(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. 
Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.
(63) Whereas such authorities must have the necessary means to perform their duties, including powers of investigation and intervention, particularly in cases of complaints from individuals, and powers to engage in legal proceedings; whereas such authorities must help to ensure transparency of processing in the Member States within whose jurisdiction they fall;
Article 59 of the Regulation confirms the obligation for each supervisory authority to prepare an annual report and to transmit it to the national parliament, the government and other authorities designated by the national legislation. The report shall be made available to the public, to the Commission and to the European Data Protection Board.
The final version of the Regulation states that the report may include a list of types of infringement notified and types of measures taken in accordance with the powers vested in the supervisory authorities by Article 58 (2).
The Directive already provided that an activity report be provided at regular intervals by the supervisory authorities (Article 28 of the Directive).
We do not see a priori any difficulties with this provision, which merely confirms an existing practice in most Member States.
Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the Board.
1st proposal
Each supervisory authority must draw up an annual report on its activities. The report shall be presented to the national parliament and shall be made available to the public, the Commission and the European Data Protection Board.
2nd proposal
Each supervisory authority shall draw up an annual report of its activities. The report shall be transmitted to the national Parliament, the government and other authorities as designated by national law. It shall be made available to the public, the European Commission and the European Data Protection Board.
5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.
Activity reports and the publication of decisions
§ 23 DSG
(1) The Data Protection Authority shall prepare an activity report complying with Article 59 of the General Data Protection Regulation by 31 March of every year and submit it to the Federal Chancellor. The Federal Chancellor shall submit the report to the Federal Government, the National Council and the Federal Council. The Data Protection Authority shall make the report accessible to the public, the European Commission, the European Data Protection Board (Article 68 of the General Data Protection Regulation) and the Data Protection Council.
(2) Decisions made by the Data Protection Authority which are of fundamental importance to the general public shall be published by the Data Protection Authority in an appropriate manner while respecting official secrecy rules.
Old law
In force until May 25, 2018:
Organisation and Independence of the Data Protection Authority
§ 37 DSG 2000
(1) The head of the Data Protection Authority is independent and not bound by instructions in the exercise of his office.
(2) The Data Protection Authority is an administrative authority and human resource department. The Federal Finance Act shall provide for the necessary expenditures for staff and equipment. The officials of the Data Protection Authority shall be bound only by the instructions of the head. The head shall have the service prerogative over the officials of the Data Protection Authority.
(3) The Federal Chancellor can request information from the head of the Data Protection Authority about the operations of the authority. The head of the Data Protection Authority shall comply with such requests only insofar as this does not compromise the independence of the supervisory authority as laid down in Article 28 paragraph 1 sub-paragraph 2 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995, p. 31.
(4) The Data Protection Authority shall be heard before laws concerning essential issues of data protection and federal ordinances based on this federal law or which otherwise directly concern important issues of data protection are enacted.
(5) The Data Protection Authority shall formulate by 31 March every year a report about its workings in the preceding calendar year, submit it to the Federal Chancellor and publish it in an appropriate manner. The report shall be submitted to the National Council and the Federal Council by the Federal Chancellor.
(6) Decisions of the Data Protection Authority of fundamental importance to the general public shall be published by the Data Protection Authority in a suitable manner while respecting official secrecy rules.