Author: Eva Souhrada-Kirchmayer

 

1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.
3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

 

I. Introduction

The central goal of the GDPR is the uniform application and enforcement of European data protection law. The GDPR as law of the Union is directly applicable in the Member States. According to Art. 55 para. 1, each SA in the territory of its own Member State is spatially responsible for the performance of its tasks and the exercise of its powers. In practice, however, cross-border data processing is the rule. To maintain uniformity of the application of the law and its enforcement, rules were therefore necessary which regulate the question of competence in the case of border crossings.

Arts. 55 and 56 provide for the responsibility of SAs in the form of a so-called “One-Stop Shop”. This means, both in business and in public administration, the ability to carry out all necessary bureaucratic steps that lead to the achievement of a goal in a single place. As a result, data subjects should be able to lodge their complaints with a SA and also receive the result of the complaint procedure from the same SA, even if it is a cross-border processing in which actors from several countries could be involved.[1]

Art. 55 contains the basic rule of general competence. Accordingly, the principle of territoriality applies in principle to international jurisdiction. This means that each SA must exercise its powers within the territory of its own Member State.

According to recital 122 each SA should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with the GDPR. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, the processing affecting data subjects on its territory, or the processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of the GDPR and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

 

II. Legislative history

Art. 55 para. 1 is an additional provision modifying and replacing Art. 28 DPD on the SAs. Art. 28 paras. 1 and 6 DPD only contained rudimentary predecessor provisions. According to this, the SAs were only, but also exclusively, responsible in the respective territory of the Member State. The problem of cross-border data processing was not regulated and was accordingly controversial.[2] There was no equivalent neither to Art. 55 para. 2 nor to Art. 55 para. 3 in the DPD. However, the limited competence of SAs vis-à-vis the judiciary is not new in EU legislation. A similar provision was included in Regulation 45/2001 on data protection within the EU-institutions.[3] This Regulation is now replaced by the EUDPR, which equally provides for an exception to the monitoring competence of the EDPS with regard to the processing of personal data by the Court of Justice acting in its judicial capacity.[4] The same policy – judges should not be supervised by non-judges – was reflected in the provisions in the Eurojust Decision and the Joint Supervisory Body for Eurojust.[5] Members of this body were normally judges and the three permanent members of this body who play a key role in its functioning always had to be judges.

 

 

[…]

 

 

 

[1]Jahnel in Jahnel, Art. 55, para. 1.

[2]Polenz, ‘Art. 55‘, in Simitis/Hornung/Spiecker gen. Döhmann, para. 2.

[3]Regulation (EC) No 45/2001, Art. 46, lit. c.

[4]Regulation (EU) No 2018/1725, Art. 57, para.1.

[5]Decision 2009/426/JHA, Art. 23 (repealed with effect from 12 December 2019).