification''”, “''experience''” and “''skills''” are vague legal terms that, in the absence of comprehensive EU competence for general and vocational education, should be further specified in national law. It seems (from the use of “''and''” in Article 53(2) GDPR) that these conditions are cumulative. The way the law will construct the assessment of these competence is still not clear and does not preclude the Member States from establishing an assessment of the candidates based on a test. 


Article 53(2) sets out clear requirements in this respect: the members of the supervisory authority will require qualifications, experience and skills as a prerequisite for being hired as a data protection supervisor. However, terms such as “qualification”, “experience” and “skills” are vague legal terms that, in the absence of comprehensive EU competence for general and vocational education, and should be further specified in national law.  It seems (from the use of "and" in Article 53(2)) that these conditions are cumulative. The way the law will organise the assessment of these competence is still not clear and does not preclude the Member States from organising an assessment of the candidates based on a test.
==== (c) The Rules and Procedures for the Appointment of SA's Members ====
As already seen under Article 53(1) GDPR, Member States shall establish rules and procedures for the appointment of the member or members of each SA.  


'''(c) the rules and procedures for the appointment of the member or members of each supervisory authority'''
==== (d) Duration of the Term ====
Each Member State is obliged to regulate by law the term of office of the member or members of each SA. The minimum term is four years which presumably corresponds to the regular length of a legislative period in most EU Member States.<ref>This seems to create a link between data protection supervision and the parliament or, where the case, the executive branch responsible for the appointment.</ref> Member States are free to set longer terms. However, a term of office that is in principle for life or is to last until retirement should be excluded since subsequent Article 54(1)(e) GDPR addresses the question of reappointment and therefore assumes a limited duration of the position.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin numbers 8 (Nomos 2019).</ref>


The appointment procedure for the appointment of the members should be regulated in Article 54(1)(c) of the GDPR, choosing one of the four possible variants (appointment by parliament, the government, the head of state or by an independent body).  
==== (e) Whether and, if so, for how Many Reappointment is Possible ====
Article 54(1)(e) GDPR imparts on the Member States to regulate through national law whether and how often the reappointment of the member or members of a SA is permissible. A reappointment ban (only one mandate being possible) is conceivable, but also a limitation of the number of reappointment can be laid down in the law.  


<span id="1d">'''(d)   the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure'''</span>
==== (f) Rules on Members' Occupation, Prohibitions, Incompatible Actions and Benefits ====
Under Article 54(1)(f) GDPR, Member States shall provide by law the conditions governing the obligations of the member or members and staff of each SA, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office, and rules governing the cessation of employment. Such conditions can be laid down in national law or in a contract (where the staff is subject to an employment contract). They concern:


Each Member state is obliged to regulate by law the term of office of the member or members of each data protection supervisory authority. As per Article 54(2), the term of the office of the members shall only expire  at the occasion of the end of the term, resignation or compulsory retirement. A minimum term of four years ago. This is a period that corresponds to the regular length of a legislative period in most EU member states and is creates therefore a link between data protection supervision and the parliament or the executive branch responsible for it.
===== i) The Obligations of the Members and the Staff of the Supervisory Authority =====
With regard to this mandate, Member States’ law must stipulate the obligation to exercise their office with integrity and independence. The mandate of the SAs is laid down in Article 51(1) GDPR, namely the monitoring of the application of the GDPR, in order to protect the data protection rights on the one hand, and on the other hand, to facilitate the free flow of personal data within the Union.


As an exception, Member states can provide for a shorter term of office than the four-year minimum term of office, only once, namely for the first appointments after May 25, 2016, and only if the aim of a shorter appointment is to stagger the terms of office to strengthen the independence of the supervisory authority. Obviously, such possibility can no longer be used for later appointments.
===== ii) Prohibitions on Actions, Occupations and Benefits Incompatible Therewith During and After the Term of Office =====
The rules laid down by national law are to be linked with Article 52(3) GDPR. It is particularly important that the national legislation does not limit itself to reproducing the text of Articles 52(3) GDPR and 54(2)(f) GDPR, but further specifies what is to be understood as “''incompatible''”, and “''prohibited occupations, actions and benefits''”. A “cooling off” period should also be specified after the end of the term of office as data protection supervisor, whereby periods of 18-24 months can be viewed as an EU-wide minimum standard.  


<span id="1e">'''(e)   whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment'''</span>
===== iii) The Termination Rules =====
The ordinary and extraordinary reasons for termination of office are regulated in Article 53(3) GDPR. Therefore, Member States only have to regulate the procedure in the event of dismissals, (i.e. in particular who decides on the existence of the extraordinary reasons for termination, the period within which a dismissal is to be decided and under which procedure). Naturally, these rules should not impair the independence of the SA, as required by Article 52 GDPR. 


This provision leaves it to the Member states to regulate through national legislation whether and how often the reappointment of the member or members of a data protection supervisory authority is permissible. A re appointment ban (only one mandate being possible) is conceivable but also a limitation of the number of reappointment can be laid down in the law.  
=== (2) Duty of Professional Secrecy ===
The duty to keep information confidential is of the essence for a trust-based exercise of the investigative powers of SAs. Similar obligations exist regarding competition authorities and other regulatory bodies supervising economic operators.  


<span id="1f">'''(f)   the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment'''</span>
The notion of confidential information, which is the subject of this obligation, is to be linked with the notion of confidential obligation under Article 339 TFEU. As recognised by the CJEU, information should be considered as confidential if it fulfills the following conditions: (i) The information is known only to a limited number of people; (ii) disclosure of the information can cause serious harm to the person who has provided it or to third parties; (iii) the interests likely to be harmed by disclosure must, objectively, be worthy of protection. The test of Article 339 TFEU requires a reinforced protection for business secrets.


Such conditions can be laid down in national law or in a contract (where the staff is subject to an employment  contract). They concern :
The definition of Article 339 TFEU can be applied on the obligation of secrecy and confidentiality of the SAs. In this context, such confidentiality shall also apply in particular to reporting of infringements of the GDPR by natural persons. That is due to the core activity of the SA: its staff should pay particular attention to the protection of the holders of fundamental rights, whose rights could be impaired if their names were disclosed to the public.


''i) the obligations of the members and the staff of the supervisory authority''
A link between the obligation of confidentiality should be established with the right to access one's file under the right to good administration (Article 41(2)(b) CFR) and the right to access to documents (Article 42 CFR and Regulation 1049/2001), but also with the right to data protection. Access to documents can be limited on the basis of the obligation of confidentiality and/or the protection of personal data of individuals. Balancing these rights can however be difficult in practice since the right to be heard implies that the complainant can access the file, which in turn could include confidential information.


With regard to this mandate, the Member states law must stipulate the obligation to exercise their office with integrity and independence. The mandate of the data protection supervisory authorities is laid down in Article 51(1), namely the monitoring of the application of the GDPR, in order to protect the data protection rights on the one hand, and on the other hand, to facilitate the free flow of personal data within the Union.
Information is only protected if it has come to the knowledge of a member or an employee of a SA “''in the course of the performance of their tasks or exercise of their powers''”. Considering the broad dimension of powers under Article 58 GDPR, this protection will apply to a large range of information.


''ii) prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office''
The wording of Article 54(2) GDPR both refers to EU law and national law. Therefore, in order to fully understand the implication of this provision, one should also read Member States’ legislation. The provision evidently prohibits any member or staff of an SA to share the confidential information with a third party or to disclose it to the public without prior authorisation. However, this prohibition will not apply when SAs exchange information pursuant to the cooperation mechanism under Articles 60, 61, 64, 65 GDPR.


The rules laid down by national law are to be linked with [[Article 52(3)]]. It is particularly important that the national legislation does not limit itself to reproduce the text of Article 52(3) and 54(2)(f), but further specifies what is to be understood as "incompatible", and "prohibited occupations, actions and benefits".
Furthermore, the obligation of confidentiality only applies to the staff and the members of the SA. Thus, subject to restrictions under national law, nothing appears to prevent the parties to the proceedings (including the complainant) from sharing the information obtained from the SA.
 
A “cooling off” period should also be specified after the end of the term of office as data protection supervisor, whereby periods of 18–24 months can be viewed as an EU-wide minimum standard.
 
''iii) the termination rules''
 
The ordinary and extraordinary reasons for termination of office are are regulated in [[Article 53 (3) and (4)]]. Therefore, the Member states only have to regulate the procedure in the event of dismissals, (i.e. in particular who decides on the existence of the extraordinary reasons for termination, the period within which a dismissal is to be decided and under which procedure). Of course, these rules should not impair the independence of the supervisory authority, as required by Article 52. 
 
 
<span id="2">'''Article 54(2): duty of professional secrecy'''</span>
 
The duty to keep information confidential is of the essence for a trust-based exercise of the investigation powers of supervisory authorities. Similar obligations exists regarding competition authorities and other regulatory bodies supervising economic operators.
 
The notion of confidential information, which is the subject of this obligations, is to be linked with the notion of confidential obligation under [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12016E339 Article 339 TFEU.] As recognised by the [https://curia.europa.eu/juris/document/document.jsf;jsessionid=ED42DC3332D7191F9F41B87972F8D2CB?text=&docid=57554&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2454075 CJEU], information shouldbe considered as confidential if it fulfills the following conditions: (i) The information is known only to a limited number of people; (ii) Disclosure of the information can seriously cause serious harm to the person who has provided it or to third parties; (iii) the interests liable to be harmed by disclosure must, objectively, be worthy of protection. The test of Article 339 TFEU requires a reinforced protection for business secrets.
 
The definition of Article 339 TFEU can be applied ot the obligation of secrecy and confidentiality of the supervisory authorities.
 
In this context, we also see that the such confidentiality shall also apply in <span id="2">particular to reporting by natural persons of infringements of this Regulation. That is due to the core activity of a supervisory authority: their staff should pay particular attention to the protection of the holders of fundamental rights, whose rights could be impaired if their names would be disclosed to the public.</span>
 
<span id="2">Information is only protected according if it has come to the knowledge of a member or an employee of a supervisory authority “in the course of the performance of their tasks or exercise of their powers". Considering the broad range of powers under Article 58, this protection will apply to a large range of information.</span> 
 
The wording of Article 54(2) leaves both refers to EU law and national law. Therefore, in order to fully understand the implication of this provision, one should also read Member states legislation. The provision obviously prohibits any member or staff of an supervisory authority to


Finally, the obligation of confidentiality also applies after the end of the activity. In this case, a specific duration of the duty of confidentiality should be determined in each individual case based on the need for protection of the information and the consequences to be expected from disclosure.
==Decisions==
==Decisions==
→ You can find all related decisions in [[:Category:Article 54 GDPR]]
→ You can find all related decisions in [[:Category:Article 54 GDPR]]


==References==
==References==
<references />Ehmann / Selmayr, General Data Protection Regulation, 2nd edition 2018, Rn. 5-11
<references />
 
[[See ECJ, 02/14/2008, C-450/06 , ECLI: EU: C: 2008: 91, Varec SA / Belgium, § 28.|ECJ, 02/14/2008, C-450/06 , ECLI: EU: C: 2008: 91, Varec SA / Belgium, § 28.]]
 
[https://curia.europa.eu/juris/document/document.jsf;jsessionid=ED42DC3332D7191F9F41B87972F8D2CB?text=&docid=57554&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2454075 CFI, 30 May 2006, T-198/03, ECLI:EU:T:2006:136, Bank Austria Creditanstalt AG vs. Commission]
[[Category:GDPR Articles]]
[[Category:GDPR Articles]]

Revision as of 16:02, 28 April 2022

Article 54 - Rules on the establishment of the supervisory authority
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 54 - Rules on the establishment of the supervisory authority

1. Each Member State shall provide by law for all of the following:

(a) the establishment of each supervisory authority;
(b) the qualifications and eligibility conditions required to be appointed as member of each supervisory authority;
(c) the rules and procedures for the appointment of the member or members of each supervisory authority;
(d) the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;
(e) whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment;
(f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment.

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

Relevant Recitals

Recital 121: General Conditions for the Member(s) of Supervisory Authorities
The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority.

Commentary

Article 54 GDPR combines two very different objectives under the heading “Establishment of the supervisory authority”. Article 54(1) GDPR contains a list of the individual specifications to be made by the Member States in national legislation regarding Articles 51-53 GDPR in order to ensure the establishment of an independent supervisory authority (“SA”). Article 54(2) GDPR regulates the special data protection confidentiality obligation of the respective member or members of the SA. Such confidentiality obligations already existed in Article 28(7) Directive 95/46. Whereas this provisions seems to be of direct application, it does not preclude national legislation to further specify the confidentiality obligations of the members of the SA and its staff.

(1) Elements Provided by Member States Law

Article 54(1) GDPR mandates Member States’ law to provide for all the elements listed below.

(a) Establishment of the Supervisory Authority

Article 54(1)(a) GDPR repeats the content of Article 51(1) GDPR. Considering that the Member State may have appointed several authorities, the law should provide for the conditions and rules regarding the establishment of each of them. Member States are free to choose for a monocratic or a collegial body.

(b) Qualifications and Eligibility Conditions for SA's Members

Article 54(1)(b) GDPR  clearly refers to Article 53(2) GDPR according to which the members of the SA will require qualifications, experience and skills as a prerequisite for being hired as a data protection supervisor. “Qualification”, “experience” and “skills” are vague legal terms that, in the absence of comprehensive EU competence for general and vocational education, should be further specified in national law. It seems (from the use of “and” in Article 53(2) GDPR) that these conditions are cumulative. The way the law will construct the assessment of these competence is still not clear and does not preclude the Member States from establishing an assessment of the candidates based on a test.

(c) The Rules and Procedures for the Appointment of SA's Members

As already seen under Article 53(1) GDPR, Member States shall establish rules and procedures for the appointment of the member or members of each SA.

(d) Duration of the Term

Each Member State is obliged to regulate by law the term of office of the member or members of each SA. The minimum term is four years which presumably corresponds to the regular length of a legislative period in most EU Member States.[1] Member States are free to set longer terms. However, a term of office that is in principle for life or is to last until retirement should be excluded since subsequent Article 54(1)(e) GDPR addresses the question of reappointment and therefore assumes a limited duration of the position.[2]

(e) Whether and, if so, for how Many Reappointment is Possible

Article 54(1)(e) GDPR imparts on the Member States to regulate through national law whether and how often the reappointment of the member or members of a SA is permissible. A reappointment ban (only one mandate being possible) is conceivable, but also a limitation of the number of reappointment can be laid down in the law.

(f) Rules on Members' Occupation, Prohibitions, Incompatible Actions and Benefits

Under Article 54(1)(f) GDPR, Member States shall provide by law the conditions governing the obligations of the member or members and staff of each SA, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office, and rules governing the cessation of employment. Such conditions can be laid down in national law or in a contract (where the staff is subject to an employment contract). They concern:

i) The Obligations of the Members and the Staff of the Supervisory Authority

With regard to this mandate, Member States’ law must stipulate the obligation to exercise their office with integrity and independence. The mandate of the SAs is laid down in Article 51(1) GDPR, namely the monitoring of the application of the GDPR, in order to protect the data protection rights on the one hand, and on the other hand, to facilitate the free flow of personal data within the Union.

ii) Prohibitions on Actions, Occupations and Benefits Incompatible Therewith During and After the Term of Office

The rules laid down by national law are to be linked with Article 52(3) GDPR. It is particularly important that the national legislation does not limit itself to reproducing the text of Articles 52(3) GDPR and 54(2)(f) GDPR, but further specifies what is to be understood as “incompatible”, and “prohibited occupations, actions and benefits”. A “cooling off” period should also be specified after the end of the term of office as data protection supervisor, whereby periods of 18-24 months can be viewed as an EU-wide minimum standard.

iii) The Termination Rules

The ordinary and extraordinary reasons for termination of office are regulated in Article 53(3) GDPR. Therefore, Member States only have to regulate the procedure in the event of dismissals, (i.e. in particular who decides on the existence of the extraordinary reasons for termination, the period within which a dismissal is to be decided and under which procedure). Naturally, these rules should not impair the independence of the SA, as required by Article 52 GDPR.

(2) Duty of Professional Secrecy

The duty to keep information confidential is of the essence for a trust-based exercise of the investigative powers of SAs. Similar obligations exist regarding competition authorities and other regulatory bodies supervising economic operators.

The notion of confidential information, which is the subject of this obligation, is to be linked with the notion of confidential obligation under Article 339 TFEU. As recognised by the CJEU, information should be considered as confidential if it fulfills the following conditions: (i) The information is known only to a limited number of people; (ii) disclosure of the information can cause serious harm to the person who has provided it or to third parties; (iii) the interests likely to be harmed by disclosure must, objectively, be worthy of protection. The test of Article 339 TFEU requires a reinforced protection for business secrets.

The definition of Article 339 TFEU can be applied on the obligation of secrecy and confidentiality of the SAs. In this context, such confidentiality shall also apply in particular to reporting of infringements of the GDPR by natural persons. That is due to the core activity of the SA: its staff should pay particular attention to the protection of the holders of fundamental rights, whose rights could be impaired if their names were disclosed to the public.

A link between the obligation of confidentiality should be established with the right to access one's file under the right to good administration (Article 41(2)(b) CFR) and the right to access to documents (Article 42 CFR and Regulation 1049/2001), but also with the right to data protection. Access to documents can be limited on the basis of the obligation of confidentiality and/or the protection of personal data of individuals. Balancing these rights can however be difficult in practice since the right to be heard implies that the complainant can access the file, which in turn could include confidential information.

Information is only protected if it has come to the knowledge of a member or an employee of a SA “in the course of the performance of their tasks or exercise of their powers”. Considering the broad dimension of powers under Article 58 GDPR, this protection will apply to a large range of information.

The wording of Article 54(2) GDPR both refers to EU law and national law. Therefore, in order to fully understand the implication of this provision, one should also read Member States’ legislation. The provision evidently prohibits any member or staff of an SA to share the confidential information with a third party or to disclose it to the public without prior authorisation. However, this prohibition will not apply when SAs exchange information pursuant to the cooperation mechanism under Articles 60, 61, 64, 65 GDPR.

Furthermore, the obligation of confidentiality only applies to the staff and the members of the SA. Thus, subject to restrictions under national law, nothing appears to prevent the parties to the proceedings (including the complainant) from sharing the information obtained from the SA.

Finally, the obligation of confidentiality also applies after the end of the activity. In this case, a specific duration of the duty of confidentiality should be determined in each individual case based on the need for protection of the information and the consequences to be expected from disclosure.

Decisions

→ You can find all related decisions in Category:Article 54 GDPR

References

  1. This seems to create a link between data protection supervision and the parliament or, where the case, the executive branch responsible for the appointment.
  2. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin numbers 8 (Nomos 2019).