Article 54
Rules on the establishment of the supervisory authority

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 54 keyboard_arrow_down Hide the recitals of the Regulation related to article 54 keyboard_arrow_up

(121) The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. The supervisory authority should have its own staff, chosen by the supervisory authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority.

Show the recitals of the Directive related to article 54 keyboard_arrow_down Hide the recitals of the Directive related to article 54 keyboard_arrow_up

(62) Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data;

The GDPR

Article 54 requires that Member States provide by law the conditions of establishment of the supervisory authorities. Each Member State sets the terms of appointment of the members both in regards to the appointment procedure and to the skills required, the term of office, and the prohibitions of employment or activities.

Thus, each Member State must provide by law (Art. 54 (1)):

- the establishment of each supervisory authority (a);

- the qualifications and eligibility conditions required to be appointed as member of each supervisory authority (b);

- the rules and procedures for the appointment of the member or members of each supervisory authority (c);

- the duration of the term of the member or members of each supervisory authority (that cannot be less than four years) and whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment (e); The duration of the first appointment after the entry of the Regulation in force may be less than 4 years where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure (d);

- the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment (f).

Finally, the last paragraph of Article 54 imposes that the member or members and the staff of each supervisory authority shall be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers as already provided by the Directive in its Article 28 (7).  This duty of professional secrecy is applied in particular with respect to reporting by natural persons of infringements of this Regulation (paragraph 2).

The Directive

As already indicated, the Directive says very little about the terms of appointment and the status applicable to the members of the supervisory authority as well as the modes for establishment of the supervisory authorities; at most, Article 28 (7) of the Directive imposed an obligation on the Member States to ensure that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.

Potential issues

We do not see a priori any specific implementation difficulties.

Group 29

Guidelines for identifying a controller or processor’s lead supervisory authority (5 april 2017)

Lien : http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611235

CJEU caselaw

C-518/07 (9 march 2010)

1.      Declares that, by making the authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to State scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, the Federal Republic of Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Federal Republic of Germany to pay the costs of the Commission;

3.      Orders the European Data Protection Supervisor (EDPS) to bear his own costs.

Opinion of Advocate general 

Judgment of the Court

C-614/10 (16 october 2012)

1.      Declares that, by failing to take all of the measures necessary to ensure that the legislation in force in Austria meets the requirement of independence with regard to the Datenschutzkommission (Data Protection Commission), more specifically by laying down a regulatory framework under which

–        the managing member of the Datenschutzkommission is a federal official subject to supervision,

–        the office of the Datenschutzkommission is integrated with the departments of the Federal Chancellery, and

–        the Federal Chancellor has an unconditional right to information covering all aspects of the work of the Datenschutzkommission,

the Republic of Austria has failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Republic of Austria to pay the costs incurred by the European Commission;

3.      Orders the Federal Republic of Germany and the European Data Protection Supervisor to bear their own respective costs.

Opinion of Advocate general 

Judgment of the Court

C-230/14 (1 october 2015)

1.      Article 4(1)(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one — in the context of which that processing is carried out.

In order to ascertain, in circumstances such as those at issue in the main proceedings, whether that is the case, the referring court may, in particular, take account of the fact (i) that the activity of the controller in respect of that processing, in the context of which that processing takes place, consists of the running of property dealing websites concerning properties situated in the territory of that Member State and written in that Member State’s language and that it is, as a consequence, mainly or entirely directed at that Member State, and (ii) that that controller has a representative in that Member State, who is responsible for recovering the debts resulting from that activity and for representing the controller in the administrative and judicial proceedings relating to the processing of the data concerned.

By contrast, the issue of the nationality of the persons concerned by such data processing is irrelevant.

2.      Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.

3.      Directive 95/46 must be interpreted as meaning that the term ‘adatfeldolgozás’ (technical manipulation of data), used in the Hungarian version of that directive, in particular in Articles 4(1)(a) and 28(6) thereof, must be understood as having the same meaning as that of the term ‘adatkezelés’ (data processing).

Opinion of Advocate general 

Judgment of the Court

Regulation
1e 2e

Art. 54

1.   Each Member State shall provide by law for all of the following:

a) the establishment of each supervisory authority;

b) the qualifications and eligibility conditions required to be appointed as member of each supervisory authority;

c) the rules and procedures for the appointment of the member or members of each supervisory authority;

d) the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

e) whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment;

f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment.

2.   The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

1st proposal close

Art. 49

Each Member State shall provide by law within the limits of this Regulation:

(a)     the establishment and status of the supervisory authority;

(b)     the qualifications, experience and skills required to perform the duties of the members of the supervisory authority;

(c)     the rules and procedures for the appointment of the members of the supervisory authority, as well the rules on actions or occupations incompatible with the duties of the office;

(d)     the duration of the term of the members of the supervisory authority which shall be no less than four years, except for the first appointment after entry into force of this Regulation, part of which may take place for a shorter period where this is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

(e)     whether the members of the supervisory authority shall be eligible for reappointment;

(f)      the regulations and common conditions governing the duties of the members and staff of the supervisory authority;

(g)     the rules and procedures on the termination of the duties of the members of the supervisory authority, including in case that they no longer fulfil the conditions required for the performance of their duties or if they are guilty of serious misconduct.

2nd proposal close

1. Chaque État membre prévoit, par voie législative:

a) la création (…) de chaque autorité de contrôle;

b) les qualifications (...) requises pour exercer les fonctions de membre de l'autorité de contrôle;

c) les règles et les procédures pour la nomination du membre ou des membres de chaque autorité de contrôle (…);

d) la durée du mandat du membre ou des membres de chaque autorité de contrôle, qui ne doit pas être (…) inférieure à quatre ans, sauf pour le premier mandat suivant l'entrée en vigueur du présent règlement, qui peut être d'une durée plus courte lorsque cela est nécessaire pour protéger l'indépendance de l'autorité de contrôle au moyen d'une procédure de nominations échelonnées;

e) le caractère renouvelable ou non renouvelable du mandat du membre ou des membres de chaque autorité de contrôle et, dans l'affirmative, pour combien de mandats;

f) (...) les conditions régissant les obligations du membre ou des membres et des agents de chaque autorité de contrôle, les interdictions d'activités ou d'emplois incompatibles avec celles-ci, y compris après la cessation de leurs activités, et les règles régissant la cessation de l'emploi;

g) (…).

2. Le membre ou les membres et les agents de chaque autorité de contrôle sont soumis, conformément au droit de l'Union ou à la législation nationale, au secret professionnel concernant toute information confidentielle dont ils ont eu connaissance dans l'exercice de leurs fonctions (…) ou de leurs pouvoirs, y compris après la cessation de leurs activités.

Directive close

Art. 28

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

3. Each authority shall in particular be endowed with:

- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.

51. General duties of Commissioner

(1) It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers.

(2) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act, and may give advice to any person as to any of those matters.

(3) Where—

(a) the [F1 Secretary of State] so directs by order, or

(b) the Commissioner considers it appropriate to do so, the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.

(4) The Commissioner shall also—

(a) where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice, and

(b) where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.

(5) An order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.

[F2(5A)In determining the action required to discharge the duties imposed by subsections (1) to (4), the Commissioner may take account of any action taken to discharge the duty imposed by section 52A (data-sharing code) [F3or section 52AA (direct marketing code)].]

(6) The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of—

(a) any Community finding as defined by paragraph 15(2) of Part II of Schedule 1,

(b) any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive, and

(c) such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the European Economic Area.

(7) The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.

(8) The Commissioner may charge such sums as he may F4... determine for any [F5 relevant] services provided by the Commissioner by virtue of this Part.

[F6(8A) In subsection (8) “relevant services” means—

(a) the provision to the same person of more than one copy of any published material where each of the copies of the material is either provided on paper, a portable disk which stores the material electronically or a similar medium,

(b) the provision of training, or

(c) the provision of conferences.

(8B)The Secretary of State may by order amend subsection (8A).]

(9) In this section—

“good practice” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;

“trade association” includes any body representing data controllers. 

52. Reports and codes of practice to be laid before Parliament

(1) The Commissioner shall lay annually before each House of Parliament a general report on the exercise of his functions under this Act.

(2) The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as he thinks fit.

(3) The Commissioner shall lay before each House of Parliament any code of practice prepared under section 51(3) for complying with a direction of the [F1 Secretary of State] , unless the code is included in any report laid under subsection (1) or (2).

Schedule 5 - The Data Protection Commissioner

1 (1) The corporation sole by the name of the Data Protection Registrar established by the M1Data Protection Act 1984 shall continue in existence by the name of the [F2Information Commissioner].

(2) The Commissioner and his officers and staff are not to be regarded as servants or agents of the Crown.

2 (1) Subject to the provisions of this paragraph, the Commissioner shall hold office for such term not exceeding [F4seven years] as may be determined at the time of his appointment.

(2) The Commissioner may be relieved of his office by Her Majesty at his own request.

(3) The Commissioner may be removed from office by Her Majesty in pursuance of an Address from both Houses of Parliament.

close