The GDPR
Article 52 is intended to clarify the conditions guaranteeing the independence of the supervisory authorities, in accordance with the case law of the Court of Justice of the European Union (CJEU, 9 March 2010, C-518/07), and also on the basis of Article 44 of Regulation (EC) No. 45/200135.
In this case, the Court considered that the Federal Republic of Germany had failed to fulfil the obligations imposed under Article 28, paragraph 1, second subparagraph of Directive 95/46 by submitting to the guardianship of the State the supervisory authorities competent for monitoring the personal data processing by the non-public sector in the different countries, thus transposing incorrectly the requirement that these authorities exercise their tasks “with complete independence”.
Furthermore, Regulation (EC) No. 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data provides in details the conditions of independence of the European data protection controller.
Article 52 codifies that the supervisory authority of each Member State shall act with complete independence in performing its tasks and exercising its powers, in accordance with this Regulation. Accordingly, the second paragraph of Article 52 specifies that member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.
The third paragraph obliges the members of the supervisory authority to refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether profitable or not (Art. 52 (3)). Pursuant to paragraph 4, each Member State shall ensure that each supervisory authority is provided with the staff, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the European Data Protection Board.
Each supervisory authority must also be able to choose and have its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned (paragraph 5).
Finally, as stated in recital 118, the independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial management. Accordingly, Article 52, paragraph 6 provides that each supervisory authority is subject to financial control which does not affect its independence. For this purpose, each supervisory authority shall have a separate, public annual budget, which may be part of the overall state or national budget.
The Directive
According to Article 28, paragraph 1, second subparagraph of the Directive, the national authorities shall act with complete independence in exercising the functions entrusted to them.
Potential issues
We do not see a priori any specific implementation difficulties.
European Union
CJEU caselaw
C-518/07 (9 march 2010) - Commission v Germany
1. Declares that, by making the authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to State scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, the Federal Republic of Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
2. Orders the Federal Republic of Germany to pay the costs of the Commission;
3. Orders the European Data Protection Supervisor (EDPS) to bear his own costs.
Opinion of Advocate general
Judgment of the Court
C-614/10 (16 october 2012) - Commission v Austria
1. Declares that, by failing to take all of the measures necessary to ensure that the legislation in force in Austria meets the requirement of independence with regard to the Datenschutzkommission (Data Protection Commission), more specifically by laying down a regulatory framework under which
– the managing member of the Datenschutzkommission is a federal official subject to supervision,
– the office of the Datenschutzkommission is integrated with the departments of the Federal Chancellery, and
– the Federal Chancellor has an unconditional right to information covering all aspects of the work of the Datenschutzkommission,
the Republic of Austria has failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
2. Orders the Republic of Austria to pay the costs incurred by the European Commission;
3. Orders the Federal Republic of Germany and the European Data Protection Supervisor to bear their own respective costs.
Opinion of Advocate general
Judgment of the Court
C-230/14 (1 october 2015) - Weltimmo
1. Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.
In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.
By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.
2. Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.
3. Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).
Opinion of Advocate general
Judgment of the Court
Retour au sommaire
Retour au sommaire