(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. 
Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.
(63) Whereas such authorities must have the necessary means to perform their duties, including powers of investigation and intervention, particularly in cases of complaints from individuals, and powers to engage in legal proceedings; whereas such authorities must help to ensure transparency of processing in the Member States within whose jurisdiction they fall;
Article 59 of the Regulation confirms the obligation for each supervisory authority to prepare an annual report and to transmit it to the national parliament, the government and other authorities designated by the national legislation. The report shall be made available to the public, to the Commission and to the European Data Protection Board.
The final version of the Regulation states that the report may include a list of types of infringement notified and types of measures taken in accordance with the powers vested in the supervisory authorities by Article 58 (2).
The Directive already provided that an activity report be provided at regular intervals by the supervisory authorities (Article 28 of the Directive).
We do not see a priori any difficulties with this provision, which merely confirms an existing practice in most Member States.
United Kingdom
52. Reports and codes of practice to be laid before Parliament
(1) The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.
(2) The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.
(3) The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the [F1 Secretary of State], unless the code is included in any report laid under subsection (1) or (2).
Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the Board.
1st proposal
Each supervisory authority must draw up an annual report on its activities. The report shall be presented to the national parliament and shall be made available to the public, the Commission and the European Data Protection Board.
2nd proposal
Each supervisory authority shall draw up an annual report of its activities. The report shall be transmitted to the national Parliament, the government and other authorities as designated by national law. It shall be made available to the public, the European Commission and the European Data Protection Board.
5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.
54. International co-operation
(1) The Commissioner—
(a) shall continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Convention, and
(b) shall be the supervisory authority in the United Kingdom for the purposes of the Data Protection Directive [F1 and the Data Protection Framework Decision].
(2) The [F2 Secretary of State] may by order make provision as to the functions to be discharged by the Commissioner as the designated authority in the United Kingdom for the purposes of Article 13 of the Convention.
(3) The [F2 Secretary of State] may by order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in other EEA States in connection with the performance of their respective duties and, in particular, as to—
(a) the exchange of information with supervisory authorities in other EEA States or with the European Commission, F3...
(b) the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases excluded by section 5 from the application of the other provisions of this Act, of functions of the Commissioner specified in the order [F4, and
(c) the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases falling within the scope of the Data Protection Framework Decision as it applies to that State, of functions of the Commissioner specified in the order.]
(4) The Commissioner shall also carry out any data protection functions which the [F2 Secretary of State] may by order direct him to carry out for the purpose of enabling Her Majesty’s Government in the United Kingdom to give effect to any international obligations of the United Kingdom.
(5) The Commissioner shall, if so directed by the [F2 Secretary of State], provide any authority exercising data protection functions under the law of a colony specified in the direction with such assistance in connection with the discharge of those functions as the [F2 Secretary of State] may direct or approve, on such terms (including terms as to payment) as the [F2 Secretary of State] may direct or approve.
(6) Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.
(7) The Commissioner shall inform the European Commission and the supervisory authorities in other EEA States—
(a) of any approvals granted for the purposes of paragraph 8 of Schedule 4, and
(b) of any authorisations granted for the purposes of paragraph 9 of that Schedule.
(8) In this section—
“the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981;
[F5 “the Data Protection Framework Decision” means the Council Framework Decision 2008/977/JHA of 27th November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters;]
“data protection functions” means functions relating to the protection of individuals with respect to the processing of personal information.