Article 51
Autorité de contrôle
(62) considérant que l'institution, dans les États membres, d'autorités de contrôle exerçant en toute indépendance leurs fonctions est un élément essentiel de la protection des personnes à l'égard du traitement des données à caractère personnel.
Règlement
Art. 51 1. Chaque État membre prévoit qu'une ou plusieurs autorités publiques indépendantes sont chargées de surveiller l'application du présent règlement, afin de protéger les libertés et droits fondamentaux des personnes physiques à l'égard du traitement et de faciliter le libre flux des données à caractère personnel au sein de l'Union. 2. Chaque autorité de contrôle contribue à l'application cohérente du présent règlement dans l'ensemble de l'Union. À cette fin, les autorités de contrôle coopèrent entre elles et avec la Commission conformément au chapitre VII. 3. Lorsqu'un État membre institue plusieurs autorités de contrôle, il désigne celle qui représente ces autorités au comité et définit le mécanisme permettant de s'assurer du respect, par les autres autorités, des règles relatives au mécanisme de contrôle de la cohérence visé à l'article 63. 4. Chaque État membre notifie à la Commission les dispositions légales qu'il adopte en vertu du présent chapitre, au plus tard, le … [deux ans à compter de la date d'entrée en vigueur du présent règlement], et, sans tarder, toute modification ultérieure les affectant. |
Directive
Art. 28 1. Chaque État membre prévoit qu'une ou plusieurs autorités publiques sont chargées de surveiller l'application, sur son territoire, des dispositions adoptées par les États membres en application de la présente directive. Ces autorités exercent en toute indépendance les missions dont elles sont investies. 2. Chaque État membre prévoit que les autorités de contrôle sont consultées lors de l'élaboration des mesures réglementaires ou administratives relatives à la protection des droits et libertés des personnes à l'égard du traitement de données à caractère personnel. 3. Chaque autorité de contrôle dispose notamment: - de pouvoirs d'investigation, tels que le pouvoir d'accéder aux données faisant l'objet d'un traitement et de recueillir toutes les informations nécessaires à l'accomplissement de sa mission de contrôle, - de pouvoirs effectifs d'intervention, tels que, par exemple, celui de rendre des avis préalablement à la mise en oeuvre des traitements, conformément à l'article 20, et d'assurer une publication appropriée de ces avis ou celui d'ordonner le verrouillage, l'effacement ou la destruction de données, ou d'interdire temporairement ou définitivement un traitement, ou celui d'adresser un avertissement ou une admonestation au responsable du traitement ou celui de saisir les parlements nationaux ou d'autres institutions politiques, - du pouvoir d'ester en justice en cas de violation des dispositions nationales prises en application de la présente directive ou du pouvoir de porter ces violations à la connaissance de l'autorité judiciaire. Les décisions de l'autorité de contrôle faisant grief peuvent faire l'objet d'un recours juridictionnel. 4. Chaque autorité de contrôle peut être saisie par toute personne, ou par une association la représentant, d'une demande relative à la protection de ses droits et libertés à l'égard du traitement de données à caractère personnel. La personne concernée est informée des suites données à sa demande. Chaque autorité de contrôle peut, en particulier, être saisie par toute personne d'une demande de vérification de la licéité d'un traitement lorsque les dispositions nationales prises en vertu de l'article 13 de la présente directive sont d'application. La personne est à tout le moins informée de ce qu'une vérification a eu lieu. 5. Chaque autorité de contrôle établit à intervalles réguliers un rapport sur son activité. Ce rapport est publié. 6. Indépendamment du droit national applicable au traitement en cause, chaque autorité de contrôle a compétence pour exercer, sur le territoire de l'État membre dont elle relève, les pouvoirs dont elle est investie conformément au paragraphe 3. Chaque autorité peut être appelée à exercer ses pouvoirs sur demande d'une autorité d'un autre État membre. Les autorités de contrôle coopèrent entre elles dans la mesure nécessaire à l'accomplissement de leurs missions, notamment en échangeant toute information utile. 7. Les États membres prévoient que les membres et agents des autorités de contrôle sont soumis, y compris après cessation de leurs activités, à l'obligation du secret professionnel à l'égard des informations confidentielles auxquelles ils ont accès. |
Belgique
Loi du 03.12.17 portant création de l'Autorité de protection des données Art. 3 Il est institué auprès de la Chambre des représentants une "Autorité de protection des données". Elle succède à la Commission de la protection de la vie privée. Elle a la personnalité juridique. Son siège est établi dans l'arrondissement administratif de Bruxelles-Capitale. |
Austria
All of the following in force until May 25, 2018: Control Bodies Data Protection Authority and Data Protection Council § 35 DSG 2000 (1) The Data Protection Authority and the Data Protection Council shall safeguard data protection in accordance with the regulations of this federal law without prejudice to the competence of the Federal Chancellor and the courts of law. (2) (Constitutional provision) The Data Protection Authority shall exercise its functions vis-á-vis the highest executive authorities enumerated in Art. 19 B-VG. Establishment of the Data Protection Authority § 36 DSG 2000 (1) The Data Protection Authority is managed by its head. He is appointed for a term of five years by the Federal President on a proposal of the Federal Government; re-appointments are permitted. The proposal is to be preceded by an advertisement for the position, which permits general applications. The advertisement for the position falls under the responsibility of the Federal Chancellor. The position of the head of the Data Protection Authority shall be advertised on the public career website of the Federal Chancellery. The position shall also be advertised in the official journal “Wiener Zeitung” . (2) The head of the Data Protection Authority must 1. have completed his study of law and political science, 2. have the necessary personal and professional aptitude through prior education and appropriate professional experience in the matters to be handled by the Data Protection Authority, 3. possess excellent knowledge of Austrian data protection law, European Union law and fundamental rights and 4. have at least five years of professional experience in the legal field. (3) The following persons may not be appointed head of the Data Protection Authority: 1. Members of the Federal Government, State Secretaries, Members of a Land Government, National Council, Federal Council or any other General Representative Body or of the European Parliament, as well as a member of the Ombudsman Board and the president of the Public Audit Office; 2. anybody who held one of the positions listed in sub-para. 1 in the last two years; 3. anybody who may not be elected for the National Council. (4) The head of the Data Protection Authority may not exercise any function that casts doubt on his professional independence or creates the impression of partiality or that keeps him from performing his duties or endangers essential official interests. He is required to report functions that he exercises beside his office as head of the Data Protection Authority to the Federal Chancellor without delay. (5) The function of the head of the Data Protection Authority ends with the expiry of the period of office, death, abdication and loss of eligibility to the national Council. (6) Once the function of the head of the Data Protection Authority ends, a new head shall be appointed according to the rules of para. 1 to 3. (7) The Federal President shall appoint a deputy head of the Data Protection Authority on a proposal of the Federal Government according to the rules of para. 1 to 3. Para. 4 to 6 shall be applied to the deputy head of the Data Protection Authority in equal measure. He shall represent the head of the Data Protection Authority during his absence. Organisation and Independence of the Data Protection Authority § 37 DSG 2000 (1) The head of the Data Protection Authority is independent and not bound by instructions in the exercise of his office. (2) The Data Protection Authority is an administrative authority und human resource department. The Federal Finance Act shall provide for the necessary expenditures for staff and equipment. The officials of the Data Protection Authority shall be bound only by the instructions of the head. The head shall have the service prerogative over the officials of the Data Protection Authority. (3) The Federal Chancellor can request information from the head of the Data Protection Authority about the operations of the authority. The head of the Data Protection Authority shall comply such requests only insofar as this does not compromise the independence of the supervisory authority as laid down in Article 28 paragraph 1 sub-paragraph 2 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995, p. 31. (4) The Data Protection Authority shall be heard before laws concerning essential issues of data protection and federal ordinances based on this federal law or which otherwise directly concerns important issues of data protection are enacted. (5) The Data Protection Authority shall formulate until 31 March every year a report about its workings in the preceding calendar year, submit it to the Federal Chancellor and publish it in an appropriate manner. The report shall be submitted to the National Council and the Federal Council by the Federal Chancellor. (6) Decisions of the Data Protection Authority of fundamental importance to the general public shall be published by the Data Protection Authority in a suitable manner while respecting official secrecy rules. Rulings of the Data Protection Authority § 38 DSG 2000 (1) Controllers in the public sector always have a position as party in proceedings before the Data Protection Authority. (2) Rulings that permit transmission and committing of data according to section 13, shall be revoked once the legal or factual prerequisites under which the permit was issued, especially pursuant to a promulgation of the Federal Chancellor according to section 55 no longer apply. (3) Parties according to para. 1 may file a complaint with the federal administrative court. Procedure before the Federal Administrative Court § 39 DSG 2000 (1) The federal administrative court shall decide on complaints against rulings as well as complaints regarding the obligation to decide in due time regarding matters of this federal law by chamber. (2) The chamber shall consist of a chairman und one professionally experienced lay judge from the domain of the employers and from the domain of employees each. The professionally experienced lay judges shall be appointed on a proposal by the Austrian Federal Economic Chamber and the Federal Chamber of Labour. Appropriate arrangements shall be made so that a sufficient number of professionally experienced lay judges can be nominated at the right time. (3) The professionally experienced lay judges must have at least five years of relevant professional experience and special knowledge of data protection law. (4) The chairman shall transmit all documents relevant to the decision to the professionally experienced lay judges without delay, or, if this is impractical or absolutely necessary to safeguard the confidence of the documents, make them available in some other way. Appeal before the Supreme Administrative Court § 40 DSG 2000 An appeal before the Supreme Administrative Court may be brought by any party according to section 38 para. 1. Establishment and Duties of the Data Protection Council § 41 DSG 2000 (1) A Data Protection Council is established at the Federal Chancellery. (2) The Data Protection Council shall advise the Federal Government and the Land Governments on requests in political matters of data protection. For this purpose, 1. the Data Protection Council can deliberate on questions of fundamental importance for data protection and may issue opinions by itself or commission an expert to deliver an opinion; 2. the Data Protection Council shall be given opportunity to give its opinion on draft bills of federal ministries, insofar as these are significant for data protection; 3. public sector controllers shall present their projects to the Data Protection Council for evaluation, insofar as these are significant for data protection; 4. the Data Protection Council shall have the right to request information and documents from public sector controllers insofar as this is necessary to evaluate projects of significant impact on data protection in Austria; 4a. (Note: repealed by Federal Law Gazette I Nr. 83/2013) 5. the Data Protection Council may ask private sector controllers or their representations of interest established by law to give their opinion on developments of general importance that give cause for concern or at least call for attention from a data protection perspective; 6. the Data Protection Council may transmit its observations, concerns and suggestions for improvements of data protection in Austria to the Federal Government and the Land Governments, as well as to the legislative bodies by way of these organs. (3) Para. 2 sub-paras. 3 and 4 shall not apply insofar as the internal affairs of the churches and religious communities acknowledged by law are concerned. Composition of the Data Protection Council § 42 DSG 2000 (1) The Data Protection Council shall have the following members: 1. representatives of the political parties: The party that is most strongly represented in the main committee of the National Council shall delegate four representatives, the second strongest shall delegate three members and all other parties represented in the main committee of the National Council shall delegate one member each, to be determined by the strength of representation at the time of delegation. In case of equal number of deputies of two parties in the main committee the number of votes cast in the most recent election to the Federal Parliament is decisive; 2. each one representative of the Federal Chamber of Labour and from the Austrian Federal Economic Chamber; 3. two representatives of the provinces; 4. one representative each of the Association of Austrian Municipalities and the Austrian Association of towns; 5. one representative of the Federation appointed by the Federal Chancellor. (2) The representatives mentioned in para. 1 sub-para. 3, 4 and 5 should have professional experience in the field of computer science and data protection. (3) An alternate representative shall be nominated for every representative. (4) Members of the Federal Government or of a Land Government or Secretaries of State as well as persons who may not be elected for the National Council shall not be members of the Data Protection Council. (5) The representatives shall be members of the Data Protection Council until they announce their resignation in writing to the Federal Chancellor, or, if no resignation is announced, until the nominating body (para. 1) has named another representative to the Federal Chancellor. Members according to para 1 sub-para 1 retire also, as soon as the main committee has been newly elected according to § 29 and 30 of the Rules of Procedure Law of 1975, Federal Law Gazette No. 410, and they have not been delegated again. (6) The members of the Data Protection Council shall serve in an honorary capacity. Members of the Data Protection Council living outside of Vienna shall be entitled to receive compensation for travel expenses (category 3) according to the regulations for federal officials, if they attend meetings of the Data Protection Council. Chairmanship and Operation of the Data Protection Council § 43 DSG 2000 (1) The Data Protection Council shall decide on its rules of procedure. (2) The Data Protection Council shall elect a chairman and two vice chairmen. The term of office of the chairman and the vice chairmen shall be five years, without prejudice to § 42 para. 5. Reappointments shall be permitted. (3) The Federal Chancellery shall be responsible for the operation of the Data Protection Council. The Federal Chancellor shall supply the necessary personnel. While working for the Data Protection Council, the officials of the Federal Chancellery shall be bound only by instructions of the chairman of the Data Protection Council with regard to their professional work. Meetings and Decisions of the Data Protection Council § 44 DSG 2000 (1) The meeting of the Data Protection Council shall be convened by the chairman whenever the need arises. If a member requests that a meeting be convened, the chairman shall convene the meeting so that it can take place within four weeks. (2) The chairman can bring experts into the meeting whenever the need arises. (3) Deliberations and decisions of the Data Protection Council shall require the presence of at least half of its members. Decisions shall be passed by a simple majority of votes cast. In the case of a parity of votes, the vote of the chairman shall decide the issue. An abstention from the vote is not permitted. A dissenting opinion may be given. (4) The Data Protection Council may create permanent or ad hoc working groups which it may entrust with the preparation, appraisal and handling of specific issues. An individual member (rapporteur) may be entrusted with executive work, the first appraisal and handling of specific issues. (5) Every member of the Data Protection Council must – unless justifiably being prevented – attend the meetings of the Council. A member who is unable to attend shall inform his alternate member without delay. (6) The head of the Data Protection Authority shall have the right to attend meetings of the Data Protection Council or its working groups. He has not the right to vote. (7) The deliberations of the Data Protection Council shall be confidential as long as the Data Protection Council itself does not decide otherwise. (8) The members of the Data Protection Council, the head of the Data Protection Authority and experts brought into the meeting according to para. 2 shall be obliged to keep all information confidential of which they have learned solely due to their activities for the Data Protection Council, insofar as secrecy is required in the public interest or in the interest of a party. |