Article 57. GDPR. Tasks

Author: Eva Souhrada-Kirchmayer

  1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing;

(d) promote the awareness of controllers and processors of their obligations under this Regulation;

(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(j) adopt standard contractual clauses referred to in Art. 28 para. 8 and in point (d) of Art. 46 para. 2;

(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Art. 35 para. 4;

(l) give advice on the processing operations referred to in Art. 36 para. 2;

(m) encourage the drawing up of codes of conduct pursuant to Art. 40 para. 1 and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Art. 40 para. 5;

(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Art. 42 para. 1, and approve the criteria of certification pursuant to Art. 42 para. 5;

(o) where applicable, carry out a periodic review of certifications issued in accordance with Art. 42 para. 7;

(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Art. 41 and of a certification body pursuant to Art. 43;

(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Art. 41 and of a certification body pursuant to Art. 43;

(r) authorise contractual clauses and provisions referred to in Art. 46 para. 3;

(s) approve binding corporate rules pursuant to Art. 47;

(t) contribute to the activities of the Board;

(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Art. 58 para. 2; and

(v) fulfil any other tasks related to the protection of personal data.

  2. Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of para. 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.
  3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.
  4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

I. Introduction

Art. 57 links the provisions on international matters and on competence of the SAs to the exercise of their powers. The tasks included in Art. 57 give meaning to the powers of these authorities, whereas the powers are needed to make the assignment of tasks meaningful.[1] While Art. 57 standardizes the tasks of the SAs, Art. 58 regulates the corresponding powers in order to be able to perform these tasks.[2] Art. 57 lists 21 single tasks of the SA (para. 1 lit. a to lit. u). As a general clause, para. 1 lit. v represents a standard rule. Art. 58 then defines 26 single powers. Both the tasks and the powers thus arise directly and uniformly from the directly applicable Union law.

While the provisions on tasks regulate the general aim and the field of sovereign activity, the provisions on powers represent the respective legal basis for sovereign action. That is, task provisions do not authorise official interventions on their own, but only in combination with a provision which empowers the SA to act. Conversely, an exercised power can also be illegal if it does not coincide with a specific task.[3]

The list of tasks is a minimum list, not an exhaustive catalogue of tasks. This is to ensure that all SAs in the Union have the same catalogue of tasks that may not be curtailed by national legislators. According to the intention of the Union legislator, this serves uniform monitoring and enforcement of the GDPR[4] and this regulation represents an important step towards harmonization.[5]

Art. 57 regulates the tasks that each SA must fulfil. According to para. 1 lit. v, the SAs also must perform any other tasks in connection with the protection of personal data. In this area, a specification by national regulations is possible.[6] Art. 57, however, also contains references to other articles of the GDPR which specify the tasks regulated in Art. 57. It also includes opening clauses for the Member States. The list of Art. 57 para. 1 is also completed by other task-related provisions scattered in the GDPR, such as the task of preparing an annual activity report (in accordance with Art. 59).

Under Art. 57 the SAs ‘shall’ perform all their tasks. This is mandatory. The GDPR does not permit the SA to disregard one of the tasks as such. However, Art. 57 does not address the question of how these tasks shall be performed. The independence of SAs makes it possible for them to prioritise their tasks, despite the fact that this is not mentioned in Art. 57 (nor in any other GDPR article).[7] The order in which the tasks are listed does not indicate a prioritization by the legislator.[8] However, according to the CJEU ruling in Schrems, complaints of data subjects should be handled with due diligence.[9] SAs should not act in a non-controllable and arbitrary manner.[10]

[…]

[1] Hijmans, ‘Art. 56’, in Kuner/Bygrave/Docksey, 932.

[2] Cf. a summary in Schmidl, ÖBA 2017, 27 (27 et seq.).

[3] Cf. Selmayr in Ehmann/Selmayr, Art. 57, para. 1 et seq.

[4] See recital 123 first sentence and recital 129 first sentence.

[5] Souhrada-Kirchmayer, ‘Der Entwurf eines neuen Datenschutz-Rechtsrahmens der Europäischen Union – Schwerpunkt Datenschutzbehörden’, in Jahnel (ed), Jahrbuch Datenschutzrecht und E-Government (2013), 9 (13 et seq.).

[6] Cf. recital 129 second sentence: ‘Member States may specify other tasks related to the protection of personal data under this Regulation’.

[7] Hijmans, ‘Art. 56’, in Kuner/Bygrave/Docksey, 933.

[8] Cf. Polenz, ‘Art. 57’ in Simitis/Hornung/Spiecker gen. Döhmann, para. 42.

[9] Judgment of 6 October 2015, Schrems v Data Protection Commissioner, C-362/14, ECLI:EU:C:2015:650, para. 63.

[10] Judgment of 9 March 2010, European Commission v Germany, C-518/07, ECLI:EU:C:2010:125, para. 41 et seq.
