Who are these actors?
The supervisory authority is an independent public authority established by the Member States of the EU. Laws are only effective if compliance is supervised and violations are sanctioned. For this reason, the GDPR provides for independent supervisory authorities in its Chapter 6 (Art. 51 to 59). Less formally, they are also called Data Protection Authorities or DPAs. DPAs are part of the executive branch of government but act with complete independence (Art. 52 GDPR), so that they are able to supervise other governmental bodies as well as private controllers and processors.
What are their tasks?
Supervisory authorities or DPAs are responsible for monitoring and enforcing the application of the GDPR. Furthermore, they shall promote public awareness and understanding of the risks, rules, safeguards and rights in relation to data processing. They also promote awareness among controllers and processors of their obligations under the GDPR.
The supervisory authority is one of the contact points for data subjects who want to lodge a complaint about an alleged infringement, and it is entitled to investigate such complaints. The supervisory authority also approves the criteria for certification mechanisms that controllers and processors can use to demonstrate compliance (Art. 42 GDPR).
The precise tasks of supervisory authorities are regulated in Art. 57 GDPR. The following subset of the 22 tasks listed in Art. 57(1) shall provide a general idea:
- Monitor and enforce the GDPR.
- Promote awareness of data protection rights and obligations among data subjects, the public, controllers, and processors.
- Handle complaints lodged by data subjects.
- Conduct investigations.
- Adopt, authorize, or approve different kinds of contractual clauses, provisions, or binding corporate rules.
In order to enforce the GDPR, supervisory authorities have “corrective powers” (Art. 58(2) GDPR) that range from warnings and reprimands, through orders to bring processing into compliance and administrative fines (Art. 83 GDPR), up to a temporary or definitive ban on processing.
What are their rights and responsibilities?
The supervisory authority is responsible for enforcing the correct application of the GDPR. To do so, supervisory authorities shall cooperate with each other (Art. 60 GDPR) but act independently in exercising their powers. EU Member States have to ensure that the supervisory authorities are provided with sufficient human, technical and financial resources (Art. 52(4) GDPR).
The supervisory authority has the power to ban or limit the processing of personal data by controllers and processors. However, each measure it takes, be it a ban, a warning or a reprimand, must be appropriate and proportionate to the infringement of the GDPR in question.
Does every Member State have a Supervisory Authority?
“Each Member State shall provide for one or more independent public [supervisory] authorities to be responsible for monitoring the application of [the GDPR] …”
(Art. 51(1) GDPR, highlighting and words in brackets by authors).
In practice, this means that some Member States have a single national supervisory authority, while others have several. For instance, France has a single supervisory authority, the Commission nationale de l’informatique et des libertés (CNIL). Germany, on the other hand, has multiple supervisory authorities. They are all at the same level but are competent for different kinds of processing activities: processing by federal public bodies and certain specific kinds of processing fall under the responsibility of the Federal Commissioner for Data Protection and Freedom of Information (BfDI); competence for other public and private processing activities is divided geographically among the supervisory authorities of the federal states (Bundesländer); and the churches have their own data protection authorities, which are competent for processing activities of church bodies.
Can I appeal decisions by the supervisory authority? What is the highest court of appeal?
The decisions of a supervisory authority can be challenged in court (Art. 78 GDPR), namely before the courts of the Member State in which the supervisory authority is established. This is typically done in a national administrative court. The decision of this first instance can be appealed to higher courts up to the national court of last instance. The Court of Justice of the European Union (CJEU) is not a further appeal instance in this chain; instead, national courts may, and courts of last instance must, refer questions on the interpretation of the GDPR to the CJEU for a preliminary ruling (Art. 267 TFEU), and the CJEU’s interpretation binds the referring court.
Note that there is no mechanism for controllers or processors to appeal a decision by a supervisory authority of a Member State to the European Data Protection Board. The EDPB’s dispute-resolution mechanism (Art. 65 GDPR) resolves disagreements between supervisory authorities in cross-border cases; it is not an appeal route for controllers or processors.