Article 57 GDPR: Difference between revisions

Revision as of 09:10, 6 December 2023

← Article 57 - Tasks →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 57 - Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d) promote the awareness of controllers and processors of their obligations under this Regulation;

(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l) give advice on the processing operations referred to in Article 36(2);

(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r) authorise contractual clauses and provisions referred to in Article 46(3);

(s) approve binding corporate rules pursuant to Article 47;

(t) contribute to the activities of the Board;

(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v) fulfil any other tasks related to the protection of personal data.

2. Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Relevant Recitals

Recital 122: Competence of Supervisory Authorities

Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

Recital 123: Cooperation Amongst Supervisory Authorities and with the Commission

The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

Recital 129: Tasks and Powers of Supervisory Authorities

In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

Recital 132: Awareness-Raising Activities and Specific Measures

Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as natural persons in particular in the educational context.

Recital 133: Mutual Assistance and Provisional Measures

The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for mutual assistance within one month of the receipt of that request by the other supervisory authority.

Commentary

Article 57(1) GDPR contains a detailed, albeit not exhaustive, list of mandatory tasks assigned to the supervisory authorities (SAs).^[1] Article 57(2) to (4) specify that the submission of complaints should be facilitated, tasks should be performed free of charge for data subjects, as wll as rules regarding excesive requests.

Articles that are related to this provision, include Article 4(21) GDPR (definition of a supervisory authority); Article 28(8) GDPR (adoption of processors’ standard contractual clauses); Article 36(2) GDPR (prior consultation); Article 40 GDPR (codes of conduct); Article 42 GDPR (certification); Article 46 GDPR (standard data protection clauses for data transfers); Article 47 GDPR (approval of binding corporate rules); Article 50 GDPR (international cooperation for the protection of personal data); Article 58 GDPR (powers); Article 59 GDPR (activity reports); Article 60 GDPR (cooperation between supervisory authorities); Article 61 GDPR (mutual assistance); Article 62 GDPR (joint operations ); Article 70 GDPR (tasks of the Board), Article 77 GDPR (complaint handling and investigations); and Article 83 GDPR (administrative fines).^[2]

(1) Tasks of the supervisory authority (SA)

Article 57(1) GDPR sets out a list of 21 tasks that each SA must ("shall") perform on its teritory, without prejudice to other tasks set out under the GDPR.

The tasks can be devided into monitoring and enforcement, investigation and audit activities, advisory activities, cooperation requirements, execution of the activities and instruments envisaged in other Articles of the GDPR, documentation requirements and following current developments.^[3]

The aim of the detailed regulation is to create an equivalent level of data protection within the EU through a "uniform implementation framework" (Recital 123 GDPR, 129 GDPR and Article 57(1)(g)(h) GDPR).^[4]

Ensuring free flow of personal data is not entailed among the tasks of the SA.^[5]

Without prejudice to other tasks

The provision does not provide for a closed list, as other tasks and responsibilities may arise from other provisions included in the GDPR, such as drawing up of annual activity reports under Article 59 GDPR.

Tasks of SAs

(a) Monitor and enforce the GDPR

According to Article 57(1)(a) GDPR, the SAs must ("shall") monitor and enforce the application of the GDPR. These are SA's main tasks. The collocation of these tasks (letter a) reflects its prominence. It summarises the core idea of SAs activities. Other tasks envisaged by the provision are almost all preordained to the fulfilment of these main tasks.^[6]

Monitor

Monitoring means checking compliance with the GDPR. In particular, the performance of data protection reviews.^[7]

Example: Reviewing the certifications granted under Article 42(7) GDPR.^[8]

This provision takes into account that data protection law, even at the highest level, is of little use if it is not enforced.^[9]

Enforce

Enforcement means remedying identified infringements of the GDPR, including coercive enforcement. ^[10] This means that if the SA determines that the GDPR has been applied incorrectly or not at all by a controller or processor, it should not stop there. Its activities include the effective enforcement of the GDPR against entities. The SA should make use of its corrective powers under Article 58(2) GDPR.^[11] This ranges from warning, to issuing a ban on processing and to the imposition of fines.

Example: Company YX is transfering data to the US without a valid legal basis. SA can establish an infringment of the GDPR, order return of data to the EU/EEA, ban future processing of respective data outside the EU/EEA and impose a fine.

SAs thus become effective supervisors with the possibility to intervene comprehensively and, if necessary, with coercive measures for the purpose of the effective application of the GDPR.^[11]

(b) Promote public awareness

Raising public awareness is explicitly regulated as a task. The GDPR expressly assigns the SAs the task of making the public aware not only of the risks associated with data processing but also of safeguards and protections that the GDPR affords to data subjects and children.

Example: A SA organises a public campaign "know your rights" on data subjects rights that includes visits of schools.

The focus can be placed on sensitive areas and thus also the perception and presence of SAs can be strengthened. Only as publicly known body can the authorities effectively fulfil their task as 'independent guardians of the fundamental right to data protection'.^[12] The annual report that SAs are required to draw up under Article 59 GDPR can be used to promote and raise awareness, but also educational events on data protection issues. For example on the European Data Protection Day, which is celebrated on 28 January.^[13] To provide an example, the knowledge of the functions, possibilities and risks of automated data processing is limited in the general public. The risks arise not only from the technical possibilities of accessing knowledge, but also from the consequences that can result when state, social or economic power obtains knowledge about people in an uncontrolled and asymmetrical manner. Informing the public about this and about the regulations, guarantees and rights of the individual is therefore an important task of the SAs and also an effective means of raising the level of data protection. ^[14]

(c) Advise member states and other public bodies

The wording includes general, preventive advice to the bodies mentioned on which measures should be taken to ensure an appropriate level of data protection. A confirmation to this can be found in Article 36(4) GDPR which stipulates that member states must consult the SA during the preparation of a legislative measure which relates to processing of personal data.^[15] SAs should be consulted during preparation of laws and regulations, as well as administrative measures. The advisory activities of the SAs are intended to make data processing transparent and enable the addressees of the advisory service to conduct legal and administrative activities in compliance with data protection.

Example: Estonia upgrades its e-governance system. The Estonian Sa should be consulted in the process since the sytem introduces new technical solutions for processing of data.

Which institutions and bodies are to be advised is determined by member state law.

(d) Promote the awareness of controllers and processors

SAs should not only shed light on legislative proposals and administrative measures, but also on those actors whose actions are governed by the GDPR (controllers and processors). In practice, this task can be carried out, for example, through training courses, official statements as well as through direct contacts with the obligated parties in the event of obvious difficulties in interpreting new and controversial provisions.^[16]

Example: Provision of workshops for data protection officers.

(e) Provide information concerning the exercise of data subject rights

Not only do data protection authorities raise public awareness but they also provide specific guidance ("upon request") to data subjects with information about the exercise of their GDPR rights. The term “rights” includes material rights (such as the right to be forgotten, Article 17 GDPR) as well as procedural rights and legal enforcement options (for instance, the rights mentioned in Article 77 GDPR, Article 78 GDPR and Article 80 GDPR), as well as the right to compensation (Article 80 GDPR).^[17] Article 57(1)(e) GDPR refers to the fact that several SAs may have to work together to provide information to data subjects ("if appropriate, cooperate with the supervisory authorities in other Member States to that end").^[18]

Example: Answering an email about the mandatory requirements of a complaint or if a company has an establishment in another member state.

(f) Handle, investigate complaints and inform the complainant of the progress and outcome

Under Article 57(1)(f) GDPR, SAs should deal with data subjects’ complaints and complaints filed by non-for-profit bodies on behalf of a data subject under Article 80 GDPR).^[19] Handling of complaints is one of the main tasks of supervisory authorities.^[20] According to the EDPB's Internal Document 02/2021 "[t]his key duty of [SAs] corresponds with the right of data subjects pursuant to Article 77 [GDPR] to lodge a complaint with a [SA]."^[21] This implies that the subject matter of the complaint is investigated with all due dilligence and the complainant is informed about the progress and result of the investigation.^[22]

Case law: In case C-362/14 - Schrems CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.^[23]

Complaint

GDPR does not define what constitutes a complaint. According to EDPB guideliness complaint may be defined as a submission to a SA by an identified natural person – or a not-for-profit body, organization or association that fulfils the conditions provided by Article 80 of the GDPR – who considers that the processing of personal data relating to him or her infringes the GDPR. Meaning that a complaint is not restricted to a breach of the rights of the data subject under Chapter III of the GDPR but is, more generally, an infringement of the GDPR by a processing of the complainant’s personal data.^[24] "An infringement is a violation, a non-respect of the GDPR’s provisions including both the failure to accommodate the data subject as well as non-compliance with other controller or processor obligations."^[25] "As regards the level of proof required to admit a complaint, it is necessary and sufficient that the complainant provides a substantiated complaint." ^[26]

GDPR creates a wide possibility for data subjects to make complaints. Article 57(2) GDPR require SAs to facilitate the submission of complaints and not to charge fees (Artice 57(3) GDPR), except for manifestly unfounded or excessive requests (Artice 57(4) GDPR). Article 77 GDPR ensures that a data subject can issue a complaint before the SA of his residence, whilst not excluding complaints before other SAs.^[27]

Investigate the subject matter of the complaint

EDPB confirms in the Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringementsthat that SAs have pursuant to Article 57(1)(f) a duty to handle each and every complaint submitted to them.^[28] To handle a complaint refers to the whole procedure for dealing with complaints and thus covers all stages. This includes the investigation of the subject matter of the complaint, which "entails taking all necessary and appropriate steps with a view to resolving an issue or establishing whether an infringement has been committed and if so under what circumstances." ^[29] The subject matter relates to the facts of the case as presented by the complainant. The investigation can be carried out, for example, by hearing the person responsible, by on-site inspections or by researching the technical and other framework conditions (Article 58(1) GDPR). It is aimed at determining whether the processing and/or the handling of data subjects' rights is in compliance with the law.^[30] While handling the complaint SAs should always fulfill their procedural obligations under the GDPR, as well as adhere to other applicable rules and principles of EU law, such as the right to be heard (Article 41 CFR).^[31]

To the extent appropriate

SAs are provided with a margin of discretion as regards the extent or depth of the investigation needed. A complaint must be investigated "to the extent appropriate”. Which investigatory steps are to be taken, depends on both the circumstances of the specific case and the requirements under national procedural law, but some degree of investigation must take place if the complainant is deemed admissible.^[32]

Example: When a complaint concerns proccessing of data without a legal basis through a website no on-site investigation is neccessary. In the event that the subject matter of the complaint concerns non-compliance of video surveillance with GDPR requirements, an on-site visit can be very helpful or even necessary.

According to EDPB necessary and appropriate steps encompass the measures (investigative powers) mentioned in Article 58 and among others include requesting information from the controller or processor and carrying out an audit or on-site inspection. While a SA "has a discretionary power to decide upon the necessary investigatory steps to be taken, including the extent and kind of information needed in order to provide a reply to the data subject and to decide on the necessity of enforcement action [...] [t]his discretionary power must be exercised with all due diligence. In all cases, the factual and legal issues raised by the complainant must be exemined".^[33]

Finally, for all admitted complaints that are not withdrawn, SAs must provide a decision or other legally attacable act specifying the facts and legal considerations for confirming the alledged infringments from the complaint or rejecting the complaint or dismissing the complaint (not investigating it further).^[34] The controller or processor, if an infringment of the GDPR is found and the complainant in the event that his complaint is rejected or dismissed, in full or in part, have the right to appeal the decision of the SA in accordance with Article 78 GDPR.

Within a reasonable period

Handling of a complaint should be performed within a reasonable period of time (see also Article 77(2) GDPR and Article 78 GDPR). This reflects a fundamental duty of the SA to process complaints quickly and efficiently and to avoid lengthy proceedings.^[35]

Whether a reasonable time frame has been observed depends on the complexity of the case, as well as on the intensity of the infringment of the fundamental right, whereby it must also be taken into account whether the violation affects also rights of other data subjects. The aim is to prevent very long proceedings, including in transnational cases when further investigation or coordination with another SA is necessary.^[36] Nevertheless, the reasonable period will be somewhat longer if coordination with other SAs is needed, for example pursuant to Article 60 GDPR, in particular if there are reasoned objections from other supervisory authorities concerned and a binding decision of the European Data Protection Board (EDPB) needs to be adopted according to Article 65 GDPR.^[37]

Example: If it takes 6 years for a SA to investigate a complaint and take a final decision the complaint was not handled withing a reasonable time.

The provision must also be read in conjunction with Article 78 GDPR providing for a legal remedy against legaly binding decisions of SAs (seee above) and in case of inactivity of a SA.^[38] For example, at the latest after three months, the complainant must at least be informed of the state of affairs. If this does not happen, he can file a legal remedy against the SA.

For more information regading legal remedies see commentary to Article 78 GDPR.

(g) Cooperate with other supervisory authorities to ensure consistency and enforcement

SAs must share information and cooperate with other authorities in case a processing presents transnational profiles, including through the exchange of information and providing administrative assistance. Duty to cooperate is not limited to cases of cross-border processing as per Article 4(21) GDPR.

Example: Austrian SA asks the Danish SA to make an on-side inspection and seize data on controller's server located in Denmark.

The inter-agency cooperation can be regarded as a necessary instrument that allows SAs to exercise their general role of contributing to the consistent application of the GDPR throughout the EEA (Article 51(2) GDPR). Such aim would be impossible without a proactive cooperation. To that end GDPR provides for the cooperation and consistency mechanisms in Articles 60 to 66 GDPR (Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR).^[39]

(h) Conduct investigations

The SA is also tasked to carry out ex officio investigations to ensure compliance with the GDPR. To start the investigation, a SA can obtain the information out of its own initiative or from another SA (e.g. in accordance with Article 60(1) GDPR and Article 61(1)GDPR). Relevant information can also be obtained by another authority (e.g. a competition SA, consumer protection or telecommunications authority). In any of these cases, the SA can start an investigation.^[40]

Example: A SA initiates an ex officio investigation, after a research study by a NGO reveals that cars are sharing unlimited data with car producers, including video and audio of the driver and passangers.

At the European level, Article 46(b) of Regulation (EC) No 45/2001 contains a similar ex officio duty of investigation for the European Data Protection Supervisor (EDPS).^[41]

(i) Monitor relevant development

Another activity SAs are tasked with is to follow any development relevant to data protection field. In particular, the SA shall be updated on new communication technologies and business practices.

Example: Social networks start using pay-or-ok solutions.

This includes new invasive processing methods, for example in the areas of big data, pattern recognition and internet surveillance, as well as technical developments that can be used to ensure data protection requirements, such as options for separate data storage, encryption and pseudonymisation, and use of secure networks. SAs should be aware of new trends for example processing of personal data for purposes of advertising, pay-or-ok soutions, and the use of new consent and contract clauses.^[42]

This seems to be necessary in order to adequately carry out the other tasks, particularly monitoring and advice.^[43] To do so, the SAs shall be given appropriate human and technical resources (Article 52(4) GDPR).

(j) Adopt standard contractual clauses

Under Article 57(1)(j) SA are given the task to adopt standard contractual clauses as laid down in Article 28(8) GDPR and Article 46(2)(d) GDPR. Both cases require activitly bax the EDPB, either in the consistency mechanism under Article 63 GDPR or by adopting an opinion under Article 64(1)(d) GDPR.

For more information see commentary to Article 28(8) GDPR and Article 46(2)(d) GDPR.

(k) Establish and maintain a list of processing operations requiring a data protection impact assessment

Every SA has to establish and maintain a list of the processing operations for which a data protection impact assessment (DPIA) must always be carried out (Article 35(4) GDPR). On the other hand, maintaining a negative list for cases where a DPIA is not needed is not a mandatory task.^[44] According to Article 35(5) GDPR, a SA can also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. These lists are to be submitted to the EDPB.

For more information, please refer to Article 35 GDPR.

(l) Give advice on data protection impact assessment

Advising controllers and processors with regard to high-risk processing opertions referred to in Article 36(2) GDPR is one of the tasks of SAs. This includes receiving and reviewing the data protection impact assessment notified to it and advising the controller in accordance with Article 36(2) GDPR, in particularly making proposals to mitigate the risk. ^[45] SA can also make use of any of its powers referred to in Article 58 GDPR. This includes its corrective powers, in particulatly, if the written recommendations of the SA are not taken into account and the controller or processor continuously fails to properly identify and mitigate the risk.^[46]

For more details see commentary to Article 36 GDPR.

(m) Encourage the drawing up of codes of conduct and regulate the use of codes of conduct

SAs have the task of promoting development of codes of conduct by associations and other organisations representing categories of controllers or processors pursuant to Article 40(1) GDPR. SA receives the draft, examines it, issues opinions on the question if it is compatible with the GDPR and, if so, approves it.^[47]

See comment under Article 40 GDPR.

(n) Encourage and regulate the use of data protection certification mechanisms

This task is directly connected with Article 42(1) GDPR that stipulates that SAs are to encourage the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance of processing operations by controllers and processors with the GDPR. The SA is also to issue certifications and approve criteria according to which the process to be certified is to be examined pursuant to Article 42(5) GDPR.^[48]

See comment under Article 42 GDPR.

(o) Carry out periodic reviews of certifications

This task is further specified in Article 42 GDPR. A SA must periodically review the certifications granted under Article 42 GDPR (see also point (n) above), which is followed by a renewal or withdrawal of the certification in accordance with Article 42(7) GDPR.^[49]

For more information see comment under Article 42 GDPR.

(p) Draft and publish the requirements for accreditation of a body for monitoring codes of conduct and of a certification body

Tis task concerns codes of conduct under Article 41 GDPR and certifications under Article 43 GDPR, which can be approved and issued by bodies other than SAs. These bodies require accreditation for this purpose. The SA establises and publishes the requirements these bodies must fulfil for accreditation.^[50]

See also commentary to Article 41 GDPR and Article 43 GDPR.

(q) Accreditation of a body for monitoring codes of conduct and of a certification body

SAs are tasked to carry out the accreditation of a body for monitoring of compliance with a code of conduct pursuant to Article 41 GDPR and a certification body pursuant to Article 43 GDPR on the basis of the requiremens formulated under Article 57(1)(p) (see point (p) above).

For more information see also comments under Article 41 GDPR and Article 43 GDPR.

(r) Authorise contractual clauses and provisions

Similarly, SAs are in charge of authorisation of contractual clauses and provisions referred to in Article 46(3) GDPR providing a legal basis for transfers of data to third countries (outside EU/EEA) or to international organisations.

See comment under Article 46 GDPR.

(s) Approve binding corporate rules

This task concerns the role of SAs assigned to them by Article 47 GDPR with regard to binding corporate rules for internal transfers of data outside EU/EEA within one group of undertakings or group of enterprises engaged in a joint economic activity, which have to be approved by a SAs.

See commentry to Article 47 GDPR.

(t) Contribute to the activities of the EDPB

Pursuant to Article 57(1)(t) GDPR SAs contribute to the activities of the EDPB ("the Board"). The concept of contributions is to be understood comprehensively. It refers among other to the entire coherence procedure (Articles 63 to 66 GDPR), as well as to the numerous tasks of the EDPB.^[51] EDPB's tasks are listed in Article 70 GDPR and include, in particular, the preparation and publication of opinions, guidelines, recommendations and best practices. The SAs should actively contribute to the fulfilment of these tasks. This concerns both the meetings of the EDPB itself and their preparation, in particular within the framework of expert subgroups.^[52]

The EDPB itself has the task of promoting cooperation and exchange between data protection supervisory authorities.^[53]

(u) Keep internal records of infringements of the GDPR and measures taken

Furthermore, SAs have the task of keeping internal records of infringements of the GDPR and measures taken against controllers and processors under Article 58(2) GDPR, which lays down corrective powers of SAs. The content of internal records is not further specified. It seems that a bullet point description of the infringements and the type of measures taken (e.g. warning, reprimend, orders, imposition of fines) would be sufficient. It is not mandatory to include the amount of fines imposed. The records can be used as a basis for the activity report (Article 59 GDPR) and for diverse advisory tasks of the SAs. It can also be used to make strategic decisions on the future direction of SA's activities, its effectiveness, cooperation with other SAs and to follow general developments.^[54]

(v) Fulfil any other tasks related to the protection of personal data

Finally, Article 57(1)(v) GDPR constitutes the residual provision for all “other tasks related to the protection of personal data”. The list of tasks is therefore not exhaustive and member states can provide for further tasks in national law. However, these should be chosen carefully with a view to the respective financial resources and the already far-reaching tasks.^[55] An example of other tasks is the prior authorisation of data processing in the public interest if required under national law (Article 36(5) GDPR and Article 58(3)(c) GDPR).^[56]

On its territory

The wording ("on its terrirory") is intended to clarify that the tasks of the supervisory authority do not extend beyond the territory of its member state.^[57]

(2) Submission of complaints is to be facilitated

Article 57(2) GDPR provides for facilitation of the filing of a complaint on the formal side.^[58] This means that the SA should be able to provide simple and intuitive solutions for uploading and filing the complaint as well as relevant attachments. The provision expressly mentions a “complaint submission form” which should be easy to understand and gain access to. ^[59] The provision of a complaint form is a variant for making the submission of complaints unbureaucratic and simple. It can also make it easier for the SA to fulfil its tasks because it can use standardisation to make the complaints procedure more effective. The design of a complaints form can provide the complainant with instructions on how to complete the form, which makes the work of the SA easier and keeps the need for queries in limits. For example, it can be listed which information is required on the respondent and the subject of the complaint and which evidence, if any, may be relevant.^[60] The provision, however, does not exclude “other means of communications”, such as the e-mail. In order to facilitate the filing, the SA’s IT systems should be able to receive the complaints with the least number of obstacles possible. It should allow the upload of the most commonly used file formats and avoid setting unreasonable restrictions on the amount of files that can be uploaded and their dimension.^[61]

Additionally, data subject's right to file a complaint and seek protection following an infringement of the GDPR is widely mentioned and protected throughout the GDPR. Data subjects are informed about the existence of the right to complaint (Article12(4) GDPR and Article 13(2)(d)(e) GDPR). The SAs deal with every complaint, investigating it to an appropriate extent and informing the complainant about the progress and result of the investigation (Article 57(1)(f) GDPR). Data subject can lodge a complaint with a SA of his choice (Article 77 GDPR).^[62]

(3) Free of charge principle (for the data subject)

The right to file a complaint is granted free of charge. This supports the idea of data protection as a fundamental right that must be enforced without undue hindrance by both controllers and SAs. On the other side, since controllers and processors are not mentioned, it seems reasonable to conclude that the SA may charge them with some fees for the performance of their tasks.^[63] However, SAs should take into account that the performance of tasks free of charge, including where controllers and processors are involved, can encourage them to consult with the SA regarding their processing activities and thus contribute to GDPR-compliant processing.^[64]

(4) Exception: manifestly unfounded or excessive requests

Article 57(4) GDPR provides for an exception to the “free of charge” principle. In particular, if the requests are manifestly unfounded or excessive, in particular if they are repetitive, the authority may charge a reasonable fee or refuse to act on the request. This is to prevent the activity of a SA from being seriously impaired or even paralysed by troublemakers who make nonsensical or repeated requests. However, since the task of the SAs is to protect fundamental rights, this exception rule may only be used in clearly defined situations.^[65] The above exception may limit the protection of the data subject's right to file a complaint. For this reason, Article 57(4) GDPR provides that the data protection SA bears the burden of proof and must demonstrate that a request is manifestly unfounded or excessive.

Decisions

→ You can find all related decisions in Category:Article 57 GDPR

References

↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 1 (Nomos 2022).
↑ See Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 929 (Oxford University Press 2020).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).
↑ Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 1-3 (C.H. Beck 2021).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 4 (Nomos 2022).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 9 (C.H. Beck 2020).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 6 (Nomos 2022).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 9 (Nomos 2019).
↑ ^11.0 ^11.1 Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 7 (C.H. Beck 2018).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).
↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 13 (2nd Edition, C.H. Beck 2018).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 15 and 16 (Nomos 2022).
↑ Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57, margin numbers 9-11 (C.H. Beck, 36th edition).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14-19 (C.H. Beck 2020).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 23 and 24 (Nomos 2022).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).
↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).
↑ Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available here.
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available here.
↑ CJEU, case C- 362/ 14 - Schrems I, paragraph 63.
↑ See Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 3, available here. See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available here.
↑ Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 4, available here.
↑ Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 14, available here.
↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).
↑ See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available here.
↑ See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, pages 11 and 14, available here.
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).
↑ Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available here.
↑ See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available here.
↑ See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available here.
↑ See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available here.
↑ Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 6-11 (C.H. Beck 2017).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).
↑ Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).
↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).
↑ Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available here.
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 35-37 (Nomos 2019).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).
↑ xxxx
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 48 (Nomos 2022).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 40 (Nomos 2019).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 41 (Nomos 2019).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 50-52 (Nomos 2022).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 53 (Nomos 2022).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 54 (Nomos 2022).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 49 (Nomos 2019).
↑ Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 36-37 (C.H. Beck 2021, 39th Edition)
↑ Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 57 (Nomos 2019).
↑ Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 24 (C.H. Beck 2020).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 66 (Nomos 2022).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 13 (Nomos 2022).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
↑ Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
↑ Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
↑ Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
↑ Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
↑ Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, (C.H. Beck 2017). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 53-55 (Nomos 2019).
↑ Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 71 and 72 (Nomos 2022).
↑ Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 22-24 (C.H. Beck 2017); Körffer, Paal, Pauly, DS-GVO BDSG, Article 57 GDPR, margin number 31, who also advocates a cautious application of the exception to the principle of free of charge.

[1] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 1 (Nomos 2022).

[2] See Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 929 (Oxford University Press 2020).

[3] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).

[4] Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 1-3 (C.H. Beck 2021).

[5] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 4 (Nomos 2022).

[6] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 9 (C.H. Beck 2020).

[7] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).

[8] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).

[9] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 6 (Nomos 2022).

[10] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 9 (Nomos 2019).

[:0-11] 11.0 ^11.1 Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 7 (C.H. Beck 2018).

[12] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).

[13] Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 13 (2nd Edition, C.H. Beck 2018).

[14] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 15 and 16 (Nomos 2022).

[15] Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57, margin numbers 9-11 (C.H. Beck, 36th edition).

[16] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14-19 (C.H. Beck 2020).

[17] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 23 and 24 (Nomos 2022).

[18] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).

[19] Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).

[20] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).

[21] Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available here.

[22] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available here.

[23] CJEU, case C- 362/ 14 - Schrems I, paragraph 63.

[24] See Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 3, available here. See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available here.

[25] Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 4, available here.

[26] Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 14, available here.

[27] Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).

[28] See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available here.

[29] See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, pages 11 and 14, available here.

[30] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).

[31] Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available here.

[32] See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available here.

[33] See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available here.

[34] See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available here.

[35] Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 6-11 (C.H. Beck 2017).

[36] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).

[37] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).

[38] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).

[39] Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).

[40] Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).

[41] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available here.

[42] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 35-37 (Nomos 2019).

[43] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).

[44] xxxx

[45] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 48 (Nomos 2022).

[46] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 40 (Nomos 2019).

[47] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 41 (Nomos 2019).

[48] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 50-52 (Nomos 2022).

[49] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 53 (Nomos 2022).

[50] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 54 (Nomos 2022).

[51] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 49 (Nomos 2019).

[52] Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 36-37 (C.H. Beck 2021, 39th Edition)

[53] Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).

[54] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 57 (Nomos 2019).

[55] Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 24 (C.H. Beck 2020).

[56] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 66 (Nomos 2022).

[57] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 13 (Nomos 2022).

[58] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).

[59] Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).

[60] Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).

[61] Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).

[62] Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).

[63] Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, (C.H. Beck 2017). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 53-55 (Nomos 2019).

[64] Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 71 and 72 (Nomos 2022).

[65] Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57, margin numbers 22-24 (C.H. Beck 2017); Körffer, Paal, Pauly, DS-GVO BDSG, Article 57 GDPR, margin number 31, who also advocates a cautious application of the exception to the principle of free of charge.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

[38]

[39]

[40]

[41]

[42]

[43]

[44]

[45]

[46]

[47]

[48]

[49]

[50]

[51]

[52]

[53]

[54]

[55]

[56]

[57]

[58]

[59]

[60]

[61]

[62]

[63]

[64]

[65]

@@ Line 185: / Line 185: @@
 ==Legal Text==
-<br /><center>'''Article 57 - Tasks'''</center>
+'''Article 57 - Tasks'''
 <span id="1">1.   Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:</span>
@@ Line 289: / Line 289: @@
 ===== (f) Handle, investigate complaints and inform the complainant of the progress and outcome =====
-Under Article 57(1)(f) GDPR, SAs should deal with data subjects’ complaints and complaints filed by non-for-profit bodies on behalf of a data subject under [[Article 80 GDPR]]).<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).</ref> Handling of complaints is one of the main tasks of supervisory authorities.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).</ref> According to the EDPB's Internal Document 02/2021 "''[t]his key duty of [SAs] corresponds with the right of data subjects pursuant to [[Article 77 GDPR|Article 77 [GDPR]]] to lodge a complaint with a [SA].''"<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>  This implies that the subject matter of the complaint is investigated and the complainant is informed about the progress and result of the investigation.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> <blockquote>Case law: In case ''C-362/14 - Schrems'' CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.<ref>CJEU, case ''C- 362/ 14 - Schrems I'', paragraph 63.</ref></blockquote>
+Under Article 57(1)(f) GDPR, SAs should deal with data subjects’ complaints and complaints filed by non-for-profit bodies on behalf of a data subject under [[Article 80 GDPR]]).<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).</ref> Handling of complaints is one of the main tasks of supervisory authorities.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).</ref> According to the EDPB's Internal Document 02/2021 "''[t]his key duty of [SAs] corresponds with the right of data subjects pursuant to [[Article 77 GDPR|Article 77 [GDPR]]] to lodge a complaint with a [SA].''"<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>  This implies that the subject matter of the complaint is investigated with all due dilligence and the complainant is informed about the progress and result of the investigation.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> <blockquote>Case law: In case ''C-362/14 - Schrems'' CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.<ref>CJEU, case ''C- 362/ 14 - Schrems I'', paragraph 63.</ref></blockquote>
 ====== Complaint ======
-GDPR does not define what constitutes a complaint. According to EDPB gudance complaint may be defined as: a submission to a SA by an identified natural person – or a not-for-profit body, organization or association that fulfils the conditions provided by Article 80 of the GDPR – who considers that the processing of personal data relating to him or her infringes the GDPR. Meaning that a complaint is not restricted to a breach of the rights of the data subject under Chapter III of the GDPR but is, more generally, an infringement of the GDPR by a processing of the complainant’s personal data.<ref>See Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 3, available [https://edpb.europa.eu/system/files/2022-07/internal_edpb_document_062020_on_admissibility_and_preliminary_vetting_of_complaints_en.pdf here]. See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> ''"An infringement is a violation, a non-respect of the GDPR’s provisions including both the failure to accommodate the data subject as well as non-compliance with other controller or processor obligations."''<ref>Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 4, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-62020-preliminary-steps_en here].</ref> "''As regards the level of proof required to admit a complaint, it is necessary and sufficient that the complainant provides a substantiated complaint.''" <ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 14, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>
+GDPR does not define what constitutes a complaint. According to EDPB guideliness complaint may be defined as a submission to a SA by an identified natural person – or a not-for-profit body, organization or association that fulfils the conditions provided by Article 80 of the GDPR – who considers that the processing of personal data relating to him or her infringes the GDPR. Meaning that a complaint is not restricted to a breach of the rights of the data subject under Chapter III of the GDPR but is, more generally, an infringement of the GDPR by a processing of the complainant’s personal data.<ref>See Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 3, available [https://edpb.europa.eu/system/files/2022-07/internal_edpb_document_062020_on_admissibility_and_preliminary_vetting_of_complaints_en.pdf here]. See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> ''"An infringement is a violation, a non-respect of the GDPR’s provisions including both the failure to accommodate the data subject as well as non-compliance with other controller or processor obligations."''<ref>Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, page 4, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-62020-preliminary-steps_en here].</ref> "''As regards the level of proof required to admit a complaint, it is necessary and sufficient that the complainant provides a substantiated complaint.''" <ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 14, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>
 GDPR creates a wide possibility for data subjects to make complaints. Article 57(2) GDPR require SAs to facilitate the submission of complaints and not to charge fees (Artice 57(3) GDPR), except for manifestly unfounded or excessive requests (Artice 57(4) GDPR). [[Article 77 GDPR]] ensures that a data subject can issue a complaint before the SA of his residence, whilst not excluding complaints before other SAs.<ref>''Zerdick'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 936 (Oxford University Press 2020).</ref>
 ====== Investigate the subject matter of the complaint ======
-EDPB confirms in the Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringementsthat that SAs have pursuant to Article 57(1)(f) a duty to handle each and every complaint submitted to them.<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>  To handle a complaint refers to the whole procedure for dealing with complaints and thus covers all stages. This includes the investigation of the subject matter of the complaint, which ''"entails taking all necessary and appropriate steps with a view to resolving an issue or establishing whether an infringement has been committed and if so under what circumstances."'' <ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, pages 11 and 14, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> The subject matter relates to the facts of the case as presented by the complainant. The investigation can be carried out, for example, by hearing the person responsible, by on-site inspections or by researching the technical and other framework conditions ([[Article 58 GDPR|Article 58(1) GDPR]]). It is aimed at determining whether the processing and/or the handling of data subjects' rights is in compliance with the law.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).</ref> While handling the complaint SAs should always fulfill their procedural obligations under the GDPR, as well as adhere to other applicable rules and principles of EU law, such as the right to be heard (Article 41 CFR).<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>
+EDPB confirms in the Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringementsthat that SAs have pursuant to Article 57(1)(f) a duty to handle each and every complaint submitted to them.<ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> To handle a complaint refers to the whole procedure for dealing with complaints and thus covers all stages. This includes the investigation of the subject matter of the complaint, which ''"entails taking all necessary and appropriate steps with a view to resolving an issue or establishing whether an infringement has been committed and if so under what circumstances."'' <ref>See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, pages 11 and 14, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref> The subject matter relates to the facts of the case as presented by the complainant. The investigation can be carried out, for example, by hearing the person responsible, by on-site inspections or by researching the technical and other framework conditions ([[Article 58 GDPR|Article 58(1) GDPR]]). It is aimed at determining whether the processing and/or the handling of data subjects' rights is in compliance with the law.<ref>''Ziebarth,'' in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).</ref> While handling the complaint SAs should always fulfill their procedural obligations under the GDPR, as well as adhere to other applicable rules and principles of EU law, such as the right to be heard (Article 41 CFR).<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available [https://edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en here].</ref>
 ====== To the extent appropriate ======