Article 56 GDPR: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 223: Line 223:
== Commentary ==
== Commentary ==


''You can help us fill this section!''
Article 55 of the GDPR stipulates the general competence of the supervisory authority. According to its wording, each SA shall be competent to i) perform the tasks and ii) exercise the powers on the territory of its own Member State.
 
 
'''(1)''' '''Competence of the supervisory authority'''
 
Article 55 is not as such on territorial competence of the SA, but should be read together with Article 56, which derogates to Article 55 in case of cross border processing. The exception to this general rule is envisaged by Article 56 which regulates a specific procedure for cross-border processing.<ref>see CJEU, 15 June 2021, ''Facebook vs. Belgian SA''., C-645/19, §45</ref>
 
The competence of supervisory authority on a territory of its own Member State includes ‘handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data’.<ref>See Recital 120</ref>
 
'''2)''' '''Responsibility Regarding Processing in the Public Interest'''
 
Article 55 (2) introduces an exception to the one-stop-shop procedure. In the context of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest, provisions of the one-stop-shop mechanism of Article 56 shall not apply. However, cooperation under Articles 60 and 61 is still possible. In such cases the only supervisory authority competent to exercise its powers should be the supervisory authority of the Member State where the public authority or private body is established.
 
This provision applies to public authorities when they perform their public duties by virtue of Article 6 (1)(c) or (e) GDPR. Any other activities that would not be performing public tasks, such as commercial activities, are not subject to article 55(2) GDPR.
 
Also, private entities performing tasks under a legal obligation or under the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers will not be subject to the one-stop-shop procedure.
 
'''(3) Processing by the judiciary in their judicial capacity'''
 
In order to protect the independence of the judiciary, Article 55 (3) exempts supervisory authorities from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) CFR but rather that the monitoring of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.<ref>See Recital 20</ref>
 
Moreover, Article 80 of the Law Enforcement Directive states that courts and other independent judicial authorities should always be subject to independent supervision. Even if Article 55(3) GDPR only mention courts, it seems obvious that other judicial bodies - such as the prosecutor office - should be subject to independent supervision separate from the SA.<ref>See Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity, Research note of the of the Directorate general for Research and Documentation of the CJEU, available at <nowiki>https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-11/ndr_2018-004_synthese-neutralisee-en.pdf</nowiki>.</ref>
 
Unfortunately, Article 55(3) does not define what the terms ‘acting in their judicial capacity’ mean.  Whereas we can affirm that the processing of the data of the staff hired by a court remains subject to the supervision of the SA, what about the publication of the decisions of a court on its website ?
 
An interesting question has been asked to the CJEU in this context. The referring court asks the Court of Justice whether Article 55(3) GDPR must be interpreted as meaning that ‘processing operations of courts acting in their judicial capacity’ can be understood to mean the provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist'.<ref>See Request for a preliminary ruling in Case C-245/20, ''O.J.'', 7 August 2020, C-297/27, available at https://curia.europa.eu/juris/document/document.jsf?text=&docid=230717&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=110307</ref> 


== Decisions ==
== Decisions ==

Revision as of 14:57, 9 July 2021

Article 56 - Competence of the lead supervisory authority
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 56 - Competence of the lead supervisory authority


1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Relevant Recitals

Recital 20: Respecting the Independence of the Judiciary

While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. 2The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.


Recital 122: Responsibility of the Supervisory Authorities

Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.


Recital 128: Responsibility Regarding Processing in the Public Interest
The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.

Commentary

Article 55 of the GDPR stipulates the general competence of the supervisory authority. According to its wording, each SA shall be competent to i) perform the tasks and ii) exercise the powers on the territory of its own Member State.


(1) Competence of the supervisory authority

Article 55 is not as such on territorial competence of the SA, but should be read together with Article 56, which derogates to Article 55 in case of cross border processing. The exception to this general rule is envisaged by Article 56 which regulates a specific procedure for cross-border processing.[1]

The competence of supervisory authority on a territory of its own Member State includes ‘handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data’.[2]

2) Responsibility Regarding Processing in the Public Interest

Article 55 (2) introduces an exception to the one-stop-shop procedure. In the context of processing carried out by public authorities or private bodies complying with a legal obligation or performing a task in the public interest, provisions of the one-stop-shop mechanism of Article 56 shall not apply. However, cooperation under Articles 60 and 61 is still possible. In such cases the only supervisory authority competent to exercise its powers should be the supervisory authority of the Member State where the public authority or private body is established.

This provision applies to public authorities when they perform their public duties by virtue of Article 6 (1)(c) or (e) GDPR. Any other activities that would not be performing public tasks, such as commercial activities, are not subject to article 55(2) GDPR.

Also, private entities performing tasks under a legal obligation or under the public interest will not be subject to the cooperation mechanism. That would imply that the obligation of air carriers to retain data or data retention obligation of electronic communication providers will not be subject to the one-stop-shop procedure.

(3) Processing by the judiciary in their judicial capacity

In order to protect the independence of the judiciary, Article 55 (3) exempts supervisory authorities from supervising the activities of courts and other judicial authorities when they are acting in their judicial capacity. That does not mean that their activities are not subject to the GDPR, since this would be contrary to Article 8(3) CFR but rather that the monitoring of personal data by the judiciary should be entrusted to specific bodies within the judicial system of the Member State.[3]

Moreover, Article 80 of the Law Enforcement Directive states that courts and other independent judicial authorities should always be subject to independent supervision. Even if Article 55(3) GDPR only mention courts, it seems obvious that other judicial bodies - such as the prosecutor office - should be subject to independent supervision separate from the SA.[4]

Unfortunately, Article 55(3) does not define what the terms ‘acting in their judicial capacity’ mean.  Whereas we can affirm that the processing of the data of the staff hired by a court remains subject to the supervision of the SA, what about the publication of the decisions of a court on its website ?

An interesting question has been asked to the CJEU in this context. The referring court asks the Court of Justice whether Article 55(3) GDPR must be interpreted as meaning that ‘processing operations of courts acting in their judicial capacity’ can be understood to mean the provision by a judicial authority of access to procedural documents containing personal data, where such access is granted by making copies of those procedural documents available to a journalist'.[5]

Decisions

→ You can find all related decisions in Category:Article 56 GDPR

References

  1. see CJEU, 15 June 2021, Facebook vs. Belgian SA., C-645/19, §45
  2. See Recital 120
  3. See Recital 20
  4. See Supervision of courts’ compliance with personal data protection rules when acting in their judicial capacity, Research note of the of the Directorate general for Research and Documentation of the CJEU, available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-11/ndr_2018-004_synthese-neutralisee-en.pdf.
  5. See Request for a preliminary ruling in Case C-245/20, O.J., 7 August 2020, C-297/27, available at https://curia.europa.eu/juris/document/document.jsf?text=&docid=230717&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=110307