Article 51
Supervisory authority

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 51 keyboard_arrow_down Hide the recitals of the Regulation related to article 51 keyboard_arrow_up

(117) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

(118) The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review.

(119) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth cooperation with other supervisory authorities, the Board and the Commission.

Show the recitals of the Directive related to article 51 keyboard_arrow_down Hide the recitals of the Directive related to article 51 keyboard_arrow_up

(62) Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;

The GDPR

As provided for in the Directive, Article 51 requires the Member States to set up one or several independent supervisory authorities responsible for the monitoring of the application of the Regulation.

The supervisory authority is defined in article 4 (21), as "an independent public authority which is established by a Member State pursuant to Article 51”.

The final version of the Regulation specifies that these authorities are intended, on the one hand, to protect the fundamental rights and freedoms of natural persons in relation to processing, and on the other, facilitate the free flow of personal data within the Union (paragraph 1).

According to paragraph 2, each supervisory authority shall contribute to the consistent application of the Regulations throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter VII.

It should be noted that the Regulation expressly allows the Member States to create several control authorities (paragraph 3). In this case, the Member State shall designate the supervisory authority which is to represent those authorities on the European Data Protection Board. The Member State shall also set out the mechanism to ensure compliance by other authorities with the rules relating to the consistency mechanism referred to in Article 63.

All the provisions adopted by a Member State under Chapter VI must be notified to the Commission no later than two years after the entry into force of the Regulation, that is, the 20th day following its publication in the Official Journal of the European Union (Art. 99). Any subsequent changes must be notified to the Commission without delay.

The Directive

The Directive contained an essential element of data protection: the establishment in each Member State of a supervisory authority responsible for monitoring the application of the personal data protection legislation on its territory.

The second paragraph of Article 28 of the Directive already stated that the tasks entrusted to these authorities should be carried out independently.

The Member States have each created a national supervisory authority for the protection of personal data

Potential issues

We do not see a priori any specific implementation difficulties.

Group 29

Guidelines for identifying a controller or processor’s lead supervisory authority (5 April 2017)

(Endorsed by the EDPB)

Identifying a lead supervisory authority is only relevant where a controller or processor is carrying out the cross-border processing of personal data. Article 4(23) of the General Data Protection Regulation (GDPR) defines ‘cross-border processing’ as either the:

- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or the

- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

This means that where an organisation has establishments in France and Romania, for example, and the processing of personal data takes place in the context of their activities, then this will constitute cross-border processing.

Alternatively, the organisation may only carry out processing activity in the context of its establishment in France. However, if the activity substantially affects – or is likely to substantially affect - data subjects in France and Romania then this will also constitute crossborder processing.

Link

CJEU caselaw

C-518/07 (9 March 2010)

1.      Declares that, by making the authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to State scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, the Federal Republic of Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Federal Republic of Germany to pay the costs of the Commission;

3.      Orders the European Data Protection Supervisor (EDPS) to bear his own costs.

Opinion of Advocate general

Judgment of the Court

C-614/10 (16 October 2012)

1.      Declares that, by failing to take all of the measures necessary to ensure that the legislation in force in Austria meets the requirement of independence with regard to the Datenschutzkommission (Data Protection Commission), more specifically by laying down a regulatory framework under which

–        the managing member of the Datenschutzkommission is a federal official subject to supervision,

–        the office of the Datenschutzkommission is integrated with the departments of the Federal Chancellery, and

–        the Federal Chancellor has an unconditional right to information covering all aspects of the work of the Datenschutzkommission,

the Republic of Austria has failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Republic of Austria to pay the costs incurred by the European Commission;

3.      Orders the Federal Republic of Germany and the European Data Protection Supervisor to bear their own respective costs.

Opinion of Advocate general

Judgment of the Court

C-230/14 (1 October 2015)

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general

Judgment of the Court

C-210/16 (5 June 2018)

1. Articles 4 and 28 of Directive 95/46 must be interpreted as meaning that, where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Article 28(3) of that directive with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment is responsible solely for the sale of advertising space and other marketing activities in the territory of that Member State and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the European Union, to an establishment situated in another Member State.

2. Article 4(1)(a) and Article 28(3) and (6) of Directive 95/46 must be interpreted as meaning that, where the supervisory authority of a Member State intends to exercise with respect to an entity established in the territory of that Member State the powers of intervention referred to in Article 28(3) of that directive, on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State, that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State, the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.

Opinion of Advocate general

Judgment of the Court

Regulation
1e 2e

Art. 51

1.   Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

2.   Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.

3.   Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4.   Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

1st proposal close

Art. 46

1.           Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.

2.           Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.

3.           Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to this Chapter, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

2nd proposal close

Art. 46

1. Each Member State shall provide that one or more independent public authorities are responsible for monitoring the application of this Regulation.

1a. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union (...). For this purpose, the supervisory authorities shall co- operate with each other and the Commission in accordance with Chapter VII.

2. Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which shall represent those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.

3.  Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant tothis Chapter, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Directive close

Art. 28

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

3. Each authority shall in particular be endowed with:

- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.

Data Protection Authority

Establishment

§ 18 DSG

(1) The Data Protection Authority is established as a national supervisory authority pursuant to Article 51 of the General Data Protection Regulation.

(2) The Data Protection Authority is managed by its head. If the head is absent, his or her deputy shall manage the Data Protection Authority. The rules regarding the head of the Data Protection Authority shall also apply to the deputy.

Old law close

All of the following in force until May 25, 2018:


Control Bodies

Data Protection Authority and Data Protection Council

§ 35 DSG 2000

(1) The Data Protection Authority and the Data Protection Council shall safeguard data protection in accordance with the regulations of this federal law without prejudice to the competence of the Federal Chancellor and the courts of law.

(2) (Constitutional provision) The Data Protection Authority shall exercise its functions vis-á-vis the highest executive authorities enumerated in Art. 19 B-VG.


Establishment of the Data Protection Authority

§ 36 DSG 2000

(1) The Data Protection Authority is managed by its head. He is appointed for a term of five years by the Federal President on a proposal of the Federal Government; re-appointments are permitted. The proposal is to be preceded by an advertisement for the position, which permits general applications. The advertisement for the position falls under the responsibility of the Federal Chancellor. The position of the head of the Data Protection Authority shall be advertised on the public career website of the Federal Chancellery. The position shall also be advertised in the official journal “Wiener Zeitung” .

(2) The head of the Data Protection Authority must

1. have completed his study of law and political science,

2. have the necessary personal and professional aptitude through prior education and appropriate professional experience in the matters to be handled by the Data Protection Authority,

3. possess excellent knowledge of Austrian data protection law, European Union law and fundamental rights and

4. have at least five years of professional experience in the legal field.

(3) The following persons may not be appointed head of the Data Protection Authority:

1. Members of the Federal Government, State Secretaries, Members of a Land Government, National Council, Federal Council or any other General Representative Body or of the European Parliament, as well as a member of the Ombudsman Board and the president of the Public Audit Office;

2. anybody who held one of the positions listed in sub-para. 1 in the last two years;

3. anybody who may not be elected for the National Council.

(4) The head of the Data Protection Authority may not exercise any function that casts doubt on his professional independence or creates the impression of partiality or that keeps him from performing his duties or endangers essential official interests. He is required to report functions that he exercises beside his office as head of the Data Protection Authority to the Federal Chancellor without delay.

(5) The function of the head of the Data Protection Authority ends with the expiry of the period of office, death, abdication and loss of eligibility to the national Council.

(6) Once the function of the head of the Data Protection Authority ends, a new head shall be appointed according to the rules of para. 1 to 3.

(7) The Federal President shall appoint a deputy head of the Data Protection Authority on a proposal of the Federal Government according to the rules of para. 1 to 3. Para. 4 to 6 shall be applied to the deputy head of the Data Protection Authority in equal measure. He shall represent the head of the Data Protection Authority during his absence.


Organisation and Independence of the Data Protection Authority

§ 37 DSG 2000

(1) The head of the Data Protection Authority is independent and not bound by instructions in the exercise of his office.

(2) The Data Protection Authority is an administrative authority und human resource department. The Federal Finance Act shall provide for the necessary expenditures for staff and equipment. The officials of the Data Protection Authority shall be bound only by the instructions of the head. The head shall have the service prerogative over the officials of the Data Protection Authority.

(3) The Federal Chancellor can request information from the head of the Data Protection Authority about the operations of the authority. The head of the Data Protection Authority shall comply such requests only insofar as this does not compromise the independence of the supervisory authority as laid down in Article 28 paragraph 1 sub-paragraph 2 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995, p. 31.

(4) The Data Protection Authority shall be heard before laws concerning essential issues of data protection and federal ordinances based on this federal law or which otherwise directly concerns important issues of data protection are enacted.

(5) The Data Protection Authority shall formulate until 31 March every year a report about its workings in the preceding calendar year, submit it to the Federal Chancellor and publish it in an appropriate manner. The report shall be submitted to the National Council and the Federal Council by the Federal Chancellor.

(6) Decisions of the Data Protection Authority of fundamental importance to the general public shall be published by the Data Protection Authority in a suitable manner while respecting official secrecy rules.


Rulings of the Data Protection Authority

§ 38 DSG 2000

(1) Controllers in the public sector always have a position as party in proceedings before the Data Protection Authority.

(2) Rulings that permit transmission and committing of data according to section 13, shall be revoked once the legal or factual prerequisites under which the permit was issued, especially pursuant to a promulgation of the Federal Chancellor according to section 55 no longer apply.

(3) Parties according to para. 1 may file a complaint with the federal administrative court.


Procedure before the Federal Administrative Court

§ 39 DSG 2000

(1) The federal administrative court shall decide on complaints against rulings as well as complaints regarding the obligation to decide in due time regarding matters of this federal law by chamber.

(2) The chamber shall consist of a chairman und one professionally experienced lay judge from the domain of the employers and from the domain of employees each. The professionally experienced lay judges shall be appointed on a proposal by the Austrian Federal Economic Chamber and the Federal Chamber of Labour. Appropriate arrangements shall be made so that a sufficient number of professionally experienced lay judges can be nominated at the right time.

(3) The professionally experienced lay judges must have at least five years of relevant professional experience and special knowledge of data protection law.

(4) The chairman shall transmit all documents relevant to the decision to the professionally experienced lay judges without delay, or, if this is impractical or absolutely necessary to safeguard the confidence of the documents, make them available in some other way.


Appeal before the Supreme Administrative Court

§ 40 DSG 2000

An appeal before the Supreme Administrative Court may be brought by any party according to section 38 para. 1.


Establishment and Duties of the Data Protection Council

§ 41 DSG 2000

(1) A Data Protection Council is established at the Federal Chancellery.

(2) The Data Protection Council shall advise the Federal Government and the Land Governments on requests in political matters of data protection. For this purpose,

1. the Data Protection Council can deliberate on questions of fundamental importance for data protection and may issue opinions by itself or commission an expert to deliver an opinion;

2. the Data Protection Council shall be given opportunity to give its opinion on draft bills of federal ministries, insofar as these are significant for data protection;

3. public sector controllers shall present their projects to the Data Protection Council for evaluation, insofar as these are significant for data protection;

4. the Data Protection Council shall have the right to request information and documents from public sector controllers insofar as this is necessary to evaluate projects of significant impact on data protection in Austria;

4a. (Note: repealed by Federal Law Gazette I Nr. 83/2013)

5. the Data Protection Council may ask private sector controllers or their representations of interest established by law to give their opinion on developments of general importance that give cause for concern or at least call for attention from a data protection perspective;

6. the Data Protection Council may transmit its observations, concerns and suggestions for improvements of data protection in Austria to the Federal Government and the Land Governments, as well as to the legislative bodies by way of these organs.

(3) Para. 2 sub-paras. 3 and 4 shall not apply insofar as the internal affairs of the churches and religious communities acknowledged by law are concerned.


Composition of the Data Protection Council

§ 42 DSG 2000

(1) The Data Protection Council shall have the following members:

1. representatives of the political parties: The party that is most strongly represented in the main committee of the National Council shall delegate four representatives, the second strongest shall delegate three members and all other parties represented in the main committee of the National Council shall delegate one member each, to be determined by the strength of representation at the time of delegation. In case of equal number of deputies of two parties in the main committee the number of votes cast in the most recent election to the Federal Parliament is decisive;

2. each one representative of the Federal Chamber of Labour and from the Austrian Federal Economic Chamber;

3. two representatives of the provinces;

4. one representative each of the Association of Austrian Municipalities and the Austrian Association of towns;

5. one representative of the Federation appointed by the Federal Chancellor.

(2) The representatives mentioned in para. 1 sub-para. 3, 4 and 5 should have professional experience in the field of computer science and data protection.

(3) An alternate representative shall be nominated for every representative.

(4) Members of the Federal Government or of a Land Government or Secretaries of State as well as persons who may not be elected for the National Council shall not be members of the Data Protection Council.

(5) The representatives shall be members of the Data Protection Council until they announce their resignation in writing to the Federal Chancellor, or, if no resignation is announced, until the nominating body (para. 1) has named another representative to the Federal Chancellor. Members according to para 1 sub-para 1 retire also, as soon as the main committee has been newly elected according to § 29 and 30 of the Rules of Procedure Law of 1975, Federal Law Gazette No. 410, and they have not been delegated again.

(6) The members of the Data Protection Council shall serve in an honorary capacity. Members of the Data Protection Council living outside of Vienna shall be entitled to receive compensation for travel expenses (category 3) according to the regulations for federal officials, if they attend meetings of the Data Protection Council.


Chairmanship and Operation of the Data Protection Council

§ 43 DSG 2000

(1) The Data Protection Council shall decide on its rules of procedure.

(2) The Data Protection Council shall elect a chairman and two vice chairmen. The term of office of the chairman and the vice chairmen shall be five years, without prejudice to § 42 para. 5. Reappointments shall be permitted.

(3) The Federal Chancellery shall be responsible for the operation of the Data Protection Council. The Federal Chancellor shall supply the necessary personnel. While working for the Data Protection Council, the officials of the Federal Chancellery shall be bound only by instructions of the chairman of the Data Protection Council with regard to their professional work.


Meetings and Decisions of the Data Protection Council

§ 44 DSG 2000

(1) The meeting of the Data Protection Council shall be convened by the chairman whenever the need arises. If a member requests that a meeting be convened, the chairman shall convene the meeting so that it can take place within four weeks.

(2) The chairman can bring experts into the meeting whenever the need arises.

(3) Deliberations and decisions of the Data Protection Council shall require the presence of at least half of its members. Decisions shall be passed by a simple majority of votes cast. In the case of a parity of votes, the vote of the chairman shall decide the issue. An abstention from the vote is not permitted. A dissenting opinion may be given.

(4) The Data Protection Council may create permanent or ad hoc working groups which it may entrust with the preparation, appraisal and handling of specific issues. An individual member (rapporteur) may be entrusted with executive work, the first appraisal and handling of specific issues.

(5) Every member of the Data Protection Council must – unless justifiably being prevented – attend the meetings of the Council. A member who is unable to attend shall inform his alternate member without delay.

(6) The head of the Data Protection Authority shall have the right to attend meetings of the Data Protection Council or its working groups. He has not the right to vote.

(7) The deliberations of the Data Protection Council shall be confidential as long as the Data Protection Council itself does not decide otherwise.

(8) The members of the Data Protection Council, the head of the Data Protection Authority and experts brought into the meeting according to para. 2 shall be obliged to keep all information confidential of which they have learned solely due to their activities for the Data Protection Council, insofar as secrecy is required in the public interest or in the interest of a party.

close