Author: Sebastian Bretthauer
(21) ‘supervisory authority’ means: an independent public authority which is established by a Member State pursuant to Article 51;
Art. 4(21) GDPR contains a definition of the term ‘supervisory authority’. The previously applicable European Data Protection Directive 95/46/EC did not contain a comparable definition. In the legislative process, the provision was only slightly changed; the Council proposal alone clarified it to the effect that the public authority established must also be independent. The provision is directly related to Art. 51 para. 1 GDPR, under which each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (→ Art. 51 para. 1). In the terminology of European law, these bodies are referred to as supervisory authorities, while colloquially the term data protection authority is more common. Every Member State of the EU has at least one supervisory authority. Finally, the existence of an independent data protection supervisory authority is already prescribed by European primary law (see Art. 8 para. 3 CFR and Art. 16 para. 2 TFEU).
Art. 4(21) GDPR contains three essential elements. First, the supervisory authority must be a public authority (→ mn. 3). Secondly, this authority must be independent (→ mn. 4). Thirdly, this independent authority must have been established by a Member State pursuant to Art. 51 GDPR (→ mn. 5). The provision thus clarifies that ‘supervisory authority’ within the meaning of the GDPR refers only to the authority described in Art. 51 (→ Art. 51). This does not prevent other authorities from intervening, in principle, in the event of unlawful (data protection) conditions. For example, the antitrust authority can intervene where unlawful data processing is an expression of the abuse of a dominant market position. In such cases, however, the intervening authority is only indirectly concerned with the data processing, since it primarily addresses an unlawful, sector-specific situation (such as market abuse).
Art. 4(21) GDPR emphasises that it must be a public authority. The term ‘public authority’ is not defined in the GDPR, and there is also no reference to other European or national laws. Therefore, the term must be interpreted in a European sense. Following the case law of the ECJ, the term ‘public authority’ is understood to mean ‘entities which, organically, are administrative authorities, namely those which form part of the public administration or the executive of the State at whatever level, are public authorities (…). This first category includes all legal persons governed by public law which have been set up by the State and which it alone can decide to dissolve [and] entities, be they legal persons governed by public law or by private law, which are entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, (…), and which are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law’. Thus, a purely private entity is not eligible to be an independent supervisory data protection authority.
The authority must also be independent. The details can be found in Art. 52 GDPR (→ Art. 52). In its previous case law, the ECJ has commented on the need for independence of supervisory authorities on several occasions. The characteristic of independence excludes any influence – whether of a governmental or private nature – on the supervisory authority. Likewise, it is a violation of independence if the supervisory authority is itself subject to supervision by the state bodies it monitors. Furthermore, the premature termination of a supervisory authority’s mandate is only permissible under particularly restrictive conditions. Finally, even a binding decision by the European Commission can be reviewed by the independent national data protection supervisory authorities. The importance of supervisory authorities as independent bodies will continue to increase in the coming years, as European and national supervisory authorities are central elements of the monitoring of, and compliance with, data protection rules. However, the fact that the supervisory authorities are independent does not mean that they are not subject to any control at all. For example, they may be subject to various control or monitoring mechanisms with regard to their financial expenditure. Likewise, their decisions in particular may be subject to judicial review (see recital 118, → Art. 52 mn. 7 et seq.).
Finally, the supervisory authority must have been established by a Member State pursuant to Art. 51 (→ Art. 51). The supervisory authority must be established by a legal act; as a general rule, a legislative act is therefore required. Delegated legislation, such as purely internal regulations governing the organisation of a supervisory authority, is therefore not sufficient.