Article 52
Independence

Recitals of the Regulation related to Article 52

(117) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

(118) The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.

Recitals of the Directive related to Article 52

(62) Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;

The GDPR

Article 52 is intended to clarify the conditions guaranteeing the independence of the supervisory authorities, in accordance with the case law of the Court of Justice of the European Union (CJEU, 9 March 2010, C-518/07), and also on the basis of Article 44 of Regulation (EC) No. 45/2001.

In that case, the Court held that the Federal Republic of Germany had failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46 by subjecting to State scrutiny the supervisory authorities responsible for monitoring the processing of personal data by the non-public sector in the different Länder, thereby incorrectly transposing the requirement that these authorities perform their tasks “with complete independence”.

Furthermore, Regulation (EC) No. 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data sets out in detail the conditions of independence of the European Data Protection Supervisor.

Article 52 codifies that the supervisory authority of each Member State shall act with complete independence in performing its tasks and exercising its powers, in accordance with this Regulation. Accordingly, the second paragraph of Article 52 specifies that the member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

The third paragraph obliges the members of the supervisory authority to refrain from any action incompatible with their duties and not to engage, during their term of office, in any incompatible occupation, whether gainful or not (Art. 52(3)). Pursuant to paragraph 4, each Member State shall ensure that each supervisory authority is provided with the staff, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the European Data Protection Board.

Each supervisory authority must also be able to choose and have its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned (paragraph 5).

Finally, as stated in recital 118, the independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial management. Accordingly, Article 52, paragraph 6 provides that each supervisory authority is subject to financial control which does not affect its independence. For this purpose, each supervisory authority shall have a separate, public annual budget, which may be part of the overall state or national budget.

The Directive

According to Article 28, paragraph 1, second subparagraph of the Directive, the national authorities shall act with complete independence in exercising the functions entrusted to them.

Potential issues

We do not see a priori any specific implementation difficulties.

European Union

CJEU caselaw

C-518/07 (9 March 2010) - Commission v Germany

1.      Declares that, by making the authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to State scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, the Federal Republic of Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Federal Republic of Germany to pay the costs of the Commission;

3.      Orders the European Data Protection Supervisor (EDPS) to bear his own costs.

C-614/10 (16 October 2012) - Commission v Austria

1.      Declares that, by failing to take all of the measures necessary to ensure that the legislation in force in Austria meets the requirement of independence with regard to the Datenschutzkommission (Data Protection Commission), more specifically by laying down a regulatory framework under which

–        the managing member of the Datenschutzkommission is a federal official subject to supervision,

–        the office of the Datenschutzkommission is integrated with the departments of the Federal Chancellery, and

–        the Federal Chancellor has an unconditional right to information covering all aspects of the work of the Datenschutzkommission,

the Republic of Austria has failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Republic of Austria to pay the costs incurred by the European Commission;

3.      Orders the Federal Republic of Germany and the European Data Protection Supervisor to bear their own respective costs.

C-230/14 (1 October 2015) - Weltimmo

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Regulation

Art. 52

1.   Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2.   The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3.   Member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4.   Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

5.   Each Member State shall ensure that each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6.   Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

1st proposal

Art. 47

1.           The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it.

2.           The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody.

3.           Members of the supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4.           Members of the supervisory authority shall behave, after their term of office, with integrity and discretion as regards the acceptance of appointments and benefits.

5.           Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.

6.           Each Member State shall ensure that the supervisory authority has its own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.

7.           Member States shall ensure that the supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that the supervisory authority has separate annual budgets. The budgets shall be made public.

2nd proposal

Art. 47

1. Each supervisory authority shall act with complete independence in performing the duties and exercising the powers entrusted to it in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their duties and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect and neither seek nor take instructions from anybody.

3. (...)

4. (...)

5. Each Member State shall ensure that each supervisory authority is provided with the (...) human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and exercise of its powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.

6. Each Member State shall ensure that each supervisory authority has its own staff which shall (...) be subject to the direction of the member or members of the supervisory authority.

7. Member States shall ensure that each supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that each supervisory authority has separate, public, annual budgets, which may be part of the overall state or national budget.

Directive

Art. 28

(…).

These authorities shall act with complete independence in exercising the functions entrusted to them.

 

 

Article 45. Legal Regime.

1. The Spanish Data Protection Agency is governed by the provisions of Regulation (EU) 2016/679, this Organic Law and its implementing provisions.

In addition, insofar as it is compatible with its full independence and without prejudice to the provisions of Article 63.2 of this Organic Law, it shall be governed by the rules referred to in Article 110.1 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector.

2. The Government, at the proposal of the Spanish Data Protection Agency, will approve its Statute by Royal Decree.

 

Article 46. Economic, budgetary and personnel regime.

1. The Spanish Data Protection Agency will prepare and approve its budget and will send it to the Government so that it may be integrated, independently, in the General State Budget.

2. The system of modifications and linkage of the appropriations of its budget shall be that established in the Statute of the Spanish Data Protection Agency.

The Presidency of the Spanish Data Protection Agency is responsible for authorizing budgetary modifications involving up to three percent of the initial figure of its total expenditure budget, provided that the appropriations for personnel expenses are not increased. The remaining modifications that do not exceed five percent of the budget shall be authorized by the Ministry of Finance and, in other cases, by the Government.

3. The Spanish Data Protection Agency will count for the fulfillment of its purposes with the allocations that are established from the General State Budget, the assets and securities that constitute its patrimony and the income, ordinary and extraordinary derived from the exercise of its activities, including those derived from the exercise of the powers established in Article 58 of Regulation (EU) 2016/679.

4. The positive result of its income will be allocated by the Spanish Data Protection Agency to the endowment of its reserves in order to guarantee its full independence.

5. The personnel at the service of the Spanish Data Protection Agency shall be civil servants or employees and shall be governed by the provisions of the revised text of the Law of the Basic Statute of the Public Employee, approved by Royal Legislative Decree 5/2015, of October 30, and other regulations governing civil servants and, where appropriate, by labor regulations.

6. The Spanish Data Protection Agency shall draw up and approve its list of posts, within the framework of the criteria established by the Ministry of Finance, respecting the limit of personnel expenditure established in the budget. This list of posts will include, in any case, those posts that must be held exclusively by civil servants, as they consist of the exercise of functions that imply direct or indirect participation in the exercise of public powers and the safeguarding of the general interests of the State and of the Public Administrations.

7. Without prejudice to the powers attributed to the Court of Auditors, the economic-financial management of the Spanish Data Protection Agency shall be subject to the control of the General Comptroller of the State Administration under the terms established in Law 47/2003, of 26 November, General Budgetary Law.

 

Twentieth Additional Provision. Specialties of the legal regime of the Spanish Data Protection Agency.

1. The Spanish Data Protection Agency shall not be subject to the provisions of Article 50.2.c) of Law 40/2015, of October 1, of the Public Sector Legal Regime.

2. The Spanish Data Protection Agency may adhere to the centralized contracting systems established by the Public Administrations and may participate in the shared management of common services provided for in Article 85 of Law 40/2015, of October 1, of the Public Sector Legal Regime.

Old law

Organic Law 15/1999 on Personal Data Protection regulated. This law has been repealed by Organic Law 3/2018.