(122) The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority.
(62) Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;
Article 55 begins by restating the rule contained in Article 28, paragraphs 1 and 3, of the Directive that each supervisory authority shall be competent for the performance of the tasks assigned and the exercise of the powers conferred on it.
In its first version, Article 55 of the draft Regulation also provides a new competence, that of lead authority when the controller or the processor is established in several Member States, in order to ensure uniform application ("single window").
This new competence of the lead supervisory authority is now subject to a specific provision in Article 56 and will therefore be discussed under that provision. It was already noted that Article 55 makes Article 56 inapplicable where the processing is carried out by public authorities or private bodies acting on the basis of article 6, paragraph 1, point (c) (i.e. when the processing is necessary for compliance with a legal obligation to which the controller is subject) or (e) (i.e. when the processing is necessary for the performance of a task in the public interest or in the exercise of public
authority which is vested to the controller). In this case, the supervisory authority of the Member State concerned remains responsible.
Finally, pursuant to the terms of paragraph 3 of Article 55, the courts acting in their judicial capacity are not subject to the competence of the supervisory authorities to supervise processing operations but they shall still apply the material rules relating to the data protection.
The question of the competence of the national supervisory authority was already addressed by Article 28, paragraphs 1 and 3, of the Directive. Accordingly, each supervisory authority shall have all the powers conferred on it in the territory of the relevant Member State, in order to ensure the compliance with the data protection rules of that territory.
Pursuant to this provision, each national authority is territorially competent to exercise its powers in accordance with the procedural law of the relevant Member State, whatever the national law applicable to the processing in question.
We do not see a priori any specific implementation difficulties.
Guidelines for identifying a controller or processor’s lead supervisory authority (5 April 2017)
(Endorsed by the EDPB)
Identifying a lead supervisory authority is only relevant where a controller or processor is carrying out the cross-border processing of personal data. Article 4(23) of the General Data Protection Regulation (GDPR) defines ‘cross-border processing’ as either the:
- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or the
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
This means that where an organisation has establishments in France and Romania, for example, and the processing of personal data takes place in the context of their activities, then this will constitute cross-border processing.
Alternatively, the organisation may only carry out processing activity in the context of its establishment in France. However, if the activity substantially affects – or is likely to substantially affect - data subjects in France and Romania then this will also constitute crossborder processing.
Guidelines on Personal data breach notification under Regulation 2016/679 (6 February 2018)
(Endorsed by the EDPB)
The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.
Obligations to notify in cases of breaches presently exist for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States may have relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities currently encourage controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaces, does not contain a specific breach notification obligation and therefore such a requirement will be new for many organisations. The GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to their controller.
The Article 29 Working Party (WP29) considers that the new notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach7. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 a possible sanction is applicable to the controller.
Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals8, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.
The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.
In its Opinion 03/2014 on personal data breach notification9, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.
The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.
C-230/14 (1 October 2015)
1. Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.
In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.
By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.
2. Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.
3. Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).
1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.
3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.
1st proposal close
1. Each supervisory authority shall exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation.
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.
3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.
2nd proposal close
1. Each supervisory authority shall be competent to perform the tasks and exercise the powers conferred on it in accordance with this Regulation on the territory of its own Member State. (...)
2. Where the processing is carried out by public authorities or private bodies acting on the basis of points (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 51a does not apply.
3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity. (...).
6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.
51. General duties of Commissioner
(1) It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.
(2) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act, and may give advice to any person as to any of those matters.
(a) the [F1 Secretary of State] so directs by order, or
(b) the Commissioner considers it appropriate to do so, the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.
(4) The Commissioner shall also—
(a) where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice, and
(b) where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.
(5) An order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.
[F2(5A)In determining the action required to discharge the duties imposed by subsections (1) to (4), the Commissioner may take account of any action taken to discharge the duty imposed by section 52A (data-sharing code) [F3or section 52AA (direct marketing code)].]
(6) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of—
(a) any Community finding as defined by paragraph 15(2) of Part II of Schedule 1,
(b) any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive, and
(c) such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.
(7) The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.
(8) The Commissioner may charge such sums as he may F4... determine for any [F5 relevant] services provided by the Commissioner by virtue of this Part.
[F6(8A) In subsection (8) “relevant services” means—
(a) the provision to the same person of more than one copy of any published material where each of the copies of the material is either provided on paper, a portable disk which stores the material electronically or a similar medium,
(b) the provision of training, or
(c) the provision of conferences.
(8B)The Secretary of State may by order amend subsection (8A).]
(9) In this section—
“good practice” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;
“trade association” includes any body representing data controllers.
52. Reports and codes of practice to be laid before Parliament
(1) The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.
(2) The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.
(3) The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the [F1 Secretary of State] , unless the code is included in any report laid under subsection (1) or (2).
Schedule 5 - The Data Protection Commissioner
1 (1) The corporation sole by the name of the Data Protection Registrar established by the M1Data Protection Act 1984 shall continue in existence by the name of the [F2Information Commissioner].
(2) The Commissioner and his officers and staff are not to be regarded as servants or agents of the Crown.
2 (1) Subject to the provisions of this paragraph, the Commissioner shall hold office for such term not exceeding [F4seven years] as may be determined at the time of his appointment.
(2) The Commissioner may be relieved of his office by Her Majesty at his own request.
(3) The Commissioner may be removed from office by Her Majesty in pursuance of an Address from both Houses of Parliament.