Article 55 GDPR: Difference between revisions

From GDPRhub
No edit summary
Line 201: Line 201:
Article 55 is a provision on jurisdiction.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).</ref> According to the general rule set out in Article 55(1) GDPR a SA has jurisdiction on the territory of its Member State. Paragraphs 2 and 3 provide for two exemptions from the territorial principle.  
Article 55 is a provision on jurisdiction.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).</ref> According to the general rule set out in Article 55(1) GDPR a SA has jurisdiction on the territory of its Member State. Paragraphs 2 and 3 provide for two exemptions from the territorial principle.  


Paragraph 2 provides for exclusive competences of a national SAs of a Member State where processing carried out by public authorities or private bodies acting in the public interest of that Member State is concerned. Paragraph 3 addresses the judicial independence in the division of powers. It exempts processing of data by courts related to exercising of their judicial function from the supervision by the SA.
Additionally, GDPR sets out separate rules for cross-border cases.  [[Article 56 GDPR]] in connection with Article 60 GDPR allocates the competences in cross-border cases of SAs, which would be competent according to Article 55 GDPR. It grants the lead role to the supervisory authority of the main or single establishment of the controller as the the lead supervisory authority. Other supervisory authorities participate in the one-stop-shop procedure as supervisory authorities concerned. For allocation of competences of SAs in cross-border cases where processing of personal data takes place in the context of the activities of establishments in more than one Member State or if it substantially affects data subjects in more than one Member State, as defined in  [[Article 4 GDPR|Article 4(23) GDPR]], see Commentary to [[Article 56 GDPR]].  
 
Additionally competences of SAs are governed by Article 56 GDPR that applies in cross border cases. In cross-border cases where processing of personal data takes place in the context of the activities of establishments in more than one Member State or if it substantially affects data subjects in more than one Member State, as defined in  [[Article 4 GDPR|Article 4(23) GDPR]], several SAs could be competent according to Article 55 GDPR. In order to provide for a consistent application of the GDPR throughout the EU/EEA [[Article 56 GDPR]] in connection with the procedure provided in Article 60 GDPR allocates the lead role to the supervisory authority of the main or single establishment of the controller, as the the lead supervisory authority. Other supervisory authorities participate in the role of supervisory authorities concerned. Article 56 GDPR does not apply where processing carried out by public authorities or private bodies acting in the public interest of that Member State is concerned (exemption under Paragraph 55(2) GDPR).


=== (1) Territorial competence of supervisory authorities (SAs) ===
=== (1) Territorial competence of supervisory authorities (SAs) ===
Article 55(1) GDPR clarifies that SAs are competent to act and exercise their jurisdiction on the territory of its own state. This provision reflects the basic principle of public international law, the principle of sovereignty: a state has the power to enforce the law within its national borders through its national authorities. <ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).</ref> Another aspect of the principle of sovereignty is that each state is prohibited to exercise power or authority on the territory of another state.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).</ref>  Therefore, the competence of SA ends at the border of it's Member State. The limitation of jurisdiction to the territory of the state ''“confirms the role of SA as enforcement authorities, having competence on national territory equal to other public bodies and judicial authorities.”''<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 904 (Oxford University Press 2020).</ref>
SAs are competent to act and exercise their jurisdiction on the territory of its own state. This reflects the basic principle of public international law, the principle of sovereignty: a state has the power to enforce the law within its national borders through its national authorities. <ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).</ref> Another aspect of the principle of sovereignty is that each state is prohibited to exercise power or authority on the territory of another state.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).</ref>  Therefore, the competence of SA ends at the border of it's Member State. The limitation of jurisdiction to the territory of the state ''“confirms the role of SA as enforcement authorities, having competence on national territory equal to other public bodies and judicial authorities.”''<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 904 (Oxford University Press 2020).</ref>
==== Is competent ====
==== Is competent ====
The GDPR links the competence of a SA with the territory of its Member State. It does not explicitly provide in which situations a SA is to act.
The GDPR links the competence of a SA with the territory of its Member State. It does not explicitly provide in which situations a SA is to act. The territorial limitation of competences does not mean that the data must be physically processed on the  territory of the Member State. Particularly in the digital environment the place of processing of data and the place where the effects of this processing on individuals shows are not necessarily the same.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).</ref> The data controller or processor, the data processing as such or individual data subjects can be used as a point of reference for the territorial jurisdiction of the data protection supervisory authority.<ref>xxx</ref> 
 
===== Processing in the context of the activities of an establishment on the territory of its own Member State =====
The territorial limitation of competences does not mean that the data must be physically processed on the  territory of the Member State or that the processor would have to be established in that Member State. Particularly in the digital environment the place of processing of data and the place where the effects of this processing on individuals shows are not necessarily the same.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).</ref> Recital 122 GDPR takes this into account with regard to competences of SAs. It partially follows the same concepts as [[Article 3 GDPR]] determining the scope of the GDPR as Article 55 GDPR provides for the jurisdiction of a SA for every processing that falls under the GDPR. In this regard Recital 122 GDPR specifies that SAs should in particular have jurisdiction over:
===== a) processing in the context of the activities of an establishment on the territory of its own member state =====
<blockquote>Example: Spanish SA has jurisdiction over processing activities of Spanish company ES that collects and stores data of its customers.</blockquote>The concepts of "in the context of its activities" and "establishment" are further discussed in [[Article 4 GDPR]] of this commentary.
<blockquote>Example: Spanish SA has jurisdiction over processing activities of Spanish company ES that collects and stores data of its customers.</blockquote>The concepts of "in the context of its activities" and "establishment" are further discussed in [[Article 4 GDPR]] of this commentary.


===== b) processing carried out by public authorities or private bodies acting in the public interest (see commentary to paragraph 55(2) GDPR below), =====
===== Processing affecting data subjects on its territory, and =====
<blockquote>Example: A Portugese SA is competent to monitor processing of employees data by a Potguese Ministry. </blockquote>
A SA of a Member State is competent when processing affects data subjects on the territory of its state. In general, when the processing in question concerns only residents of one Member State, a SA of that state will be competent to investigate and take a decision in this case. In particularly, if there is no transnational element and also the controller is located on the territory of this Member State. In situations where a complaint was lodged with a SA by one of its residents who was affected and the controller has no establishment in this state, the SA will have to ask the SA of the establishment of the controller for cooperation in accordance with [[Article 61 GDPR|Article 61]] and [[Article 62 GDPR|Article 62]]. A final decision establishing a violation and imposing corrective measures and a fine should be issued by the national SA where the controller is established.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin number 9 (Nomos 2019).</ref>
 
===== c) processing affecting data subjects on its territory, and =====
A SA of a member state is competent when processing affects data subjects on the territory of its state. In general, when the processing in question concerns only residents of one member state, a SA of that state will be competent to investigate and take a decision in this case. In particularly, if there is no transnational element and also the controller is located on the territory of this member state. In situations where a complaint was lodged with a SA by one of its residents who was affected and the controller has no establishment in this state, the SA will have to ask the SA of the establishment of the controller for cooperation in accordance with [[Article 61 GDPR|Article 61]] and [[Article 62 GDPR|Article 62]]. A final decision establishing a violation and imposing corrective measures and a fine should be issued by the national SA where the controller is established.<ref>''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin number 9 (Nomos 2019).</ref>


On the other hand, processing of data can affect data subjects in several member states, in particuarly cross-border processing. In such cases SAs have to act and handle cases in accordance with the rules on allocation of competences between the lead supervisory authority (LSA) and other supervisory authorities concerned. For more information see in particularly commentary to [[Article 56 GDPR]] and [[Article 60 GDPR]].<ref>CJEU [[CJEU - C-230/14 - Weltimmo|''C-230/14 - Weltimmo'']]'','' paragraph 57. See also  CJEU  [[CJEU - C-645/19 - Facebook Ireland and others v Gegevensbeschermingsautoriteit|''C-645/19 - Facebook Ireland and others'']], paragraph 53. </ref>
On the other hand, processing of data can affect data subjects in several Member States, in particuarly cross-border processing. In such cases SAs have to act and handle cases in accordance with the rules on allocation of competences between the lead supervisory authority (LSA) and other supervisory authorities concerned. For more information see in particularly commentary to [[Article 56 GDPR]] and [[Article 60 GDPR]].<ref>CJEU [[CJEU - C-230/14 - Weltimmo|''C-230/14 - Weltimmo'']]'','' paragraph 57. See also  CJEU  [[CJEU - C-645/19 - Facebook Ireland and others v Gegevensbeschermingsautoriteit|''C-645/19 - Facebook Ireland and others'']], paragraph 53. </ref>


===== d) processing carried out by a controller or processor not established in the EEA when targeting data subjects residing on its territory. =====
===== Processing carried out by a controller or processor not established in the EEA when targeting data subjects residing on its territory. =====
A national SA has also jurisdiction when a controller and processor that is not established in any of the states of the European Economic Area (EEA), is processing the data of its residents in relation to offering goods or services or through monitoring their behavior. This refers to situations when GDPR is applicable according to [[Article 3 GDPR|Article 3(2) GDPR]]. In this situations, several SAs can be competent to act in parallel, each concerning the data processing of their residents.  
A national SA has also jurisdiction when a controller and processor that is not established in any of the states of the European Economic Area (EEA), is processing the data of its residents in relation to offering goods or services or through monitoring their behavior. This refers to situations when GDPR is applicable according to [[Article 3 GDPR|Article 3(2) GDPR]]. In this situations, several SAs can be competent to act in parallel, each concerning the data processing of their residents.  


In this situations the main question is how to enforce a decision when a violation of the GDPR is established. In particularly, how corrective measures and fines can be enforced, since the controller or processor are located outside the territory and thus outside the reach of any member state, especially in situations when a controller has not designated a representative on  the territory of the European Union (in breach of [[Article 27 GDPR|Article 27(1) GDPR]]). In such situations s SA may ask the competent authorities of the country of the processor for cooperation under an international agreement between the countries.<ref>See ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin numbers 16 and 17 (Nomos 2019). See also ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> It  may also order that the data has to remain within the Union and cannot be transferred to a third country.<ref>See ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020). Regarding the option that the data must remain within the territory of the Union to secure the protection of individuals and their rights under the GDPR see also CJEU ''C-293/12 - Digital Rights Ireland,'' paragraph 68, [https://curia.europa.eu/juris/liste.jsf?num=C-293/12&language=de available here].</ref>
In this situations the main question is how to enforce a decision when a violation of the GDPR is established. In particularly, how corrective measures and fines can be enforced, since the controller or processor are located outside the territory and thus outside the reach of any Member State, especially in situations when a controller has not designated a representative on  the territory of the European Union (in breach of [[Article 27 GDPR|Article 27(1) GDPR]]). In such situations s SA may ask the competent authorities of the country of the processor for cooperation under an international agreement between the countries.<ref>See ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin numbers 16 and 17 (Nomos 2019). See also ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> It  may also order that the data has to remain within the Union and cannot be transferred to a third country.<ref>See ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020). Regarding the option that the data must remain within the territory of the Union to secure the protection of individuals and their rights under the GDPR see also CJEU ''C-293/12 - Digital Rights Ireland,'' paragraph 68, [https://curia.europa.eu/juris/liste.jsf?num=C-293/12&language=de available here].</ref>


==== Performance of tasks and the exercise of powers ====
==== Performance of tasks and the exercise of powers ====
The competence of a SA extends to all of the tasks and powers entailed in the GDPR. Majority of tasks of SAs is laid down in [[Article 57 GDPR]] and the powers in [[Article 58 GDPR]]. These include the main tasks of a SA monitoring and enforcement of the GDPR and investigative and corrective powers, such as to impose a ban on processing and an an administrative fine.  
The competence of a SA extends to all of the tasks and powers entailed in the GDPR. Majority of tasks of SAs is laid down in [[Article 57 GDPR]] and the powers in [[Article 58 GDPR]]. These include the main tasks of a SA monitoring and enforcement of the GDPR and investigative and corrective powers, such as to impose a ban on processing and an an administrative fine.  


Case law: In case C-230/14, ''Weltimmo'', CJEU stated that a SA cannot impose penalties outside the territory of its own member state but it can examine a complaint and exercise investigative powers against a company established in another member state which was directing its activities to residents of its state. For finding an infringement and imposing penalties the SA must request cooperation of SA of the establishment in accordance with the rules on cooperation.<ref>CJEU [[CJEU - C-230/14 - Weltimmo|''C-230/14 - Weltimmo'']], paragraphs 53 to 57.</ref>
Case law: In case C-230/14, ''Weltimmo'', CJEU stated that a SA cannot impose penalties outside the territory of its own Member State but it can examine a complaint and exercise investigative powers against a company established in another Member State which was directing its activities to residents of its state. For finding an infringement and imposing penalties the SA must request cooperation of SA of the establishment in accordance with the rules on cooperation.<ref>CJEU [[CJEU - C-230/14 - Weltimmo|''C-230/14 - Weltimmo'']], paragraphs 53 to 57.</ref>


SA’s tasks and powers include “''handling complaints lodged by a data subject, conducting investigations on the application of this Regulation [GDPR] and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data''”.<ref>See Recital 122 GDPR</ref> Tasks of SAs are listed in [[Article 57 GDPR]]. Powers of SAs are listed in [[Article 58 GDPR]].  
SA’s tasks and powers include “''handling complaints lodged by a data subject, conducting investigations on the application of this Regulation [GDPR] and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data''”.<ref>See Recital 122 GDPR</ref> Tasks of SAs are listed in [[Article 57 GDPR]]. Powers of SAs are listed in [[Article 58 GDPR]].  
As cases can and often have transnational elements the GDPR provides for mechanisms of cooperation between SAs in order to effectively deal with such cases.


==== On the territory of its own Member State ====
==== On the territory of its own Member State ====
This provision applies for each SA. If several SAs co-exist in one member state ([[Article 51 GDPR]]), each of them does not need to be competent for the whole territory of the state. It is a question of national law, how the jurisdiction is divided between SAs within a state.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).</ref>
The jurisdiction of a SA and its coercive power is limited to the territory of its own state. This means that a SA of one Member State cannot investigate on the territory of another state.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref>This provision applies for each SA. If several SAs co-exist in one Member State ([[Article 51 GDPR]]), each of them does not need to be competent for the whole territory of the state. It is a question of national law, how the jurisdiction is divided between SAs within a state.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).</ref>


The jurisdiction of a SA and its coercive power is limited to the territory of its own state. This means that a SA of one member state cannot investigate on the territory of another state.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref><blockquote>Example: French DPA can conduct an investigation on the premises of a controller, if the premises is located in France. At the same time the French DPA cannot on its own conduct an investigation on the premises of a processor, if the premises is located in Spain.</blockquote>It also means that a decision issued by a SA cannot be enforced in another state.<blockquote>Example: If the Austrian SA would issue a decision by which it would ban further processing of data and impose a 150.000 EUR fine against a controller from France that has no establishment in Austria the Austrian authority would not have the power or any means to force the controller to comply with the decision and pay the fine since it is not on the territory of Austria.</blockquote>At the same time according to the CJEU case law “''the law should make it possible for individuals to enforce their right to protection''”<ref>See [[CJEU - C-230/14 - Weltimmo|''CJEU C-230/14 - Weltimmo'']]'','' paragraph 53''. See also Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> Therefore the GDPR has provided a cooperation and consistency mechanism between SAs under [[Article 56 GDPR]] and Articles 60 to 67 GDPR, which should result in final decisions being issued by the national SA of the establishment of the controller.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref>
<blockquote>Example: French DPA can conduct an investigation on the premises of a controller, if the premises is located in France. At the same time the French DPA cannot on its own conduct an investigation on the premises of a processor, if the premises is located in Spain.</blockquote>It also means that a decision issued by a SA cannot be enforced in another state.<blockquote>Example: If the Austrian SA would issue a decision by which it would ban further processing of data and impose a 150.000 EUR fine against a controller from France that has no establishment in Austria the Austrian authority would not have the power or any means to force the controller to comply with the decision and pay the fine since it is not on the territory of Austria.</blockquote>At the same time according to the CJEU case law “''the law should make it possible for individuals to enforce their right to protection''”<ref>See [[CJEU - C-230/14 - Weltimmo|''CJEU C-230/14 - Weltimmo'']]'','' paragraph 53''. See also Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> Therefore the GDPR has provided a cooperation and consistency mechanism between SAs under [[Article 56 GDPR]] and Articles 60 to 67 GDPR, which should result in final decisions being issued by the national SA of the establishment of the controller.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref>


==== No rule on applicable law ====
==== No rule on applicable law ====
The GDPR in several provisions mandates member states to adopt more specific national rules on data protection, such as on special categories of data ([[Article 9 GDPR]]) or human resources data ([[Article 88 GDPR]]). It is not evident which national law is applicable in such instances as GDPR does not contain any rules on applicable law for data processed within the Union. The SA of one state may have to apply the national rules of another state in such cases concerning such situations.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 908 (Oxford University Press 2020).</ref>
The GDPR in several provisions mandates Member States to adopt more specific national rules on data protection, such as on special categories of data ([[Article 9 GDPR]]) or human resources data ([[Article 88 GDPR]]). It is not evident which national law is applicable in such instances as GDPR does not contain any rules on applicable law for data processed within the Union. The SA of one state may have to apply the national rules of another state in such cases concerning such situations.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 908 (Oxford University Press 2020).</ref>


=== (2) Responsibility regarding processing in the public interest ===
=== (2) Exclusive competence regarding processing for compliance with a legal obligation or in the public interest ===
Article 55(2) GDPR regulates the SA’s competence in case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA in whose Member State the public authority or private body is located. In such cases, Article 56 GDPR will not apply and the only competent SA to exercise its powers should be the one where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.<ref>''Körffer'', in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).</ref>  
Article 55(2) GDPR regulates the SA’s competence in case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA in whose Member State the public authority or private body is located. In such cases, Article 56 GDPR will not apply and the only competent SA to exercise its powers should be the one where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.<ref>''Körffer'', in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).</ref>  


The rule should prevent SAs of another state from monitoring public authorities and other bodies carrying out tasks in public interest. Also, the monitoring of processing of data to comply with a legal obligation imposed by the public law of a member state, such as collection of telecommunication data, should be subject to control by the national SA of that state.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin numbers 7 and 10 to 13 (Nomos 2022).</ref>
The rule should prevent SAs of another state from monitoring public authorities and other bodies carrying out tasks in public interest. Also, the monitoring of processing of data to comply with a legal obligation imposed by the public law of a Member State, such as collection of telecommunication data, should be subject to control by the national SA of that state.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin numbers 7 and 10 to 13 (Nomos 2022).</ref>


==== Processing carried out by public authorities ====
==== Processing carried out by public authorities ====
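Review bot: the new version of the "Is competent" paragraph (the one that continues with "The territorial limitation of competences does not mean ...") ends in a placeholder citation, "<ref>xxx</ref>", which will render as a numbered footnote reading "xxx"; replace it with the intended source (the neighbouring sentence cites Hijmans, p. 906) or remove the tag before saving. Smaller points in the same hunk: "the the lead supervisory authority" (doubled word, present in both versions of the "Additionally" paragraph); "exemption under Paragraph 55(2) GDPR" should read "Article 55(2) GDPR"; "Portugese"/"Potguese" in the Ministry example; "In such situations s SA may ask" should be "a SA"; "an an administrative fine"; "In this situations" should be "In these situations". The sub-heading sequence is also inconsistent after the change: the old revision numbers the Recital 122 cases a) to d), while the new one drops the letters from some headings but keeps the trailing ", and" in "Processing affecting data subjects on its territory, and", so that heading now reads as a fragment.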
Line 256: Line 247:
==== Processing carried out by private entities performing tasks under a legal obligation or under the public interest ====
==== Processing carried out by private entities performing tasks under a legal obligation or under the public interest ====


Also, private entities performing tasks under a legal obligation or in the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers would not be subject to the one-stop shop procedure. However, when the private entity is processing data under any other legal basis than Article 6(1)(c)(e), for example based on consent or contract (Article 6(1)(b)), the same entity is subject to Article 56. This means that in case of cross-border processing the LSA will be responsible for monitoring the entities' compliance with the GDPR. This can lead to situations where the same entity can be subject to monitoring by different SAs in relation to different processing of same data.<blockquote><u>For example</u>: Passenger data that are collected by airlines for commercial purposes are subject to control by the LSA (SA of main establishment of the airline). When data on passengers is transferred to the public authority where the plane will land or take off under Article 8 Directive 2016/681, the transfer is subject to the control of the SA of the member state on the territory of which the plane will land or take off.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020).</ref></blockquote>
Revision as of 16:24, 17 January 2024

Article 55 - Competence
Chapter 6: Independent supervisory authorities

Legal Text


Article 55 - Competence

1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Relevant Recitals

Recital 20: Respect to the Independence of the Judiciary
While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

Recital 122: Competence of Supervisory Authorities
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

Recital 128: No Lead Supervisory Authority for Processing Carried Out by Public Authorities or Private Bodies in the Public Interest
The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.

Commentary

Article 55 is a provision on jurisdiction.[1] According to the general rule set out in Article 55(1) GDPR a SA has jurisdiction on the territory of its Member State. Paragraphs 2 and 3 provide for two exemptions from the territorial principle.

Additionally, the GDPR sets out separate rules for cross-border cases. Article 56 GDPR in connection with Article 60 GDPR allocates competences in cross-border cases among the SAs that would be competent under Article 55 GDPR. It grants the lead role to the SA of the main or single establishment of the controller, as the lead supervisory authority. Other SAs participate in the one-stop-shop procedure as supervisory authorities concerned. For the allocation of competences between SAs in cross-border cases, i.e. where the processing of personal data takes place in the context of the activities of establishments in more than one Member State or substantially affects data subjects in more than one Member State, as defined in Article 4(23) GDPR, see the Commentary to Article 56 GDPR.

(1) Territorial competence of supervisory authorities (SAs)

SAs are competent to act and exercise their jurisdiction on the territory of their own Member State. This reflects the basic principle of public international law, the principle of sovereignty: a state has the power to enforce the law within its national borders through its national authorities.[2] Another aspect of the principle of sovereignty is that each state is prohibited from exercising power or authority on the territory of another state.[3] Therefore, the competence of a SA ends at the border of its Member State. The limitation of jurisdiction to the territory of the state "confirms the role of SAs as enforcement authorities, having competence on national territory equal to other public bodies and judicial authorities."[4]

Is competent

The GDPR links the competence of a SA to the territory of its Member State. It does not explicitly provide in which situations a SA is to act. The territorial limitation of competence does not mean that the data must be physically processed on the territory of the Member State. Particularly in the digital environment, the place where data is processed and the place where the effects of that processing on individuals show are not necessarily the same.[5] The controller or processor, the processing as such, or the individual data subjects can serve as the point of reference for the territorial jurisdiction of the data protection supervisory authority.[6]

Processing in the context of the activities of an establishment on the territory of its own Member State

Example: The Spanish SA has jurisdiction over the processing activities of a Spanish company (ES) that collects and stores the data of its customers.

The concepts of "in the context of its activities" and "establishment" are further discussed in Article 4 GDPR of this commentary.

Processing affecting data subjects on its territory

A SA of a Member State is competent when processing affects data subjects on the territory of its state. In general, when the processing in question concerns only residents of one Member State, the SA of that state will be competent to investigate and decide the case, in particular where there is no transnational element and the controller is also located on the territory of that Member State. Where a complaint was lodged with a SA by one of its residents who was affected, but the controller has no establishment in that state, the SA will have to ask the SA of the Member State of the controller's establishment for cooperation in accordance with Articles 61 and 62 GDPR. A final decision establishing a violation and imposing corrective measures and a fine should be issued by the national SA of the Member State where the controller is established.[7]

On the other hand, processing can affect data subjects in several Member States, in particular in the case of cross-border processing. In such cases SAs have to act and handle cases in accordance with the rules on the allocation of competences between the lead supervisory authority (LSA) and the other supervisory authorities concerned. For more information see in particular the commentary to Article 56 GDPR and Article 60 GDPR.[8]

Processing carried out by a controller or processor not established in the EEA when targeting data subjects residing on its territory.

A national SA also has jurisdiction when a controller or processor that is not established in any state of the European Economic Area (EEA) processes the data of its residents in relation to the offering of goods or services or the monitoring of their behaviour. This refers to situations in which the GDPR is applicable under Article 3(2) GDPR. In these situations several SAs can be competent to act in parallel, each with respect to the processing of the data of its own residents.

In these situations the main question is how to enforce a decision once a violation of the GDPR is established, in particular how corrective measures and fines can be enforced, since the controller or processor is located outside the territory and thus outside the reach of any Member State, especially where the controller has not designated a representative in the European Union (in breach of Article 27(1) GDPR). In such situations a SA may ask the competent authorities of the country of the controller or processor for cooperation under an international agreement between the countries.[9] It may also order that the data must remain within the Union and cannot be transferred to a third country.[10]

Performance of tasks and the exercise of powers

The competence of a SA extends to all of the tasks and powers provided for in the GDPR. The majority of the tasks of SAs are laid down in Article 57 GDPR and their powers in Article 58 GDPR. These include the main tasks of a SA, monitoring and enforcing the GDPR, and its investigative and corrective powers, such as imposing a ban on processing or an administrative fine.

Case law: In case C-230/14, Weltimmo, the CJEU stated that a SA cannot impose penalties outside the territory of its own Member State, but it can examine a complaint and exercise investigative powers against a company established in another Member State which was directing its activities to residents of its state. For a finding of infringement and the imposition of penalties, the SA must request the cooperation of the SA of the Member State of establishment in accordance with the rules on cooperation.[11]

SA’s tasks and powers include “handling complaints lodged by a data subject, conducting investigations on the application of this Regulation [GDPR] and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data”.[12] Tasks of SAs are listed in Article 57 GDPR. Powers of SAs are listed in Article 58 GDPR.

On the territory of its own Member State

The jurisdiction of a SA and its coercive power are limited to the territory of its own state. This means that a SA of one Member State cannot investigate on the territory of another state.[13] This applies to each SA. If several SAs co-exist in one Member State (Article 51 GDPR), not every one of them needs to be competent for the whole territory of the state; how jurisdiction is divided between SAs within a state is a question of national law.[14]

Example: The French DPA can conduct an investigation on the premises of a controller if those premises are located in France. At the same time, the French DPA cannot on its own conduct an investigation on the premises of a processor if those premises are located in Spain.

It also means that a decision issued by a SA cannot be enforced in another state.

Example: If the Austrian SA were to issue a decision banning further processing and imposing a fine of EUR 150,000 on a controller from France that has no establishment in Austria, the Austrian authority would have no power or means to force the controller to comply with the decision and pay the fine, since the controller is not on Austrian territory.

At the same time, according to CJEU case law, "the law should make it possible for individuals to enforce their right to protection".[15] Therefore the GDPR provides a cooperation and consistency mechanism between SAs under Article 56 GDPR and Articles 60 to 67 GDPR, which should result in final decisions being issued by the national SA of the Member State of the controller's establishment.[16]

No rule on applicable law

The GDPR in several provisions mandates Member States to adopt more specific national rules on data protection, for example on special categories of data (Article 9 GDPR) or employee data (Article 88 GDPR). It is not evident which national law applies in such instances, as the GDPR does not contain any rules on the applicable law for data processed within the Union. In such situations the SA of one Member State may have to apply the national rules of another Member State.[17]

(2) Exclusive competence regarding processing for compliance with a legal obligation or in the public interest

Article 55(2) GDPR regulates the SA's competence in the case of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest. The provision confirms the competence of the SA of the Member State in which the public authority or private body is located. In such cases Article 56 GDPR does not apply, and the only SA competent to exercise its powers is that of the Member State where the public authority or private body is established. This rule thus establishes the exclusive jurisdiction of the national SA.[18]

The rule is intended to prevent SAs of other Member States from monitoring public authorities and other bodies carrying out tasks in the public interest. Likewise, the monitoring of processing carried out to comply with a legal obligation imposed by the public law of a Member State, such as the collection of telecommunications data, should be subject to the control of the national SA of that state.[19]

Processing carried out by public authorities

This provision applies to public authorities when they perform their public duties on the basis of Article 6(1)(c) or (e) GDPR. According to Recital 128 GDPR, the rules on the LSA and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities. In such cases the only competent SA should be the SA of the Member State where the public authority is established.[20]

Other activities of a public body, such as the commercial activities of a publicly owned undertaking, that do not amount to the performance of public tasks are not covered by the exception in Article 55(2) GDPR. For such processing there may be an LSA.[21]

Processing carried out by private entities performing tasks under a legal obligation or in the public interest

Likewise, private entities performing tasks under a legal obligation or in the public interest are not subject to the cooperation mechanism. This implies that the obligation of air carriers to retain data, or the data retention obligation of electronic communications providers, is not subject to the one-stop-shop procedure. However, when the same private entity processes data under a legal basis other than Article 6(1)(c) or (e) GDPR, for example consent (Article 6(1)(a)) or contract (Article 6(1)(b)), it is subject to Article 56 GDPR. This means that in the case of cross-border processing the LSA is responsible for monitoring the entity's compliance with the GDPR. This can lead to situations in which the same entity is subject to monitoring by different SAs in relation to different processing of the same data.

For example: Passenger data collected by airlines for commercial purposes are subject to control by the LSA (the SA of the airline's main establishment). When data on passengers is transferred, under Article 8 of Directive (EU) 2016/681, to the public authority of the Member State where the plane will land or take off, the transfer is subject to the control of the SA of the Member State on whose territory the plane will land or take off.[22]

(3) Limited competence for supervision of courts

In order to protect the independence of the judiciary, Article 55(3) GDPR exempts SAs from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) of the Charter of Fundamental Rights (CFR) but rather that the monitoring of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.[23]

Courts

Even though Article 55(3) GDPR only mentions courts, it seems obvious that other judicial bodies, such as the prosecutor's office, should be subject to independent supervision separate from the SA.[24] This is confirmed by Recital 80 of the Law Enforcement Directive (Directive (EU) 2016/680), which states that compliance by courts and other independent judicial authorities is always subject to independent supervision.

Supervisory authority (SA) is (not) competent

Courts are not totally exempt from control by SAs. They are exempt only when they are acting in their judicial capacity, but not regarding activities that are outside their judicial capacity.

Case law: The CJEU considered in case C-245/20 - Autoriteit Persoonsgegevens that the processing of personal data carried out in the context of a court's communication policy on cases falls outside the competence of a SA.[25]

On the other hand, activities of judicial administration, i.e. the practices, procedures and offices that deal with the management of the court system, are subject to the control of a SA. Thus, the processing of the data of staff employed by a court remains subject to the supervision of the SA.

Acting in judicial capacity

Case law: In case C-245/20 - Autoriteit Persoonsgegevens, the CJEU clarified that processing operations carried out by courts 'acting in their judicial capacity' must be understood as not being limited to the processing of data in specific cases, but as referring, more broadly, to all processing operations carried out by courts in the course of their judicial activity whose supervision by a SA would be likely, whether directly or indirectly, to have an influence on the independence of their members or to weigh on their decisions.[26]

Decisions

→ You can find all related decisions in Category:Article 55 GDPR

References

  1. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).
  2. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).
  3. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 3 (Nomos 2022).
  4. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 904 (Oxford University Press 2020).
  5. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 906 (Oxford University Press 2020).
  6. xxx
  7. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin number 9 (Nomos 2019).
  8. CJEU C-230/14 - Weltimmo, paragraph 57. See also CJEU C-645/19 - Facebook Ireland and others, paragraph 53.
  9. See Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin numbers 16 and 17 (Nomos 2019). See also Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
  10. See Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020). Regarding the option that the data must remain within the territory of the Union to secure the protection of individuals and their rights under the GDPR see also CJEU C-293/12 - Digital Rights Ireland, paragraph 68, available here.
  11. CJEU C-230/14 - Weltimmo, paragraphs 53 to 57.
  12. See Recital 122 GDPR
  13. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
  14. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).
  15. See CJEU C-230/14 - Weltimmo, paragraph 53. See also Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
  16. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).
  17. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 908 (Oxford University Press 2020).
  18. Körffer, in Paal, Pauly, DS-GVO BDSG, Article 55 GDPR, margin number 4 (C.H. Beck 2021).
  19. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin numbers 7 and 10 to 13 (Nomos 2022).
  20. See Recital 128 GDPR and Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin number 18 (Nomos 2019). See also Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 5 (Nomos 2022).
  21. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020).
  22. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020).
  23. See Recital 20 GDPR and CJEU, in C-245/20 - Autoriteit Persoonsgegevens, paragraph 24.
  24. See Directorate-General for Research and Documentation, Research Note on the Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity (available here).
  25. See C-245/20 - Autoriteit Persoonsgegevens, paragraph 37.
  26. See CJEU C-245/20 - Autoriteit Persoonsgegevens, paragraphs 34 to 39.