menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Denmark) language
Contact our local member in Denmark mail_outline
Visit the website of Integra account_balance

arrow_backPrevious Article
Article 57
Next Articlearrow_forward

Tasks

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 57 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 57 keyboard_arrow_up

Key words related to article 57

Show the recitals of the Regulation related to article 57 keyboard_arrow_down Hide the recitals of the Regulation related to article 57 keyboard_arrow_up

(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

(130) Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should closely cooperate with the supervisory authority with which the complaint has been lodged in accordance with the provisions on cooperation and consistency laid down in this Regulation. In such cases, the lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take utmost account of the view of the supervisory authority with which the complaint has been lodged and which should remain competent to carry out any investigation on the territory of its own Member State in liaison with the competent supervisory authority.

(131) Where another supervisory authority should act as a lead supervisory authority for the processing activities of the controller or processor but the concrete subject matter of a complaint or the possible infringement concerns only processing activities of the controller or processor in the Member State where the complaint has been lodged or the possible infringement detected and the matter does not substantially affect or is not likely to substantially affect data subjects in other Member States, the supervisory authority receiving a complaint or detecting or being informed otherwise of situations that entail possible infringements of this Regulation should seek an amicable settlement with the controller and, if this proves unsuccessful, exercise its full range of powers. This should include: specific processing carried out in the territory of the Member State of the supervisory authority or with regard to data subjects on the territory of that Member State; processing that is carried out in the context of an offer of goods or services specifically aimed at data subjects in the territory of the Member State of the supervisory authority; or processing that has to be assessed taking into account relevant legal obligations under Member State law.

There is no recital in the Directive related to article 57.

The GDPR

Article 57 defines the tasks assigned to the supervisory authorities. These tasks can be summarized as follows:

- tasks of monitoring, investigation and control (a and h), which applies in particular to keeping internal records of infringements of this Regulation and of enforcement measures taken (warnings, sanctions, action, etc.) (u);

- tasks of information and advice with regard to the public (b), to the legislative and executive authorities (c) and with regards to the controllers and processors (d); and on the technological developments related to personal data protection (i);

- tasks of handling and management of complaints and claims (f), which implies in particular the provision of a claim form (paragraph 2);

- tasks of mutual assistance to other national authorities (g);

- tasks for the certification, in compliance with the binding corporate rules (s), standard contractual clauses (j and r) and codes of conduct (m): mechanisms of certification seals and marks for data protection (n) approval, regular review of certifications granted (o); accreditation of certification bodies (p), and of bodies responsible for monitoring the codes of conduct (q);

- tasks relating to processing that is subject to the requirement for prior consultation (k): advice (l);

- tasks related to the activities of the European Data Protection Board (t);

Paragraph 5 states that the performance of the tasks of each supervisory authority shall be free of charge for the data subject (paragraph  3), unless the requests are manifestly excessive or unfounded, in which case the authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. It is the responsibility of the authority however to demonstrate the excessive or unfounded character of the request (paragraph 4).

The Directive

Pursuant to the Directive, each national supervisory authority was responsible for monitoring the application within its territory of the provisions transposing the Directive as adopted by the Member States (Article 28 (1)). On this basis, the application of the measures could be referred to the relevant national supervisory authority by any person for verification of the lawfulness of personal data processing or with any request relating to the protection of his or her rights and freedoms with regard to such processing (Article 28 (4)).

Those authorities should also be consulted on all proposed legislative, administrative or regulatory drafts relating to the protection of rights and freedoms of individuals with regard to personal data processing (Article 28 (2)).

Potential issues

The tasks of the supervisory authorities have been increased significantly with the new Regulation. They operate at all the levels of protection: they release or assist in the development of rules, they inform, they manage complaints and claims. They become real regulatory authorities. They must be provided with the means, which was not obvious in many Member States.

arrow_back Previous ArticleArticle 57Next Article arrow_forward
arrow_back Previous ArticleArticle 57 Next Article arrow_forward

Summary

European Union

European Union

Retour au sommaire

Article 29 Working Party

Guidelines on the application and setting of administrative fines - wp253 (3 October 2017)

(Endorsed by the EDPB)

The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.

Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.

Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.

This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.

In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.

These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.

In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.

Link

Retour au sommaire
arrow_back Previous Article Article 57 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-230/14 (1 October 2015) - Weltimmo

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general

Judgment of the Court

C-645/19 (15 June 2021) - Facebook Ireland e.a.

1.      Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to transpose Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of cross‑border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that that power is exercised in one of the situations where Regulation 2016/679 confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation and that the cooperation and consistency procedures laid down by that regulation are respected.

2.      Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross-border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings, within the meaning of that provision, that the controller or processor with respect to the cross-border processing of personal data against whom such proceedings are brought has a main establishment or another establishment on the territory of that Member State.

3.      Article 58(5) of Regulation 2016/679 must be interpreted as meaning that the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, within the meaning of that provision, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power, in accordance with the terms of the answer to the first question referred.

4.      Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, has brought a legal action, the object of which is an instance of cross-border processing of personal data, before 25 May 2018, that is, before the date when that regulation became applicable, that action may, from the perspective of EU law, be continued on the basis of the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. That action may, in addition, be brought by that authority with respect to infringements committed after that date, on the basis of Article 58(5) of Regulation 2016/679, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on a supervisory authority of a Member State which is not the ‘lead supervisory authority’ a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to the protection of the rights of natural persons as regards the processing of personal data, and that the cooperation and consistency procedures laid down by that regulation are respected, which it is for the referring court to determine.

5.      Article 58(5) of Regulation 2016/679 must be interpreted as meaning that that provision has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned.

Opinion of Advocate General 

Judgment of the Court

C-768/21 (26 September 2024) - Land Hessen (Obligation d’agir de l’autorité de protection des données)

Article 57(1)(a) and (f), Article 58(2) and Article 77(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that when a breach of personal data has been established, the supervisory authority is not required to exercise a corrective power, in particular the power to impose an administrative fine, under that Article 58(2) where such action is not appropriate, necessary or proportionate to remedy the shortcoming found and to ensure that that regulation is fully enforced.

Opinion of Advocate General 

Judgment of the Court

C-416/23 (9 January 2025) - Österreichische Datenschutzbehörde (Demandes excessives)

1.      Article 57(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that the concept of a ‘request’ contained in that provision covers the complaints referred to in Article 57(1)(f) and Article 77(1) of that regulation.

2.      Article 57(4) of Regulation 2016/679 must be interpreted as meaning that requests cannot be classified as ‘excessive’, within the meaning of that provision, solely on account of their number during a specific period, since the exercise of the option provided for in that provision is subject to the supervisory authority’s demonstrating the existence of an abusive intention on the part of the person who submitted those requests.

3.      Article 57(4) of Regulation 2016/679 must be interpreted as meaning that, when faced with excessive requests, a supervisory authority may choose, by reasoned decision, between charging a reasonable fee based on administrative costs and refusing to act on those requests, taking account of all the relevant circumstances and satisfying itself that the chosen option is appropriate, necessary and proportionate.

Opinion of Advocate General 

Judgment of the Court

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 57 Next Article arrow_forward
Regulation
1e 2e

Art. 57

1.   Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d) promote the awareness of controllers and processors of their obligations under this Regulation;

(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l) give advice on the processing operations referred to in Article 36(2);

(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r) authorise contractual clauses and provisions referred to in Article 46(3);

(s) approve binding corporate rules pursuant to Article 47;

(t) contribute to the activities of the Board;

(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v) fulfil any other tasks related to the protection of personal data.

2.   Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3.   The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4.   Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
1st proposal close

Art. 52 

1.           The supervisory authority shall:

(a)     monitor and ensure the application of this Regulation;

(b)     hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(c)     share information with and provide mutual assistance to other supervisory authorities and ensure the consistency of application and enforcement of this Regulation;

(d)     conduct investigations either on its own initiative or on the basis of a complaint or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;

(e)     monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(f)      be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;

(g)     authorise and be consulted on the processing operations referred to in Article 34;

(h)     issue an opinion on the draft codes of conduct pursuant to Article 38(2);

(i)      approve binding corporate rules pursuant to Article 43;

(j)      participate in the activities of the European Data Protection Board.

2.           Each supervisory authority shall promote the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention.

3.           The supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.

4.           For complaints referred to in point (b) of paragraph 1, the supervisory authority shall provide a complaint submission form, which can be completed electronically, without excluding other means of communication.

5.           The performance of the duties of the supervisory authority shall be free of charge for the data subject.

6.           Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.
2nd proposal close

Art. 52  

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation; (aa) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention;

(ab) advise, in accordance with national law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data;

(ac) promote the awareness of controllers and processors of their obligations under this Regulation;

(ad) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end;

(b) deal with complaints lodged by a data subject, or body, organisation or association representing a data subject in accordance with Article 73, and investigate, to the extent appropriate, the subject matter of the complaint and inform the data subject or the body, organisation or association of the progress and the outcome of the investigation within a reasonable period , in particular if further investigation or coordination with another supervisory authority is necessary;

(c) cooperate with, including sharing information, and provide mutual assistance to other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(d) conduct investigations on the application of this Regulation, including on the basis of a information received from another supervisory or other public authority;

(e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(f) adopt standard contractual clauses referred to in Article 26(2c); (fa) establish and make a list in relation to the requirement for data protection impact assessment pursuant to Article 33(2a);

(g) give advice on the processing operations referred to in Article 34(3);

(ga) encourage the drawing up of codes of conduct pursuant to Article 38 and give an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 38 (2);

(gb) promote the establishment of data protection certification mechanisms and of data protection seals and marks, and approve the criteria of certification pursuant to Article 39 (2a);

(gc) where applicable, carry out a periodic review of certifications issued in accordance with Article 39(4);

(h) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 38a and of a certification body pursuant to Article 39a;

(ha) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 38a and of a certification body pursuant to Article 39a;

(hb) authorise contractual clauses referred to in Article 42(2a)(a);

(i) approve binding corporate rules pursuant to Article 43;

(j) contribute to the activities of the European Data Protection Board;

(k) fulfil any other tasks related to the protection of personal data.

2. (…)

3. (…).

4. Each supervisory authority shall facilitate the submission of complaints referred to in point (b) of paragraph 1, by measures such as providing a complaint submission form which can be completed also electronically, without excluding other means of communication.

5. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and for the data protection officer, if any.

6. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Directive close

Art. 28

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

3. Each authority shall in particular be endowed with:

- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.
Denmark
compare_arrows

55. - (1)  The Data Protection Agency, which consists of a Council and a Secretariat, is responsible for the supervision of all processing operations covered by this Act, cf., however chapter 17.

(2) The day-to-day business is attended to by the Secretariat, headed by a Director.

(3) The Council, which shall be set up by the Minister of Justice, is composed of a chairman, who shall be a legally qualified judge, and of six other members. Substitutes may be appointed for the members of the Council. The members and their substitutes shall be appointed for a term of 4 years.

(4) The Council shall lay down its own rules of procedure and detailed rules on the division of work between the Council and the Secretariat.

56.  The Data Protection Agency shall act with complete independence in executing the functions entrusted to it.

57.  The opinion of the Data Protection Agency shall be obtained when Orders, Circulars or similar general regulations of importance for the protection of privacy in connection with the processing of data are to be drawn up.

58. – (1)  The Data Protection Agency shall supervise, on its own initiative or acting on a complaint from a data subject, that the processing is carried out in compliance with the provisions of this Act and any rules issued by virtue of this Act.

(2) The Data Protection Agency may at any time revoke a decision made in accordance with section 27 (4) or section 50 (2), cf. section 27 (1) or (3) 2 to 4, if the European Commission decides that transfer of data to specific third countries may not take place or whether such transfers may lawfully take place. This, however, shall only apply where the revocation is necessary in order to comply with the decision of the Commission.

(3) In special cases, the Data Protection Agency may prohibit or suspend the transfer of personal data within the scope of Section 27 (5).

59. – (1)  The Data Protection Agency may order a private data controller to discontinue a processing operation which may not take place under this Act and to rectify, erase or block specific data undergoing such processing.

(2) The Data Protection Agency may prohibit a private data controller from using a specified procedure in connection with the processing of data if the Data Protection Agency finds that the procedure in question involves a considerable risk that data are processed in violation of this Act.

(3) The Data Protection Agency may order a private data controller to implement specific technical and organizational security measures to protect data which may not be processed against processing, and to protect data against accidental or unlawful destruction or accidental loss, alteration, and disclosure to any unauthorized person, abuse or any other unlawful forms of processing.

(4) The Data Protection Agency may in special cases issue a prohibitory or mandatory injunction against data processors, cf. subsections (1) to (3).

60.  – (1)  The Data Protection Agency shall make decisions in relation to the relevant authority in cases concerning section 7 (7), section 9 (3), section 10 (3), section 13 (1), section 27 (4), sections 28 to 31, section 32 (1), (2) and (4), sections 33 to 37, section 39 and section 58 (2).

(2) In other cases, the Data Protection Agency shall give opinions to the authority acting as controller.

61.  No appeals may be brought before any other administrative authority against the decisions made by the Data Protection Agency under the provisions of this Act.

62. –  (1)  The Data Protection Agency may require to be furnished with any information of importance to its activities, including for the decision as to whether or not a particular matter falls under the provisions of this Act.

(2) The members and the staff of the Data Protection Agency shall at any time, against appropriate proof of identity and without any court order, have access to all premises from which processing operations carried out on behalf of the public administration are administered, or from which there is access to the data subject to processing, and to all premises where data or technical equipment are stored or used.

(3) Subsection (2) shall apply correspondingly as regards processing operations carried out on behalf of private data controllers to the extent that such processing is covered by section 50 or is carried out in connection with video surveillance.

(4) Subsection (2) shall also apply to processing operations carried out by processors as referred to in section 53.

63. – (1) The Data Protection Agency may decide that notifications and applications for authorizations under the provisions of this Act and any changes therein may or shall be submitted in a specified manner.

(2) An amount of DKK 2,000 shall be payable in connection with the submission of the following notifications and applications for authorizations under this Act:

  1. Notifications under section 48.
  2. Authorizations under section 50.
  3. Notifications under section 53.

(3) Notifications as referred to in subsection (2) 1 and 3 shall be deemed to have been submitted only when payment has been effected. The Data Protection Agency may decide that authorizations as referred to in subsection (2) 2 shall not be granted until payment has been effected.

(4) The provisions of subsection (2) 1 and 2 do not apply to processing of data which takes place exclusively for scientific or statistical purposes.

(5) Where a processing operation shall both be notified under section 48 and authorized under section 50, only a single fee shall be payable.

64. – (1)  The Data Protection Agency may, on its own initiative or at the request of another Member State, check that a processing operation of data taking place in Denmark is lawful, irrespective of whether or not the processing operation is governed by the legislation of another Member State. The provisions laid down in sections 59 and 62 shall be correspondingly applicable.

(2) The Data Protection Agency may further disclose data to supervisory authorities in other Member States to the extent that this is required in order to ensure compliance with the provisions of this Act or those of the data protection legislation of the Member State concerned.

65.  The Data Protection Agency shall submit an annual report on its activities to Folketinget (the Danish Parliament). The report shall be made public. The Data Protection Agency may also make its opinions accessible to the general public. Section 30 shall be correspondingly applicable.

66.  The Data Protection Agency and the Danish Court Administration shall co-operate to the extent required to fulfil their obligations, particularly through the exchange of all relevant data.

 
Belgique close

Art. 29

§ 1er. La Commission émet soit d'initiative, soit sur demande du Gouvernement, des Chambres législatives, des (Gouvernements de communauté ou de région), des (Parlements de communauté ou de région), du Collège réuni ou de l'Assemblée réunie visés à l'article 60 de la loi spéciale du 12 janvier 1989 relative aux institutions bruxelloise ou d'un comité de surveillance, des avis sur toute question relative à l'application des principes fondamentaux de la protection de la vie privée dans le cadre de la présente loi, ainsi que des lois contenant des dispositions relatives à la protection de la vie privée à l'égard des traitements de données à caractère personnel.

§ 2. Toute demande est adressée à la Commission par pli recommandé à la poste.

Sauf si la loi en dispose autrement, la Commission émet ses avis dans un délai de soixante jours après que toutes les données nécessaires à cet effet lui auront été communiquées.

§ 3. Dans tous les cas ou l'avis de la Commission est requis par ou en vertu d'une loi, d'un décret ou d'une ordonnance, il peut être dérogé à cette obligation lorsque l'avis n'a pas été rendu dans le délai prévu au paragraphe 2.

Dans les cas où l'avis de la Commission est requis par une disposition de la présente loi, à l'exception de l'article 11, le délai visé au § 2 est réduit à quine jours au minimum dans des cas d'urgence spécialement motivés.

§ 4. Les avis de la Commission sont motivés.

§ 5. La Commission communique son avis à l'autorité concernée.

Une copie de l'avis est adressée au Ministre de la Justice.

Dans les cas où l'avis de la Commission est requis, l'avis doit être publié au Moniteur belge en même temps que l'acte réglementaire auquel il se rapporte.

Art. 30

§ 1er. La Commission peut émettre, soit d'initiative, soit sur demande du Gouvernement, des Chambres législatives, des (Gouvernements de communauté ou de région), des (Parlements de communauté ou de région), du Collège réuni ou de l'Assemblée réunie visés à l'article 60 de la loi spéciale du 12 janvier 1989 relative aux institutions bruxelloises ou d'un comité de surveillance, des recommandations sur toute question relative à l'application des principes fondamentaux de la protection de la vie privée dans le cadre de la présente loi, ainsi que des lois contenant des dispositions relatives à la protection de la vie privée à l'égard des traitements de données à caractère personnel.

§ 2. Avant d'adresser une recommandation au (responsable du traitement), la Commission lui donne l'occasion de faire connaître son point de vue.

§ 3. Les recommandations de la Commission sont motivées. Une copie de chaque recommandation est transmise au Ministre de la Justice.

Art. 31

§ 1er. Sans préjudice de toute action devant les tribunaux et sauf si la loi en dispose autrement, la Commission examine les plaintes signées et dates qui lui sont adressées. Ces plaintes peuvent avoir trait à sa mission de protection de la vie privée à l'égard des traitements de données à caractère personnel ou à d'autres missions qui lui sont confiées par la loi.

§ 2. La procédure est réglée par le règlement d'ordre intérieur. Celui-ci prévoit l'exercice d'un droit de défense.

§ 3. La Commission examine la recevabilité de la plainte. Si la plainte est recevable, la Commission accomplit toute mission de médiation qu'elle juge utile. En cas de conciliation des parties, fondée sur le respect de la vie privée, elle dresse un procès-verbal dans lequel la solution retenue est explicitée. En l'absence de conciliation, la Commission émet un avis sur la caractère fondé de la plainte. Son avis peut être accompagné de recommandations à l'intention du (responsable du traitement)

§ 4. Les décisions, avis et recommandations de la Commission sont motivés.

§ 5. La Commission communique sa décision, son avis ou ses recommandations au plaignant, au (responsable du traitement) et à toutes les autres parties à la cause.  Une copie de la décision, de l'avis des recommandations est adressée au Ministre de la Justice.

Art. 31bis

§ 1er. La loi institue au sein de la Commission des comités sectoriels compétents pour instruire et statuer sur des demandes relatives au traitement ou à la communication de données faisant l'objet de législations particulières, dans les limites déterminées par celle-ci.

§ 2. Sans préjudice de l'article 37 de la loi du 15 janvier 1990 relative à l'institution et à l'organisation d'une Banque-Carrefour de la sécurité sociale, chaque comité sectoriel est composé de trois membres de la Commission, effectifs ou suppléants, dont le président ou un membre désigné en qualité de président par la commission ainsi que de trois membres externes désignés par la Chambre des représentants conformément aux conditions et modalités prévues par ou en vertu de la législation particulière qui régit le comité concerné. En cas de parité des voix, la voix du président est prépondérante.

Le fonctionnaire dirigeant de l'institution de gestion du secteur concerné peut être invité aux réunions du comité avec voix consultative.

§ 3. Les demandes relatives au traitement ou à la communication de données réglementées par une législation particulière, introduites auprès de la Commission, sont transmises par celle-ci au comité sectoriel compétent s'il a été constitué ainsi qu'à l'institution de gestion du secteur concerné; celle-ci transmet au comité un avis technique et juridique endéans les quinze jours et pour autant que le dossier soit en état. Le comité statue, sous la même réserve, endéans les trente jours de la réception de cet avis ou, le cas échéant, de l'expiration du délai de quinze jours précité; à défaut, sa décision est réputée conforme à l'avis technique et juridique précité.

Si une demande visée à l'alinéa précédent doit être traitée, pour raisons urgentes, dans un délai plus court que celui fixé à cet alinéa, le président communique, le plus rapidement possible, la demande, l'avis juridique et technique et le projet de décision aux membres, lesquels sont invités à communiquer au président, dans le délai qu'il détermine, leur position quant au projet de décision.

Le projet de décision ne devient définitif que si aucun membre ne fait connaître, dans le délai prescrit par le président, son désaccord avec les éléments essentiels de ce projet. Si les circonstances le justifient, le président organise une réunion extraordinaire du comité sectoriel. Le président apprécie, en concertation avec le fonctionnaire dirigeant de l'institution concernée, l'existence de raisons urgentes de nature à justifier l'application des deux alinéas précédents. Sans préjudice de l'article 44 de la loi précitée du 15 janvier 1990, le président du comité peut décider de suspendre l'examen d'un dossier afin de le soumettre à la Commission qui rend sa décision dans le délai d'un mois.

§ 4. Hors le cas où elle est assumée par le président ou le vice-président de la Commission, la présidence d'une section donne droit à un double jeton de présence.

§ 5. Sans préjudice de l'article 41 de la loi précitée du 15 janvier 1990, les Comités sectoriels sont établis et se réunissent au siège de la Commission, sauf si l'institution de gestion concernée demande que le comité sectoriel dont elle relève soit établi et se réunisse auprès d'elle.

La Commission peut accéder à cette demande, pour autant que l'institution de gestion mette préalablement à la disposition du président du comité sectoriel les bureaux et moyens bureautiques nécessaires au fonctionnement dudit comité et à sa présidence, un secrétaire que le président choisit en concertation avec le fonctionnaire dirigeant de l'institution concernée ainsi que du personnel spécialisé, notamment des juristes et des informaticiens, dans la mesure requise par la réalisation des missions du comité sectoriel. Le président du comite sectoriel a la responsabilité fonctionnelle de ce personnel en ce qui concerne les tâches qu'il assume pour ce comité.
arrow_back Previous ArticleArticle 57 Next Article arrow_forward
close

2016 - www.itiplaw.eu.