CHAPTER VI

Independent supervisory authorities

 

 

Author: Eva Souhrada-Kirchmayer

 

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedomsof natural persons in relation to processing and to facilitate the free flow of personal datawithin the Union (‘supervisory authority’).
2. Each supervisory authority shall contribute to the consistent applicationof this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.
3. Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Art. 63.
4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

 

 

I. Purpose and importance of the provision

To harmonize European data protection law, the GDPR contains detailed provisions relating to the SAs in particular. The establishment of SAs in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. The provisions on the independent SAs are therefore particularly important from a fundamental rights perspective, since the supervision of the application of data protection law by independent SAs represents the institutional side of the fundamental right to the protection of personal data.

What is new is the express legal stipulation of the second aim of data protection supervision in para. 1, the facilitation of the free movement of personal data within the EU. The principle of uniform application of the GDPR is derived from this objective, the promotion of which is now the express task of the data protection SA.

According to Art. 4 no. 21 ‘‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Art. 51’. “State” means that the tasks of the SA cannot be privatized. A private company or a private trade association could therefore generally not exercise the function of a SA. These authorities are responsible to supervise the public authorities as well as the private controllers and processors.

The independence of SAs should not mean that the SAs cannot be subject to control or monitoring mechanisms regarding their financial expenditure or to judicial review. For example, according to Art. 78, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of the SA affecting them, as well as against inaction of a SA.

The establishment of an independent data protection SA is based on primary Union law. Art. 8 CFR regulates the protection of personal data and the requirements for the processing of personal data. Art. 8 para. 2 CFR provides that compliance with these rules shall be subject to control by an independent authority. According to Art. 16 para. 2 TFEU, the EP and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals regarding the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

 

 

 

[…]