Article 58 GDPR

From GDPRhub
Revision as of 06:29, 29 April 2022 by SR

Legal Text


Article 58 - Powers

1. Each supervisory authority shall have all of the following investigative powers:

(a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
(b) to carry out investigations in the form of data protection audits;
(c) to carry out a review on certifications issued pursuant to Article 42(7);
(d) to notify the controller or the processor of an alleged infringement of this Regulation;
(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

2. Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

3. Each supervisory authority shall have all of the following authorisation and advisory powers:

(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;
(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
(c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;
(d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);
(e) to accredit certification bodies pursuant to Article 43;
(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);
(g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);
(h) to authorise contractual clauses referred to in point (a) of Article 46(3);
(i) to authorise administrative arrangements referred to in point (b) of Article 46(3);
(j) to approve binding corporate rules pursuant to Article 47.

4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.

5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.

6. Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.

Relevant Recitals

Recital 132: Awareness-Raising Activities and Specific Measures
Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as natural persons in particular in the educational context.

Commentary

Article 58 GDPR standardises the powers that data protection supervisory authorities (“SAs”) can use in performing their tasks under Article 57 GDPR. The provision contains a comprehensive catalogue of investigative, corrective and advisory powers. These powers follow directly from the GDPR and therefore do not need to be implemented by Member State law. Under Article 70(1)(k) GDPR, the EDPB should in principle adopt guidelines on the concrete and consistent application of these powers.[1] In this regard, all of the SA’s powers are important. However, under Article 83(5)(e) GDPR, non-compliance with an order, a temporary or definitive limitation on processing or a suspension of data flows issued by the SA pursuant to Article 58(2) GDPR, or a failure to provide access in violation of Article 58(1) GDPR, may result in the highest fines possible.[2] It seems, therefore, that the legislator considers some of the powers described in Article 58 GDPR to be crucial for the functioning of SAs and, in turn, for the entire GDPR system.

(1) Investigative powers

A necessary step in enforcing the GDPR and handling data subjects’ complaints is the possibility of carrying out investigations. Article 58(1) GDPR distinguishes several types of investigation.

(a) Information Request

The SA can instruct the controller, the processor and, if applicable, the representative to provide all information that is necessary for the performance of its tasks. Information can be provided, for example, by transmitting documents to the SA, submitting written statements or replying to questionnaires. In addition, Article 30(4) GDPR stipulates that the controller or processor or, if applicable, the representative shall make the record of processing activities available to the SA on request.[3]

(b) Data Protection Audits

The SAs can carry out investigations in the form of data protection audits. An audit is commonly understood to be a comprehensive qualitative examination of the effectiveness of procedures within an organisation or company.[4] The initial version of Article 58 GDPR limited the scope of the audit to the business premises of the controller. After the Corrigendum to the GDPR,[5] however, the term “business premises” was replaced by “premises”. It follows that private rooms in which at least a part of the processing takes place are also included.[6]

(c) Review of Certifications

Under Article 58(1)(c) GDPR a supervisory authority can review certifications issued in accordance with Article 42(7) GDPR as well as the activities of accredited certification bodies within the meaning of Article 43(1) GDPR.

(d) Notification of an Alleged Infringement

In accordance with Article 58(1)(d) GDPR, a SA can inform a controller or processor about an alleged – i.e. possible, but not yet determined – infringement of the Regulation. Such a notice can be given, for example, directly in connection with a data protection audit, a data subject’s complaint or official information from another SA. The notice establishes a presumption of a violation of the GDPR, which, however, can be rejected by the controller or the processor.[7] This appears to be a constructive and proportional approach which gives controllers and processors a chance to know the provisional understanding of the authority and react accordingly, making submissions or bringing the processing into compliance.

(e) Access to Personal Data and All Relevant Information

The investigative powers of the SAs also include a right of access to personal data and information in accordance with Article 58(1)(e) GDPR. This type of investigation includes the right to directly access personal data and to inspect internal documents, databases and procedures, and is therefore wider and more incisive than the right to (request and) obtain information under Article 58(1)(a) GDPR. Controllers and processors must cooperate with the SA during the inspection. However, if such cooperation would amount to a violation of the nemo tenetur principle, it seems possible for the investigated party to lawfully refuse it.[8]

(f) Access to Premises Including Equipment and Means

Finally, data protection SAs – similarly to the European Commission and the national competition authorities in EU antitrust proceedings – are given the power to search the controller’s (or processor’s) premises in accordance with Article 58(1)(f) GDPR. According to Körffer,[9] the search is no longer restricted to the business premises but a judge’s authorization is indispensable with regard to the inviolability of the home and comparable places.[10] The term “premises” includes all data processing systems and all data processing devices.

(2) Corrective Powers

The corrective powers provided for in Article 58(2) GDPR enable the SAs to restore GDPR-compliant conditions in the event of violations. For this purpose, Article 58(2) GDPR builds a system of powers which should be used proportionately, having in mind the type of the envisaged violation and the risks for the data subjects. In doing so, a SA has to decide at its due discretion whether exercising a milder remedial power is sufficient to ensure the application and enforcement of the GDPR, or whether a higher escalation level must be triggered.

(a) Warnings

The mildest expression of the authority’s powers is the warning. The SA issues it if an intended processing operation is “likely” to violate the GDPR. There are no specifics as to the form of the warning. It follows that it can be issued in writing or orally (although a formal approach appears sensible). The controller can react to a warning by stopping the intended processing operation or bringing it into conformity with the law.[11]

(b) Reprimands

If the SA identifies a violation of the GDPR, it may, under Article 58(2)(b) GDPR, issue a reprimand to a controller or a processor. Contrary to what happens in the case of a warning, the reprimand indicates that one (or, more rarely, several) violations of the GDPR have already occurred. The SA will issue a reprimand if the threshold for imposing a fine has not yet been reached. For these reasons, scholars have defined the reprimand as the “little sister of the fine” or compared it to a “yellow card” from the SA.[12] However, if a reprimand is disregarded, the SA can respond by exercising more stringent remedial powers and by taking the conduct into account as a factor for a possible administrative fine (Article 83 GDPR).

(c) Orders to Comply with Data Subject’s Requests

Article 58(2)(c) GDPR serves as a second-level remedy in case a controller or processor violates the rights of the data subject. Should that happen, the SA can instruct the controller or the processor to comply with the data subject’s request regarding the right to information (Articles 13, 14 GDPR), access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), notification (Article 19 GDPR) or data portability (Article 20 GDPR). In these cases, the SA acts through an “order”. In accordance with Article 83(5)(6) GDPR, ignoring it would expose the controller to the highest fines.

(d) Order to Restore Compliance

The SA can instruct the controller or processor to bring processing operations in line with the GDPR. There is no limit to the type of instruction. The wording of the law appears to authorise any request that could serve the purpose of (re-)establishing GDPR compliance. Measures include, for example, instructions to take technical and organisational measures within the meaning of Article 32 GDPR, to appoint a data protection officer according to Article 37 GDPR, to create and maintain a record of processing activities according to Article 30 GDPR, to regulate the relationship with a processor by means of a contract, to change the alignment of surveillance cameras, or to change the use of pre-formulated consent within the meaning of Article 7 GDPR.[13] In accordance with Article 83(5)(6) GDPR, ignoring such an instruction would also expose the controller to the risk of potentially high fines.

(e) Communication of a Data Breach to the Data Subject

According to Article 58(2)(e) GDPR, the SA can instruct the controller to notify the persons affected by a data breach which triggers the notification obligations under Articles 33 and 34 GDPR.

(f) Ban on Processing

The SA can also order a restriction or ban on data processing in accordance with Article 58(2)(f) GDPR. The restriction on data processing can be temporary or permanent. These measures are strict and should be considered only if the controller or processor has shown particularly disrespectful conduct, as is the case when a previous warning, reprimand or order has been issued and the recipient has disregarded it.

(g) Order to Rectify or Erase Personal Data

Article 58(2)(g) GDPR authorises the SA to order a correction or deletion of data or a restriction of data processing. This especially comes into consideration if an instruction or other order has been disregarded previously.

(h) Withdrawal of Certification

If a SA comes to the conclusion that the prerequisites of a previously issued certification are no longer met, it may, in accordance with Article 42(7) GDPR, revoke the certification. If the certification is granted by a certification body, the SA can do so in accordance with Article 58(2) GDPR and instruct the body to revoke the certification or not to issue it.

(i) Administrative Fine

The most renowned (although probably not the most important) remedy introduced by the GDPR is the imposition of a fine under Article 58(2) GDPR in conjunction with Article 83 GDPR. The amount, which can go up to EUR 20 million or, if higher, up to 4 % of the undertaking’s total worldwide annual turnover, is determined taking into account the type of violation (Article 83(4)(5) GDPR) as well as the other qualitative factors listed in Article 83(2) GDPR, in particular the nature, gravity and duration of the infringement. The SA can, but does not have to, impose fines for violations. The relevant decision is at the discretion of the SA, whereby the considerations mentioned in Article 83 GDPR are to be taken into account. The fine can be imposed in addition to or instead of further remedial measures within the meaning of Article 58(2)(a)-(h) GDPR.[14]

(j) Suspension of Data Flows to a Recipient in a Third Country

A final remedy is provided for in Article 58(2)(j) GDPR. According to this, a SA can order the suspension of data transfer to a third country or to an international organisation if the third country or international organisation concerned does not or no longer offers an appropriate level of protection within the meaning of Article 45 GDPR.

(3) Advisory Powers

The authorisation and advisory powers in Article 58(3) GDPR supplement the investigative and corrective measures afforded to SAs. Article 58(3) GDPR lists all those cases in which authorisation or approval from a SA is a prerequisite for acting in accordance with the GDPR. In these cases, the SA carries out a prior check in order to preventively ensure the application and enforcement of the GDPR. In detail, this concerns the following powers (cf. Article 58(3)(c)-(j) GDPR):

- Approval of processing that is particularly risky for the fundamental right to data protection, provided that a Member State has made use of the optional specification clause (Article 36(5) GDPR);
- Opinion on and approval of draft codes of conduct in accordance with Article 40(5) GDPR and, where relevant, Article 64(1)(b) GDPR;
- Accreditation of certification bodies in accordance with Article 43 GDPR;
- Issuing of certifications in accordance with Article 42(5) GDPR and, if relevant, in accordance with Article 64(1)(c) GDPR;
- Standard contractual clauses in accordance with Article 28(8) GDPR and, where applicable, Article 46(2) GDPR;
- Approval of standard contractual clauses for international data transfers in accordance with Article 46(3)(a) GDPR and Article 64(1)(e) GDPR;
- Approval of administrative arrangements for international data transfers in accordance with Article 46(3)(b) GDPR;
- Approval of binding corporate rules in accordance with Article 47 GDPR.

(4) Appropriate Safeguards

In the absence of a uniform European administrative procedural law, the powers of the SAs must in principle be exercised in accordance with the national procedural law of the respective Member State. National procedural law must meet certain requirements; in particular, it must provide for due process and effective judicial remedies.[15]

(5) DPAs in Courts

Article 58(5) GDPR contains an opening clause that must be filled in by the legislators of the Member States. According to this provision, SAs must always have the power to bring violations of the GDPR before the courts. The specifying national legal provisions must determine whether a SA itself has a right of action or whether it has to involve the national judicial authorities, which in turn initiate judicial proceedings. The GDPR thus allows the Member States to embed the enforcement powers of the national SAs in their national legal systems.

(6) Additional Powers Provided by National Law

According to Article 58(6) GDPR, each Member State can stipulate that its SA receives further powers in addition to those mentioned in paragraphs 1-3, provided that this does not impair the effective implementation of Chapter VII of the GDPR on cooperation and consistency. Based on the express wording of paragraph 6, it can be assumed that the SAs may be given additional powers, but that the existing powers may not be restricted. A contrary view cannot be derived from any other provision of the GDPR.[16]


References

  1. Under Article 70(1)(k) GDPR, the EDPB should in principle adopt guidelines regarding the concrete and consistent application of such powers. See, Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 3 (Manz 2021).
  2. Feiler, Forgó, EU-DSGVO, Article 83 GDPR, margin number 17 (Verlag Österreich 2016).
  3. Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 14 (Manz 2021).
  4. Selmayr, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 13 (C.H. Beck 2018).
  5. Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4 May 2016.
  6. Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 17 f. (Manz 2021).
  7. Selmayr, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 16 (C.H. Beck 2018).
  8. Eichler, in Wolff/Brink, BeckOK DatenschutzR, Article 35 GDPR, margin number 14 (C.H. Beck, 36th edition).
  9. Körffer, in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 14 (C.H. Beck 2021).
  10. Also following the Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4 May 2016.
  11. Selmayr, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 58 GDPR, margin number 19 (C.H. Beck 2018).
  12. Martini, Wenzel, „Gelbe Karte“ von der Aufsichtsbehörde: Die Verwarnung als datenschutzrechtliches Sanktionenhybrid, in PinG, 5 (2017), pp. 92-96.
  13. Körffer, in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 20 (C.H. Beck 2021).
  14. As Zavadil clarifies, the Åkerberg Fransson ECJ ruling shows that the principle ne bis in idem does not apply if a measure with a punitive nature is imposed in addition to one without a punitive nature. It is therefore permissible to impose a fine alongside an administrative measure that is not punitive; Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 14 (Manz 2021).
  15. Körffer, in Paal, Pauly, GDPR BDSG, Article 58 GDPR, margin number 31 (C.H. Beck 2021).
  16. Zavadil, in Knyrim, DatKomm, Article 58 GDPR, margin number 56 (Manz 2021).