Language of document : ECLI:EU:C:2010:125

JUDGMENT OF THE COURT (Grand Chamber)

9 March 2010 (*)

(Failure of a Member State to fulfil obligations – Directive 95/46/EC – Protection of individuals with regard to the processing of personal data and the free movement of such data – Article 28(1) – National supervisory authorities – Independence – Administrative scrutiny of those authorities)

In Case C‑518/07,

ACTION under Article 226 EC for failure to fulfil obligations, brought on 22 November 2007,

European Commission, represented by C. Docksey, C. Ladenburger and H. Krämer, acting as Agents, with an address for service in Luxembourg,

applicant,

supported by:

European Data Protection Supervisor, represented by H. Hijmans and A. Scirocco, acting as Agents, with an address for service in Luxembourg,

intervener,

v

Federal Republic of Germany, represented by M. Lumma and J. Möller, acting as Agents, with an address for service in Luxembourg,

defendant,

THE COURT (Grand Chamber),

composed of V. Skouris, President, A. Tizzano, J.N. Cunha Rodrigues, K. Lenaerts, J.-C. Bonichot and E. Levits, Presidents of Chambers, A. Rosas, K. Schiemann (Rapporteur), J.-J. Kasel, M. Safjan and D. Šváby, Judges,

Advocate General: J. Mazák,

Registrar: R. Grass,

having regard to the written procedure,

after hearing the Opinion of the Advocate General at the sitting on 12 November 2009,

gives the following

Judgment

1        By its application, the Commission of the European Communities requests the Court to declare that, by making the authorities responsible for monitoring the processing of personal data outside the public sector in the different Länder subject to State oversight, and by thus incorrectly transposing the requirement of ‘complete independence’ of the supervisory authorities responsible for ensuring the protection of that data, the Federal Republic of Germany has failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) (‘Directive 95/46’).

 Legal context

 Community legislation

2        Directive 95/46 was adopted on the basis of Article 100a of the EC Treaty (now, after amendment, Article 95 EC) and seeks to harmonise the national laws on the processing of personal data.

3        The 3rd, 7th, 8th, 10th and 62nd recitals in the preamble to Directive 95/46 are worded as follows:

‘(3)      Whereas the establishment and functioning of an internal market in which, in accordance with Article 7a of the Treaty [(now Article 14(2) EC)], the free movement of goods, persons, services and capital is ensured require not only that personal data should be able to flow freely from one Member State to another, but also that the fundamental rights of individuals should be safeguarded;

(7)      Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may therefore constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law; whereas this difference in levels of protection is due to the existence of a wide variety of national laws, regulations and administrative provisions;

(8)      Whereas, in order to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data must be equivalent in all Member States; whereas this objective is vital to the internal market but cannot be achieved by the Member States alone, especially in view of the scale of the divergences which currently exist between the relevant laws in the Member States and the need to coordinate the laws of the Member States so as to ensure that the cross-border flow of personal data is regulated in a consistent manner that is in keeping with the objective of the internal market as provided for in Article 7a of the Treaty; whereas Community action to approximate those laws is therefore needed;

(10)      Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms [signed at Rome on 4 November 1950 (‘the ECHR’)] and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;

(62)      Whereas the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data’.

4        Article 1 of Directive 95/46, entitled ‘Object of the Directive’, is worded as follows:

‘(1)      In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

(2)      Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.’

5        Article 28 of Directive 95/46, entitled ‘Supervisory authority’, provides:

‘(1)      Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.

(2)      Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data.

(3)      Each authority shall in particular be endowed with:

–        investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

–        effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

–        the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

(4)      Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

(5)      Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

(6)      Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

(7)      Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.’

6        Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ 2001 L 8, p. 1) was adopted on the basis of Article 286 EC. Article 44(1) and (2) of that regulation provide:

‘(1)      The European Data Protection Supervisor shall act in complete independence in the performance of his or her duties.

(2)      The European Data Protection Supervisor shall, in the performance of his or her duties, neither seek nor take instructions from anybody.’

 National legislation

7        Concerning the protection of individuals with regard to the processing of personal data of individuals, German law makes a distinction depending on whether or not that processing is carried out by public bodies.

8        There is therefore a difference between the authorities responsible, on the one hand, for monitoring compliance with the provisions concerning data protection by public bodies and, on the other hand, for monitoring compliance with data protection by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) (‘outside the public sector’).

9        The processing of data by public bodies is supervised, at Federal level, by the Federal representative responsible for the protection of personal data and freedom of information (‘Bundesbeauftragter für den Datenschutz und die Informationsfreiheit’) and, at regional level, by the representatives responsible for the protection of regional data (‘Landesdatenschutzbeauftragte’). Those representatives are solely responsible to their respective parliament and are not normally subject to any scrutiny, instruction or other influence from the public bodies which are the subjects of their supervision.

10      On the other hand, the organisation of the authorities responsible for supervising the processing of data by non-public bodies varies among the Länder. However, all the laws at Länder level expressly subject those supervisory authorities to State scrutiny.

 Pre-litigation procedure and proceedings before the Court

11      As it considers that it is an infringement of the second subparagraph of Article 28(1) of Directive 95/46 for the authority responsible for ensuring that non-public bodies comply with the provisions on the protection of individuals with regard to the processing of personal data to be subject to State scrutiny, as is the case in all the German Länder, on 5 July 2005 the Commission sent a letter of formal notice to the Federal Republic of Germany. The latter replied by letter dated 12 September 2005 maintaining that the relevant German system of supervision complies with the requirements of that directive. On 12 December 2006, the Commission then sent a reasoned opinion to the Federal Republic of Germany, reiterating the complaint made previously. In its reply of 14 February 2007, the Federal Republic of Germany reaffirmed its original position.

12      It was in those circumstances that the Commission decided to bring the present action.

13      By order of 14 October 2008, the President of the Court granted leave to the European Data Protection Supervisor (‘the EDPS’) to intervene in the present case in support of the form of order sought by the Commission.

 The action

 Arguments of the parties

14      The present dispute concerns two different interpretations that the Commission, supported by the EDPS, and the Federal Republic of Germany have of the words ‘with complete independence’ in the second subparagraph of Article 28(1) of Directive 95/46 and of the exercise of the supervisory authorities’ functions concerning protection of individuals with regard to the processing of personal data.

15      In the view of the Commission and the EDPS, which rely on a broad interpretation of the words ‘with complete independence’, the requirement that the supervisory authorities exercise their functions ‘with complete independence’ must be interpreted as meaning that a supervising authority must be free from any influence, whether that influence is exercised by other authorities or outside the administration. The fact that the authorities responsible for ensuring compliance with the provisions on the protection of individuals with regard to the processing of personal data outside the public sector are subject to State scrutiny in Germany constitutes an infringement of that requirement.

16      The Federal Republic of Germany proposes, on the contrary, a narrower interpretation of the words ‘with complete independence’ and maintains that the second subparagraph of Article 28(1) of Directive 95/46 requires the supervisory authorities to have functional independence in the sense that those authorities must be independent of bodies outside the public sector which are under their supervision and that they must not be exposed to external influences. However, in the view of the Federal Republic of Germany, the State scrutiny exercised in the German Länder does not constitute such an external influence, but rather the administration’s internal monitoring mechanism, implemented by the authorities attached to the same administrative machinery as the supervisory authorities and required, like the latter, to fulfil the aims of Directive 95/46.

 Findings of the Court

 The scope of the requirement of independence of the supervisory authorities

17      The assessment of the substance of the present action depends on the scope of the requirement of independence contained in the second subparagraph of Article 28(1) of Directive 95/46 and, therefore, on the interpretation of that provision. In that context, the wording itself of that provision and the aims and scheme of Directive 95/46 should be taken into account.

18      With regard, in the first place, to the wording of the second subparagraph of Article 28(1) of Directive 95/46, because the words ‘with complete independence’ are not defined by that directive, it is necessary to take their usual meaning into account. In relation to a public body, the term ‘independence’ normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure.

19      Contrary to the position taken by the Federal Republic of Germany, there is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. On the contrary, the concept of ‘independence’ is complemented by the adjective ‘complete’, which implies a decision-making power independent of any direct or indirect external influence on the supervisory authority.

20      In the second place, concerning the objectives of Directive 95/46, it is apparent from the third, seventh and eighth recitals in the preamble thereto that, through the harmonisation of national provisions on the protection of individuals with regard to the processing of personal data, that directive seeks principally to ensure the free movement of such data between the Member States, which is necessary for the establishment of and the functioning of the internal market, within the meaning of Article 14(2) EC (see, to that effect, Joined Cases C‑465/00, C‑138/01 and C‑139/01 Österreichischer Rundfunk and Others [2003] ECR I‑4989, paragraphs 39 and 70).

21      However, the free movement of personal data is liable to interfere with the right to private life as recognised, inter alia, in Article 8 of the ECHR (see, to that effect, the following judgments of the European Court of Human Rights: Amann v Switzerland, 16 February 2000, ECHR 2000-II, §§ 69 and 80, and Rotaru v Romania, 4 May 2000, ECHR 2000-V, §§ 43 and 46) and the general principles of European Community law.

22      For that reason, and as is apparent in particular from the 10th recital in the preamble to, and from Article 1 of, Directive 95/46, the latter seeks also not to weaken the protection guaranteed by the existing national rules, but on the contrary to ensure, in the European Community, a high level of protection of fundamental rights and freedoms with respect to the processing of personal data (see, to that effect, Österreichischer Rundfunk and Others, paragraph 70, and Case C‑73/07 Satakunnan Markkinapörssi and Satamedia [2008] ECR I‑0000, paragraph 52).

23      The supervisory authorities provided for in Article 28 of Directive 95/46 are therefore the guardians of those fundamental rights and freedoms, and their existence in the Member States is considered, as is stated in the 62nd recital in the preamble to Directive 95/46, as an essential component of the protection of individuals with regard to the processing of personal data.

24      In order to guarantee that protection, the supervisory authorities must ensure a fair balance between, on the one hand, observance of the fundamental right to private life and, on the other hand, the interests requiring free movement of personal data. Furthermore, under Article 28(6) of Directive 95/46, the different national authorities are called upon to cooperate with one another and even, if necessary, to exercise their powers at the request of an authority of another Member State.

25      The guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. It was established not to grant a special status to those authorities themselves as well as their agents, but in order to strengthen the protection of individuals and bodies affected by their decisions. It follows that, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the State or the Länder, and not of the influence only of the supervised bodies.

26      Concerning, in the third place, the scheme of Directive 95/46, the latter must be understood as the equivalent of Article 286 EC and Regulation No 45/2001. The latter concern the processing of personal data by European Community institutions and organs and the free movement of that data. Directive 95/46 also seeks to achieve those aims, but with regard to the processing of such data within the Member States.

27      In the same way as supervisory bodies exist at national level, a supervisory body responsible for ensuring the application of the rules on the protection of individuals with regard to the processing of personal data is also provided for at European Community level, namely, the EDPS. In accordance with Article 44(1) of Regulation No 45/2001, that body is to perform its duties in complete independence. Article 44(2) thereof clarifies that concept of independence by adding that, in the performance of its duties, the EDPS may neither seek nor take instructions from anybody.

28      In view of the fact that Article 44 of Regulation No 45/2001 and Article 28 of Directive 95/46 are based on the same general concept, those two provisions should be interpreted homogeneously, so that not only the independence of the EDPS, but also that of the national authorities, involve the lack of any instructions relating to the performance of their duties.

29      By relying on the wording itself of the second subparagraph of Article 28(1) of Directive 95/46 and on the aims and scheme of that directive, it is possible to reach a clear interpretation of the second subparagraph of Article 28(1) thereof. It is therefore not necessary to take into account the origins of that directive, or to rule on the arguments presented by the Commission and the Federal Republic of Germany, which are contradictory on that point.

30      In the light of the foregoing, the second subparagraph of Article 28(1) of Directive 95/46 is to be interpreted as meaning that the supervisory authorities responsible for supervising the processing of personal data outside the public sector must enjoy an independence allowing them to perform their duties free from external influence. That independence precludes not only any influence exercised by the supervised bodies, but also any directions or any other external influence, whether direct or indirect, which could call into question the performance by those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of personal data.

 State Scrutiny

31      It is next necessary to assess whether the State scrutiny to which the supervisory authorities are subject in Germany is consistent with the requirement of independence as defined above.

32      It should be noted that the State scrutiny, whatever form it takes, in principle allows the government of the respective Land or an administrative body subject to that government to influence, directly or indirectly, the decisions of the supervisory authorities or, as the case may be, to cancel and replace those decisions.

33      Admittedly, it should be acknowledged a priori, as is claimed by the Federal Republic of Germany, that the State seeks only to guarantee that acts of the supervisory authorities comply with the applicable national and European Community provisions, and that it therefore does not aim to oblige those authorities potentially to pursue political objectives inconsistent with the protection of individuals with regard to the processing of personal data and with fundamental rights.

34      However, the possibility remains that the scrutinising authorities, which are part of the general administration and therefore under the control of the government of their respective Land, are not able to act objectively when they interpret and apply the provisions relating to the processing of personal data.

35      As stated by the EDPS in its observations, the government of the Land concerned may have an interest in not complying with the provisions with regard to the protection of personal data where the processing of such data by a non-public body is at issue. That government may itself be an interested party in that processing if it actually or potentially participates therein, for example, in the case of a public-private partnership or in the case of public contracts with the private sector. That government may also have a specific interest if it is necessary or even merely useful for it to have access to databases in order to fulfil certain of its functions, in particular for taxation or law enforcement purposes. Furthermore, that government may also tend to favour economic interests in the application of the provisions on the protection of individuals with regard to the processing of personal data by certain companies which are economically important for the Land or region.

36      Furthermore, it should be pointed out that the mere risk that the scrutinising authorities could exercise a political influence over the decisions of the supervisory authorities is enough to hinder the latter authorities’ independent performance of their tasks. First, as was stated by the Commission, there could be ‘prior compliance’ on the part of those authorities in the light of the scrutinising authority’s decision-making practice. Secondly, for the purposes of the role adopted by those authorities as guardians of the right to private life, it is necessary that their decisions, and therefore the authorities themselves, remain above any suspicion of partiality.

37      In light of the foregoing considerations, it must be held that the State scrutiny exercised over the German supervisory authorities responsible for supervising the processing of personal data outside the public sector is not consistent with the requirement of independence as defined in paragraph 30 of the present judgment.

 The principles of Community law pleaded by the Federal Republic of Germany

38      The Federal Republic of Germany contends that it would be contrary to various principles of European Community law to interpret the requirement of independence in the second subparagraph of Article 28(1) of Directive 95/46 in a way which would oblige that Member State to renounce its tried and tested system of scrutiny of the supervisory authorities with regard to the processing of personal data outside the public sector.

39      First, in the opinion of that Member State, the principle of democracy, in particular, precludes a broad interpretation of that requirement of independence.

40      That principle, which is enshrined not only in the German constitution, but also in Article 6(1) EU, requires that the administration be subject to the instructions of the government which is accountable to its parliament. Thus, the legality of interventions concerning the rights of citizens and undertakings should be subject to the scrutiny of the competent minister. Since the supervisory authorities responsible for the protection of individuals with regard to the processing of personal data have certain powers of intervention with regard to citizens and entities outside the public sector under Article 28(3) of Directive 95/46, a heightened scrutiny of the legality of their activities by means of instruments for monitoring legality or substance is absolutely necessary.

41      It should be noted that the principle of democracy forms part of European Community law and was expressly enshrined in Article 6(1) EU as one of the foundations of the European Union. As one of the principles common to the Member States, it must be taken into consideration when interpreting acts of secondary law such as Article 28 of Directive 95/46.

42      That principle does not preclude the existence of public authorities outside the classic hierarchical administration and more or less independent of the government. The existence and conditions of operation of such authorities are, in the Member States, regulated by the law or even, in certain States, by the Constitution and those authorities are required to comply with the law subject to the review of the competent courts. Such independent administrative authorities, as exist moreover in the German judicial system, often have regulatory functions or carry out tasks which must be free from political influence, whilst still being required to comply with the law subject to the review of the competent courts. That is precisely the case with regard to the tasks of the supervisory authorities relating to the protection of data.

43      Admittedly, the absence of any parliamentary influence over those authorities is inconceivable. However, it should be pointed out that Directive 95/46 in no way makes such an absence of any parliamentary influence obligatory for the Member States.

44      Thus, first, the management of the supervisory authorities may be appointed by the parliament or the government. Secondly, the legislator may define the powers of those authorities.

45      Furthermore, the legislator may impose an obligation on the supervisory authorities to report their activities to the parliament. In that regard, a comparison may be made with Article 28(5) of Directive 95/46 which provides that each supervisory authority is to draw up a report on its activities at regular intervals which will then be made public.

46      In view of the foregoing, conferring a status independent of the general administration on the supervisory authorities responsible for the protection of individuals with regard to the processing of personal data outside the public sector does not in itself deprive those authorities of their democratic legitimacy.

47      Secondly, the principle of conferred powers enshrined in the first paragraph of Article 5 EC, also pleaded by the Federal Republic of Germany, obliges the Community to act within the limits of the powers conferred on it and of the objectives assigned to it by the EC Treaty.

48      The Federal Republic of Germany contends in that regard that the independence of the supervisory authorities in relation to the higher administrative authorities could not be required on the basis of Article 100A of the EC Treaty, which serves as the basis of Directive 95/46.

49      That provision empowers the Community legislature to adopt measures to improve the conditions for the establishment and functioning of the internal market and they must genuinely have that object, contributing to the elimination of obstacles to the economic freedoms guaranteed by the EC Treaty (see, in particular, Case C‑376/98 Germany v Parliament and Council [2000] ECR I‑8419, paragraphs 83, 84 and 95; Case C‑491/01 British American Tobacco (Investments) and Imperial Tobacco [2002] ECR I‑11453, paragraph 60; and Case C‑436/03 Parliament v Council [2006] ECR I‑3733, paragraph 38).

50      As has already been stated, the independence of the supervisory authorities, in so far as they must be free from any external influence liable to have an effect on their decisions, is an essential element in light of the objectives of Directive 95/46. That independence is necessary in all the Member States in order to create an equal level of protection of personal data and thereby to contribute to the free movement of data, which is necessary for the establishment and functioning of the internal market.

51      In light of the foregoing, a broad interpretation of the requirement of independence of the supervisory authorities does not go beyond the limits of the powers granted to the European Community under Article 100a of the EC Treaty, which is the legal basis of Directive 95/46.

52      In the third place, the Federal Republic of Germany pleads the principles of subsidiarity and proportionality, in the second and third paragraphs of Article 5 EC, and the principle of cooperation in good faith between the Member States and the Community institutions enshrined in Article 10 EC.

53      It notes in particular Paragraph 7 of the Protocol on the application of the principles of subsidiarity and proportionality, annexed to the EU Treaty and the EC Treaty by the Treaty of Amsterdam, according to which, without prejudice to Community law, care should be taken to respect well established national arrangements and the organisation and working of Member States’ legal systems.

54      It would be inconsistent with that requirement to oblige the Federal Republic of Germany to adopt a system which is foreign to its legal order and, thus, to give up an effective supervisory system established for almost 30 years and which has acted as a model for legislation on the protection of data, well beyond the national level.

55      Those arguments cannot be accepted. As was stated in paragraphs 21 to 25 and 50 of the present judgment, the interpretation of the requirement of independence enshrined in the second subparagraph of Article 28(1) of Directive 95/46 as meaning that it precludes State scrutiny does not go beyond what is necessary to achieve the objectives of the EC Treaty.

56      Having regard to all of the foregoing considerations, it must be held that, by making the authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to State scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, the Federal Republic of Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46.

 Costs

57      Under Article 69(2) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings. Since the Commission has applied for costs and the Federal Republic of Germany has been unsuccessful, the latter must be ordered to pay the costs.

58      The EDPS is ordered to bear its own costs.

On those grounds, the Court (Grand Chamber) hereby:

1.      Declares that, by making the authorities responsible for monitoring the processing of personal data by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) in the different Länder subject to State scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions ‘with complete independence’, the Federal Republic of Germany failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

2.      Orders the Federal Republic of Germany to pay the costs of the Commission;

3.      Orders the European Data Protection Supervisor (EDPS) to bear his own costs.

[Signatures]


* Language of the case: German.