menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Austria) language
Contact our local member in Austria mail_outline
Visit the website of Geistwert account_balance

arrow_backPrevious Article
Article 57
Next Articlearrow_forward

Tasks

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 57 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 57 keyboard_arrow_up

Key words related to article 57

Show the recitals of the Regulation related to article 57 keyboard_arrow_down Hide the recitals of the Regulation related to article 57 keyboard_arrow_up

(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

(130) Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should closely cooperate with the supervisory authority with which the complaint has been lodged in accordance with the provisions on cooperation and consistency laid down in this Regulation. In such cases, the lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take utmost account of the view of the supervisory authority with which the complaint has been lodged and which should remain competent to carry out any investigation on the territory of its own Member State in liaison with the competent supervisory authority.

(131) Where another supervisory authority should act as a lead supervisory authority for the processing activities of the controller or processor but the concrete subject matter of a complaint or the possible infringement concerns only processing activities of the controller or processor in the Member State where the complaint has been lodged or the possible infringement detected and the matter does not substantially affect or is not likely to substantially affect data subjects in other Member States, the supervisory authority receiving a complaint or detecting or being informed otherwise of situations that entail possible infringements of this Regulation should seek an amicable settlement with the controller and, if this proves unsuccessful, exercise its full range of powers. This should include: specific processing carried out in the territory of the Member State of the supervisory authority or with regard to data subjects on the territory of that Member State; processing that is carried out in the context of an offer of goods or services specifically aimed at data subjects in the territory of the Member State of the supervisory authority; or processing that has to be assessed taking into account relevant legal obligations under Member State law.

There is no recital in the Directive related to article 57.

The GDPR

Article 57 defines the tasks assigned to the supervisory authorities. These tasks can be summarized as follows:

- tasks of monitoring, investigation and control (a and h), which applies in particular to keeping internal records of infringements of this Regulation and of enforcement measures taken (warnings, sanctions, action, etc.) (u);

- tasks of information and advice with regard to the public (b), to the legislative and executive authorities (c) and with regards to the controllers and processors (d); and on the technological developments related to personal data protection (i);

- tasks of handling and management of complaints and claims (f), which implies in particular the provision of a claim form (paragraph 2);

- tasks of mutual assistance to other national authorities (g);

- tasks for the certification, in compliance with the binding corporate rules (s), standard contractual clauses (j and r) and codes of conduct (m): mechanisms of certification seals and marks for data protection (n) approval, regular review of certifications granted (o); accreditation of certification bodies (p), and of bodies responsible for monitoring the codes of conduct (q);

- tasks relating to processing that is subject to the requirement for prior consultation (k): advice (l);

- tasks related to the activities of the European Data Protection Board (t);

Paragraph 5 states that the performance of the tasks of each supervisory authority shall be free of charge for the data subject (paragraph  3), unless the requests are manifestly excessive or unfounded, in which case the authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. It is the responsibility of the authority however to demonstrate the excessive or unfounded character of the request (paragraph 4).

The Directive

Pursuant to the Directive, each national supervisory authority was responsible for monitoring the application within its territory of the provisions transposing the Directive as adopted by the Member States (Article 28 (1)). On this basis, the application of the measures could be referred to the relevant national supervisory authority by any person for verification of the lawfulness of personal data processing or with any request relating to the protection of his or her rights and freedoms with regard to such processing (Article 28 (4)).

Those authorities should also be consulted on all proposed legislative, administrative or regulatory drafts relating to the protection of rights and freedoms of individuals with regard to personal data processing (Article 28 (2)).

Potential issues

The tasks of the supervisory authorities have been increased significantly with the new Regulation. They operate at all the levels of protection: they release or assist in the development of rules, they inform, they manage complaints and claims. They become real regulatory authorities. They must be provided with the means, which was not obvious in many Member States.

arrow_back Previous ArticleArticle 57Next Article arrow_forward
arrow_back Previous ArticleArticle 57 Next Article arrow_forward

Summary

European Union

European Union

Retour au sommaire

Article 29 Working Party

Guidelines on the application and setting of administrative fines - wp253 (3 October 2017)

(Endorsed by the EDPB)

The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.

Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.

Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.

This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.

In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.

These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.

In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.

Link

Retour au sommaire
arrow_back Previous Article Article 57 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-230/14 (1 October 2015) - Weltimmo

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general

Judgment of the Court

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 57 Next Article arrow_forward
Regulation
1e 2e

Art. 57

1.   Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d) promote the awareness of controllers and processors of their obligations under this Regulation;

(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l) give advice on the processing operations referred to in Article 36(2);

(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r) authorise contractual clauses and provisions referred to in Article 46(3);

(s) approve binding corporate rules pursuant to Article 47;

(t) contribute to the activities of the Board;

(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v) fulfil any other tasks related to the protection of personal data.

2.   Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3.   The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4.   Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
1st proposal close

Art. 52 

1.           The supervisory authority shall:

(a)     monitor and ensure the application of this Regulation;

(b)     hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(c)     share information with and provide mutual assistance to other supervisory authorities and ensure the consistency of application and enforcement of this Regulation;

(d)     conduct investigations either on its own initiative or on the basis of a complaint or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;

(e)     monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(f)      be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;

(g)     authorise and be consulted on the processing operations referred to in Article 34;

(h)     issue an opinion on the draft codes of conduct pursuant to Article 38(2);

(i)      approve binding corporate rules pursuant to Article 43;

(j)      participate in the activities of the European Data Protection Board.

2.           Each supervisory authority shall promote the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention.

3.           The supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.

4.           For complaints referred to in point (b) of paragraph 1, the supervisory authority shall provide a complaint submission form, which can be completed electronically, without excluding other means of communication.

5.           The performance of the duties of the supervisory authority shall be free of charge for the data subject.

6.           Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.
2nd proposal close

Art. 52  

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation; (aa) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention;

(ab) advise, in accordance with national law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data;

(ac) promote the awareness of controllers and processors of their obligations under this Regulation;

(ad) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end;

(b) deal with complaints lodged by a data subject, or body, organisation or association representing a data subject in accordance with Article 73, and investigate, to the extent appropriate, the subject matter of the complaint and inform the data subject or the body, organisation or association of the progress and the outcome of the investigation within a reasonable period , in particular if further investigation or coordination with another supervisory authority is necessary;

(c) cooperate with, including sharing information, and provide mutual assistance to other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(d) conduct investigations on the application of this Regulation, including on the basis of a information received from another supervisory or other public authority;

(e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(f) adopt standard contractual clauses referred to in Article 26(2c); (fa) establish and make a list in relation to the requirement for data protection impact assessment pursuant to Article 33(2a);

(g) give advice on the processing operations referred to in Article 34(3);

(ga) encourage the drawing up of codes of conduct pursuant to Article 38 and give an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 38 (2);

(gb) promote the establishment of data protection certification mechanisms and of data protection seals and marks, and approve the criteria of certification pursuant to Article 39 (2a);

(gc) where applicable, carry out a periodic review of certifications issued in accordance with Article 39(4);

(h) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 38a and of a certification body pursuant to Article 39a;

(ha) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 38a and of a certification body pursuant to Article 39a;

(hb) authorise contractual clauses referred to in Article 42(2a)(a);

(i) approve binding corporate rules pursuant to Article 43;

(j) contribute to the activities of the European Data Protection Board;

(k) fulfil any other tasks related to the protection of personal data.

2. (…)

3. (…).

4. Each supervisory authority shall facilitate the submission of complaints referred to in point (b) of paragraph 1, by measures such as providing a complaint submission form which can be completed also electronically, without excluding other means of communication.

5. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and for the data protection officer, if any.

6. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Directive close

Art. 28

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

3. Each authority shall in particular be endowed with:

- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.
Austria
compare_arrows
visibility Old law

Tasks

§ 21 DSG

(1) At their request, the Data Protection Authority advises the committees of the National Council and the Federal Council, the Federal Government and the provincial governments on legislative and administrative measures. Before federal laws as well as regulations to be implemented by the Federal Government that directly concern issues of data protection law are adopted, the Federal Data Protection Authority shall be consulted.

(2) The Data Protection Authority shall make public, by way of a regulation in the Federal Law Gazette, the lists pursuant to Article 35 paras. 4 and 5 of the General Data Protection Regulation.

(3) The Data Protection Authority shall make public, by way of a regulation, the criteria to be specified pursuant to Article 57 para. 1 (p) of the General Data Protection Regulation. At the same time, the Data Protection Authority shall serve as the only national accreditation body pursuant to Article 43 para. 1 (a) of the General Data Protection Regulation.

Complaints with the Data Protection Authority

§ 24 DSG

(1) Every data subject has the right to lodge a complaint with the Data Protection Authority if the data subject is of the opinion that the processing of the personal data concerning the data subject infringes the General Data Protection Regulation or § 1 or Chapter 1, Article 2.

(2) The complaint must contain:

  1. the description of the right considered to have been infringed,
  2. to the extent reasonable, the description of the legal entity or the executive body or officer that is deemed to be responsible for the alleged infringement (respondent to the complaint),
  3. the facts from which the infringement is derived,
  4. the reasons for which the unlawfulness is alleged,
  5. the request to find that the alleged infringement has been committed, and
  6. the details which are necessary in order to decide whether the complaint has been lodged in due time.

(3) A complaint must be accompanied by the request on which it is based and the answer of the respondent to the complaint, if any. In the case of a complaint, the Data Protection Authority shall provide further assistance on request of the data subject.

(4) The right to have a complaint dealt with expires if the intervening party does not lodge the complaint within a year after having gained knowledge of the incident that gave rise to the complaint, but no later than within three years after the incident allegedly occurred. Late complaints shall be rejected.

(5) To the extent the complaint is shown to be justified, it is to be granted. If an infringement can be attributed to a private-sector controller, the controller shall be instructed to comply with the complainant’s requests for information, rectification, erasure, restriction or data communication to the extent required to eliminate the infringement that has been found to exist. To the extent that the complaint is not found to be justified, it shall be rejected.

(6) A respondent to the complaint can subsequently eliminate the alleged infringement until the end of the proceedings before the Data Protection Authority by complying with the complainant’s requests. If the Data Protection Authority deems the complaint to be settled thereby, it shall hear the complainant on this. Simultaneously, the complainant is to be informed that the Data Protection Authority will informally end the proceedings unless the complainant states reasons, within a reasonable period, why the complainant still considers the originally alleged infringement or at least parts of it as not having been eliminated. If such a statement by the complainant modifies the merits of the case (§ 13 para 8 of the General Administrative Procedure Act), the original complaint is to be deemed withdrawn and simultaneously a new complaint to be deemed lodged. In this case the original complaint procedure is also to be ended informally and the complainant is to be informed thereof. Late statements are to be ignored.

(7) The data subject shall be informed by the Data Protection Authority of the progress and the outcome of the investigation within three months of filing the complaint.

(8) Each data subject can apply to the Federal Administrative Court if the Data Protection Authority does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged.

(9) To the extent required, the Data Protection Authority can engage official experts to assist in the proceedings.

(10) The term allowed for the decision pursuant to § 73 of the General Administrative Procedure Act shall not include:

  1. the time during which proceedings are suspended until a final decision on a preliminary issue has been made;
  2. the duration of proceedings pursuant to Articles 56, 60 and 63 of the General Data Protection Regulation.

Accompanying measures in the complaint procedure

§ 25 DSG

(1) If, in the context of a complaint, the complainant satisfactorily demonstrates a serious infringement of his or her interests in confidentiality which deserve protection due to the processing of the complainant’s personal data, the Data Protection Authority may proceed according to § 22 para. 4.

(2) If the correctness of personal data is disputed in proceedings, the respondent to the complaint shall submit, by the end of the proceedings, a note stating that the correctness is disputed. If required, the Data Protection Authority shall order, by an administrative decision pursuant to § 57 para. 1 of the General Administrative Procedure Act, such note to be submitted at the request of the complainant.

(3) If a controller invokes a restriction pursuant to Article 23 of the General Data Protection Regulation in relation to the Data Protection Authority, the Data Protection Authority shall examine the lawfulness of the application of the restrictions. If the Data Protection Authority comes to the conclusion that it was not justified in keeping the processed personal data secret from the data subject, the disclosure of the data shall be ordered by an administrative decision. If the administrative decision by the Data Protection Authority is not complied with within eight weeks, the Data Protection Authority shall disclose the personal data to the data subject and shall communicate to the data subject the desired information or inform the data subject of the personal data that have already been rectified or erased.

(4) Administrative decisions that permit the transfer of data abroad shall be revoked once the legal or factual prerequisites for the issue of the permit no longer apply.
Old law close

See explanations concerning Art 51 GDPR (Link).
arrow_back Previous ArticleArticle 57 Next Article arrow_forward
close

2016 - www.itiplaw.eu.