Article 52
Independence

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 52 keyboard_arrow_down Hide the recitals of the Regulation related to article 52 keyboard_arrow_up

(117) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

(118) The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.

Show the recitals of the Directive related to article 52 keyboard_arrow_down Hide the recitals of the Directive related to article 52 keyboard_arrow_up

(62) Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;

The GDPR

Article 52 is intended to clarify the conditions guaranteeing the independence of the supervisory authorities, in accordance with the case law of the Court of Justice of the European Union (CJEU, 9 March 2010, C-518/07), and also on the basis of Article 44 of Regulation (EC) No. 45/200135.

In this case, the Court considered that the Federal Republic of Germany had failed to fulfil the obligations imposed under Article 28, paragraph 1, second subparagraph of Directive 95/46 by submitting to the guardianship of the State the supervisory authorities competent for monitoring the personal data processing by the non-public sector in the different countries, thus transposing incorrectly the requirement that these authorities exercise their tasks “with complete independence”.

Furthermore, Regulation (EC) No. 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data provides in details the conditions of independence of the European data protection controller.

Article 52 codifies that the supervisory authority of each Member State shall act with complete independence in performing its tasks and exercising its powers, in accordance with this Regulation. Accordingly, the second paragraph of Article 52 specifies that member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

The third paragraph obliges the members of the supervisory authority to refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether profitable or not (Art. 52 (3)). Pursuant to paragraph 4, each Member State shall ensure that each supervisory authority is provided with the staff, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the European Data Protection Board.

Each supervisory authority must also be able to choose and have its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned (paragraph 5).

Finally, as stated in recital 118, the independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial management. Accordingly, Article 52, paragraph 6 provides that each supervisory authority is subject to financial control which does not affect its independence. For this purpose, each supervisory authority shall have a separate, public annual budget, which may be part of the overall state or national budget.

The Directive

According to Article 28, paragraph 1, second subparagraph of the Directive, the national authorities shall act with complete independence in exercising the functions entrusted to them.

Potential issues

We do not see a priori any specific implementation difficulties.

CJEU caselaw

C-518/07 (9 march 2010)

1.      Declares that, by making the authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to State scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, the Federal Republic of Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Federal Republic of Germany to pay the costs of the Commission;

3.      Orders the European Data Protection Supervisor (EDPS) to bear his own costs.

Opinion of Advocate general

Judgment of the Court

C-614/10 (16 october 2012)

1.      Declares that, by failing to take all of the measures necessary to ensure that the legislation in force in Austria meets the requirement of independence with regard to the Datenschutzkommission (Data Protection Commission), more specifically by laying down a regulatory framework under which

–        the managing member of the Datenschutzkommission is a federal official subject to supervision,

–        the office of the Datenschutzkommission is integrated with the departments of the Federal Chancellery, and

–        the Federal Chancellor has an unconditional right to information covering all aspects of the work of the Datenschutzkommission,

the Republic of Austria has failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Republic of Austria to pay the costs incurred by the European Commission;

3.      Orders the Federal Republic of Germany and the European Data Protection Supervisor to bear their own respective costs.

Opinion of Advocate general

Judgment of the Court 

C-230/14 (1 october 2015)

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general 

Judgment of the Court

Regulation
1e 2e

Art. 52

1.   Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2.   The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3.   Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4.   Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

5.   Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6.   Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

1st proposal close

Art. 47

1.           The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it.

2.           The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody.

3.           Members of the supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4.           Members of the supervisory authority shall behave, after their term of office, with integrity and discretion as regards the acceptance of appointments and benefits.

5.           Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.

6.           Each Member State shall ensure that the supervisory authority has its own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.

7.           Member States shall ensure that the supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that the supervisory authority has separate annual budgets. The budgets shall be made public.

2nd proposal close

Art. 47

1. Each supervisory authority shall act with complete independence in performing the duties and exercising the powers entrusted to it in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their duties and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect and neither seek nor take instructions from anybody.

3. (...)

4. (...)

5. Each Member State shall ensure that each supervisory authority is provided with the (...) human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and exercise of its powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.

6. Each Member State shall ensure that each supervisory authority has its own staff which shall (...) be subject to the direction of the member or members of the supervisory authority.

7. Member States shall ensure that each supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that each supervisory authority has separate, public, annual budgets, which may be part of the overall state or national budget.

Directive close

Art. 28

(…).

These authorities shall act with complete independence in exercising the functions entrusted to them.

 

 

Art. 153 - Garante per la protezione dei dati personali


1.    Il Garante è composto dal Collegio, che ne costituisce il vertice, e dall’Ufficio. Il Collegio è costituito da quattro componenti, eletti due dalla Camera dei deputati e due dal Senato della Repubblica con voto limitato. I componenti devono essere eletti tra coloro che presentano la propria candidatura nell’ambito di una procedura di selezione il cui avviso deve essere pubblicato nei siti internet della Camera, del Senato e del Garante almeno sessanta giorni prima della nomina. Le candidature devono pervenire almeno trenta giorni prima della nomina e i curricula devono essere pubblicati negli stessi siti internet. Le candidature possono essere avanzate da persone che assicurino indipendenza e che risultino di comprovata esperienza nel settore della protezione dei dati personali, con particolare riferimento alle discipline giuridiche o dell’informatica.
2.    I componenti eleggono nel loro ambito un presidente, il cui voto prevale in caso di parità. Eleggono altresì un vice presidente, che assume le funzioni del presidente in caso di sua assenza o impedimento.
3.    L’incarico di presidente e quello di componente hanno durata settennale e non sono rinnovabili. Per tutta la durata dell’incarico il presidente e i componenti non possono esercitare, a pena di decadenza, alcuna attività professionale o di consulenza, anche non remunerata, né essere amministratori o dipendenti di enti pubblici o privati, né ricoprire cariche elettive.
4.    I membri del Collegio devono mantenere il segreto, sia durante sia successivamente alla cessazione dell’incarico, in merito alle informazioni riservate cui hanno avuto accesso nell’esecuzione dei propri compiti o nell’esercizio dei propri poteri.
5.    All’atto dell’accettazione della nomina il presidente e i componenti sono collocati fuori ruolo se dipendenti di pubbliche amministrazioni o magistrati in attività di servizio; se

professori universitari di ruolo, sono collocati in aspettativa senza assegni ai sensi dell’articolo 13 del decreto del Presidente della Repubblica 11 luglio 1980, n. 382. Il personale collocato fuori ruolo o in aspettativa non può essere sostituito.
6.    Al presidente compete una indennità di funzione pari alla retribuzione in godimento al primo Presidente della Corte di cassazione, nei limiti previsti dalla legge per il trattamento economico annuo omnicomprensivo di chiunque riceva a carico delle finanze pubbliche emolumenti o retribuzioni nell’ambito di rapporti di lavoro dipendente o autonomo con pubbliche amministrazioni statali. Ai componenti compete una indennità pari ai due terzi di quella spettante al Presidente.
7.    Alle dipendenze del Garante è posto l’Ufficio di cui all’articolo 155.
8.    Il presidente, i componenti, il segretario generale e i dipendenti si astengono dal trattare, per i due anni successivi alla cessazione dell’incarico ovvero del servizio presso il Garante, procedimenti dinanzi al Garante, ivi compresa la presentazione per conto di terzi di reclami richieste di parere o interpelli.

Old law close

Art. 153 D.Lgs 196/2003 - The Garante

1. The Garante shall act fully autonomously and independently in its decisions and assessments.

2. The Garante shall be a collegiate body composed of four members, of whom two shall be elected by the Chamber of Deputies and two by the Senate through a specific voting procedure. The members shall be persons ensuring independence and with proven experience in the field of law or computer science; experts from both sectors shall have to be included.

3. The members shall elect their President, who shall have the casting vote in the case where votes are equal. They shall also elect a Vice-President, who shall discharge the functions of the President if the latter is absent or hindered.

4. President and members shall hold office for seven years; their appointment shall not be renewable. For the entire term of their office, President and members shall not be allowed - under penalty of losing office - to carry out professional or advisory activities, manage or be employed by public or private entities or hold elective offices.

5. Once President and members have accepted their appointment, they shall be assigned to the temporary staff if they are employees in the public administration or judges/prosecutors not yet retired; if they are faculty professors at an University, they shall be put on leave of absence with no allowances pursuant to Section 13 of Presidential decree no. 382 of 11.07.1980 as subsequently amended. Staff who have been assigned to the temporary staff or put on leave of absence may not be replaced.

6. The President shall be entitled to an allowance not exceeding the one paid to the judge presiding over the Court of Cassation (Corte di Cassazione). Members shall be entitled to an allowance not exceeding two-thirds of that paid to the President. The aforementioned allowances shall be determined pursuant to Section 6 of Presidential Decree no. 501 of 31 March 1998 in such a way as to be included in the ordinary budget.

7. The Office referred to in Section 156 shall be under the authority of the Garante.

Art. 176 D.Lgs. 196/2003 - Public Bodies

1. In section 24(3) of Act no. 241 of 7 August 1990, after the words "by computerised means" there shall be inserted the following: "except for the cases in which a data subject requests access to the personal data concerning him or her,".

2. In Section 2 of legislative decree no. 165 of 30 March 2001 concerning employment by public administrative agencies, after paragraph 1 there shall be inserted the following: "1-bis. The organisational criteria referred to in this Section shall be implemented by complying with the provisions on processing of personal data.".

3. For Section 4(1) of legislative decree no. 39 of 12 February 1993, as subsequently amended, there shall be substituted the following: "1. The National Centre for Information Science in the Public Administration shall be hereby set up at the Prime Minister's Office with a view to implementing the policies made by the Minister for Innovation and Technology. Said Centre shall be autonomous as to its technical, operational, administrative, accounting and financial regulations and independent in its judgments.".

4. Section 6 of legislative decree no. 39 of 12 February 1993 as well as the financing mechanisms in force within the framework of the budget drawn up by the Minister of Economy and Finance shall further apply to the National Centre for Information Science in the Public Administration.

5. For Section 5(1) of legislative decree no. 39 of 12 February 1993, as subsequently amended, there shall be substituted the following: "1. Regulations applying to organisation, operation, personnel management, careers and expenditures shall be drawn up and submitted to the Prime Minister for adoption by the National Centre, subject to the constraints referred to in this decree.".

6. As regards laws and regulations in force, for the words "Autorità per l'informatica nella pubblica amministrazione" there shall be substituted the words "Centro nazionale per l'informatica nella pubblica amministrazione [National Centre for Information Science in the Public Administration]".

close