Article 55 GDPR: Difference between revisions

From GDPRhub
Line 202:


=== (1) Competence of the Supervisory Authority ===
Article 55(1) expresses a basic principle of public international law: a state has the power to enforce the law within its national borders through the authorities with which it has entrusted itself. In terms of data protection, under Article 55(1), the competence of the national SA follows the principle of establishment enunciated in Article 3 GDPR. In particular, if a controller has an establishment within a Member State, the authority of that State will have jurisdiction over it, regardless of where the processing is carried out. The competence of supervisory authority on a territory of its own Member State includes ‘''handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data''’.<ref>See Recital 120 GDPR.</ref> Having said this in general terms, it should however be pointed out that Article 55 discounts an important derogation, provided for in the subsequent Article 56 GDPR, which is taken into account when there is a cross-border processing of data and the main establishment of the controller<ref>Or its single establishment within the European Union (Article 56 GDPR).</ref> is located in another Member State, in such cases, jurisdiction is transferred to the authority of the principal establishment.<ref>CJEU, 15 June 2021, Facebook vs. Belgian SA, C-645/19, margin number 45 (available [https://curia.europa.eu/juris/liste.jsf?num=C-645/19 here]).</ref>
Article 55(1) expresses a basic principle of public international law: a state has the power to enforce the law within its national borders through the authorities with which it has entrusted itself. In terms of data protection, under Article 55(1), the competence of the national SA follows the principle of establishment enunciated in Article 3 GDPR.  
 
In particular, if a controller has an establishment within a Member State, the authority of that State will have jurisdiction over it, regardless of where the processing is carried out. The competence of supervisory authority on a territory of its own Member State includes ‘''handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data''’.<ref>See Recital 120 GDPR.</ref>  
 
Having said this in general terms, it should however be pointed out that Article 55 has an important derogation, provided for in the subsequent Article 56 GDPR (the so-called, "one-stop-shop-procedure").<ref>CJEU, 15 June 2021, Facebook vs. Belgian SA, C-645/19, margin number 45 (available [https://curia.europa.eu/juris/liste.jsf?num=C-645/19 here]).</ref> The latter applies when there is a cross-border processing of data and the main establishment  of the controller (or its single establishment within the European Union) is located in another Member State. In such cases, the DPA competence is assigned to the authority of the main establishment.<ref>Or its single establishment within the European Union (Article 56 GDPR).</ref>


=== (2) Responsibility Regarding Processing in the Public Interest ===
Article 55(2) GDPR introduces an exception to the one-stop-shop procedure. In the context of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest, provisions of the one-stop-shop mechanism of Article 56 GDPR shall not apply. However, cooperation under [[Article 60 GDPR|Articles 60 and 61 GDPR]] is still possible. In such cases the only supervisory authority competent to exercise its powers should be the supervisory authority of the Member State where the public authority or private body is established.
Article 55(2) GDPR introduces an exemption to the one-stop-shop procedure. In the context of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest, provisions of the one-stop-shop mechanism of Article 56 GDPR shall not apply. However, cooperation under [[Article 60 GDPR|Articles 60 and 61 GDPR]] is still possible. In such cases the only supervisory authority competent to exercise its powers should be the supervisory authority of the Member State where the public authority or private body is established.


This provision applies to public authorities when they perform their public duties by virtue of [[Article 6 GDPR|Article 6(1)(c)(e) GDPR]]. Any other activities that would not be performing public tasks, such as commercial activities, are not subject to Article 55(2) GDPR. Also, private entities performing tasks under a legal obligation or under the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers will not be subject to the one-stop-shop procedure.

Revision as of 18:04, 8 March 2022

Article 55 - Competence

Legal Text


Article 55 - Competence

1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Relevant Recitals

Recital 20: Respect to the Independence of the Judiciary
While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

Recital 122: Competence of Supervisory Authorities
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

Recital 128: No Lead Supervisory Authority for Processing Carried Out by Public Authorities or Private Bodies in the Public Interest
The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.

Commentary

Pursuant to Article 55(1) GDPR, the DPA has jurisdiction on the territory of its Member State. This rule echoes the provision in Article 3(1) on the territorial application of the GDPR. In particular, the DPA's jurisdiction applies to processing of personal data carried out in the context of the activities of an establishment of the controller in that Member State. With respect to that establishment, therefore, the authorities may perform the tasks and exercise the powers conferred by the GDPR. Paragraph 2 confirms the above rule for processing carried out in the public interest and for the exercise of an official task of the authority (Article 6(1)(c) and (e) GDPR), with the only clarification that the cooperation mechanism of Article 56 does not apply in these cases. Finally, paragraph 3 excludes supervisory authorities from monitoring the work of the courts in the exercise of their judicial function.

(1) Competence of the Supervisory Authority

Article 55(1) expresses a basic principle of public international law: a state has the power to enforce the law within its national borders through the authorities it has entrusted with that task. In terms of data protection, under Article 55(1), the competence of the national SA follows the principle of establishment enunciated in Article 3 GDPR.

In particular, if a controller has an establishment within a Member State, the authority of that State will have jurisdiction over it, regardless of where the processing is carried out. The competence of a supervisory authority on the territory of its own Member State includes ‘handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data’.[1]

That is the general rule. Article 55 is, however, subject to an important derogation, provided for in the subsequent Article 56 GDPR (the so-called "one-stop-shop procedure").[2] The latter applies when there is cross-border processing of data and the main establishment of the controller (or its single establishment within the European Union) is located in another Member State. In such cases, competence is assigned to the authority of the main establishment.[3]

(2) Responsibility Regarding Processing in the Public Interest

Article 55(2) GDPR introduces an exemption to the one-stop-shop procedure. In the context of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest, provisions of the one-stop-shop mechanism of Article 56 GDPR shall not apply. However, cooperation under Articles 60 and 61 GDPR is still possible. In such cases the only supervisory authority competent to exercise its powers should be the supervisory authority of the Member State where the public authority or private body is established.

This provision applies to public authorities when they perform their public duties by virtue of Article 6(1)(c) and (e) GDPR. Any other activities that do not amount to performing public tasks, such as commercial activities, are not subject to Article 55(2) GDPR. Also, private entities performing tasks under a legal obligation or in the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data, or the data retention obligation of electronic communication providers, will not be subject to the one-stop-shop procedure.

(3) Processing by the Judiciary in Their Judicial Capacity

In order to protect the independence of the judiciary, Article 55(3) GDPR exempts supervisory authorities from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) of the Charter of Fundamental Rights (CFR), but rather that the monitoring of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.[4]

Moreover, Article 80 of the Law Enforcement Directive (Directive (EU) 2016/680) states that courts and other independent judicial authorities should always be subject to independent supervision. Even if Article 55(3) GDPR only mentions courts, it seems obvious that other judicial bodies, such as the prosecutor's office, should be subject to independent supervision separate from the SA.[5] However, Article 55(3) GDPR does not define what the term ‘acting in their judicial capacity’ means. Whereas we can affirm that the processing of the data of the staff hired by a court remains subject to the supervision of the SA, what about the publication of the decisions of a court on its website?

An interesting question has been referred to the CJEU in this context. The referring court asks the Court of Justice whether Article 55(3) GDPR must be interpreted as meaning that ‘processing operations of courts acting in their judicial capacity’ can be understood to mean the provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist.[6]

Decisions

→ You can find all related decisions in Category:Article 55 GDPR

References

  1. See Recital 120 GDPR.
  2. CJEU, 15 June 2021, Facebook vs. Belgian SA, C-645/19, margin number 45 (available at https://curia.europa.eu/juris/liste.jsf?num=C-645/19).
  3. Or its single establishment within the European Union (Article 56 GDPR).
  4. See Recital 20 GDPR.
  5. See Directorate-General for Research and Documentation, Research Note on the Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity (available here).
  6. See Rechtbank Midden-Nederland, 7 August 2020, Request for a preliminary ruling from the rechtbank Midden-Nederland (Netherlands) lodged on 29 May 2020, C-297/27 (available here).