Article 54 GDPR: Difference between revisions

Revision as of 13:35, 27 October 2023

← Article 54 - Rules on the establishment of the supervisory authority →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 54 - Rules on the establishment of the supervisory authority

1. Each Member State shall provide by law for all of the following:

(a) the establishment of each supervisory authority;

(b) the qualifications and eligibility conditions required to be appointed as member of each supervisory authority;

(c) the rules and procedures for the appointment of the member or members of each supervisory authority;

(d) the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

(e) whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment;

(f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment.

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

Relevant Recitals

Recital 117: Establishment of Independent Supervisory Authorities

The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

Recital 121: General Conditions for the Member(s) of Supervisory Authorities

The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority.

Commentary

Article 54 GDPR lays down the requirements for the organisational framework of supervisory authorities ("SAs").^[1] However, in doing so, it combines two notably different objectives under its ambit. The first of which, under Article 54(1) GDPR, is to list the specifications to be legislated for by each Member States through their national legislation for the establishment and governance of SAs. This provision is largely repetitive of requirements outlined under other Articles of the GDPR, namely in Articles 51, 52 and 53 GDPR. The second objective, under Article 54(2) GDPR, seeks to regulate the confidentiality obligations of SA members and staff. These confidentiality obligations were already in place under Article 28(7) of the GDPR's predecessor, Directive 95/46/EC.^[2]

(1) Elements provided by Member States law

Article 54(1) GDPR mandates Member States to provide for all the elements listed below through their national law. Points (a) to (c) are mainly reiterations of the obligations outlined under Articles 51- 53 GDPR, while points (d) to (f) introduce new provisions that are not contained in other Articles.

(a) Establishment of the supervisory authority (SA)

The criteria regulating the establishment of SAs are set out in Article 51(1) and 52 GDPR, Article 54(1)(a) GDPR repeats that these should be legislated for through a Member State's domestic law.^[3] Under the GDPR, Member States are permitted to appoint several different types of SAs, for example, sector specific SAs.^[4] In these instances, the law should provide for the conditions and rules regarding the establishment of each type. In addition, commentators have noted that the functional nature of an SA should also be legislated for through national law. For instance, Member States should legislate for whether their SAs are monocratic or collegial bodies, or whether they have any competences in addition to the monitoring of the enforcement of the GDPR.^[5]

For more information regarding the establishment of SAs, please refer to Article 51(1) GDPR and Article 52 GDPR in this Commentary.

(b) Qualifications and eligibility conditions for SA members

Article 54(1)(b) GDPR echoes Article 53(2) GDPR, which outlines the qualificatory and experiential requirements for SA members.^[6] However, unlike Article 53(2) GDPR, Article 54(1)(b) GDPR explicitly clarifies that these eligibility requirements are to be determined by national law.^[7]

For more information on the eligibility requirements for SA members, please refer to Article 53(2) GDPR.

(c) The rules and procedures for the appointment of SA members

Pursuant to Article 54(1)(c) GDPR, Member States must legislate for the rules and procedures governing the appointment of SA members. This provision is, in essence, a restatement of Article 53(1) GDPR, with the difference that Article 53(1) GDPR further stipulates that any procedure legislated for is 'transparent'.

For more information on the procedural requirements for the appointment of SA members, please refer to Article 53(1) GDPR.

(d) Duration of the term

Pursuant to Article 54(1)(d) GDPR, each Member State is obliged to legislate for SA member(s) term of office. The provision specifies that the minimum term is four years; nonetheless, Member States are free to set longer terms.^[8] However, any attempt to legislate for a term of office that is for life or until retirement should be excluded, as Article 54(1)(e) GDPR addresses the question of reappointment. Therefore, the GDPR assumes a limited term for the position.^[9]

(e) Reappointment

Article 54(1)(e) GDPR imposes on the Member States to regulate by means of a law whether and how often the reappointment of the member or members of a SA is permissible.

A reappointment ban (only one mandate being possible) is conceivable, but also a limitation of the number of reappointments and limitation of consecutive reappointments can be laid down in the law. The possibility of reappointment can impair the independence of a member, in particularly when the re-election time is approaching. On the other hand, a reappointed member will have the capacity to work efficiently from the first day of the term.^[10]

(f) Rules on members' occupation, prohibitions, incompatible actions and benefits

Under Article 54(1)(f) GDPR, Member States must ('shall') provide by law the conditions governing the obligations of members and staff of each SA, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office, and rules governing the cessation of employment.

Member(s) of SA and staff

Member State rules governing members of SAs, i.e. the lead personnel, must be in line with provisions of Article 52(3) GDPR and Article 53(3)(4) GDPR. According to Article 54(1)(f) GDPR the subject matter must be regulated also for staff. However the conditions and rules for staff does not need to comply with the strict criteria provided for in Article 52(3) GDPR and Article 53(3)(4) GDPR with regard to member(s) of SAs.^[11]

More information regarding members and staff of SAs can be found in the commentary on Article 52(2) GDPR (member(s) of SAs) and on Article 52(5) GDPR (staff of SAs).

Obligations

With regard to this mandate, for members of SAs Member States’ law must stipulate the obligation to serve their office with integrity and independence as provided for in Article 52 GDPR.^[12] Additionally Article 51(1) GDPR is relevant, as it lays down the mandate of the SAs, namely the monitoring of the application of the GDPR, in order to protect data protection rights on the one hand, and to the other hand to facilitate the free flow of personal data within the Union.^[13] Relevant are also Article 57 GDPR and Article 58 GDPR,determining the tasks and powers of SAs.^[14]

Prohibitions on incompatible actions, occupations and benefits

The rules laid down by national law for members of SAs are to be linked with Article 52(3) GDPR. It is particularly important that the national legislation does not limit itself to reproducing the text of Articles 52(3) GDPR and 54(2)(f) GDPR, but further specifies what is to be understood as “incompatible”, and “prohibited occupations, actions and benefits”. For more information regarding conflict of interest rules please refer to commentary to Article 52(3) GDPR.^[15]

During and after the term of office

Member States must adopt appropriate conflict of interest rules for the time during the term in office, as well as rules addressing the issue of "revolving doors" and other incompatibilities for the time after member(s) and staff stop working at a SA.^[16] When an official moves to the private sector, this can present a risk to the integrity of SA because "valuable inside knowledge can move into the private sector, or because former officials may lobby their former colleagues or existing officials may be influenced by possible future employment."^[17] It is not compatible with the requirement that the "authorities should remain above any suspicion of partiality" if a data protection officer starts working for an entity he was supervising directly after leaving the SA .^[18]

For example: A data protection supervisor investigates an alleged violation of GDPB by company X while working at the SA. No infringement of GDPR was found. Two weeks later the officer's term expires and one week later he becomes the DPO of the company X. This raises serious doubts about the officer's impartiality.

A possible solution could be a “cooling off” period specified after the end of the term of office as data protection supervisor, whereby periods of 18-24 months can be viewed as a minimum standard.^[19] At the same time, it is important that the rules do not lead to a ban on all professional activities.^[20]

Cessation of employment rules

Cessation of employment rules concern in particularly staff of SAs. Member States are free to regulate it. In this regard, the GDPR does not contain any specific requirements. Naturally, these rules should not impair the independence of the SA, as required by Article 52 GDPR. ^[21]

Members of SAs can also be employed at the SA. Then the conditions set out in Article 53(3)(4) GDPR regarding the end of term of members of SAs must be taken into account. For more information regarding the conditions for the end of term of members of SAs please refer to commentary on Article 53 GDPR.

(2) Duty of professional secrecy

The provision evidently prohibits any member or staff of a SA to share confidential information with a third party or to disclose it to the public without prior authorisation. The duty to keep information confidential is at the essence of a trust-based exercise of the investigative powers of SAs. Similar obligations exist regarding competition authorities and other regulatory bodies supervising economic operators.^[22]

When SAs exchange information pursuant to the cooperation mechanism under Article 60, Article 61, Article 64, and Article 65 GDPR they are not bound by the prohibition to share confidential information.

The obligation of confidentiality is intertwined with the right to access one's file under the right to good administration (Article 41(2)(b) CFR) and the right to access to documents (Article 42 CFR and Regulation 1049/2001), but also with the right to data protection. Access to documents can be limited on the basis of the obligation of confidentiality and/or the protection of personal data of individuals. Balancing these rights can however be difficult in practice since the right to be heard implies that the complainant can access the file, which in turn could include confidential information.

Obligation of secrecy should also “not unduly restrict the transparency of DPA [SA] performance, one of the main elements of public accountability of DPAs [SAs].”^[23]

For another GDPR provision concerning an obligation of secrecy, in this case with regard to the DPO, please refer to commentary on Article 38(5) GDPR.

Members and the staff of supervisory authority (SA)

The obligation of confidentiality only applies to the staff and the members of the SA. Thus, subject to restrictions under national law, nothing appears to prevent the parties to the proceedings (including the complainant) from sharing the information obtained from the SA.

Union or Member State law

Member states can regulate the obligation of confidentiality in their national legislation. In any case EU law applies as a minimum floor.

Union law

According to Article 339 TFEU officials and holders of public offices at EU level are "required, even after their duties have ceased, not to disclose information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components." Other relevant legislation includes Article 17 of the EU Staff Regulations^[24] and Article 56 EUDPR^[25].

National law

In general, secrecy obligations exist in regulations of each Member State for professionals which handle confidential information on a regular basis, such as doctors, lawyers and public officials.

Duty of professional secrecy

Duty of professional secrecy applies to any confidential information which has come to SA members' and staff's knowledge in the course of the performance of their tasks or exercise of their powers.

Confidential information

As recognised by the CJEU, information should be considered as confidential if it fulfills the following conditions: (i) The information is known only to a limited number of people; (ii) disclosure of the information can cause serious harm to the person who has provided it or to third parties; (iii) the interests likely to be harmed by disclosure must, objectively, be worthy of protection. The test of Article 339 TFEU requires a reinforced protection for business secrets.^[26]

In the course of the performance of their tasks or exercise of their powers

Information is only protected if it has come to the knowledge of a member or an employee of a SA “in the course of the performance of their tasks or exercise of their powers”. Considering the broad dimension of powers under Article 58 GDPR, this protection will apply to a large range of information.

Reporting by natural persons of infringements

Such confidentiality shall also apply in particular to reporting of infringements of the GDPR by natural persons. That is due to the core activity of the SA: it should pay particular attention to the protection of the holders of fundamental rights, whose rights could be impaired if their names were disclosed to the public.^[27]

During and after their term of office

The obligation of confidentiality also applies after the end of the activity. In this case, a specific duration of the duty of confidentiality should be determined in each individual case based on the need for protection of the information and the consequences to be expected from disclosure.

Decisions

→ You can find all related decisions in Category:Article 54 GDPR

References

↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 2 (C.H. Beck 2020, 3rd Edition).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).
↑ For more on this point, please refer to Article 51 GDPR.
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 7 to 10 (Nomos 2022).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 16 to 19 (Nomos 2022).
↑ This presumably corresponds to the regular length of a legislative period in most EU Member States. It seems to create a link between data protection supervision and the parliament or, where the case, the executive branch responsible for the appointment. See Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 25 to 27 (Nomos 2022).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 8 (Nomos 2019). Dissenting views can be found in Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 897 (Oxford University Press 2020).
↑ See Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 35 to 39 (Nomos 2022). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 9 (Nomos 2019).
↑ See Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin numbers 14 to 16. (C.H. Beck 2020, 3rd Edition).
↑ See also Recital 121 GDPR.
↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 13 (Nomos 2019).
↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017).
↑ Article 52(3) GDPR is already containing rules on conflict of interest for members of SAs. Article 54(1)(f) GDPR is widening the scope by obliging the member states to adopt national rules on this subject matter for members of SAs and for staff, as well as on the issue of revolving doors.
↑ The European Ombudsman's work on revolving doors (2022), available at https://www.ombudsman.europa.eu/webpub/2022/revolving-doors/en/.
↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, page 898 (Oxford University Press 2020).
↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin number 46 (Nomos 2022).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin number 47 (Nomos 2022).
↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 (C.H. Beck 2017).
↑ Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 899 (Oxford University Press 2020).
↑ Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Economic Community and the European Atomic Energy Community, available here.
↑ Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, available here.
↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 and 13 (C.H. Beck 2017).
↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 14 (C.H. Beck 2017).

[1] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition).

[2] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 2 (C.H. Beck 2020, 3rd Edition).

[3] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).

[4] For more on this point, please refer to Article 51 GDPR.

[5] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 7 to 10 (Nomos 2022).

[6] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).

[7] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 16 to 19 (Nomos 2022).

[8] This presumably corresponds to the regular length of a legislative period in most EU Member States. It seems to create a link between data protection supervision and the parliament or, where the case, the executive branch responsible for the appointment. See Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 25 to 27 (Nomos 2022).

[9] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 8 (Nomos 2019). Dissenting views can be found in Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 897 (Oxford University Press 2020).

[10] See Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 35 to 39 (Nomos 2022). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 9 (Nomos 2019).

[11] See Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin numbers 14 to 16. (C.H. Beck 2020, 3rd Edition).

[12] See also Recital 121 GDPR.

[13] Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017).

[14] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 13 (Nomos 2019).

[15] Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017).

[16] Article 52(3) GDPR is already containing rules on conflict of interest for members of SAs. Article 54(1)(f) GDPR is widening the scope by obliging the member states to adopt national rules on this subject matter for members of SAs and for staff, as well as on the issue of revolving doors.

[17] The European Ombudsman's work on revolving doors (2022), available at https://www.ombudsman.europa.eu/webpub/2022/revolving-doors/en/.

[18] Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, page 898 (Oxford University Press 2020).

[19] Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 11 (C.H. Beck 2017).

[20] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin number 46 (Nomos 2022).

[21] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin number 47 (Nomos 2022).

[22] Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 (C.H. Beck 2017).

[23] Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 899 (Oxford University Press 2020).

[24] Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Economic Community and the European Atomic Energy Community, available here.

[25] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, available here.

[26] Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 12 and 13 (C.H. Beck 2017).

[27] Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 14 (C.H. Beck 2017).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

@@ Line 216: / Line 216: @@
 ====(a) Establishment of the supervisory authority (SA)====
-The criteria regulating the establishment of SAs are set out in [[Article 51 GDPR|Article 51(1)]] and [[Article 52 GDPR|52 GDPR]], Article 54(1)(a) GDPR repeats that these should be legislated for through a Member State's domestic law.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).</ref> Considering that the Member State may have appointed several different types of SAs, the law should provide for the conditions and rules regarding the establishment of each of them.
+The criteria regulating the establishment of SAs are set out in [[Article 51 GDPR|Article 51(1)]] and [[Article 52 GDPR|52 GDPR]], Article 54(1)(a) GDPR repeats that these should be legislated for through a Member State's domestic law.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).</ref> Under the GDPR, Member States are permitted to appoint several different types of SAs, for example, sector specific SAs.<ref>For more on this point, please refer to [[Article 51 GDPR]].</ref> In these instances, the law should provide for the conditions and rules regarding the establishment of each type. In addition, commentators have noted that the functional nature of an SA should also be legislated for through national law. For instance, Member States should legislate for whether their SAs are monocratic or collegial bodies, or whether they have any competences in addition to the monitoring of the enforcement of the GDPR.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 7 to 10 (Nomos 2022).</ref>
-Other items that should be specified by law include among others whether the SA is a monocratic or a collegial body and if it has any competences in addition to the monitoring of the enforcement of the GDPR.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 7 to 10 (Nomos 2022).</ref>
+For more information regarding the establishment of SAs, please refer to [[Article 51 GDPR|Article 51(1) GDPR]] and [[Article 52 GDPR]] in this Commentary.
-For more information regarding the establishment of SAs we refer to [[Article 51 GDPR|Article 51(1) GDPR]] and [[Article 52 GDPR]] in this commentary.
+====(b) Qualifications and eligibility conditions for SA members====
+Article 54(1)(b) GDPR echoes [[Article 53 GDPR|Article 53(2) GDPR]], which outlines the qualificatory and experiential requirements for SA members.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).</ref> However, unlike Article 53(2) GDPR, Article 54(1)(b) GDPR explicitly clarifies that these eligibility requirements are to be determined by national law.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 16 to 19 (Nomos 2022).</ref>
-====(b) Qualifications and eligibility conditions for SA's members====
+For more information on the eligibility requirements for SA members, please refer to [[Article 53 GDPR|Article 53(2) GDPR]].
-Article 54(1)(b) GDPR is connected to [[Article 53 GDPR|Article 53(2) GDPR]] according to which the members of the SA will require qualifications, experience and skills as a prerequisite for being appointed as a member of a SA.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).</ref> This provision clarifies that qualifications and eligibility conditions should be further specified in national law.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 16 to 19 (Nomos 2022).</ref> A clear specification of qualifications, experience and skills in the law results in the pool of potential candidates to be determined by law and not subject to arbitrary political decision.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin number 15 (Nomos 2022).</ref>
-For more information about qualifications and eligibility conditions for SA members please see commentary on [[Article 53 GDPR|Article 53(2) GDPR]].
+====(c) The rules and procedures for the appointment of SA members ====
+Pursuant to Article 54(1)(c) GDPR, Member States must legislate for the rules and procedures governing the appointment of SA members. This provision is, in essence, a restatement of [[Article 53 GDPR|Article 53(1) GDPR]], with the difference that Article 53(1) GDPR further stipulates that any procedure legislated for is '<nowiki/>''transparent'''.
-====(c) The rules and procedures for the appointment of SA's members ====
+For more information on the procedural requirements for the appointment of SA members, please refer to [[Article 53 GDPR|Article 53(1) GDPR]].
-Additionally, Member States must regulate by law the rules and procedures for the appointment of the member or members of each SA. This provision should be read in conjunction with [[Article 53 GDPR|Article 53(1) GDPR]] that contains the basic rule regarding the appointment of SA members.
-For more information please refer to commentary on [[Article 53 GDPR|Article 53(1) GDPR]].
 ====(d) Duration of the term====
-According to Article 54(1)(d) each Member State is also obliged to regulate by law the term of office of the member or members of each SA. The provision specifies that the minimum term is four years. <ref>This presumably corresponds to the regular length of a legislative period in most EU Member States. It seems to create a link between data protection supervision and the parliament or, where the case, the executive branch responsible for the appointment. See ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 25 to 27 (Nomos 2022).</ref> Member States are free to set longer terms. However, a term of office that is in principle for life or is to last until retirement should be excluded since subsequent Article 54(1)(e) GDPR addresses the question of reappointment and therefore assumes a limited duration of the position.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 8 (Nomos 2019). Dissenting views can be found in ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 897 (Oxford University Press 2020).</ref>
+Pursuant to Article 54(1)(d) GDPR, each Member State is obliged to legislate for SA member(s) term of office. The provision specifies that the minimum term is four years; nonetheless, Member States are free to set longer terms.<ref>This presumably corresponds to the regular length of a legislative period in most EU Member States. It seems to create a link between data protection supervision and the parliament or, where the case, the executive branch responsible for the appointment. See ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 25 to 27 (Nomos 2022).</ref> However, any attempt to legislate for a term of office that is for life or until retirement should be excluded, as Article 54(1)(e) GDPR addresses the question of reappointment. Therefore, the GDPR assumes a limited term for the position.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 8 (Nomos 2019). Dissenting views can be found in ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 54 GDPR, p. 897 (Oxford University Press 2020).</ref>
 ====(e) Reappointment====
-Article 54(1)(e) GDPR imposes on the Member States to regulate by means of a law whether and how often the reappointment of the member or members of a SA is permissible. A reappointment ban (only one mandate being possible) is conceivable, but also a limitation of the number of reappointments and limitation of consecutive reappointments can be laid down in the law. The possibility of reappointment can impair the independence of a member, in particularly when the re-election time is approaching. On the other hand, a reappointed member will have the capacity to work efficiently from the first day of the term.<ref>See ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 35 to 39 (Nomos 2022). See also ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 9 (Nomos 2019).</ref>
+Article 54(1)(e) GDPR imposes on the Member States to regulate by means of a law whether and how often the reappointment of the member or members of a SA is permissible.
+A reappointment ban (only one mandate being possible) is conceivable, but also a limitation of the number of reappointments and limitation of consecutive reappointments can be laid down in the law. The possibility of reappointment can impair the independence of a member, in particularly when the re-election time is approaching. On the other hand, a reappointed member will have the capacity to work efficiently from the first day of the term.<ref>See ''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 54 GDPR, margin numbers 35 to 39 (Nomos 2022). See also ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 54 GDPR, margin number 9 (Nomos 2019).</ref>
 ====(f) Rules on members' occupation, prohibitions, incompatible actions and benefits====