Data Protection Authorities

Introduction

Data protection authorities can be categorised into three levels:

  1. European Union (EU) level: the European Data Protection Board
  2. National level: the national data protection authorities, designated by the European Union’s General Data Protection Regulation (GDPR) as ‘supervisory authorities’
  3. Regional level: some countries have regional data protection authorities

Stakeholders

The European Data Protection Board (EDPB) is an independent European body, entrusted with guaranteeing the consistent application of the data protection rules (not only the GDPR but also the Law Enforcement Directive, which rules matters of data protection in the specific domain of law enforcement) across the European Union and the European Economic Area (involving Iceland, Lichtenstein, Norway additionally). For that purpose, it issues guidelines and opinions on matters of relevant importance and issues binding decisions in case of dispute between national data protection authorities.

It is composed of representatives of the different national data protection authorities and the European Data Protection Supervisor. The European Commission also participates in its meetings, but it does not have voting powers.

The EDPB has been established by the GDPR. During the period in which the previous Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) was in force, the European data protection authority was the so-called Article 29 Data Protection Working Party which ceased to exist as of 25 May 2018.

The national data protection authorities (Recitals 117 to 123, Articles 51 to 59 of the GDPR) are public independent authorities, set up by Member States, to supervise compliance with the GDPR. Their main competencies are:

  1. Investigate possible violations of the data protection norms;
  2. Sanction the wrongdoers;
  3. Handle complaints presented against legal and natural persons under their authority;
  4. Provide expert advice on data protection issues

Their geographical competence is determined by the country where the data processing activities take place. The list of all national data protection authorities can be found here.

An issue that arose regarding the competence of national data protection authorities involves their competence to investigate potential breaches of the GDPR (in the particular case, unlawful data transfers to third countries) when there is already a position in this regard taken by the European Commission. As per the judgment of the Grand Chamber of the Court of Justice of the European Union (Maximillian Schrems v. Data Protection Commissioner, 6 October 2015), the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities. However, it is ultimately for the Court of Justice to decide whether or not a Commission decision is valid.

Besides data protection authorities with national scope, there can also exist regional authorities, as allowed by Article 51(3) of the GDPR, which establishes that when there are several data authorities in one Member State there should be one main authority that represents all other authorities in the EDPB.

However, up until now, only Germany used this possibility. Germany is composed of 16 states (Bundesländer) and all have their own Data Protection Authority, alongside one federal supervisory authority.

The EDPB shall not be confused with the European Data Protection Supervisor (EDPS), an independent supervisory authority originally established by Regulation (EC) No 45/2001, and currently regulated by Regulation (EU) No 2018/1725. The main functions of the EDPS are:

  1. Ensure the protection of personal data and privacy rights within the activities performed by European bodies and institutions;
  2. Advise EU institutions and bodies in various matters related to data protection;
  3. Intervene before the European Court of Justice to provide expert advice on data protection issues;
  4. Supervise new technologies, able to put at risk person data;
  5. Cooperate with national data protection authorities.

Definitions

‘Supervisory authority’: ‘an independent public authority which is established by a Member State pursuant to’. (Article 4(21) GDPR)

‘Supervisory authority concerned’'a supervisory authority which is concerned by the processing of personal data because:

  1. the controller or processor is established on the territory of the Member State of that supervisory authority;
  2. member data subjects residing in the State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
  3. a complaint has been lodged with that supervisory authority.(Article 4(22) GDPR)

‘Processor’: ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’. (Article 4(8) GDPR)

‘Controller’: ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’. (Article 4(7) GDPR)

Challenges

Some processors are established in more than one Member State and potentially their processing activities can be supervised by different national data protection authorities (Article 56 of the GDPR). In this regard, a distinction should be made between two different scenarios:

  1. If the means and purpose of the data processing are determined in one specific establishment only, it will be the competent data protection authority in that territory to supervise the data processing activities;
  2. If the means and purpose of the data processing are determined in more than one establishment (as it happens with some multinationals for instance), multiple data protection authorities will intervene, each one supervising the data processing activities taking place in its territory.

Opportunities and incentives

At the EU level, EDPB notably issues general guidance in order to clarify the law and to promote common understanding of EU data protection laws. More generally, and in accordance with its current Strategy (2021-2023), EDPB has set out the four main pillars of its strategic objectives and key actions to achieve them:

  • Pillar 1: Advancing harmonisation and facilitating compliance
  • Pillar 2: Supporting effective enforcement and efficient cooperation between national supervisory authorities
  • Pillar 3: A fundamental rights approach to new technologies
  • Pillar 4: The global dimension

Its activities contribute to the clarification of the regulation for every actor involved in data protection, especially data protection authorities, data processors and controllers, data subjects.

At the national levels, each national and regional supervisory authority provides resources and is a key contact point to clarify the rules applicable regarding data protection on its territory.

Interactions with regulators

Data protection authorities are in charge of monitoring compliance with the GDPR. For that purpose, it is essential for stakeholder to record their data processing activities, aimed to demonstrate how data controllers are complying with their obligations under the GDPR.

For this purpose, it might be useful for data controllers:

  1. to make inventories and data mapping of all data being processed in their organization;
  2. to create internal written policies to guide all staff members in matters such as data retentions periods, forms and timings of data deletion;
  3. to clearly define their responsibilities when there is more than one data controller.

Practical steps

In some cases, data controllers are required to do a prior consultation to the data protection authority before starting the data processing, when the data protection impact assessment described in Article 35 of the GDPR reveals that the processing would result in high risk if adequate measures by the data controller are not put in place.

Another relevant interaction between data controllers and data protection authorities refers to the notification of data breaches. (See also here subentry on “Mission creep/Data misuse” (in prep))

No organization is immune to cyberattacks and thus data controllers must prepare beforehand for that event. It is important to have in place robust cybersecurity policies, to comply with the principle of integrity and confidentiality (Article 5(1)(f) of the GDPR).

In case of a data breach, the competent data protection authority must be notified within 72 hours, counting from the moment in which the data controller became aware of it, whenever the breach is likely to result in risks to the rights and freedoms of natural persons (Article 33 of the GDPR).

Affected data subjects must also be notified by the data controller (Article 34 of the GDPR). For the latter, the GDPR does not set a time limit, but it does refer that communication must be done ‘without undue delay’. There might be cases in which data controllers are not required to notify the data subjects of the data breach (Article 34(3) of the GDPR):

  1. When the data controller has previously put in place adequate measures to protect the data (e.g., encryption) and thus the data breach will not affect the data subjects;
  2. When after the data breach the data controller took measures to eliminate its negative effects on the rights and interests of the data subject;
  3. When the individual notification would involve a disproportionate effort, and it can be satisfactorily substituted by public communication or a similar procedure.

European Union Legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016, p. 1-88, CELEX number: 32016R0679

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89-131, CELEX number: 32016L0680

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, 12.1.2001, p. 1-22, CELEX number: 32001R0045

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance.), PE/31/2018/REV/1, OJ L 295, 21.11.2018, p. 39-98, CELEX number: 32018R1725

European Union Guidance

Relevant literature

More

Acknowledgements

Published: 21/03/2023

Authors: 

Vera Lúcia Raposo, NOVA School of Law - NOVA University of Lisbon; FutureHealthlaw / WhatNext.Law

and Tomás de Brito Paulo, LL.M Law & Technology at Tilburg University, Tilburg, the Netherlands; Associate at Vieira de Almeida & Associados, Lisbon, Portugal

Reviewed by Aurélie Mahalatchimy, EuroGCT WP4 Convenor 

Table of contents

Back to top