The GDPR articles explained: Chapter 6 - Independent supervisory authorities

Chapter 6 of the GDPR focuses on establishing and defining the role of independent supervisory authorities (SAs) in ensuring compliance with data protection laws. This chapter has two sections:

• Section one (independent status), outlined in Articles 51 to 54, emphasizes the independent status of these authorities, which mandate their establishment, independence from external influence, and the criteria for the members' qualifications and tenure.
• Section two (competence, tasks and powers), comprising Articles 55 to 59, delineates the competence, tasks, and powers of these SAs. This includes their ability to monitor compliance, provide guidance to data controllers and processors, handle complaints, and enforce the GDPR through various powers, such as issuing fines and activity reporting (Article 59).

These sections collectively provide a comprehensive framework for the establishment, independence, competence, and enforcement capabilities of SAs, ensuring effective protection of individuals' data rights across the EU.

Article 51: Supervisory authority

Article 51 establishes the concept of SAs—independent public bodies responsible for overseeing the application of the regulation within each EU member state.

Here's a breakdown of the key points covered in this article:

Establishment of supervisory authorities: EU member states are required to set up one or more independent public authorities to monitor GDPR compliance. These SAs act as watchdogs for data protection rights.

Objectives: The SAs have two main objectives:

• Protect individual rights: Ensure the processing of personal data respects the fundamental rights and freedoms of data subjects.
• Facilitate data flow: Promote the free flow of personal data within the EU by ensuring consistent application of the GDPR across member states.

Cooperation: SAs are obligated to cooperate with each other and the European Commission to ensure consistent interpretation and enforcement of the GDPR throughout the European Union (EU). This fosters a unified approach to data protection.

Multiple supervisory authorities within a member state: If a member state has more than one SA, they must designate a lead authority to represent them in the European Data Protection Board (EDPB), a central body coordinating SAs activities. Additionally, they need to establish a mechanism to ensure all SAs within their jurisdiction comply with the GDPR's consistency rules.

Notification requirement: Member states must notify the European Commission of their national laws implementing Article 51.

Example

Imagine a large online retailer headquartered in Germany also has operations in France. They collect customer data from both countries. Here's how Article 51 might apply:

• Lead SA : The German SA would be the lead authority due to the company's headquarters being located there.
• Cooperation between SAs: The German and French SAs might cooperate to ensure the retailer is complying with the GDPR throughout its operations, potentially involving joint investigations or information sharing.
• Business impact: The retailer needs to be prepared to interact with both SAs and ensure their data processing practices comply with the GDPR in both Germany and France.

Article 52: Independence

Article 52 of the GDPR emphasizes the independence, a crucial principle for SAs.

Here's a breakdown of the key points of this article.

Complete independence: SAs must act completely independent when performing their tasks and exercising their powers under the GDPR. This ensures they make decisions objectively and without external pressure.

Freedom from influence: SA members must be free from any external influence, whether direct or indirect. They cannot be swayed by political or commercial interests and cannot take instructions from anyone outside the SA.

Focus on duties: SA members must avoid any actions incompatible with their duties and refrain from engaging in any conflicting activities during their term.

Resources for effectiveness: EU member states are obligated to provide SAs with the necessary human, technical, and financial resources to function effectively. This includes infrastructure, staff, and funding to carry out their duties, including collaboration with other SAs and the EDPB.

Independent staffing: SAs must have the authority to choose and manage their own staff. This ensures they have a team that aligns with their needs and independence.

Financial control with safeguards: While SAs may be subject to financial controls, these controls must not compromise their independence. Additionally, they must have separate and publicly available annual budgets, even if these budgets are part of the national budget.

Example

Imagine a major cloud service provider experiences a data breach affecting customers across the EU. Here's how Article 52 might apply:

• Independent investigations: The SAs of each member state with affected customers would conduct independent investigations into the breach, ensuring each investigation is free from external influence.
• Collaboration without pressure: While the SAs might collaborate to share information and resources, Article 52 ensures they do so without external pressure and can make independent decisions based on their findings.
• Business impact: The cloud service provider needs to be prepared to cooperate with multiple independent SAs during their investigations and address their concerns to avoid potential penalties.

Article 53: General conditions for the members of the supervisory authority

Article 53 of the GDPR outlines the requirements for appointing members of the SA.

Transparent appointment process: EU member states must ensure a transparent procedure for appointing SA members. This could involve selection by:

• Parliament
• Government
• Head of state
• An independent body specifically entrusted with the appointment process.

Qualifications and expertise: Each SA member must possess the necessary qualifications, experience, and skills, particularly in the area of data protection. This ensures they have the knowledge and expertise to effectively fulfill their duties and exercise their powers under the GDPR.

Term limits and dismissal: The term of office for SA members will end naturally upon expiry, resignation, or compulsory retirement, following the specific laws of each member state. Dismissal can only occur in cases of serious misconduct or if a member no longer meets the qualifications required to perform their duties.

Implications

Quality of data protection enforcement: The qualifications and expertise required for SA members can influence the quality and consistency of data protection enforcement across the EU. Businesses can benefit from a well-equipped SA workforce that understands the complexities of data protection and enforces the GDPR effectively.

Reduced risk of arbitrary decisions: Transparent appointment procedures and clear conditions for dismissal help to minimize the risk of SAs being influenced by political or other external factors. This fosters a more predictable data protection environment for businesses.

Importance of cooperation: Regardless of the specific appointment process, businesses should still strive to build positive and cooperative relationships with their relevant SAs.

Article 54: Rules on the establishment of the supervisory authority

Article 54 of the GDPR outlines the legal framework that EU member states must establish for their SAs—the independent public bodies responsible for overseeing data protection compliance within their jurisdictions.

Establishment and governance

• Legal basis: Member states must create national laws to establish their SAs.
• Qualifications and appointment: These laws will define the qualifications and eligibility requirements for SA members, along with the appointment process.
• Term limits: SA member terms must be at least four years, with the option for staggered appointments initially to safeguard independence.
• Reappointment: Member states can decide whether and how many terms SA members can be reappointed for.
• Obligations and cessation of employment: The laws will also establish the obligations of SA members and staff, including potential conflicts of interest limitations during and after their terms and rules for employment termination.

Confidentiality

• Duty of professional secrecy: Both SA members and staff are subject to a duty of professional secrecy. This means they must keep confidential any information they encounter during their work, protecting data subject privacy and sensitive information.
• Reporting infringements: This duty applies even to reports of GDPR infringements submitted by individuals.

Example

Imagine a large e-commerce company receives an inquiry from their SA regarding a data breach notification from a customer. Here's how Article 54 might apply.

Supervisory authority legitimacy: The company can be assured that the inquiry is coming from a legitimate SA with a legal basis for investigating potential GDPR infringements.

Transparency and qualifications: The defined qualifications for SA members can give the company some confidence that the inquiry is being handled by individuals with the necessary expertise.

Confidentiality: When responding to the inquiry, the company can be confident that any sensitive information they share with the SA will be kept confidential under the duty of professional secrecy.

Article 55: Competence

Article 55 defines the jurisdictional scope and limitations of SAs—the independent public bodies responsible for overseeing data protection compliance within the EU.

Territorial competence

National focus: Each SA is limited to its own member state's territory. They can only enforce the GDPR within their national jurisdiction.

Competence exceptions

• Public authorities and specific legal bases : For processing activities carried out by public authorities or private bodies acting under specific legal bases (Article 6(1)(c) - legal obligations or (e) - public interest tasks), theSA of the member state where the processing occurs is competent. This exception applies when the processing is tied to a specific member state's public interest or legal obligations.
• Article 56 not applicable: In these exceptional cases, the "one-stop-shop" mechanism (Article 56) described in the GDPR does not apply. This means there's no single lead SA for cross-border processing when these specific legal bases are used.

Judicial exclusion

Court independence: SAs are not authorized to oversee data processing activities conducted by courts acting in their judicial capacity. This safeguards the independence of the judiciary.

Example

Imagine a large healthcare provider with operations in several EU member states. They collect and share patient data for medical research, a public interest task under Article 6(1)(e).

• The supervisory authority of each member state where the healthcare provider processes patient data would have competence for overseeing that processing.
• Since the legal basis for sharing is a public interest task, the "one-stop-shop" mechanism would not apply. The healthcare provider might need to interact with multiple supervisory authorities in different member states.
• The healthcare provider needs to ensure their data sharing practices comply with the GDPR requirements in all relevant member states to avoid potential issues with multiple supervisory authorities.

Article 56: Competence of the lead supervisory authority

Article 56 establishes the concept of a lead supervisory authority (LSA) for cross-border data processing activities. This streamlines the GDPR enforcement process for businesses operating in multiple EU member states.

Lead supervisory authority: The GDPR designates an LSA for each data controller or processor engaged in cross-border processing activities. This authority is usually located in the member state where the main establishment of the controller or processor is situated.

Competence of lead supervisory authority: The LSA has primary responsibility for overseeing compliance with the GDPR for cross-border processing activities of a controller or processor. This includes handling complaints and addressing potential infringements of the GDPR related to such activities.

Exceptions to LSA

Complaints and infringements: Despite the LSA mechanism, any SA can handle complaints or potential GDPR infringements if they solely relate to an establishment in their member state or primarily affect data subjects there.

Procedures for exceptions: In these exceptional cases, the SA must inform the LSA and follow specific procedures (outlined in Articles 60-62) to either:

• Transfer the case; if the LSA decides to handle it.
• Retain the case; if the LSA decides not to handle it.

LSA as sole interlocutor

The LSA serves as the main point of contact for the controller or processor in matters related to cross-border processing activities, simplifying communication and coordination for businesses operating across multiple EU member states.

Implications

Streamlined compliance: Businesses operating across multiple EU member states can benefit from having a single SA overseeing their GDPR compliance efforts. This can streamline the compliance process and reduce administrative burdens.

Consistent enforcement: Having an LSA helps ensure consistent interpretation and application of the GDPR across different jurisdictions, promoting a level playing field for businesses.

Efficient resolution of disputes: The designated LSA facilitates efficient resolution of disputes and investigations related to cross-border data processing activities, reducing the risk of delays and uncertainties for businesses.

Example

Consider a multinational technology company with its headquarters in Ireland and subsidiaries in several other EU countries. If a data subject in France files a complaint regarding the company's data processing practices, the French SA would handle the complaint initially. However, since the company's main establishment is in Ireland, the French authority would inform the Irish Data Protection Commission, which would then decide whether to handle the case as the LSA or delegate it back to the French authority. This ensures an efficient handling of the complaint while respecting the GDPR's principles of cooperation and consistency.

Article 57: Tasks

Article 57 outlines the extensive responsibilities and tasks entrusted to SAs within the EU. These independent public bodies play a crucial role in enforcing the GDPR and safeguarding the data protection rights of data subjects.

• Monitoring and enforcement : SAs are tasked with monitoring and enforcing the application of the GDPR within their respective territories. This means they are responsible for ensuring that businesses comply with the regulation's requirements regarding the processing of personal data.
• Promoting public awareness: SAs are required to promote public awareness and understanding of the risks, rules, safeguards, and rights concerning data processing. This includes specific attention to activities targeted at children.
• Advisory role: SAs advise national parliaments, governments, and other institutions on legislative and administrative measures related to data protection.
• Assisting data subjects: SAs must provide information to data subjects upon request regarding the exercise of their rights under the GDPR. They are also responsible for handling complaints from data subjects and investigating them as necessary.
• Cooperation with other authorities: SAs are required to cooperate with other SAs to ensure the consistent application and enforcement of the GDPR across the EU.
• Conducting investigations: SAs have the authority to conduct investigations into the application of the GDPR, including those initiated based on information received from other authorities.
• Encouraging compliance measures: SAs encourage the development of codes of conduct, certification mechanisms, and data protection seals and marks to facilitate GDPR compliance by businesses.
• Approval and oversight: SAs approve codes of conduct, certification mechanisms, and binding corporate rules. They also conduct accreditations and periodic reviews of certifications.
• Facilitating complaint submission: SAs must facilitate the submission of complaints by providing means such as complaint submission forms, including electronic forms, to ensure accessibility.
• Cost implications: The performance of SA tasks is generally free of charge for data subjects and, if applicable, for data protection officers. However, in cases of manifestly unfounded or excessive requests, the authority may charge a reasonable fee or refuse to act on the request.

Example

Imagine a multinational IT company that provides cloud services to clients across the EU. One of its clients, a healthcare provider based in Germany, submits a complaint to the German SA alleging a data breach involving sensitive patient information stored on the company's servers. The German authority would investigate the complaint and may collaborate with other SAs in the EU, particularly if the breach affects data subjects in multiple member states. The IT company would need to cooperate fully with the authorities, provide necessary information, and take corrective measures as required by the GDPR to address the breach and ensure compliance with data protection regulations.

Article 58: Powers

Article 58 equips SAs with a robust set of investigative, corrective, authorization, and advisory powers. These powers empower SAs to effectively enforce the GDPR and ensure data protection compliance across the EU.

Investigative powers

• Information gathering: SAs can demand information from controllers, processors, and their representatives to fulfill their tasks.
• Data protection audits: SAs can conduct audits to assess data processing practices.
• Certification reviews: SAs can review and evaluate data protection certifications.
• Alleged infringement notifications: SAs can notify controllers or processors of suspected GDPR violations.
• Access to data and premises: SAs can access personal data, processing equipment, and relevant premises with legal authorization.

Corrective powers

• Warnings and reprimands: SAs can issue warnings for potential violations and reprimands for confirmed ones.
• Enforcing data subject rights: SAs can order controllers or processors to comply with data subject requests for rights like access or erasure.
• Data breach communication : SAs can mandate controllers to notify data subjects of personal data breaches.
• Processing restrictions: SAs can impose temporary or permanent limitations—including bans—on data processing activities.
• Data rectification/erasure: SAs can order the rectification, erasure, or restriction of personal data.
• Certification withdrawal: SAs can withdraw data protection certifications for non-compliance.
• Administrative fines: SAs can impose administrative fines for GDPR violations (covered in Article 83).
• Suspension of data flows: SAs can suspend data transfers to third-party countries or international organizations in non-compliant situations.

Authorization and advisory powers

• Prior consultation advice: SAs can advise controllers during the prior consultation process for specific data processing activities.
• Opinions and authorizations: SAs can issue opinions on data protection issues and authorize certain processing activities (if required by national law).
• Approving codes of conduct: SAs can review and approve data protection codes of conduct.
• Certification body accreditation: SAs can accredit certification bodies for data protection schemes.
• Standard data protection clauses: SAs can adopt standard data protection clauses for data transfers.
• Authorizing contractual clauses: SAs can authorize specific contractual clauses for data transfers under specific circumstances.
• Approving binding corporate rules: SAs can approve Binding Corporate Rules for intra-group data transfers.

Safeguards and enforcement

• Judicial oversight and due process: The exercise of these powers must be subject to legal safeguards, ensuring judicial review and fair procedures.
• Bringing infringements to justice: Member states can authorizeSAs to report violations to judicial authorities and initiate legal proceedings.
• Additional national powers: Member states can grant SAs additional powers beyond those listed in the GDPR, as long as they don't hinder Chapter VII (transfer of personal data).

Example

Suppose a large IT company based in the EU is found to be processing personal data without adequate security measures, resulting in a data breach affecting thousands of individuals. Upon investigation by the SA, it is discovered that the company failed to implement proper encryption protocols and access controls, violating the GDPR's requirements for data security. In response, the SA issues a reprimand to the company, orders the implementation of specific security measures within a specified period, and imposes a significant fine for the infringement. Additionally, the authority may suspend data flows to certain third-party service providers until adequate safeguards are in place, highlighting the substantial consequences of non-compliance with GDPR provisions in the IT sector.

Implications

Data protection measures: Organizations need to implement robust data protection measures and mechanisms to facilitate cooperation with SAs and address any non-compliance issues effectively.

Risk management: Given the authority of SAs to issue fines and impose corrective measures, businesses should prioritize risk management and compliance efforts to mitigate potential legal and financial risks.

Article 59: Activity reports

Article 59 outlines the requirement for supervisory authorities to prepare and publish annual reports on their activities.

Here's a breakdown of its key points and implications for businesses:

• Annual activity reports: Each SA is mandated to create an annual report summarizing its activities related to data protection enforcement and oversight. These reports may include details such as the types of infringements notified to the authority and the measures taken by the authority in response to these infringements, as outlined in Article 58, which includes corrective measures and enforcement actions.
• Transmission and accessibility: The reports generated by SAs must be transmitted to various governmental bodies as designated by member state law, which typically includes the national parliament and government. Furthermore, these reports must be made available to the public, the European Commission, and the EDPB.

Example

An IT company that provides cloud services reviews the annual activity report of the SA in its jurisdiction. The report highlights a significant increase in data breach notifications related to inadequate security measures among cloud service providers. In response to this trend, the SA has intensified its enforcement actions, including imposing fines and ordering remedial measures to enhance data security practices among cloud service providers.

As a result, the IT company recognizes the importance of prioritizing investments in enhancing its data security measures to mitigate the risk of non-compliance with the GDPR. It proactively engages with the SA to seek guidance on implementing industry best practices and participates in relevant forums or working groups to contribute to the development of standards for secure cloud computing.