Supervisory authority

The supervisory authority is also referred to as the Data Protection Authority.

According to Article 51 of the GDPR, the supervisory authority is responsible for monitoring the application of the General Data Protection Regulation – GDPR and protecting the fundamental rights and freedoms of individuals (data subjects) related to the processing of personal data, and process the complaints made by data subjects.

Supervisor authority role and tasks

Supervisory authorities are expected to have a more proactive role and constantly monitor the pulse of the general public as well as creating a dialog with the national legislative authorities.

Each EU Member State is obligated to appoint one or more independent public authorities.

Supervisory authorities are responsible for supervising the application of the GDPR in each Member State, contribute to the consistent application of GDPR throughout the European Union, and cooperate with each other and the EU Commission.

If a Member State appoints more than one supervisory authority, the Member State will have to choose the supervisory authority that will represent those authorities in the Board and set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

Article 57 of the GDPR defines the tasks of the supervisory authorities, which includes, among others:

  • Monitor and enforce the application of the GDPR;
  • Promote public awareness
  • Understand the risks, rules, safeguards, and rights in relation to the processing
  • Advise the national parliament, the government, and other institutions
  • Provide information to any data subject concerning the exercise of their rights
  • Cooperate with other supervisory authorities, including sharing information and provide mutual assistance to ensure the consistency of application of the GDPR
  • Conduct investigations on the application of the GDPR
  • Monitoring the development of information and communication technologies
  • Adopting contractual clauses
  • Establish and maintain a list in relation to data protection impact assessment 
  • Facilitating the adoption of codes of conduct and certifications
  • approve binding corporate rules pursuant to Article 47;
  • Keeping records of infringements
  • Fulfill any other tasks related to the protection of personal data.

The supervisory authority is obligated to provide the electronic complaint form where the data subject can submit his/her case, and provide other means for submitting the complaint.

Supervisor authority powers

The GDPR has given each supervisory authority has 3 types of powers, defined in Article 58 of the GDPR.

1. Investigative powers

  • to order the controller and the data processor to provide the required information
  • to carry out data protection audits
  • to carry out a review on certifications
  • to notify the controller or the processor of an alleged infringement
  • to obtain, from the controller and the processor, access to all personal data and to all information necessary
  • to obtain access to any premises of the controller and the processor

2. Corrective powers

  • to issue warnings to a data controller or data processor
  • to issue reprimands to a controller or a processor for non-compliant data processing or GDPR violations
  • order the controller or the processor to comply with the data subject’s requests
  • order the controller or processor to bring processing operations into compliance
  • order the controller to communicate a personal data breach to the data subject;
  • impose a temporary or definitive limitation or ban on processing
  • order the rectification or erasure of personal data or restriction of processing
  • to impose an administrative fine
  • to order the suspension of data flows to a recipient in a third country or to an international organization

3. Advisory powers

  • to advise the controller in accordance with the prior consultation procedure
  • to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or to other institutions and bodies and the public on issues related to the protection of personal data
  • to issue an opinion and approve draft codes of conduct
  • to issue data protection certifications