Supervisory authorities under the GDPR

Each Member State (MS) must provide for at least one independent public authority (Supervisory Authority, SA) responsible for monitoring the consistent application of the data-protection laws. Doing so serves the protection of the fundamental rights and freedoms of individuals regarding processing, and it facilitates the free flow of personal data in the EU. In order to achieve these aims, all SAs in the respective countries must cooperate with each other and with the Commission.

SAs are appointed through national legislation, so their powers are limited to their MS's territory. However, under the one-stop-shop rule, the powers of a supervisory authority may extend to processing taking place in another EU country.

WP29 provides for more details at:

http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf

The list of all national SAs can be found at:

http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

Powers of the SA

The SA may order controllers and processors (and/or their representatives) to provide any information it requires for the performance of its tasks. The authority may also carry out investigations, in the form of data-protection audits or a review of certifications. Further, the SA has the power to notify the controller/processor of an alleged GDPR infringement. The SA is entitled not only to obtain (from the controller and the processor) access to all personal data and information necessary for the performance of its tasks, but also to obtain access to any premises of the controller and the processor, including any data-processing equipment and means.

Where the controller's or processor's operations have infringed the GDPR, the SA may issue warnings or reprimands, order the controller/processor to comply with the data subject's requests to exercise his/her rights under the GDPR or to bring processing operations into compliance with the GDPR, and order the communication of a data breach to the data subject. The SA may also impose a temporary or definitive limitation, including a ban on processing, and order the rectification/erasure of personal data or restriction of processing, together with notification of such action to recipients to whom the data has been disclosed. The SA has the power to withdraw a certification, impose an administrative fine, or order the suspension of data flows to a recipient in a third country or to an international organization.

Further, the SAs' authorization and advisory powers include:

  • advising the controller in accordance with the prior consultation
  • issuing opinions to the national parliament, the MS government or to other institutions and bodies, as well as to the public on any issue related to the protection of personal data
  • prior authorization (Art. 36(5) GDPR)
  • issuance of an opinion and approval of draft codes of conduct
  • accreditation of certification bodies
  • issuance of certifications and approval criteria of certifications
  • adoption of standard data-protection clauses
  • authorization of contractual clauses
  • authorization of administrative arrangements
  • approval of binding corporate rules