Article 4(22). GDPR. Supervisory authority concerned

 

Author: Sebastian Bretthauer

(22) ‘supervisory authority concerned’ means: a supervisory authority which is concerned by the processing of personal data because:

  • (a) the controller or processor is established on the territory of the Member State of that supervisory authority;
  • (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
  • (c) a complaint has been lodged with that supervisory authority;

 

I. Overview

Art. 4(22) GDPR defines the term ‘supervisory authority concerned’. The provision is closely and systematically related to Art. 60 GDPR (→ Art. 60), which comprehensively regulates the cooperation between the lead supervisory authority (→ Art. 56 mn. 1) and the other supervisory authorities concerned.[1] That is because only the supervisory authorities concerned are required to participate in the cooperation and consistency mechanism under Art. 60 et seq. GDPR.[2] Whether a supervisory authority is a supervisory authority concerned is determined on the basis of the criteria exhaustively listed in Art. 4(22) GDPR. A supervisory authority is always a supervisory authority concerned if the controller (Art. 4(7)) or processor (Art. 4(8)) is established on the territory of the Member State of that supervisory authority (→ mn. 3 et seq.), data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing (→ mn. 5 et seq.), or a complaint (→ Art. 77) has been lodged with that supervisory authority (→ mn. 9 et seq.). Only in these three cases does a supervisory authority become a supervisory authority concerned. The authority in question is ‘concerned’ both in the sense that it is affected by a certain processing operation, as this presents some connection with its jurisdiction, and in the sense that such a connection triggers the authority’s involvement in a decision-making process concerning the ‘processing in hand’.[3] Although Art. 52 para. 5 GDPR also uses the term ‘supervisory authority concerned’, the wording there cannot be equated with the wording of Art. 4(22) GDPR.[4]

II. Legislative history

The previously applicable European Data Protection Directive 95/46/EC did not contain a comparable definition. Likewise, neither the Commission’s proposal nor the Parliament’s proposal contained a corresponding provision. The introduction of the term and the concept of ‘supervisory authority concerned’ is therefore a compromise, proposed for the first time by the Council[5] following criticism of the Commission’s idea of providing for the sole competence of the supervisory authorities of the main establishment.[6] The definition of the term thus became necessary in order to further develop the system of coordinated cooperation between different supervisory authorities (→ Art. 60 et seq.).[7]

III. Analysis
  1. Establishment of the controller or processor on the territory of the Member State of that supervisory authority, lit. a

Art. 4(22)(a) GDPR is based on the territorial connection to the data processor through its establishment.[8] Accordingly, the connecting factor is that a controller or processor is established in the territory of the Member State of the supervisory authority in question. In these cases, the competence as a supervisory authority concerned is linked to the term ‘establishment’. The GDPR does not contain a definition of this term. Therefore, the criteria established by the ECJ must be considered (see in detail → Art. 4(16) mn. 4 et seq.). The concept of establishment is to be interpreted broadly, so that even minor activity is sufficient.[9]

Under the criterion of establishment, a lead supervisory authority (→ Art. 56 mn. 4 et seq.), i.e. the authority of the main or single establishment of the controller or processor in the EU, also falls within the scope of the definition of ‘supervisory authority concerned’.[10] This view is also supported by the wording of Art. 60 para. 2 GDPR, which mentions ‘other’ supervisory authorities concerned in addition to a lead supervisory authority.[11] The same applies to Art. 66 GDPR. For example, if the lead supervisory authority were not classified as a ‘supervisory authority concerned’, it would not be able to take urgent interim measures under Art. 66 GDPR, as this provision only empowers the ‘supervisory authority concerned’ to do so.[12]

  2. Substantial impact on data subjects residing in the Member State of the supervisory authority, lit. b

Art. 4(22)(b) GDPR presupposes that the processing of personal data has or is likely to have a substantial impact on data subjects residing in the Member State of that supervisory authority. The provision is to be interpreted broadly in order to ensure effective fundamental rights protection for data subjects. The GDPR does not define in detail what is meant by ‘substantially affected or is likely to be substantially affected’. However, the wording is evidently intended to ensure that not every data processing activity that has consequences is covered.[13] The effect cannot consist solely in the fact that persons are affected by the processing, because otherwise this criterion would be superfluous alongside the term ‘data subject’.[14] Therefore, the data processing must be particularly intensive or burdensome, or at least have some kind of negative consequence.[15] These need not be exclusively legal consequences; purely factual consequences are equally sufficient.[16] The consequences need not have already occurred; it is sufficient if they will occur in the near future. However, the effects must be significant. A significant consequence is to be assumed in any case where there are special risks for the rights and freedoms of natural persons which may lead to physical, material or non-material damage (see recital 75).[17] The EDPB may issue guidelines on the criteria to be taken into account when determining whether a data processing operation has or is likely to have a substantial effect on data subjects (see recital 124).

[…]

[1] See also Case C-645/19, Facebook Ireland Ltd and others v Gegevensbeschermingsautoriteit, ECLI:EU:C:2021:483; Bretthauer, CMLR 59 (2022), 1543.

[2] Polenz, ‘Art. 4(22)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 1.

[3] Tosoni, ‘Art. 4(22)’, in Kuner/Bygrave/Docksey, 275.

[4] In detail Tosoni, ‘Art. 4(22)’, in Kuner/Bygrave/Docksey, 278.

[5] Council of the European Union, Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), 7920/16, Art. 4(19a).

[6] Polenz, ‘Art. 4(22)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 2.

[7] Polenz, ‘Art. 4(22)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 2.

[8] Polenz, ‘Art. 4(22)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 4.

[9] Case C-230/14, 1.10.2015, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639, para. 31; Tosoni, ‘Art. 4(22)’, in Kuner/Bygrave/Docksey, 275 et seq.

[10] Tosoni, ‘Art. 4(22)’, in Kuner/Bygrave/Docksey, 276.

[11] Polenz, ‘Art. 4(22)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 8.

[12] Tosoni, ‘Art. 4(22)’, in Kuner/Bygrave/Docksey, 276.

[13] WP 244 rev.01, Guidelines for identifying a controller or processor’s lead supervisory authority, adopted on 13 December 2016, revised and adopted on 5 April 2017, 3.

[14] Ziebarth in Sydow, Art. 4 para. 249.

[15] Ziebarth in Sydow, Art. 4 para. 249.

[16] Polenz, ‘Art. 4(22)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 6.

[17] Polenz, ‘Art. 4(22)’, in Simitis/Hornung/Spiecker gen. Döhmann, para. 6.
