Thanks to the threat of fines ranging up to 20 million euros or 4 percent of the company’s annual global turnover, many are nowadays aware of the existence of the GDPR – which is a miracle in and of itself. How many other EU regulations can you list off the top of your head?
However, instead of mulling over the threat of huge fines, we feel it is best to provide our readers with an overview of the proverbial boogeymen who are responsible for dishing out fines. Under the GDPR, these are called ‘supervisory authorities’ and every Member State is required to appoint one.
In most cases these will be the existing privacy agencies (such as the UK's ICO); countries with more than one agency, like Germany, will divide the responsibilities along federal lines and designate one agency as the lead.
Regulatory Tasks
Article 57 of the GDPR outlines the tasks that the supervisory authorities must fulfil. In a nutshell, they must fulfil all tasks ‘related to the protection of personal data’. This includes, among others:
- Monitoring compliance
- Advising political entities
- Handling individual complaints
- Promoting awareness
- Cooperating with other SAs
- Monitoring new technological developments
- Developing contractual clauses
- Facilitating the adoption of codes of conduct and certifications
- Keeping records of infringements
The SAs are envisioned to take a proactive role in the application of the GDPR. Their tasks include not only monitoring but also active dialogue with the general public and with politicians, which has not been the case under the current legislation. They serve as a contact point between companies and individuals.
This is similar to the current responsibilities of supervisory authorities, albeit more formalised. We do not expect major changes in communication and relationships with the SA.
Supervisory authorities must process complaints made by individuals and communicate with data protection officers free of charge.
Regulatory Powers
The supervisory authorities are endowed with three types of powers under the GDPR: investigative, advisory, and corrective powers. These are listed in Article 58 of the GDPR, but the list is not exhaustive. Member States can further increase the scope of the powers a supervisory authority has, but they cannot reduce it.
These powers are linked with and necessary for the performance of regulatory tasks. All companies and organisations are subject to the SA’s oversight.
The investigative powers comprise the rights to:
- demand information from data controllers and processors
- review certifications
- notify the companies of infringements
- access personal data required for investigations
- access the premises of the controller or processor
Corrective powers define what the SAs may do when breaches are found. The SAs can:
- issue warnings to companies that their operations could result in infringements
- issue reprimands when infringements are detected
- issue orders to companies to comply with data subjects’ requests
- order the company to ensure compliance within a specified period
- order the company to communicate the existence of a data breach
- impose temporary or permanent processing limitations or bans
- order the notification of other data recipients when the data subject exercises the right to be forgotten
- impose administrative fines
- suspend cross-border data flows
In order to exercise their powers, SAs must be allowed to bring the matters to court independently – in accordance with the local legislation, of course.
The third category, the advisory powers mentioned above, mostly concerns the advisory and certification functions of the authorities. They are tasked with authorising contractual clauses and binding corporate rules for data transfers to third countries.
Supervisory authorities are required to make annual reports summarising their activities and decisions. They are also obligated to cooperate with other supervisory authorities in cases where multiple countries are affected, such as when dealing with multinational corporations.
Conclusion
Supervisory authorities have the most important role under the GDPR. They will serve as a contact point between the companies and the individuals, solving practical issues and providing advice.
New responsibilities include comprehensive work behind the scenes: providing expert advice and requests to politicians and institutions, and keeping the public informed and educated about their rights.