Article 57 GDPR

From GDPRhub
Article 57 - Tasks

Legal Text

Article 57 - Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
(d) promote the awareness of controllers and processors of their obligations under this Regulation;
(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;
(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;
(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);
(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);
(l) give advice on the processing operations referred to in Article 36(2);
(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);
(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);
(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);
(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
(r) authorise contractual clauses and provisions referred to in Article 46(3);
(s) approve binding corporate rules pursuant to Article 47;
(t) contribute to the activities of the Board;
(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and
(v) fulfil any other tasks related to the protection of personal data.

2. Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Relevant Recitals

Recital 122: Competence of Supervisory Authorities
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

Recital 123: Cooperation Amongst Supervisory Authorities and with the Commission
The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

Recital 129: Tasks and Powers of Supervisory Authorities
In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

Recital 132: Awareness-Raising Activities and Specific Measures
Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as natural persons in particular in the educational context.

Recital 133: Mutual Assistance and Provisional Measures
The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for mutual assistance within one month of the receipt of that request by the other supervisory authority.

Commentary

Article 57(1) GDPR contains a detailed, albeit not exhaustive, list of mandatory tasks assigned to the supervisory authorities (SAs).[1] Article 57(2) to (4) GDPR require SAs to facilitate the submission of complaints and not to charge fees to data subjects, except for manifestly unfounded or excessive requests.

Related Articles

Articles that are related to Article 57 GDPR include Article 4(21) GDPR (definition of a supervisory authority); Article 28(8) GDPR (adoption of processors' standard contractual clauses); Article 36(2) GDPR (prior consultation); Article 40 GDPR (codes of conduct); Article 42 GDPR (certification); Article 46 GDPR (standard data protection clauses for data transfers); Article 47 GDPR (approval of binding corporate rules); Article 50 GDPR (international cooperation for the protection of personal data); Article 58 GDPR (powers); Article 59 GDPR (activity reports); Article 60 GDPR (cooperation between supervisory authorities); Article 61 GDPR (mutual assistance); Article 62 GDPR (joint operations); Article 70 GDPR (tasks of the Board); Article 77 GDPR (complaint handling and investigations); and Article 83 GDPR (administrative fines).[2]

(1) Tasks of the supervisory authority (SA)

Article 57(1) GDPR sets out a list of 22 tasks (points (a) to (v)) that each SA must ("shall") perform on its territory. The detailed regulation aims at creating an equivalent level of data protection within the EU through a "uniform implementation framework" (Recitals 123 and 129 GDPR).[3] The list of tasks is not closed, as some tasks are set out in other parts of the GDPR ("without prejudice to other tasks set out under this Regulation"). An example is the drawing up of annual activity reports (Article 59 GDPR). Ensuring the free flow of personal data is not among the tasks of the SA.[4]

Tasks listed in Article 57(1) GDPR can be divided into:

  • monitoring and enforcement activities (points a, f, g and h),
  • investigation and audit activities (points f and h),
  • advisory activities (points c, d, e and l),
  • awareness-raising activities (points b and d),
  • cooperation activities (points g and t),
  • performing activities and applying instruments envisaged in other Articles of the GDPR (points j to s),
  • documentation requirements (point u), and
  • monitoring of relevant developments that could have an impact on the protection of personal data (point i).[5]

(a) Monitor and enforce the application of the GDPR

Monitoring and enforcement of the GDPR are the SA's main tasks. They summarise the core idea of the SA's activities, and all other tasks listed in Article 57(1) GDPR can be understood as manifestations of this general task.[6]

Monitoring

Monitoring the application of the GDPR refers to supervising controllers and processors and reviewing whether they comply with the GDPR. Monitoring includes data protection audits of controllers and processors, probes of compliance with certain provisions of the GDPR or with respect to certain types of data processing, and reviewing the certifications issued in accordance with Article 42(7) GDPR. When performing this task, a SA typically uses its investigative powers under Article 58(1)(a), (b), (e) and (f) GDPR.[7]

Example: A DPA starts a probe into video surveillance practices in supermarkets to determine whether controllers comply with the principles of lawfulness and data minimisation.[8]

Case law: In accordance with Article 8(3) of the Charter, Article 51(1) GDPR and Article 57(1)(a) GDPR, the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data.[9]

Enforce

Enforcement of the application of the GDPR concerns the remedying of infringements of the GDPR that a SA has identified.[10] This means that when a SA determines that the GDPR has been applied incorrectly or not at all by a controller or processor, the SA should not stop there, but ensure compliance.

Enforcement must be effective and, if necessary, coercive. Therefore the SA should make use of its corrective powers under Article 58(2) GDPR.[11] These range from a warning, to a ban on processing, to the imposition of fines. SAs thus become effective supervisors with the possibility to intervene comprehensively.[11] Data protection law, even at the highest level, is of little use if it is not enforced.[12]

Example: Company YX is transferring personal data to the US without a valid legal basis for the transfer. Once the SA has established the infringement of the GDPR, it should ensure that the infringement stops and that the controller brings the processing of personal data into compliance with the GDPR. This can be done by ordering the return of the data to the EU/EEA, banning future processing of the data concerned outside the EU/EEA and imposing a fine if YX does not comply with the order.

(b) Promote public awareness

The GDPR assigns the SAs the task of making the public aware of the risks associated with data processing and of the safeguards and protections that the GDPR affords to data subjects, with specific attention to children. To give an example, knowledge of the functions, possibilities and risks of automated data processing is limited among the general public. The risks arise not only from the technical possibilities of accessing knowledge, but also from the consequences that can result when state, social or economic power obtains knowledge about people in an uncontrolled and asymmetrical manner. Informing the public about this and about the rules, guarantees and rights of the individual is therefore an important task of the SAs and also an effective means of raising the level of data protection.[13] This can be done with educational events, conferences and also with the annual reports that SAs are required to draw up under Article 59 GDPR.[14] Awareness raising also strengthens the perception and presence of SAs. Only as a publicly known body can the authorities effectively fulfil their task as 'independent guardians of the fundamental right to data protection'.[15]

Example: A SA organises a public campaign "know your rights" on data subjects' rights that includes visits to schools.

(c) Advise Member States and other public bodies

This provision tasks SAs with providing general, preventive advice to public bodies on the measures to be taken to ensure an appropriate level of data protection. SAs should be consulted during the preparation of laws and regulations, as well as of administrative measures. In this regard, Article 36(4) GDPR stipulates that Member States must consult the SA during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing. Which institutions and bodies are to be advised is determined by the national law of each Member State.[16]

Example: Estonia upgrades its e-governance system. The Estonian SA should be consulted in the process, since the system introduces new technical solutions for the processing of personal data.

(d) Promote the awareness of controllers and processors

SAs should not only shed light on legislative proposals and administrative measures, but also advise those actors whose conduct is governed by the GDPR (controllers and processors). In practice, this task can be carried out, for example, through training courses, official statements and direct exchange with the obligated parties in the event of obvious difficulties in interpreting provisions.[17]

Example: Organisation of workshops for data protection officers.

(e) Provide information concerning the exercise of data subject rights

SAs are also tasked with providing specific guidance ("upon request") to data subjects on the exercise of their GDPR rights. This includes information regarding substantive rights, such as the right to erasure ("right to be forgotten", Article 17 GDPR) and the right to compensation (Article 82 GDPR), as well as procedural rights and legal enforcement options, for instance the rights under Article 77 GDPR, Article 78 GDPR and Article 80 GDPR.[18] Article 57(1)(e) GDPR also recognises that several SAs may have to work together to provide information to data subjects ("if appropriate, cooperate with the supervisory authorities in other Member States to that end"), for example in cross-border cases where the SA of the main or only establishment of the controller is charged with the investigation (Article 56 GDPR and Article 60 GDPR) and the SA with which the complaint has been lodged is charged with informing the complainant of the progress and outcome of the complaint (Article 77(2) GDPR).[19]

Example: Providing information by email about the mandatory requirements of a complaint upon a data subject's request.

(f) Handle, investigate complaints and inform the complainant of the progress and outcome

Handle complaints lodged by a data subject

Handling complaints is one of the main tasks of supervisory authorities.[20] "This key duty of [SAs] corresponds with the right of data subjects pursuant to Article 77 [GDPR] to lodge a complaint with a [SA]."[21] The SA's obligation to perform its task under Article 57(1)(f) GDPR is triggered by a complaint being filed with the SA. According to Article 77 GDPR, the complaint can be lodged by a data subject or, under Article 80 GDPR, by a not-for-profit body on behalf of a data subject.

When a SA receives a complaint, it must handle it.[22] SAs have the duty to handle each and every complaint submitted to them.[23] The CJEU has confirmed that the complaints procedure is not comparable to that of a petition.[24]

Case law: In C-26/22 - Schufa Holding CJEU held that the complaints procedure is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects.[24]

Complaint

The GDPR does not define what constitutes a complaint; it only specifies the subject matter of a complaint. According to Article 77(1) GDPR, the complaint concerns processing of personal data relating to the complainant which, in the complainant's view, infringes the GDPR. Consequently, complaints are not restricted to breaches of the data subject's rights under Chapter III of the GDPR, but also cover any other violation of the data subject's rights resulting from non-compliance of the controller or processor with other obligations under the GDPR. The complaint can be lodged with a SA either by the data subject (Article 77(1) GDPR) or by a not-for-profit body on behalf of the data subject under Article 80 GDPR. Accordingly, the European Data Protection Board ("EDPB") indicates that a complaint may be defined as a submission to a SA by an identified natural person (or a not-for-profit body, organisation or association that fulfils the conditions of Article 80 GDPR) who considers that the processing of personal data relating to him or her infringes the GDPR.[25] However, as the GDPR neither clarifies what constitutes a complaint nor provides for the minimum requirements of a complaint, this is determined by Member State law.

Handling of a complaint

Handling refers to the whole complaint procedure and thus covers all stages of the procedure, from checking the admissibility of the complaint and investigating its subject matter to taking a decision on the complaint and informing the data subject of the decision.

The complaint procedure itself is regulated only to a limited extent in the GDPR. Article 55 GDPR and Article 56(1) GDPR contain rules on competence, and Articles 60 to 66 GDPR and Article 56 GDPR contain rules on handling complaints concerning cross-border processing or with other transnational elements. As the GDPR does not provide detailed procedural rules for handling a complaint, SAs handle complaints in accordance with national procedural rules. However, as EDPB Internal Document 02/2021 clarifies, when handling a complaint SAs must always fulfil their procedural obligations under the GDPR and adhere to other applicable rules and principles of EU law, such as the right to be heard (Article 41 CFR).[26]

When a complaint is lodged, the SA first checks whether the complaint contains all the elements required for it to be admissible under national law.[27] Second, the SA must identify which SA is competent to handle the complaint in accordance with Article 55 GDPR and Article 56 GDPR and, if applicable, forward the complaint to the competent SA. This is done through the IMI (Internal Market Information) system.[28]

Investigate the subject matter of the complaint

The competent SA then has to investigate the subject matter of the complaint. This "entails taking all necessary and appropriate steps with a view to resolving an issue or establishing whether an infringement has been committed and if so under what circumstances." The investigation can be carried out, for example, by hearing the person responsible, by on-site inspections or by examining the technical and other framework conditions (Article 58(1) GDPR). It is aimed at determining whether the processing and/or the handling of data subjects' rights complies with the law.[29]

The subject matter relates to the facts of the case as presented by the complainant.

The subject matter of the complaint is to be investigated with all due diligence.[30]

Case law: In case C-362/14 - Schrems CJEU considered that where a person lodges with a SA a claim concerning the protection of his rights and freedoms in regard to the processing of his data it is incumbent upon the SA to examine the claim with all due diligence.[31]

To the extent appropriate

SAs have a margin of discretion as regards the extent or depth of the investigation needed: a complaint must be investigated "to the extent appropriate". Which investigatory steps are to be taken depends both on the circumstances of the specific case and on the requirements of national procedural law, but some degree of investigation must take place if the complaint is deemed admissible.[32]

Example: When a complaint concerns the processing of data without a legal basis through a website, no on-site investigation is necessary. Where the subject matter of the complaint concerns non-compliance of video surveillance with GDPR requirements, an on-site visit can be very helpful or even necessary.

According to the EDPB, necessary and appropriate steps encompass the measures (investigative powers) mentioned in Article 58 GDPR and include, among others, requesting information from the controller or processor and carrying out an audit or on-site inspection. While a SA "has a discretionary power to decide upon the necessary investigatory steps to be taken, including the extent and kind of information needed in order to provide a reply to the data subject and to decide on the necessity of enforcement action [...] [t]his discretionary power must be exercised with all due diligence. In all cases, the factual and legal issues raised by the complainant must be examined".[33]

Case law: Each supervisory authority is required on its territory to handle complaints lodged by a data subject, and is required to examine the nature of that complaint as necessary. The supervisory authority must deal with such a complaint with all due diligence.[34]

Inform the complainant of the outcome of the investigation

Finally, for all admitted complaints that are not withdrawn, SAs must issue a decision or other challengeable act setting out the facts and legal considerations for confirming the infringements alleged in the complaint, for rejecting the complaint or for dismissing the complaint (i.e. not investigating it further).[35] The controller or processor, where an infringement of the GDPR is found, and the complainant, where the complaint is rejected or dismissed in full or in part, have the right to challenge the decision of the SA in accordance with Article 78 GDPR. The SA's decision is subject to full judicial review. The SA must inform the data subject of the outcome of the investigation.

Within a reasonable period

A complaint should be handled within a reasonable period of time (see also Article 77(2) GDPR and Article 78 GDPR). This reflects a fundamental duty of the SA to process complaints quickly and efficiently and to avoid lengthy proceedings.[36] Whether a reasonable time frame has been observed depends on the complexity of the case as well as on the intensity of the infringement of the fundamental right, taking into account also whether the violation affects the rights of other data subjects. The aim is to prevent very long proceedings, including in transnational cases where further investigation or coordination with another SA is necessary.[37] Nevertheless, the reasonable period will be somewhat longer if coordination with other SAs is needed, for example pursuant to Article 60 GDPR, in particular if there are reasoned objections from other supervisory authorities concerned and a binding decision of the European Data Protection Board (EDPB) needs to be adopted under Article 65 GDPR.[38]

Example: If it takes 6 years for a SA to investigate a complaint and take a final decision the complaint was not handled within a reasonable time.

The provision must also be read in conjunction with Article 78 GDPR, which provides for a legal remedy against legally binding decisions of SAs (see above) and in the case of inactivity of a SA.[39] Under Article 78(2) GDPR, the complainant must be informed of the progress or outcome of the complaint within three months at the latest; if this does not happen, or if the SA does not handle the complaint at all, the complainant can bring proceedings against the SA.

Amicable settlements

(g) Cooperate with other supervisory authorities (SAs)

SAs must share information with and cooperate with other SAs where processing has a cross-border dimension, including through the exchange of information and the provision of mutual assistance. Proactivity is required, as SAs are under an obligation to contribute to the consistent application of the GDPR throughout the EU/EEA according to Article 51(2) GDPR.[40]

The GDPR provides rules on cooperation between SAs in Articles 60 to 66 GDPR and Article 56(2) to (5) GDPR. The duty to cooperate is not limited to cases of cross-border processing within the meaning of Article 4(23) GDPR.

Example: The Austrian SA asks the Danish SA to carry out an on-site inspection and seize data on a controller's server located in Denmark.

For more information on cooperation see commentary to Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR and Article 56 GDPR.

(h) Conduct investigations

The SA is also tasked with carrying out investigations on its own initiative to ensure compliance with the GDPR. A SA can also initiate an investigation on the basis of information received from another SA (e.g. in accordance with Article 60(1) GDPR and Article 61(1) GDPR), from another authority (e.g. a competition, consumer protection or telecommunications authority) or from any other source.[41]

Example: A SA initiates an ex officio investigation after a research study by an NGO reveals that cars are sharing extensive data with car manufacturers, including video and audio of the driver and passengers.

At the European level, Article 46(b) of Regulation (EC) No 45/2001 contained a similar ex officio duty of investigation for the European Data Protection Supervisor (EDPS).[42] That Regulation has since been repealed and replaced by Regulation (EU) 2018/1725, which retains a corresponding task for the EDPS.

(i) Monitor relevant development

SAs are also tasked with following any development relevant to the field of data protection. In particular, the SA must keep abreast of new information and communication technologies and commercial practices.

Example: Social networks start using pay-or-ok solutions.

This includes new invasive processing methods, for example in the areas of big data, pattern recognition and internet surveillance, as well as technical developments that can be used to meet data protection requirements, such as options for separate data storage, encryption and pseudonymisation, and the use of secure networks. SAs should be aware of new trends, for example the processing of personal data for advertising purposes, pay-or-ok solutions, and the use of new consent and contract clauses.[43]

This is necessary in order to adequately carry out the other tasks, particularly monitoring and advice.[44] To do so, SAs must be given appropriate human and technical resources (Article 52(4) GDPR).

(j) Adopt standard contractual clauses

Under Article 57(1)(j) GDPR, SAs are given the task of adopting standard contractual clauses as laid down in Article 28(8) GDPR and Article 46(2)(d) GDPR. Both cases require involvement of the EDPB within the consistency mechanism under Article 63 GDPR, by adopting an opinion under Article 64(1)(d) GDPR.

For more information see commentary to Article 28(8) GDPR and Article 46(2)(d) GDPR.

(k) Maintain a list of processing operations requiring a data protection impact assessment

Every SA has to establish and maintain a list of the processing operations for which a data protection impact assessment (DPIA) must always be carried out (Article 35(4) GDPR). On the other hand, maintaining a negative list for cases where a DPIA is not needed is not a mandatory task.[45] According to Article 35(5) GDPR, a SA can also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. These lists are to be submitted to the EDPB.

For more information, please refer to Article 35 GDPR.

(l) Give advice on data protection impact assessment

Advising controllers and processors with regard to high-risk processing operations referred to in Article 36(2) GDPR is one of the tasks of SAs. This includes receiving and reviewing the data protection impact assessment notified to it and advising the controller in accordance with Article 36(2) GDPR, in particular by making proposals to mitigate the risk.[46] The SA can also make use of any of its powers referred to in Article 58 GDPR. This includes its corrective powers, in particular if the written recommendations of the SA are not taken into account and the controller or processor continuously fails to properly identify and mitigate the risk.[47]

For more details see commentary to Article 36 GDPR.

(m) Encourage the drawing up of codes of conduct and regulate the use of codes of conduct

SAs have the task of promoting the development of codes of conduct by associations and other bodies representing categories of controllers or processors pursuant to Article 40(1) GDPR. The SA receives the draft code, examines it, issues an opinion on whether it complies with the GDPR and, if so, approves it.[48]

See comment under Article 40 GDPR.

(n) Regulate the use of data protection certification mechanisms

This task is directly connected with Article 42(1) GDPR, which stipulates that SAs are to encourage the establishment of data protection certification mechanisms and of data protection seals and marks for the purpose of demonstrating compliance of processing operations by controllers and processors with the GDPR. The SA is also to issue certifications and to approve the criteria against which the processing to be certified is examined, pursuant to Article 42(5) GDPR.[49]

See comment under Article 42 GDPR.

(o) Carry out reviews of certifications

This task is further specified in Article 42 GDPR. A SA must periodically review the certifications granted under Article 42 GDPR (see also point (n) above), which is followed by a renewal or withdrawal of the certification in accordance with Article 42(7) GDPR.[50]

For more information see comment under Article 42 GDPR.

(p) Draft the requirements for accreditation of monitoring bodies and certification bodies

This task concerns codes of conduct under Article 41 GDPR and certifications under Article 43 GDPR, which can be approved and issued by bodies other than SAs. These bodies require accreditation for this purpose. The SA determines and publishes the requirements these bodies must fulfil for accreditation.[51]

See also commentary to Article 41 GDPR and Article 43 GDPR.

(q) Accredit monitoring bodies and certification bodies

SAs are tasked with carrying out the accreditation of a body for monitoring compliance with a code of conduct pursuant to Article 41 GDPR and of a certification body pursuant to Article 43 GDPR, on the basis of the requirements formulated under Article 57(1)(p) GDPR (see point (p) above).

For more information see also comments under Article 41 GDPR and Article 43 GDPR.

(r) Authorise contractual clauses and provisions

SAs are also in charge of authorising the contractual clauses and provisions referred to in Article 46(3) GDPR, which provide a legal basis for transfers of data to third countries (outside the EU/EEA) or to international organisations.

See comment under Article 46 GDPR.

(s) Approve binding corporate rules

This task concerns the role assigned to SAs by Article 47 GDPR with regard to binding corporate rules for internal transfers of data outside the EU/EEA within a group of undertakings or a group of enterprises engaged in a joint economic activity. Such rules have to be approved by a SA.

See commentary to Article 47 GDPR.

(t) Contribute to the activities of the EDPB

Pursuant to Article 57(1)(t) GDPR, SAs contribute to the activities of the EDPB ("the Board"). The concept of contribution is to be understood comprehensively. It refers, among other things, to the entire consistency procedure (Articles 63 to 66 GDPR) as well as to the numerous tasks of the EDPB.[52] The EDPB's tasks are listed in Article 70 GDPR and include, in particular, the preparation and publication of opinions, guidelines, recommendations and best practices. The SAs should actively contribute to the fulfilment of these tasks. This concerns both the meetings of the EDPB itself and their preparation, in particular within the framework of expert subgroups.[53]

The EDPB itself has the task of promoting cooperation and exchange between data protection supervisory authorities.[54]

(u) Keep records of infringements

Furthermore, SAs have the task of keeping internal records of infringements of the GDPR and of the measures taken against controllers and processors under Article 58(2) GDPR, which lays down the corrective powers of SAs. The content of these internal records is not further specified. It seems that a bullet-point description of the infringements and of the type of measures taken (e.g. warning, reprimand, orders, imposition of fines) would be sufficient. It is not mandatory to include the amount of the fines imposed. The records can be used as a basis for the activity report (Article 59 GDPR) and for the various advisory tasks of the SAs. They can also be used to make strategic decisions on the future direction of the SA's activities and its effectiveness, on cooperation with other SAs, and to follow general developments.[55]

(v) Fulfil other tasks

Finally, Article 57(1)(v) GDPR constitutes the residual provision for all “other tasks related to the protection of personal data”. The list of tasks is therefore not exhaustive, and Member States can provide for further tasks in national law. However, these should be chosen carefully with a view to the respective financial resources and the already far-reaching tasks.[56] One example of such a task is the prior authorisation of data processing in the public interest where required under national law (Article 36(5) GDPR and Article 58(3)(c) GDPR).[57]

On its territory

The wording ("on its territory") is intended to clarify that the tasks of the supervisory authority do not extend beyond the territory of its Member State.[58]

(2) Submission of complaints to be facilitated

Article 57(2) GDPR provides for the facilitation of the filing of a complaint on the formal side.[59] This means that the SA should be able to provide simple and intuitive solutions for uploading and filing the complaint as well as relevant attachments. The provision expressly mentions a “complaint submission form”, which should be easy to understand and to access.[60] The provision of a complaint form is one way of making the submission of complaints unbureaucratic and simple. It can also make it easier for the SA to fulfil its tasks, because it can use standardisation to make the complaints procedure more effective. The design of a complaint form can provide the complainant with instructions on how to complete it, which makes the work of the SA easier and limits the need for follow-up queries. For example, the form can list which information is required on the respondent and on the subject of the complaint, and which evidence, if any, may be relevant.[61] The provision, however, does not exclude “other means of communication”, such as e-mail. In order to facilitate the filing, the SA’s IT systems should be able to receive complaints with as few obstacles as possible. They should allow the upload of the most commonly used file formats and avoid setting unreasonable restrictions on the number of files that can be uploaded and on their size.[62]

Additionally, the data subject's right to file a complaint and to seek protection following an infringement of the GDPR is widely mentioned and protected throughout the GDPR. Data subjects are informed about the existence of the right to lodge a complaint (Article 12(4) GDPR and Article 13(2)(d) and (e) GDPR). The SAs deal with every complaint, investigating it to an appropriate extent and informing the complainant about the progress and result of the investigation (Article 57(1)(f) GDPR). A data subject can lodge a complaint with a SA of their choice (Article 77 GDPR).[63]

(3) Free of charge principle for data subjects

The right to file a complaint is granted free of charge. This supports the idea of data protection as a fundamental right that must be enforceable without undue hindrance by either controllers or SAs. On the other hand, since controllers and processors are not mentioned, it seems reasonable to conclude that the SA may charge them fees for the performance of its tasks.[64] However, SAs should take into account that performing their tasks free of charge, including where controllers and processors are involved, can encourage them to consult the SA regarding their processing activities and thus contribute to GDPR-compliant processing.[65]

(4) Exception: manifestly unfounded or excessive requests

Article 57(4) GDPR provides for an exception to the “free of charge” principle. If requests are manifestly unfounded or excessive, in particular if they are repetitive, the authority may charge a reasonable fee or refuse to act on the request. This is to prevent the activity of a SA from being seriously impaired or even paralysed by troublemakers who make nonsensical or repeated requests. However, since the task of the SAs is to protect fundamental rights, this exception may only be used in clearly defined situations.[66] The exception may limit the protection of the data subject's right to file a complaint. For this reason, Article 57(4) GDPR provides that the SA bears the burden of proof and must demonstrate that a request is manifestly unfounded or excessive.

Decisions

→ You can find all related decisions in Category:Article 57 GDPR

References

  1. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 1 (Nomos 2022).
  2. See Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 929 (Oxford University Press 2020).
  3. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 1-3 (C.H. Beck 2021).
  4. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 4 (Nomos 2022).
  5. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).
  6. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 9 (C.H. Beck 2020).
  7. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019). See also Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 58 GDPR, margin number 7 (Nomos 2022).
  8. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 8 (Nomos 2019).
  9. C-311/18 - Schrems, paragraph 107. See also C-26/22 - Schufa Holding, paragraph 55.
  10. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 7 and 9 (Nomos 2019).
  11. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 7 (C.H. Beck 2018).
  12. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 6 (Nomos 2022).
  13. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 15 and 16 (Nomos 2022).
  14. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 13 (2nd Edition, C.H. Beck 2018).
  15. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition).
  16. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 9-11 (C.H. Beck, 36th Edition).
  17. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin numbers 14-19 (C.H. Beck 2020).
  18. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 23 and 24 (Nomos 2022).
  19. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 18 (C.H. Beck 2020, 3rd Edition).
  20. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 10 (C.H. Beck 2020, 3rd Edition).
  21. Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 4, available here.
  22. xxxxx
  23. See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available here.
  24. C-26/22 - Schufa Holding, paragraphs 56 and 58.
  25. See Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, pages 3 and 4, available here. See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 13, available here.
  26. Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available here.
  27. xxx
  28. xxx
  29. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 32-33 (Nomos 2022).
  30. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition). See also Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 11, available here.
  31. CJEU, C-362/14 - Schrems I, paragraph 63.
  32. See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available here.
  33. See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 16, available here.
  34. C‑311/18 - Schrems, paragraph 109.
  35. See Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, page 15, available here.
  36. Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57 GDPR, margin numbers 6-11 (C.H. Beck 2017).
  37. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 13 (C.H. Beck 2020, 3rd Edition).
  38. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 29 (Nomos 2019).
  39. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 12 (C.H. Beck 2020, 3rd Edition).
  40. Zerdick, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 57 GDPR, p. 931 (Oxford University Press 2020).
  41. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 9 (2nd Edition, C.H. Beck 2018).
  42. Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, available here.
  43. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 35-37 (Nomos 2019).
  44. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).
  45. xxxx
  46. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 55 GDPR, margin number 48 (Nomos 2022).
  47. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 40 (Nomos 2019).
  48. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 41 (Nomos 2019).
  49. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 50-52 (Nomos 2022).
  50. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 53 (Nomos 2022).
  51. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 54 (Nomos 2022).
  52. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 49 (Nomos 2019).
  53. Eichler, in Wolff, Brink, BeckOK Datenschutzrecht, Article 57 GDPR, margin numbers 36-37 (C.H. Beck 2021, 39th Edition).
  54. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 57 GDPR, margin number 11 (2nd Edition, C.H. Beck 2018).
  55. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 57 (Nomos 2019).
  56. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 57 GDPR, margin number 24 (C.H. Beck 2020).
  57. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 66 (Nomos 2022).
  58. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin number 13 (Nomos 2022).
  59. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
  60. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
  61. Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin number 52 (Nomos 2019).
  62. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
  63. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 57 GDPR, margin numbers 41-43 (C.H. Beck 2021).
  64. Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57 GDPR (C.H. Beck 2017). See also Polenz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 57 GDPR, margin numbers 53-55 (Nomos 2019).
  65. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 57 GDPR, margin numbers 71 and 72 (Nomos 2022).
  66. Selmayr, in Ehmann, Selmayr, DS-GVO, Article 57 GDPR, margin numbers 22-24 (C.H. Beck 2017); Körffer, in Paal, Pauly, DS-GVO BDSG, Article 57 GDPR, margin number 31, who also advocates a cautious application of the exception to the free-of-charge principle.