The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

Relationship between domestic and European law

Often, even in the course of this Covid-19 pandemic, we have witnessed uncertainties on the part of the legislators of individual EU member states in identifying ways to intervene in issues and rights already governed by European law. Especially in the field of personal data protection, it is still astonishing that the procedure for the drafting of domestic legislation having an impact on the protection of personal data – bills, draft decree-laws or legislative decrees, draft regulations – must necessarily provide for the prior opinion of the national supervisory authority (“NSA”).


Authority Opinion


The opinion of the Supervisory Authority is not just an opinion necessitated by its technical expertise. First and foremost, the GDPR assigns the NSA the task of overseeing and ensuring the application of the GDPR (Art. 57.1(a)).

In carrying out this primary task, the regulation provides that the NSA “shall advise, in accordance with the law of the Member States, the national parliament, the government and other bodies and institutions on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to processing” [Art. 57.1(c)]. 

The aforementioned tasks, moreover, are supported by the attribution to the NSA of a specific power to “issue, on its own initiative or upon request, opinions to the national parliament, the government of the Member State, or, in accordance with the law of the Member States, to other bodies and institutions and to the public on matters concerning the protection of personal data” [Art. 58.3(b)].

In conclusion, the purpose of the NSA’s advisory and consultative work is to enable it to “ensure the application of the Regulation” and to ensure that the Member State’s parliamentary and executive institutions do not introduce legislation that would contradict the GDPR.


Primacy of European law


One might ask what legal basis justifies such a primacy of the rule of EU law over the domestic law of the member state. The answer is to be found in the treaties of accession to the Union.

In matters which the EU Treaties confer on EU law, as in the case of the regulation of personal data protection, EU law takes precedence over national law, so that “rules of national law, even if constitutional, which undermine the unity and effectiveness of that law cannot be accepted (see, to that effect, CJEU judgments of 26 February 2013, Melloni, C-399/11, EU:C:2013:107, paragraph 59, and of 29 July 2019, Pelham and Others, C-476/17, EU:C:2019:624, paragraph 78).” (CJEU, C-439/19, para. 135).

This also applies to the fundamental rights recognized by the Charter of Fundamental Rights of the European Union (“Nice Charter”), as “(t)he Court has repeatedly held that the fundamental rights now enshrined in the Charter, the observance of which the Court ensures, are inspired by the constitutional traditions common to the Member States and the indications provided by international acts relating to the protection of human rights to which the Member States have cooperated or acceded (see, to that effect, judgment of 27 June 2006, Parliament v Council, C-540/03, EU:C:2006:429, paragraph 35 and the case-law cited therein).” (CJEU, C-467/17, paragraph 61).