The meaning and role of the supervisory authority, data protection authority (DPA), lead supervisory authority (LSA), concerned supervisory authority and the consistency mechanism under the GDPR – with examples.
In order to ‘work’ and be consistently applied, the GDPR needs the collaboration of all stakeholders, including the data protection authority (DPA) of each state, member states themselves, controllers and processors, citizens (data subjects), the European Commission and the European Data Protection Board.
And to make sure that there is a uniform and consistent application and enforcement of the GDPR, there are several mechanisms and rules regarding supervisory authorities or data protection authorities – and their roles, duties, powers, funding and far more.
Consistency and thus also a consistent application of the GDPR is very important for the EU. There is even a so-called consistency mechanism which gets a whole section in a Chapter of the final GDPR text.
Table of Contents
Consistency and consistency mechanism
As you could read earlier, with the predecessor of the GDPR, the so-called Data Protection Directive, consistency was, to say the least, a bit of an issue.
“No more” the EU has said, also in the scope of its single market: we put a consistency mechanism in place and that de facto has an impact on, among others, the role and rules with regards to the data protection authorities and the European Data Protection Board (EDPB) where for each member state a national data protection auhority represents it (the EDPB replaces the so-called Article 29 Working Party).
When it boils down to the whole ‘consistent application and enforcement ecosystem’ of stakeholders, the EDPB obviously is a key one as it goes beyond the level of the Member States. It also plays an essential role in what the European Commission dubbed a ‘concerted effort’ early 2018 which you could see as a further effort to ensure that consistent application.
Obviously data protection authorities have a key role in consistency as well and it’s in the scope of this article on supervisory authorities that we encounter the consistency mechanism several times. Time for an overview of DPAs, lead supervisory authorities and more.
Let’s take a quick look at some key elements, tasks and responsibilities of national Data Protection Authorities or DPAs, in relationship with, among others, processors and controllers.
Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism (GDPR Recital 119)
We also take a quick look at how Data Protection Authorities come in the picture where it concerns a few duties and cases, among others cross-border data flows and GDPR fines and penalties, e.g. when data subject rights are clearly not respected, there is a clear lack of a legal ground for lawful processing or a personal data breach has occured.
Attention: we try to stick to the essence so do check out the GDPR Articles and GDPR Recitals to know everything about the supervisory authorities (they do have a lot of powers and tasks) and that mentioned consistency mechanism.
Data Protection Authorities or DPAs obviously are not new. They exist in many countries since many years or even decades and under many different privacy and personal data protection laws.
What is a Data Protection Authority or DPA in the scope of the GDPR?
DPAs are simply public supervisory authorities (with supervisory authority being a more generic term that is also used in other context such as financial regulation) which ensure and enforce the personal data and privacy laws.
They are also the place to go to in case of a violation of data protection legislation (in the scope of the GDPR for EU citizens) and for advice and specific questions and/or assistance from the perspective of organizations.
Each supervisory authority has the investigative power to carry out investigations in the form of data protection audits
In the context of the GDPR all EU Member States have a data protection authority, in general serving as the main point of contact of stakeholders within that Member State. However, there are some exceptions, for example in the scope of a group of enterprises with presences in different EU countries.
In the GDPR text, data protection authorities are not named as such. They are called supervisory authorities. A supervisory authority is defined by the GDPR in GDPR Article 4 (Definitions) as “an independent public authority which is established by a Member State pursuant to Article 51”.
And that Article 51, on, indeed, the supervisory authority, has four simple elements (or paragraphs):
In each EU Member state there should be at least one supervisory authority whereby that supervisory authority is an independent public authority with the following essential duty: monitoring GDPR application to protect the fundamental rights and freedoms of data subjects in the scope of personal data processing and to facilitate the free flow of such personal data within the EU.
And that independent public authority with those fundamental goals is called the supervisory authority. Independent is a keyword here and is detailed in several additional rules and safeguards to ensure that independence, which is among a task of member states.
In order to make sure that the GDPR is applied in a consistent way across the EU each supervisory authority has to work together with the others, with the European Commission and also within the context and environment of that new EDPB where they, as said, are also represented.
Each supervisory authority on its territory must promote public awareness and understanding of the risks, rules, safeguards and rights in relation to personal data processing
In fact, they even have a responsibility in making that EDPB work and succeed. Simply said: if we want a consistent application of the GDPR and make it work, we should foresee a duty and some mechanisms to avoid that each supervisory authority does its own thing. Sounds easy. In practice there are a few rules and mechanisms and, although not specifically mentioned here this consistency mechanism comes back.
As each EU member states needs to have AT LEAST one supervisory authority by definition it can have more as is the case with Germany.
When such is the case than one supervisory authority in that member state needs to be appointed to represent the specific state in that EDPD. Moreover, it needs to have some mechanisms to make sure that those other supervisory authorities, you guessed it, are compliant with that consistency mechanism.
Finally, member states need to inform the European Commission by May 25th, 2018, on the national laws, their provisions and amendments regarding those supervisory authorities as there have been quite a few changes in the GDPR concerning personal data protection authorities such as funding, enablement, their role in the EDPB, the consistency mechanism and duties such as collaborating with others and so forth.
De facto this means work for member states as it affects some laws (and not all member states are that fast really, at the end of January 2018 only two have adopted all the relevant national legislation concerning GDPR in general) as mentioned in that article on the ‘concerted effort’ roadmap of the European Commission.
Those were the basics with regards to supervisory authorities / data protection authorities and that consistency mechanism. As said, there is far more in several contexts.
DPAs have tasks, roles and responsibilities towards all other players in the big GDPR stakeholder picture, mostly in two directions: controllers, processors, the specific member states, citizens, the EDPB, the Commission and, as said other supervisory authorities. Some of the – many – tasks of DPAs ahead of May 25, 2018 (and several beyond) are depicted below and we mention a few more by way of an example.
What data protection authorities need to – continue to – do according to the European Commission in a January 2018 statement – source European Commission GDPR factsheet
The role of the Data Protection Authority in sanctions
One of the most known probably is the role of the DPA in sanctions such as GDPR fines.
Regarding this aspect, do take a look at the image below from one of the other PDFs we mentioned in the article on the ‘concerted effort’ message of the European Commission.
It perfectly illustrates the sanctions mechanism with the well-known administrative fines but most of all the role of the DPA.
The place and role of the national supervisory authority or data protection authority in the flow and mechanism of sanctions and fines under the GDPR – source European Commission
Moreover, in the scope of international data transfers (and approving specific methods making those easier, for instance binding corporate rules) as well as the handling of complaints whereby there are decisions to take with regards to the competent supervisory authority (related with where the main establishment of a controller or processor is in the EU and with where the data subject risks and/or breaches play) we also speak about the LEAD supervisory authority, a.k.a. LSA.
A lead supervisory authority is not the same as the supervisory authority representing a member state at the EDPB. It is the appropriate and concerned DPA in such cases.
By way of an example we tackled before: in case a multinational group of companies has decided to go for binding corporate rules under the GDPR, then the competent supervisory authority is the one to approve such binding corporate rules, again in accordance with that consistency mechanism. On our page regarding BCRs you can for instance find a list of 100 multinationals with such an approved BCR, each time with the LEAD data protection authority next to it and indeed see that leading does not mean the nationally represented DPA in the EDPB in this scope. You will, for instance find several leading supervisory authorities for approved BCRs from Germany which are not the German main authority from the EDPB perspective but are the leading supervisory authority in this particular case.
The lead supervisory authority or LSA needs to be seen in the scope of the one stop shop dimension of the GDPR: in case of international issues, in various contexts, there should be one interlocutor.
The Regulation calls for a greater consistency than the Directive 95/46 when imposing sanctions. In cross border cases, consistency shall be achieved primarily through the cooperation (one-stop-shop) mechanism and to some extent through the consistency mechanism set forth by the new Regulation (WP29, Guidelines on the application and setting of administrative fines for the purposes of the Regulation)
It has to be easy for organizations too. And removing the complexity of the past in this regard of course is yet another reason to focus on that consistency and consistency mechanism.
Do check out the various GDPR Articles for more on the roles, powers and so on. A final note that directly is related with what we just saw on lead supervisory authorities and the mentioned ‘concerned supervisory authority’. GDPR Article 4 has a formal definition of ‘supervisory authority concerned’.
It defines a concerned supervisory authority as one which is concerned by the processing of personal data because:
- the controller or processor is established on the territory of the Member State of that supervisory authority;
- data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
- a complaint has been lodged with that supervisory authority.
And regarding the latter below is another illustration from that same PDF mentioned above but this time from the perspective of the citizen.
The place of the national Data Protection Authority in the complaint mechanism for citizens – source European Commission – PDF opens
When a data subject wants to lodge a complaint there are essentially two ways, to put it simply: he/she gets in touch with the national DPA or he/she goes to court. The DPA where the complaint is lodged of course has to look at it which de facto also means that it checks if it is the proper DPA in the particular case.
We already covered several tasks of the supervisory authorities. They are all mentioned in GDPR Article 57. We summarize a few of them within the scope of the various mechanisms, areas and activities where the data protection authorities have a role to play.
A data protection authority can require a data controller to communicate a personal data breach to citizens if the controller didn’t do so yet and the data protection authority decides that the breach could result in a high risk for concerned data subjects
Do note that, generally speaking, the performance of all these tasks by the DPA is free for the data subject and in several cases also for the data protection officer. However, if requests are proven (and it’s the DPA that needs to prove it) unfounded or excessive then a fee could be charged.
A second note: the GDPR hasn’t limited the tasks of supervisory authorities. After explicitly mentioning specific tasks it has this little paragraph saying “fulfil any other tasks related to the protection of personal data”.
A summary of some explicitly mentioned tasks and duties of data protection authorities in the scope of the GDPR.
A first and obvious, previously mentioned, task is monitoring GDPR compliance and application and enforcing it where needed with all the tools and mechanisms the data protection authority has to do so and of which some could be seen in the graphic above.
A supervisory authority can require a controller, a processor or the representative of one (where applicable) to make its record of processing activities available
The data protection authority must provide information to data subjects when the latter request so in the context of exercising their data subject rights. This could already be where the complaint mechanism starts coming in as citizens typically go to the DPA in such case with the aim to exercise these data subject rights if needed and deemed valid to do so.
When a citizen seeks advice on exercising his or her data subject rights this of course doesn’t mean that there is already a complaint.
However, when the data subject (or an authorized representative) files a complaint with the DPA, obviously the task of the supervisory authority is to handle it. And then the above mentioned mechanism starts whereby the DPA has investigation, information and other duties.
The DPA checks the complaint and can work with other supervisory authorities when such seems to be needed.
Data protection authorities of course don’t sit still until someone lodges a complaint. Watching over the application of the GDPR also means an investigative function: they need to conduct investigations.
How will they prioritize and do that as there are so many organizations and means are limited? One way of prioritizing is working on the basis of information that the DPA receives from other authorities, including other supervisory authorities.
Data protection authorities, within the mentioned scope of the ‘concerted effort’ the European Commission wants to see and the tasks that have been defined in the GDPR text, also have a role in creating GDPR awareness
First, there is the promoting of public awareness and an understanding of all the aspects from the data subject or citizen perspective (e.g. making sure they understand data subject rights, data processing risks when, for instance, granting consent and so forth). In this role towards the public and citizens, DPAs must pay special attention to activities with regards to children.
A second ‘target group’ towards which supervisory authorities have an awareness task are organizations: both processor and controllers, and more specifically with regards to their duties and obligations under the GDPR such as the rules of lawful processing and whatever else. De facto it is to be expected that, just as the European Commission did, particularly smaller organizations might be ‘targeted’ first.
As mentioned, data protection authorities also need to offer advice in several cases. This too goes in various directions.
The DPA, in general, needs to offer advice on the various measures, legislative and administrative, in the scope of the protection of data subject rights and freedoms. In the context of the GDPR that means protection with regards to personal data processing. On top of offering advice in the sense we just described, there is of course also an advice function in the monitoring and enforcement meaning, for instance those requests of data subjects regarding the exercise of their rights.
The role of the Data Protection Authority in encouraging, approving and laying out the rules for specific actions and mechanisms in the GDPR
There is a range of mechanisms and circumstances under the GDPR where the supervisory authority comes in the picture.
Depending on what mechanism/circumstance we exactly talk about this task can be one of defining criteria, approval/authorization, encouragement of using the mechanisms and a mix of all or some.
The DPA specifically has such a role in, among others:
- Codes of conduct: encouraging organizations and others, as explained in our article on codes of conduct, to draw up such codes of conduct, approving the codes of conduct if they of course contain and guarantee what is needed to approve them, and take other measures in this scope such as defining the criteria for bodies that can monitor codes of conduct and accredit those monitoring bodies.
- Certification: pretty much the same as with codes of conduct; so encourage certification mechanisms, define the criteria, also publish the criteria under which a certification body can be accredited and so on.
- Contractual clauses: adoption of standard contractual clauses in the context of processor duties, in accordance with the consistency mechanism and in the scope of appropriate safeguards in international data transfers when there is no adequacy decision.
- Binding corporate rules: we tackled this before and also in an article on the topic of BCRs; one of the tasks of the DPA is to approve BCRs.
- Data Protection Impact Assessments: making and publishing a list of the types of processing operations which require such a data protection impact assessment and communicating the lists to the EDPB.
- Prior consultation: whereby the controller must consult the DPA in the context of personal data processing activities when a data protection impact assessment shows that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk (and thus before the processing activity started) and the supervisory authority has to offer advice when it indeed thinks the intended personal data processing would be a breach, especially when the controller didn’t properly identify or mitigate that risk.
- The authorization of some appropriate safeguards in the context of cross-border personal data transfers which are subject to such appropriate safeguards, particularly 1) contractual clauses and 2) provisions to insert into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
Cooperation, record keeping, reporting and remaining up-to-date
Finally, as previously mentioned another task of the supervisory authority is to cooperate with others to ensure that consistency in application and enforcement but also to exchange information, assist each other etc.
The DPA also must keep records of infringements (and the measures taken) and work with the EPDB. And it has to look at developments regarding technologies and commercial evolutions that pertain to personal data protection and thus should be known.
Here too it’s clear that de facto cooperation is important.
Top image: Shutterstock – Copyright: dencg. All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for EU GDPR compliance.