Article 59 GDPR

From GDPRhub
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Article 59 - Activity reports
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 59 - Activity reports

Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the Board.

Relevant Recitals

No recitals seem to be available for this provision.

Commentary

The main goal of the activity reports regulated by Article 59 GDPR consists of informing national and EU authorities as well as the larger public about the activities the supervisory authority (SA) has performed over the previous year. The obligation of SAs to submit an annual report thus primarily serves to ensure democratic control and transparency.[1]

Case law: The CJEU in Commission v Germany, considered tha the obligation of independent SAs to regularly submit and publish a report on their activities, provided for in Article 28(5) of the Data Protection Directive, to be part of the accountability required by the principle of democracy as a counterpart to complete independence of SAs.[2]

The activity report can also contribute to a harmonised and consistent implementation and enforcement of the GDPR across the EEA and to developing a common opinion among different SAs over new or contentious data protection issues. Additionally, the reports can be a good reference point for data protection officers. If a breach has occurred in processing by other controller, possibly even in the same sector, it may be a good idea to check the proccessing in one's own organisation in this regard as well. The activity reports usually also contain information on how a measure can be implemented in compliance with the law. Finally, the reports can also help to avoid unnecessary costs (in private detectives, video cameras, etc.), if the practice is considered illegal by the SA. Similarly, the reports help everyone to assert their rights as data subjects, as they often raise awareness of the situations in which data processing is (un)permissible.[3]

Contents of the report

The wording does not impose the authority a tight constraint in terms of contents. In the black-letter of the law, the report ”may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2) [GDPR]”. These is a reference to the information that SAs must keep in internal records according to Article 57(1)(u) GDPR.[4] The report may include that information but if it does not, it is unlikely to be invalid. However, the report cannot end up resulting in a sterile formalistic exercise, carrying no substantive information. This would conflict with the accountability and transparency purpose enshrined by the provision itself and should therefore be avoided.[5]

Adressees of the report

The report is to be transmitted to the national parliament, the government and other authorities as designated by member state law. In addition to transparency and accountability of SAs, the report is a source of information for legislators in the further development of data protection law.[6]

Furthermore, the report must be made available to the public, the Commission and the EDPB ("the Board"). In this context, SAs must send the report to the Commission and the EDPB, wherea publication on a website will be sufficient to fulfil the obligation towards the public.  Making the report accessible to the EDPB will enable the other SAs to take note of it and thus enable a uniform interpretation and and enforcement of the GDPR.[7]

Decisions

→ You can find all related decisions in Category:Article 59 GDPR

References

  1. Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 59 GDPR, margin number 1 (2nd Edition, C.H. Beck 2018).
  2. CJEU in case C-518/07 - Commission v Germany, paragraphs 45 and 46, available here.
  3. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 59 GDPR, margin numbers 4 and 5 (Nomos 2022).
  4. Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 59 GDPR, margin number 8 (Nomos 2022).
  5. Similarly, see Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 59 GDPR, margin number 4 (C.H. Beck 2020).
  6. Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 59 GDPR, margin number 7 (C.H. Beck 2020, 3rd Edition).
  7. See Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 59 GDPR, margin numbers 11 and 12 (Nomos 2022).