Blog


 
2016. January 14.

Competition Authority publishes draft study on online accommodation booking services


In early December 2015 the Hungarian Competition Authority (“Gazdasági Versenyhivatal”; abbrev. HCA) published its draft study on the market of online accommodation booking services.

Pursuant to the Hungarian antitrust act[1], the HCA may launch a so-called business branch investigation where price changes or other market movements suggest that competition is deteriorating or lessening on any of the markets in the given business branch. On this basis, the president of the HCA ordered an investigation into the market of online booking services in April 2013. This became necessary after the HCA realized that, along with the ever-growing importance and publicity of online booking services, the possibility of market restrictions and deteriorations had increased as well. Nearly half of all accommodation bookings in Hungary were made online during the period of the procedure.

In the course of the investigation the HCA approached several market players for data, ordered a market survey from a professional advisory company and also used data from the Central Statistics Office and other research. The authority established that the appearance of online booking services has made the market more transparent than ever and has also supported price competition among accommodation providers. However, no competition was detected among the online services, and the prices of individual accommodations were basically the same at all online providers, at least during the period under investigation.

Based on the findings of the HCA, the lack of price competition was to a great extent a result of the so-called rate parity applied by the online booking providers, under which accommodations abstain from offering their services at a lower price at other online booking providers. Accommodations can only adhere to this by setting a uniform price on all online sales channels, which then ends price competition between online booking providers offering the very same accommodation. Since this practice is applied not only by international but also by domestic online booking providers, the HCA’s investigation drew the conclusion that even a single rate parity agreement with a major online booking provider may lead to uniform accommodation prices on the entire market, on all available sales channels.

The investigation has also shown that, on the one hand, rate parity has a rather negative effect from the point of view of accommodations, since they could reach higher profits by using their own sales channels or platforms applying lower commissions, whereas, on the other hand, occupancy ratios have increased as a result of online booking providers.

The HCA has also reviewed the European practice in this regard and found that it rather tends to accept the so-called restricted parity conditions, i.e. requiring accommodations not to offer their services on online booking platforms at lower rates than they do on their own websites.

In its general assessment the HCA establishes that full-scale rate parity agreements may restrict competition by standardizing prices and raising the constraints on market entry. These are not associated with efficiency advantages and positive effects on consumer welfare to such an extent as would justify the complete restriction of competition within a brand.

As a final conclusion the HCA points out that, since it has found that Hungarian-owned market players and international market players operating on the Hungarian market have not followed the restricted parity practice of international companies, it cannot be excluded that it will intervene to change the distorting market practices if market players do not alter their conduct in this regard.

Source: www.gvh.hu

[1] Section 43/D of the Act No. LVII of 1996

 
2015. October 22.

The ECJ’s milestone decision on the territorial scope of the Directive: the Weltimmo case


On 1 October 2015 the ECJ published its decision in case No. C-230/2014[1]. In the decision the ECJ followed the argumentation of Advocate General Pedro Cruz Villalón[2] and came to the conclusion that the principle of establishment should be applied by the authorities of the Member States, and consequently a data controller could be investigated solely in the Member State where it has its established office.

The so-called Weltimmo case will be an important reference and precedent regarding the interpretation of the territorial scope of the Directive[3]. The argumentation of the court is particularly important for companies providing services on or through the Internet.

  1. Facts

1.1 History and background of the case

Weltimmo s.r.o. was a company registered in Slovakia, operating several web sites[4] for real estate advertisements. The language of the web site is Hungarian and its servers are located in another Member State (Austria). No Hungarian company belongs to Weltimmo. In the Weltimmo case[5], NAIH, the Hungarian Data Protection Authority[6], imposed its highest fine on a Slovakian company (Weltimmo s.r.o. as defendant)[7]. The national procedure was relatively difficult to follow, since the first decision of the NAIH[8] was overruled by the administrative court for procedural reasons[9]; however, the court stated that the NAIH was right to find that it has competence over the case[10]. Although Weltimmo “won” the administrative court procedure, it appealed the judgment and asked the Supreme Court of Hungary to state that the NAIH did not have competence and jurisdiction over the case.

1.2 Decision of the national DPA

The NAIH also stated in the decision that the fact that Weltimmo had handed over the data of the non-paying users to private executors qualifies as unlawful transfer of personal data. This conclusion put an end to an evergreen dispute of Hungarian law: whether private executors are (sui generis) data controllers or are just acting on behalf of the data controller in the position of a technical data processor. In the decision NAIH took the position that the executors are sui generis data controllers and that the consent of the debtor would be required for their activity[11]. It is important that in the DPA’s conclusion Weltimmo is subject to Slovakian data protection law.

1.3. Decision of the First Instance Court

Weltimmo appealed the decision, but not only on the merits. It also stated that in its opinion NAIH has no jurisdiction. It cited the authority’s own bylaw and also made a direct reference to article 4 (1) of the Directive together with the practice of the Article 29 Working Party. The court held that the web site of Weltimmo contains data of Hungarian real estate properties, which belong to Hungarian citizens. The first instance court stated that “article 4 (1) of the Directive does not have direct effect to Hungary” and “it is not relevant whether Weltimmo has a registered seat or servers in Hungary since it did not restrict the registration and data collecting activity from Hungary”.

1.4. Questions of the National Curiae

The Supreme Court (National Curiae) ex officio turned to the ECJ regarding an ongoing case with seven questions about whether the NAIH had authority over a company registered in another Member State and without any presence in Hungary. The NAIH filed its comments to the ECJ, mainly stating that, if the ECJ stated that article 4 (1) of the directive applies, that would allow so-called “forum shopping”, which would allow defendants to opt out from a national law very easily.

  2. Arguments of the Parties

The Hungarian DPA made clear during the procedure that in its view the real activity of Weltimmo is in Hungary and the registered office is just an administrative basis for it: Weltimmo did not carry out any activity in Slovakia; Weltimmo developed two property dealing websites, written exclusively in Hungarian; it opened a bank account in Hungary and had a letter box in that Member State for its everyday business affairs. Moreover, the advertisers (data subjects) themselves not only had to enter the data relating to their properties on Weltimmo’s website, but also had to delete those data from that website if they did not want those data to continue to appear on the website after the end of the one-month period mentioned above.

  3. Decision of the ECJ

3.1 Concept of Establishment

The ECJ came to the conclusion that Weltimmo’s activity can be considered as establishment in Hungary[12].

The ECJ highlighted that the issue is, in essence, whether Articles 4(1)(a) and 28(1) of Directive 95/46 must be interpreted as permitting the data protection authority of a Member State to apply its national law on data protection with regard to a data controller whose company is registered in another Member State and who runs a property dealing website concerning properties situated in the territory of the first of those two States.

In its answer the ECJ came to the conclusion that the national law applicable to the controller in respect of that processing must therefore be determined not in the light of Article 28 of Directive 95/46, but in the light of Article 4 of that directive[13]. To this extent the ECJ applied the same test as laid down by the Google-case and followed the conclusion of the AG. As the Advocate General observed[14], the definition of the concept of ‘establishment’ is flexible and departs from a formalistic approach whereby undertakings are established solely in the place where they are registered. In order to establish whether a company, the data controller, has an establishment, within the meaning of Directive 95/46, in a Member State other than the Member State or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned. The court highlighted that this conclusion is particularly true for undertakings offering services exclusively over the Internet.

The subsequent step of the test applied by the court was to decide whether the processing of personal data at issue is carried out ‘in the context of the activities’ of that establishment. The ECJ found that the processing at issue consists, inter alia, of the publication, on Weltimmo’s property dealing websites, of personal data relating to the owners of those properties and, in some circumstances, of the use of those data for the purpose of the invoicing of the advertisements after a period of one month. In this respect, the Court highlighted that the operation of loading personal data on an Internet page must be considered to be ‘processing’ within the meaning of Article 2(b) of the Directive.

3.2 Applicable national law

The ECJ came to the conclusion that Hungarian law may be applied to the data processing by Weltimmo. 

The Hungarian court referred in particular to Slovak and Hungarian law, Slovak law being the law of the Member State in which the controller of the personal data concerned is registered and Hungarian law being the law of the Member State mentioned by the websites at issue in the main proceedings, in the territory of which the properties forming the subject-matter of the published advertisements are situated. In the ECJ’s view, the national law applicable to the controller in respect of that processing must be determined not in the light of Article 28 of the Directive but in the light of Article 4.

The processing is carried out in the context of the activities of that establishment, and Article 4(1)(a) of Directive 95/46 therefore permits, in a situation such as that at issue in the main proceedings, the application of the Hungarian law on the protection of personal data; the nationality of the data subjects is irrelevant.

  4. Investigation powers of the Hungarian Authority (ius puniendi)

The ECJ came to the conclusion that when a supervisory authority receives a complaint, in accordance with Article 28(4) of Directive 95/46, that authority may exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable to the processing in question.

However, if a national authority reaches the conclusion that the law of another Member State is applicable, it cannot impose penalties outside the territory of its own Member State. “In such a situation, it must, in fulfillment of the duty of cooperation laid down in Article 28(6) of that directive, request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits, based, where necessary, on the information which the authority of the first Member State has transmitted to the authority of that other Member State”[15].

In a situation such as that at issue in the main proceedings, if the applicable law is that of a Member State other than Hungary, the Hungarian Data Protection Authority will not be able to exercise the powers to impose penalties which Hungarian law has conferred on it.

[1] http://curia.europa.eu/juris/document/document.jsf?text=&docid=154887&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=319558

[2] Weltimmo s.r.o. v. NAIH (National Authority for Data Protection and Freedom of Information Hungary) (E.C.J., No. C-230/14, advocate general recommended opinion 6/25/15). The Hungarian version is available: http://curia.europa.eu/juris/celex.jsf?celex=62014CC0230&lang1=hu&type=TXT&ancre=

[3] DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

[4] ingatlanbazar.com, ingatlandepo.com

[5] For Hungarian-language commentary please see Dr. András Jóri: The Weltimmo case, available at http://www.jema.hu/article.php?c=257

[6] www.naih.hu

[7] It is worth noting that the websites have already been investigated by several Hungarian authorities. In December 2011 the Hungarian Competition Authority imposed a fine of EUR 20,000 on the defendant and stated that it had violated the Competition Act with its behavior, since the company offered free services but invoiced high fees after the expiry of a trial period. The scope of the Hungarian legislation covers any communication “aiming” at the territory of Hungary. It is the consistent practice of the Hungarian competition and consumer protection authorities that any Hungarian-language web site may be investigated under the laws of Hungary. Also, the competition authority filed a class action against the company requesting the competent court to declare the terms and conditions of the company invalid. The court agreed with the Competition Authority and ruled that certain clauses of the terms applied by these entities were unfair; accordingly, it also declared these clauses invalid.

[8] http://www.naih.hu/files/510_2012_jogellenes-adatkezeles-webes-tevekenyseg.pdf

[9] http://www.naih.hu/files/FKMB_2K29_113_2013_3weltimmo-itelet.pdf

[10] The NAIH repeated its procedure, rectified the procedural mistakes and adopted the same decision.

[11] This conclusion can be questioned, in particular in light of the provisions of article 7 of the Directive, which provides for the legal ground for data controlling without consent (or after the withdrawal of such consent) if it is necessary for the legal interest of the data controller. In our conclusion, debt collection obviously falls under the legal interests clause of the directive and therefore the handover of clients’ data to a private executor would not qualify as unlawful data processing under European law.

[12] Points 32 and 38: “In the present case, the activity exercised by Weltimmo consists, at the very least, of the running of one or several property dealing websites concerning properties situated in Hungary, which are written in Hungarian and whose advertisements are subject to a fee after a period of one month. It must therefore be held that that company pursues a real and effective activity in Hungary”.

[13] Point 23 of the judgement

[14] points 28 and 32 to 34 of his opinion

[15] Point 57.

 
2015. September 29.

Résumé of the resolution of the National Authority for Data Protection and Freedom of Information on data processing in course of lending


Resolution

The National Authority for Data Protection and Freedom of Information (hereinafter referred to as: “Authority”), has imposed a fine of HUF 2,000,000 on (_________) company (hereinafter referred to as: “Defendant”) in its resolution (no. NAIH/2015/328/20/H) as a result of its unlawful data processing activities. Furthermore, it has prohibited the unlawful processing of data by the Defendant and ordered the publication of its resolution, indicating the identification data of the Defendant as well.

According to the resolution the Defendant shall perform the following obligations:

  • In the absence of statutory authorization, even if in possession of the data subject’s express consent, processing of data involving gathering copies of personal identification documents of clients appearing personally in the Defendant’s premises breaches the principle of purpose limitation; therefore the Defendant is obliged to cease its practice of document copying and destroy the copies of personal identification documents which were gathered from the clients.
  • In the absence of statutory authorization, even if in possession of the data subject’s express consent, applying the contract condition on the loan applicants’ clean criminal record breaches the principle of purpose limitation; therefore the Defendant is obliged in future to refrain from applying this condition, which results in the processing of special data, in its business regulations and general contract conditions.
  • The Defendant is also obliged to delete the data content of the loan applications rejected in 2015 and to amend its processing method for the future in order to comply with the provisions of the Privacy Act.
  • Due to the infringement of the disclosure obligation prior to the commencement of data processing, the Defendant is obliged to amend its disclosure process regarding data processing according to the provisions of the Privacy Act. In the future, it shall give clients proper information about the legal basis and the aim of information gathering and data processing (in particular, it shall distinguish between personal data provided voluntarily and data whose provision is mandatory), and about the rights of data subjects and legal remedies, when personal data is recorded in its business regulations, in its forms, and in the course of providing information by telephone or internet as well.
  • In the future any data processing not aimed at lending (direct marketing purpose) shall be performed by the Defendant based on the voluntary, informed and express prior consent granted by the data subjects.
  • The Defendant shall notify its data processing operation to the Authority in order to be registered.

Findings

  1. The Authority has established that, in the course of its general procedural practice, the Defendant processes a wider range of data than is needed for evaluating the loan applications, concluding contracts and enforcing claims arising out of the lending.
  2. The business regulations and general contract conditions of the Defendant contained the provision that “By signing the contract the Client shall declare that he/she has no criminal record”. The Authority has considered that the aforementioned declaration has not served the objective of the reduction of risks of lending, since the lending could have taken place without processing special data related to clean criminal record because special data had to be declared not in course of the credit assessment but upon concluding the contract. Therefore the Defendant breaches the principle of purpose limitation.
  3. The Authority has furthermore established that copying of personal identification documents of the clients appearing in person breaches Section 4 para. (2) of the Privacy Act. Copying of personal identification documents cannot serve the objective of preventing fraud or more effective enforcement of claims, because in the absence of direct suspicion the indirect, remote possibility of abuse cannot be a basis for data processing.
  4. Upon acceptance of the loan application, the Defendant asks the debtor’s consent in the Declaration about client information to be authorized to receive data about the result of the enforcement of claims, which contains data about the debtor to be qualified as bank secrets, for the purpose of risk management and analysis, in case the Defendant confers its claims to an assigned third party. These data are relevant in case of evaluating a new loan application of the debtor, but this occurrence is unforeseeable and occasional, therefore it cannot serve as basis for data processing.
  5. The Authority has established several types of problems regarding the provision of information. The Defendant breaches its disclosure obligation in its business regulations since it does not provide complete and unambiguous information for the data subjects. Therefore consents granted by the data subjects cannot be deemed as informed consents.
  6. With regard to the obligatory data processing, the Authority has established that the Defendant (and all financial institutions) shall record the data of the credit agreement, or any contracts related to leasing, securities, lending etc. to the Central Credit Information System of consumer credit agreements (hereinafter referred to as “KHR”). However accessing of these data from the KHR depends on the consent granted by the client. The positive occurrence about the data subject can only be known from the KHR if the data subject provides its consent thereto, while the negative occurrence can be known from the KHR without any restriction.
  7. Pursuant to the Act No. CCXXXVII of 2013 on Credit Institutions and Financial Enterprises the Defendant (as well as all financial institutions) is obliged to record the telephone conversations about customer complaints between the financial institution or independent intermediary and the client, and shall retain this recording for a period of one year. This rule is not applicable to telephone conversations between the financial institution and the client which are not deemed to be complaints.
  8. The Authority has established that the practice of the Defendant is unlawful when by signing the contract, the loan applicant provides his/her consent automatically to data processing having different aims, because the Defendant does not ensure the possibility of voluntary consent for the client, therefore it breaches Section 3 point 7 of the Privacy Act.

In the course of applying sanctions, the Authority has to consider all the circumstances of the case, including the range of data subjects affected by the infringement, the significance of the infringement, and whether it has been a recurring breach. In this case, it has established that data processing has affected several thousands of persons, which has caused serious and recurring infringement, since the Defendant has unlawful data processing practice.

Applicable laws and basic regulations

  • Data Protection Directive 95/46/EC
  • Constitution of Hungary
  • Act CXII of 2011 ("Privacy Act")
  • Act V of 2013 (“New Civil Code”)
  • Act CLXII of 2009 on Consumer Credits
  • Act CXII of 1996 on Credit Institutions and Financial Enterprises (“Old Hpt.”)
  • Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (“New Hpt.”)
  • Act CXXXVI of 2007 on the Prevention and Combating of Money Laundering and Terrorist Financing (“Pmtv.”)
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (“Grt.”)
  • Government Decree 361/2009 (XII. 30.) on the conditions of prudent retail lending and the examination of creditworthiness

 
2015. August 23.

TRANSFER OF PERSONAL DATA BASED ON THE LEGAL BASE OF SAFE HARBOUR IS DECLARED INVALID BY THE CJEU


  I. Facts

The underlying procedure concerns an Austrian citizen, Mr. Schrems, a subscriber of the social network Facebook, and the Irish Data Protection Authority (hereinafter: the “DPA”). Facebook subscribers residing in the European Union are asked to sign a contract with Facebook Ireland, a subsidiary of Facebook Inc. established in the United States (‘Facebook USA’). Some or all of the data of subscribers to Facebook Ireland residing in the EU is transferred to Facebook USA’s servers in the United States, where it is kept on the basis of the “Safe Harbour Treaty”[1]. Mr. Schrems filed a complaint with the Irish Commissioner (hereinafter referred to as: the “DPA”) stating that the law and practices of the US offer no real protection of the data kept in the US against State surveillance, as he deemed that his data were accessed by the National Security Agency (NSA), and that it is therefore the DPA’s obligation to protect his fundamental rights.

The DPA rejected the complaint stating that the adequate level of protection in the US is ensured by the Safe Harbor Decision of the Commission and as such, it is bound by the Commission’s Decision.

  II. Questions raised by the case

Assessing the arguments of the parties in the underlying case the High Court of Ireland referred the following questions to the CJEU:

  1. Does the so-called Safe Harbour Decision of the Commission have the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection with regard to Articles 7, 8 and 47 of the ChFR and Article 25(6) of the DPA Directive; or

  2. Shall the national supervisory authority investigate such complaints in the light of the factual developments which have occurred since the Safe Harbour Decision was first published in the year 2000?

  III. Rights invoked in question

The factual basis of the case raises the concern for the evaluation of the Safe Harbor Decision in the light of Articles 7[2], 8[3] and 47[4] of the Charter of Fundamental Rights of the European Union (‘the Charter’) and of Article 25(6)[5] of Directive 95/46 (“DPA Directive”).

  IV. Analysis of Advocate General Yves Bot

AG Bot determines that, in his view, the existence of a decision adopted by the Commission on the basis of Article 25(6) of the DPA Directive cannot eliminate or even reduce the national supervisory authorities’ powers under that directive. On the contrary, if the national supervisory authorities receive complaints, it does not prevent them, in their independence, from forming their own opinion on the general level of protection ensured by a third country. In this regard he makes reference to the recital of the DPA Directive stating that “the establishment of national supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data” and concludes that this requirement derives also from the primary law of the European Union, in particular from the invoked Article 8(3)[6] of the ChFR, from the TFEU[7] itself and from the CJEU’s practice as well, when it states that “the supervisory authorities are the guardians of those fundamental rights and freedoms”.

AG Bot notes that the Member States must be able to take the measures necessary to safeguard the fundamental rights protected by the ChFR of the EU, i.e. the right to respect for private and family life and the right to the protection of personal data. However, he states that it is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU, without those citizens benefiting from effective judicial protection.

Such access of the US intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data and that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by those intelligence services is mass, indiscriminate surveillance.

Conclusively, AG Bot states that should the CJEU find infringements of the fundamental rights of EU citizens, the Commission shall suspend the application of the Safe Harbour Decision.

  V. Judgment of the CJEU

The Court of Justice upholds the main findings of the Advocate General and states the following.

It is now expressed by the CJEU that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the ChFR of the EU and the DPA directive and thus prevent their oversight on the transfer of personal data to third countries.

Thus, even if the Commission has adopted a decision, the national supervisory authorities must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the DPA Directive.

The Court observes that the scheme provided by the Safe Harbour Decision is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Moreover, national security and public interest requirements of the United States prevail over the safe harbour scheme, so the United States undertakings are bound to disregard, without limitation, the rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

  VI. Summary

The above ruling of the CJEU serves as a landmark decision, as it clarifies the powers of the national supervisory authorities vis-à-vis a decision adopted by the Commission on the adequate level of protection, and thus has a great impact on the domestic regulation of the legal basis for the transfer of personal data to third countries and on the respective practice of the Hungarian data protection authority.

[1] In Hungary, Section 8 (1)-(2) of the Data Protection Act provides for the possibility of data transfer to the USA on the legal basis of the Safe Harbor.

[2] Article 7 of the ChFR: “Everyone has the right to respect for his or her private and family life, home and communications.”

[3] Article 8 of the ChFR: “Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.”

[4] Article 47 of the ChFR: “Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article. Everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law. Everyone shall have the possibility of being advised, defended and represented.

Legal aid shall be made available to those who lack sufficient resources in so far as such aid is necessary to ensure effective access to justice.”

[5] Article 25 (6) of the DPA Directive: “The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.”

[6] Article 8 (3) of the DPA Directive: “Compliance with these rules shall be subject to control by an independent authority.”

[7] Article 16 (2) of the TFEU: “The European Parliament and the Council, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.”