Article 55 GDPR: Difference between revisions

From GDPRhub
No edit summary
(7 intermediate revisions by 4 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 55 - Competence'''</center><br />
<br /><center>'''Article 55 - Competence'''</center>


<span id="1">1.  Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.</span>
<span id="1">1.  Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.</span>
Line 194: Line 194:


== Relevant Recitals==
== Relevant Recitals==
<span id="r20">
{{Recital/20 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 20:''' Respecting the Independence of the Judiciary</div>
{{Recital/122 GDPR}}
<div class="mw-collapsible-content">
{{Recital/128 GDPR}}
While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. 2The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.
</div></div>
 
 
<span id="r122">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 122:''' Responsibility of the Supervisory Authorities</div>
<div class="mw-collapsible-content">
 
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.
</div></div>
 
 
<span id="r128">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 128:''' Responsibility Regarding Processing in the Public Interest</div>
<div class="mw-collapsible-content">
The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.</div></div>


== Commentary ==
== Commentary ==
Pursuant to Article 55(1) GDPR, the Supervisory Authority (“SA”) has jurisdiction on the territory of its Member State. This rule echoes the provision in Article 3(1) GDPR on the territorial application of the GDPR. In particular, the SA’s jurisdiction applies to the processing of personal data carried out in the context of the activities of an establishment of the controller in that Member State. With respect to that establishment, therefore, the SAs may perform the tasks and exercise the powers conferred by the GDPR. Article 55(2) GDPR confirms the above rule for processing carried out in the public interest and for the exercise of an official task of the SA (Article 6(1)(c) and (e) GDPR), with the only clarification that the cooperation mechanism of Article 56 does not apply in these cases. Finally, Article 55(3) GDPR excludes SAs from supervising the work of the courts in the exercise of their judicial function.


Article 55 of the GDPR stipulates the general competence of the supervisory authority. According to its wording, each SA shall be competent to i) perform the tasks and ii) exercise the powers on the territory of its own Member State.
=== (1) Competence of the Supervisory Authority ===
 
Article 55(1) GDPR expresses a basic principle of public international law: a State has the power to enforce the law within its national borders through the authorities with which it has entrusted itself. In terms of data protection, under Article 55(1) GDPR, the competence of the national SA follows the principle of establishment expressed in Article 3 GDPR.  
 
'''(1)''' '''Competence of the supervisory authority'''
 
Article 55 is not as such on territorial competence of the SA, but should be read together with Article 56, which derogates to Article 55 in case of cross border processing. The exception to this general rule is envisaged by Article 56 which regulates a specific procedure for cross-border processing.<ref>see CJEU, 15 June 2021, ''Facebook vs. Belgian SA''., C-645/19, §45</ref>
 
The competence of supervisory authority on a territory of its own Member State includes ‘handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data’.<ref>See Recital 120</ref>
 
'''(2)''' '''Responsibility Regarding Processing in the Public Interest'''
 
Article 55 (2) introduces an exception to the one-stop-shop procedure. In the context of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest, provisions of the one-stop-shop mechanism of Article 56 shall not apply. However, cooperation under Articles 60 and 61 is still possible. In such cases the only supervisory authority competent to exercise its powers should be the supervisory authority of the Member State where the public authority or private body is established.


This provision applies to public authorities when they perform their public duties by virtue of Article 6 (1)(c) or (e) GDPR. Any other activities that would not be performing public tasks, such as commercial activities, are not subject to article 55(2) GDPR.
In particular, if a controller has an establishment within a Member State, the authority of that State will have jurisdiction over it, regardless of where the processing is carried out. The competence of a SA on a territory of its own Member State includes’ among the others, “''handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data''”.<ref>See Recital 120 GDPR.</ref>


Also, private entities performing tasks under a legal obligation or under the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers will not be subject to the one-stop-shop procedure.
However, it should be pointed out that Article 55 GDPR has an important derogation, provided for in the subsequent Article 56 GDPR (the so-called, “''one-stop shop procedure''”).<ref>CJEU, 15 June 2021, Facebook vs. Belgian SA, C-645/19, margin number 35 (available [https://curia.europa.eu/juris/liste.jsf?num=C-645/19 here]).</ref> The latter applies when a cross-border processing of data takes place and the main establishment of the controller (or its single establishment within the European Union) is located in another Member State. In such cases, the SA competence is assigned to the authority of the main establishment.<ref>Or its single establishment within the European Union (Article 56 GDPR).</ref>


'''(3) Processing by the judiciary in their judicial capacity'''
=== (2) Responsibility Regarding Processing in the Public Interest ===
Article 55(2) GDPR regulates the SA’s competence in case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA in whose Member State the public authority or private body is located. In such cases, Article 56 GDPR will not apply and the only competent SA to exercise its powers should be the one where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.<ref>''Körffer'', in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).</ref>


In order to protect the independence of the judiciary, Article 55 (3) exempts supervisory authorities from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) CFR but rather that the monitoring of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.<ref>See Recital 20</ref>
This provision applies to public authorities when they perform their public duties by virtue of Article 6(1)(c)(e) GDPR. Any other activities that would not be performing public tasks, such as commercial activities, are not subject to Article 55(2) GDPR. Also, private entities performing tasks under a legal obligation or under the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers would not be subject to the one-stop shop procedure.
=== (3) Processing by the Judiciary in Their Judicial Capacity ===
In order to protect the independence of the judiciary, Article 55(3) GDPR exempts SAs from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) of the Charter of Fundamental Rights (CFR) but rather that the monitoring of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.<ref>See Recital 20 GDPR.</ref>


Moreover, Article 80 of the Law Enforcement Directive states that courts and other independent judicial authorities should always be subject to independent supervision. Even if Article 55(3) GDPR only mention courts, it seems obvious that other judicial bodies - such as the prosecutor office - should be subject to independent supervision separate from the SA.<ref>See Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity, Research note of the of the Directorate general for Research and Documentation of the CJEU, available at <nowiki>https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-11/ndr_2018-004_synthese-neutralisee-en.pdf</nowiki>.</ref>
Moreover, Article 80 of the Law Enforcement Directive (Directive (EU) 2016/680) states that courts and other independent judicial authorities should always be subject to independent supervision. Even if Article 55(3) GDPR only mention courts, it seems obvious that other judicial bodies such as the prosecutor office should be subject to independent supervision separate from the SA.<ref>See Directorate-General for Research and Documentation, Research Note on the Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity (available [https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-11/ndr_2018-004_synthese-neutralisee-en.pdf here]).</ref> However, Article 55(3) GDPR does not define what the term “''acting in their judicial capacity''” determines.  Whereas the processing of the data of the staff hired by a court remains subject to the supervision of the SA, it remains unclear whether that is the case with the publication of a court’s decisions on its website.


Unfortunately, Article 55(3) does not define what the terms ‘acting in their judicial capacity’ mean.  Whereas we can affirm that the processing of the data of the staff hired by a court remains subject to the supervision of the SA, what about the publication of the decisions of a court on its website ?
In this context, a preliminary ruling is pending before the CJEU. The referring court asks the CJEU whether Article 55(3) GDPR must be interpreted as meaning that “''processing operations of courts acting in their judicial capacity''” can be understood to mean the “''provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist''”.<ref>See Rechtbank Midden-Nederland, 7 August 2020, Request for a preliminary ruling from the rechtbank Midden-Nederland (Netherlands) lodged on 29 May 2020, C-297/27 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=230717&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=110307 here]).</ref>


An interesting question has been asked to the CJEU in this context. The referring court asks the Court of Justice whether Article 55(3) GDPR must be interpreted as meaning that ‘processing operations of courts acting in their judicial capacity’ can be understood to mean the provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist'.<ref>See Request for a preliminary ruling in Case C-245/20, ''O.J.'', 7 August 2020, C-297/27, available at https://curia.europa.eu/juris/document/document.jsf?text=&docid=230717&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=110307</ref>
== Decisions ==
== Decisions ==
→ You can find all related decisions in [[:Category:Article 55 GDPR]]
→ You can find all related decisions in [[:Category:Article 55 GDPR]]

Revision as of 16:09, 28 April 2022

Article 55 - Competence
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 55 - Competence

1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Relevant Recitals

Recital 20: Respect to the Independence of the Judiciary
While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

Recital 122: Competence of Supervisory Authorities
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

Recital 128: No Lead Supervisory Authority for Processing Carried Out by Public Authorities or Private Bodies in the Public Interest
The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.

Commentary

Pursuant to Article 55(1) GDPR, the Supervisory Authority (“SA”) has jurisdiction on the territory of its Member State. This rule echoes the provision in Article 3(1) GDPR on the territorial application of the GDPR. In particular, the SA’s jurisdiction applies to the processing of personal data carried out in the context of the activities of an establishment of the controller in that Member State. With respect to that establishment, therefore, the SAs may perform the tasks and exercise the powers conferred by the GDPR. Article 55(2) GDPR confirms the above rule for processing carried out in the public interest and for the exercise of an official task of the SA (Article 6(1)(c) and (e) GDPR), with the only clarification that the cooperation mechanism of Article 56 does not apply in these cases. Finally, Article 55(3) GDPR excludes SAs from supervising the work of the courts in the exercise of their judicial function.

(1) Competence of the Supervisory Authority

Article 55(1) GDPR expresses a basic principle of public international law: a State has the power to enforce the law within its national borders through the authorities with which it has entrusted itself. In terms of data protection, under Article 55(1) GDPR, the competence of the national SA follows the principle of establishment expressed in Article 3 GDPR.

In particular, if a controller has an establishment within a Member State, the authority of that State will have jurisdiction over it, regardless of where the processing is carried out. The competence of a SA on a territory of its own Member State includes’ among the others, “handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data”.[1]

However, it should be pointed out that Article 55 GDPR has an important derogation, provided for in the subsequent Article 56 GDPR (the so-called, “one-stop shop procedure”).[2] The latter applies when a cross-border processing of data takes place and the main establishment of the controller (or its single establishment within the European Union) is located in another Member State. In such cases, the SA competence is assigned to the authority of the main establishment.[3]

(2) Responsibility Regarding Processing in the Public Interest

Article 55(2) GDPR regulates the SA’s competence in case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA in whose Member State the public authority or private body is located. In such cases, Article 56 GDPR will not apply and the only competent SA to exercise its powers should be the one where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.[4]

This provision applies to public authorities when they perform their public duties by virtue of Article 6(1)(c)(e) GDPR. Any other activities that would not be performing public tasks, such as commercial activities, are not subject to Article 55(2) GDPR. Also, private entities performing tasks under a legal obligation or under the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers would not be subject to the one-stop shop procedure.

(3) Processing by the Judiciary in Their Judicial Capacity

In order to protect the independence of the judiciary, Article 55(3) GDPR exempts SAs from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) of the Charter of Fundamental Rights (CFR) but rather that the monitoring of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.[5]

Moreover, Article 80 of the Law Enforcement Directive (Directive (EU) 2016/680) states that courts and other independent judicial authorities should always be subject to independent supervision. Even if Article 55(3) GDPR only mention courts, it seems obvious that other judicial bodies – such as the prosecutor office – should be subject to independent supervision separate from the SA.[6] However, Article 55(3) GDPR does not define what the term “acting in their judicial capacity” determines.  Whereas the processing of the data of the staff hired by a court remains subject to the supervision of the SA, it remains unclear whether that is the case with the publication of a court’s decisions on its website.

In this context, a preliminary ruling is pending before the CJEU. The referring court asks the CJEU whether Article 55(3) GDPR must be interpreted as meaning that “processing operations of courts acting in their judicial capacity” can be understood to mean the “provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist”.[7]

Decisions

→ You can find all related decisions in Category:Article 55 GDPR

References

  1. See Recital 120 GDPR.
  2. CJEU, 15 June 2021, Facebook vs. Belgian SA, C-645/19, margin number 35 (available here).
  3. Or its single establishment within the European Union (Article 56 GDPR).
  4. Körffer, in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).
  5. See Recital 20 GDPR.
  6. See Directorate-General for Research and Documentation, Research Note on the Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity (available here).
  7. See Rechtbank Midden-Nederland, 7 August 2020, Request for a preliminary ruling from the rechtbank Midden-Nederland (Netherlands) lodged on 29 May 2020, C-297/27 (available here).