menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Ireland) language
Contact our local member in Ireland mail_outline
Visit the website of Acuatus account_balance

arrow_backPrevious Article
Article 51
Next Articlearrow_forward

Supervisory authority

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 51 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 51 keyboard_arrow_up

Key words related to article 51

Show the recitals of the Regulation related to article 51 keyboard_arrow_down Hide the recitals of the Regulation related to article 51 keyboard_arrow_up

(117) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

(118) The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.

(119) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth cooperation with other supervisory authorities, the Board and the Commission.

Show the recitals of the Directive related to article 51 keyboard_arrow_down Hide the recitals of the Directive related to article 51 keyboard_arrow_up

(62) Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;

The GDPR

As provided for in the Directive, Article 51 requires the Member States to set up one or several independent supervisory authorities responsible for the monitoring of the application of the Regulation.

The supervisory authority is defined in article 4 (21), as "an independent public authority which is established by a Member State pursuant to Article 51”.

The final version of the Regulation specifies that these authorities are intended, on the one hand, to protect the fundamental rights and freedoms of natural persons in relation to processing, and on the other, facilitate the free flow of personal data within the Union (paragraph 1).

According to paragraph 2, each supervisory authority shall contribute to the consistent application of the Regulations throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter VII.

It should be noted that the Regulation expressly allows the Member States to create several control authorities (paragraph 3). In this case, the Member State shall designate the supervisory authority which is to represent those authorities on the European Data Protection Board. The Member State shall also set out the mechanism to ensure compliance by other authorities with the rules relating to the consistency mechanism referred to in Article 63.

All the provisions adopted by a Member State under Chapter VI must be notified to the Commission no later than two years after the entry into force of the Regulation, that is, the 20th day following its publication in the Official Journal of the European Union (Art. 99). Any subsequent changes must be notified to the Commission without delay.

The Directive

The Directive contained an essential element of data protection: the establishment in each Member State of a supervisory authority responsible for monitoring the application of the personal data protection legislation on its territory.

The second paragraph of Article 28 of the Directive already stated that the tasks entrusted to these authorities should be carried out independently.

The Member States have each created a national supervisory authority for the protection of personal data

Potential issues

We do not see a priori any specific implementation difficulties.

arrow_back Previous ArticleArticle 51Next Article arrow_forward
arrow_back Previous ArticleArticle 51 Next Article arrow_forward

Summary

European Union

European Union

Retour au sommaire

Article 29 Working Party

Guidelines on the Lead Supervisory Authority - wp244rev.01 (5 April 2017)

(Endorsed by the EDPB)

Identifying a lead supervisory authority is only relevant where a controller or processor is carrying out the cross-border processing of personal data. Article 4(23) of the General Data Protection Regulation (GDPR) defines ‘cross-border processing’ as either the:

- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or the

- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

This means that where an organisation has establishments in France and Romania, for example, and the processing of personal data takes place in the context of their activities, then this will constitute cross-border processing.

Alternatively, the organisation may only carry out processing activity in the context of its establishment in France. However, if the activity substantially affects – or is likely to substantially affect - data subjects in France and Romania then this will also constitute crossborder processing.

Link

Retour au sommaire
arrow_back Previous Article Article 51 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-518/07 (9 March 2010) - Commission v Germany

1.      Declares that, by making the authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to State scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, the Federal Republic of Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Federal Republic of Germany to pay the costs of the Commission;

3.      Orders the European Data Protection Supervisor (EDPS) to bear his own costs.

Opinion of Advocate general

Judgment of the Court

C-614/10 (16 October 2012) - Commission v Austria

1.      Declares that, by failing to take all of the measures necessary to ensure that the legislation in force in Austria meets the requirement of independence with regard to the Datenschutzkommission (Data Protection Commission), more specifically by laying down a regulatory framework under which

–        the managing member of the Datenschutzkommission is a federal official subject to supervision,

–        the office of the Datenschutzkommission is integrated with the departments of the Federal Chancellery, and

–        the Federal Chancellor has an unconditional right to information covering all aspects of the work of the Datenschutzkommission,

the Republic of Austria has failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Republic of Austria to pay the costs incurred by the European Commission;

3.      Orders the Federal Republic of Germany and the European Data Protection Supervisor to bear their own respective costs.

Opinion of Advocate general

Judgment of the Court

C-230/14 (1 October 2015) - Weltimmo

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general

Judgment of the Court

C-210/16 (5 June 2018) - Wirtschaftsakademie Schleswig-Holstein

1. Articles 4 and 28 of Directive 95/46 must be interpreted as meaning that, where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State.

2. Article 4(1)(a) and Article 28(3) and (6) of Directive 95/46 must be interpreted as meaning that, where the supervisory authority of a Member State intends to exercise with respect to an entity established in the territory of that Member State the powers of intervention referred to in Article 28(3) of that directive, on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State, that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State, the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.

Opinion of Advocate general

Judgment of the Court

C-252/21 (4 July 2023), Meta Platforms e.a. (General terms and conditions of use of a social network)

1.      Article 51 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as Article 4(3) TEU

must be interpreted as meaning that, subject to compliance with its duty of sincere cooperation with the supervisory authorities, a competition authority of a Member State can find, in the context of the examination of an abuse of a dominant position by an undertaking within the meaning of Article 102 TFEU, that that undertaking’s general terms of use relating to the processing of personal data and the implementation thereof are not consistent with that regulation, where that finding is necessary to establish the existence of such an abuse.

In view of this duty of sincere cooperation, the national competition authority cannot depart from a decision by the competent national supervisory authority or the competent lead supervisory authority concerning those general terms or similar general terms. Where it has doubts as to the scope of such a decision, where those terms or similar terms are, simultaneously, under examination by those authorities, or where, in the absence of an investigation or decision by those authorities, the competition authority takes the view that the terms in question are not consistent with Regulation 2016/679, it must consult and seek the cooperation of those supervisory authorities in order to dispel its doubts or to determine whether it must wait for them to take a decision before starting its own assessment. In the absence of any objection on their part or of any reply within a reasonable time, the national competition authority may continue its own investigation;

2.      Article 9(1) of Regulation 2016/679

must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories referred to in that provision relate and, as the case may be, enters information into them when registering or when placing online orders, the processing of personal data by the operator of that online social network, which entails the collection – by means of integrated interfaces, cookies or similar storage technologies – of data from visits to those sites and apps and of the information entered by the user, the linking of all those data with the user’s social network account and the use of those data by that operator, must be regarded as ‘processing of special categories of personal data’ within the meaning of that provision, which is in principle prohibited, subject to the derogations provided for in Article 9(2), where that data processing allows information falling within one of those categories to be revealed, irrespective of whether that information concerns a user of that network or any other natural person;

3.      Article 9(2)(e) of Regulation 2016/679

must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories set out in Article 9(1) of that regulation relate, the user does not manifestly make public, within the meaning of the first of those provisions, the data relating to those visits collected by the operator of that online social network via cookies or similar storage technologies;

Where he or she enters information into such websites or apps or where he or she clicks or taps on buttons integrated into those sites and apps, such as the ‘Like’ or ‘Share’ buttons or buttons enabling the user to identify himself or herself on those sites or apps using login credentials linked to his or her social network user account, his or her telephone number or email address, that user manifestly makes public, within the meaning of Article 9(2)(e), the data thus entered or resulting from the clicking or tapping on those buttons only in the circumstance where he or she has explicitly made the choice beforehand, as the case may be on the basis of individual settings selected with full knowledge of the facts, to make the data relating to him or her publicly accessible to an unlimited number of persons;

4.      Point (b) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, can be regarded as necessary for the performance of a contract to which the data subjects are party, within the meaning of that provision, only on condition that the processing is objectively indispensable for a purpose that is integral to the contractual obligation intended for those users, such that the main subject matter of the contract cannot be achieved if that processing does not occur;

5.      Point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, can be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, within the meaning of that provision, only on condition that the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued by the data processing, that such processing is carried out only in so far as is strictly necessary for the purposes of that legitimate interest and that it is apparent from a balancing of the opposing interests, having regard to all the relevant circumstances, that the interests or fundamental freedoms and rights of those users do not override that legitimate interest of the controller or of a third party;

6.      Point (c) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, is justified, under that provision, where it is actually necessary for compliance with a legal obligation to which the controller is subject, pursuant to a provision of EU law or the law of the Member State concerned, where that legal basis meets an objective of public interest and is proportionate to the legitimate aim pursued and where that processing is carried out only in so far as is strictly necessary;

7.      Points (d) and (e) of the first subparagraph of Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of those data, cannot, in principle and subject to verification by the referring court, be regarded as necessary in order to protect the vital interests of the data subject or of another natural person, within the meaning of point (d), or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of point (e);

8.      Point (a) of the first subparagraph of Article 6(1) and Article 9(2)(a) of Regulation 2016/679

must be interpreted as meaning that the fact that the operator of an online social network holds a dominant position on the market for online social networks does not, as such, preclude the users of such a network from being able validly to consent, within the meaning of Article 4(11) of that regulation, to the processing of their personal data by that operator. This is nevertheless an important factor in determining whether the consent was in fact validly and, in particular, freely given, which it is for that operator to prove.

Décision of the Court

Opinion of the advocate general

C-313/23 (30 April 2025)  - Inspektorat kam Visshia sadeben savet

1.      The second subparagraph of Article 19(1) TEU, read in conjunction with Article 47 of the Charter of Fundamental Rights of the European Union,

must be interpreted as meaning that the principle of judicial independence precludes a Member State’s practice under which the members of a judicial body of that Member State – who are elected by its parliament for terms of office of a specific duration and are competent to scrutinise the activity of judges, public prosecutors and investigating magistrates in the performance of their functions, to carry out checks in respect of their integrity and the absence of conflicts of interest on their part, as well as to propose to another judicial body the initiation of disciplinary proceedings with a view to the imposition of disciplinary penalties on those persons – continue to perform their functions beyond the legal duration of their terms of office as laid down in the Constitution of that Member State, until that parliament elects new members, where the extension of the expired terms of office does not have an express legal basis in national law containing clear and precise rules such as to circumscribe the performance of those functions and where it is not guaranteed that that extension is, in practice, limited in time.

2.      Article 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that disclosure, to a judicial body, of personal data that are protected by banking secrecy and that concern judges, public prosecutors and investigating magistrates as well as their family members, with a view to the verification of the declarations which are submitted by those judges, public prosecutors and investigating magistrates concerning their assets and those of their family members and which are published, constitutes processing of personal data that comes within the material scope of that regulation.

3.      Article 4(7) of Regulation 2016/679

must be interpreted as meaning that a court having jurisdiction to authorise, at the request of another judicial body, disclosure by a bank to that body of data relating to the bank accounts of judges, public prosecutors and investigating magistrates as well as of their family members, cannot be classified as a controller within the meaning of that provision.

4.      Article 51 of Regulation 2016/679

must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body does not constitute a supervisory authority within the meaning of that article, where that court is not entrusted by the Member State in which it is situated with monitoring the application of that regulation in order to protect, in particular, the fundamental rights and freedoms of natural persons in relation to the processing of their personal data.

5.      Article 79(1) of Regulation 2016/679, read in conjunction with Article 47 of the Charter of Fundamental Rights,

must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body is not required, where an action pursuant to that provision has not been brought before it, to ensure of its own motion the protection of the persons whose data are concerned as regards compliance with the provisions of that regulation relating to the security of personal data, including where it is known that that body has, in the past, infringed those provisions.

Opinion of the Advocate General 
Judgment of the Court 

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 51 Next Article arrow_forward
Regulation
1e 2e

Art. 51

1.   Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

2.   Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.

3.   Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4.   Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
1st proposal close

Art. 46

1.           Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.

2.           Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.

3.           Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to this Chapter, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.
2nd proposal close

Art. 46

1. Each Member State shall provide that one or more independent public authorities are responsible for monitoring the application of this Regulation.

1a. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union (...). For this purpose, the supervisory authorities shall co- operate with each other and the Commission in accordance with Chapter VII.

2. Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which shall represent those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.

3.  Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant tothis Chapter, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.
Directive close

Art. 28

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

3. Each authority shall in particular be endowed with:

- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.
Ireland
compare_arrows

Austria close

All of the following in force until May 25, 2018:

Control Bodies

Data Protection Authority and Data Protection Council

§ 35 DSG 2000

(1) The Data Protection Authority and the Data Protection Council shall safeguard data protection in accordance with the regulations of this federal law without prejudice to the competence of the Federal Chancellor and the courts of law.

(2) (Constitutional provision) The Data Protection Authority shall exercise its functions vis-á-vis the highest executive authorities enumerated in Art. 19 B-VG.

Establishment of the Data Protection Authority

§ 36 DSG 2000

(1) The Data Protection Authority is managed by its head. He is appointed for a term of five years by the Federal President on a proposal of the Federal Government; re-appointments are permitted. The proposal is to be preceded by an advertisement for the position, which permits general applications. The advertisement for the position falls under the responsibility of the Federal Chancellor. The position of the head of the Data Protection Authority shall be advertised on the public career website of the Federal Chancellery. The position shall also be advertised in the official journal “Wiener Zeitung” .

(2) The head of the Data Protection Authority must

1. have completed his study of law and political science,

2. have the necessary personal and professional aptitude through prior education and appropriate professional experience in the matters to be handled by the Data Protection Authority,

3. possess excellent knowledge of Austrian data protection law, European Union law and fundamental rights and

4. have at least five years of professional experience in the legal field.

(3) The following persons may not be appointed head of the Data Protection Authority:

1. Members of the Federal Government, State Secretaries, Members of a Land Government, National Council, Federal Council or any other General Representative Body or of the European Parliament, as well as a member of the Ombudsman Board and the president of the Public Audit Office;

2. anybody who held one of the positions listed in sub-para. 1 in the last two years;

3. anybody who may not be elected for the National Council.

(4) The head of the Data Protection Authority may not exercise any function that casts doubt on his professional independence or creates the impression of partiality or that keeps him from performing his duties or endangers essential official interests. He is required to report functions that he exercises beside his office as head of the Data Protection Authority to the Federal Chancellor without delay.

(5) The function of the head of the Data Protection Authority ends with the expiry of the period of office, death, abdication and loss of eligibility to the national Council.

(6) Once the function of the head of the Data Protection Authority ends, a new head shall be appointed according to the rules of para. 1 to 3.

(7) The Federal President shall appoint a deputy head of the Data Protection Authority on a proposal of the Federal Government according to the rules of para. 1 to 3. Para. 4 to 6 shall be applied to the deputy head of the Data Protection Authority in equal measure. He shall represent the head of the Data Protection Authority during his absence.

Organisation and Independence of the Data Protection Authority

§ 37 DSG 2000

(1) The head of the Data Protection Authority is independent and not bound by instructions in the exercise of his office.

(2) The Data Protection Authority is an administrative authority und human resource department. The Federal Finance Act shall provide for the necessary expenditures for staff and equipment. The officials of the Data Protection Authority shall be bound only by the instructions of the head. The head shall have the service prerogative over the officials of the Data Protection Authority.

(3) The Federal Chancellor can request information from the head of the Data Protection Authority about the operations of the authority. The head of the Data Protection Authority shall comply such requests only insofar as this does not compromise the independence of the supervisory authority as laid down in Article 28 paragraph 1 sub-paragraph 2 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995, p. 31.

(4) The Data Protection Authority shall be heard before laws concerning essential issues of data protection and federal ordinances based on this federal law or which otherwise directly concerns important issues of data protection are enacted.

(5) The Data Protection Authority shall formulate until 31 March every year a report about its workings in the preceding calendar year, submit it to the Federal Chancellor and publish it in an appropriate manner. The report shall be submitted to the National Council and the Federal Council by the Federal Chancellor.

(6) Decisions of the Data Protection Authority of fundamental importance to the general public shall be published by the Data Protection Authority in a suitable manner while respecting official secrecy rules.

Rulings of the Data Protection Authority

§ 38 DSG 2000

(1) Controllers in the public sector always have a position as party in proceedings before the Data Protection Authority.

(2) Rulings that permit transmission and committing of data according to section 13, shall be revoked once the legal or factual prerequisites under which the permit was issued, especially pursuant to a promulgation of the Federal Chancellor according to section 55 no longer apply.

(3) Parties according to para. 1 may file a complaint with the federal administrative court.

Procedure before the Federal Administrative Court

§ 39 DSG 2000

(1) The federal administrative court shall decide on complaints against rulings as well as complaints regarding the obligation to decide in due time regarding matters of this federal law by chamber.

(2) The chamber shall consist of a chairman und one professionally experienced lay judge from the domain of the employers and from the domain of employees each. The professionally experienced lay judges shall be appointed on a proposal by the Austrian Federal Economic Chamber and the Federal Chamber of Labour. Appropriate arrangements shall be made so that a sufficient number of professionally experienced lay judges can be nominated at the right time.

(3) The professionally experienced lay judges must have at least five years of relevant professional experience and special knowledge of data protection law.

(4) The chairman shall transmit all documents relevant to the decision to the professionally experienced lay judges without delay, or, if this is impractical or absolutely necessary to safeguard the confidence of the documents, make them available in some other way.

Appeal before the Supreme Administrative Court

§ 40 DSG 2000

An appeal before the Supreme Administrative Court may be brought by any party according to section 38 para. 1.

Establishment and Duties of the Data Protection Council

§ 41 DSG 2000

(1) A Data Protection Council is established at the Federal Chancellery.

(2) The Data Protection Council shall advise the Federal Government and the Land Governments on requests in political matters of data protection. For this purpose,

1. the Data Protection Council can deliberate on questions of fundamental importance for data protection and may issue opinions by itself or commission an expert to deliver an opinion;

2. the Data Protection Council shall be given opportunity to give its opinion on draft bills of federal ministries, insofar as these are significant for data protection;

3. public sector controllers shall present their projects to the Data Protection Council for evaluation, insofar as these are significant for data protection;

4. the Data Protection Council shall have the right to request information and documents from public sector controllers insofar as this is necessary to evaluate projects of significant impact on data protection in Austria;

4a. (Note: repealed by Federal Law Gazette I Nr. 83/2013)

5. the Data Protection Council may ask private sector controllers or their representations of interest established by law to give their opinion on developments of general importance that give cause for concern or at least call for attention from a data protection perspective;

6. the Data Protection Council may transmit its observations, concerns and suggestions for improvements of data protection in Austria to the Federal Government and the Land Governments, as well as to the legislative bodies by way of these organs.

(3) Para. 2 sub-paras. 3 and 4 shall not apply insofar as the internal affairs of the churches and religious communities acknowledged by law are concerned.

Composition of the Data Protection Council

§ 42 DSG 2000

(1) The Data Protection Council shall have the following members:

1. representatives of the political parties: The party that is most strongly represented in the main committee of the National Council shall delegate four representatives, the second strongest shall delegate three members and all other parties represented in the main committee of the National Council shall delegate one member each, to be determined by the strength of representation at the time of delegation. In case of equal number of deputies of two parties in the main committee the number of votes cast in the most recent election to the Federal Parliament is decisive;

2. each one representative of the Federal Chamber of Labour and from the Austrian Federal Economic Chamber;

3. two representatives of the provinces;

4. one representative each of the Association of Austrian Municipalities and the Austrian Association of towns;

5. one representative of the Federation appointed by the Federal Chancellor.

(2) The representatives mentioned in para. 1 sub-para. 3, 4 and 5 should have professional experience in the field of computer science and data protection.

(3) An alternate representative shall be nominated for every representative.

(4) Members of the Federal Government or of a Land Government or Secretaries of State as well as persons who may not be elected for the National Council shall not be members of the Data Protection Council.

(5) The representatives shall be members of the Data Protection Council until they announce their resignation in writing to the Federal Chancellor, or, if no resignation is announced, until the nominating body (para. 1) has named another representative to the Federal Chancellor. Members according to para 1 sub-para 1 retire also, as soon as the main committee has been newly elected according to § 29 and 30 of the Rules of Procedure Law of 1975, Federal Law Gazette No. 410, and they have not been delegated again.

(6) The members of the Data Protection Council shall serve in an honorary capacity. Members of the Data Protection Council living outside of Vienna shall be entitled to receive compensation for travel expenses (category 3) according to the regulations for federal officials, if they attend meetings of the Data Protection Council.

Chairmanship and Operation of the Data Protection Council

§ 43 DSG 2000

(1) The Data Protection Council shall decide on its rules of procedure.

(2) The Data Protection Council shall elect a chairman and two vice chairmen. The term of office of the chairman and the vice chairmen shall be five years, without prejudice to § 42 para. 5. Reappointments shall be permitted.

(3) The Federal Chancellery shall be responsible for the operation of the Data Protection Council. The Federal Chancellor shall supply the necessary personnel. While working for the Data Protection Council, the officials of the Federal Chancellery shall be bound only by instructions of the chairman of the Data Protection Council with regard to their professional work.

Meetings and Decisions of the Data Protection Council

§ 44 DSG 2000

(1) The meeting of the Data Protection Council shall be convened by the chairman whenever the need arises. If a member requests that a meeting be convened, the chairman shall convene the meeting so that it can take place within four weeks.

(2) The chairman can bring experts into the meeting whenever the need arises.

(3) Deliberations and decisions of the Data Protection Council shall require the presence of at least half of its members. Decisions shall be passed by a simple majority of votes cast. In the case of a parity of votes, the vote of the chairman shall decide the issue. An abstention from the vote is not permitted. A dissenting opinion may be given.

(4) The Data Protection Council may create permanent or ad hoc working groups which it may entrust with the preparation, appraisal and handling of specific issues. An individual member (rapporteur) may be entrusted with executive work, the first appraisal and handling of specific issues.

(5) Every member of the Data Protection Council must – unless justifiably being prevented – attend the meetings of the Council. A member who is unable to attend shall inform his alternate member without delay.

(6) The head of the Data Protection Authority shall have the right to attend meetings of the Data Protection Council or its working groups. He has not the right to vote.

(7) The deliberations of the Data Protection Council shall be confidential as long as the Data Protection Council itself does not decide otherwise.

(8) The members of the Data Protection Council, the head of the Data Protection Authority and experts brought into the meeting according to para. 2 shall be obliged to keep all information confidential of which they have learned solely due to their activities for the Data Protection Council, insofar as secrecy is required in the public interest or in the interest of a party.
arrow_back Previous ArticleArticle 51 Next Article arrow_forward
close

2016 - www.itiplaw.eu.