Data Protection Directive

Article 28

Untitled

Supervisory authority

1\. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

2\. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

3\. Each authority shall in particular be endowed with:

\- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

\- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

\- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4\. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

5\. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

6\. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

7\. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.

Holdings

C-210/165 Jun 2018

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH

Where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise its powers under Article 28(3) of Directive 95/46 with respect to the establishment in its territory, even if that establishment is responsible only for selling advertising space and other marketing activities there, and even if another establishment in a different Member State has exclusive responsibility, for the whole territory of the European Union, for collecting and processing personal data.

C-210/165 Jun 2018

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH

Where a supervisory authority of a Member State intends to exercise the intervention powers referred to in Article 28(3) of Directive 95/46 against an entity established in that Member State because a third party responsible for processing the data, whose seat is in another Member State, infringed the rules on the protection of personal data, that authority is competent to assess the lawfulness of that processing independently of the supervisory authority of the other Member State. It may exercise those powers with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.

C-362/146 Oct 2015

Maximillian Schrems v Data Protection Commissioner

A Commission adequacy decision under Article 25(6) of Directive 95/46, such as Decision 2000/520, does not prevent a Member State supervisory authority under Article 28 from examining a person's claim that a transfer of personal data relating to that person from a Member State to the third country concerned does not adequately protect that person's rights and freedoms, where the person argues that the third country's law and practice do not ensure an adequate level of protection.

C-230/141 Oct 2015

Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság

If a Member State supervisory authority receives a complaint under Article 28(4) of Directive 95/46 and concludes that another Member State's law governs the processing, it may use its intervention powers only within its own territory. It therefore cannot impose penalties under its own law on a controller not established there. It must instead ask the supervisory authority of the Member State whose law applies to act under Article 28(6).

C-230/141 Oct 2015

Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság

In the Hungarian version of Directive 95/46, 'adatfeldolgozás' (technical manipulation of data), including in Articles 4(1)(a) and 28(6), means the same as 'adatkezelés' (data processing).