Introduction

In our twelfth GDPR update, we address the position of the national supervisory authorities, including their competence, (new) tasks and (new) powers.

The GDPR introduces various new rules on the competence of national supervisory authorities and contains wide investigative and enforcement powers, including the possibility to issue substantial fines.

Competence of national supervisory authorities

Under the GDPR, national supervisory authorities continue to exist. There is no single supervisory authority on a European level under the GDPR. Each Member State is obliged to establish an independent supervisory authority that is responsible for monitoring the application of the GDPR.

If a controller or processor carries out cross-border processing activities, the supervisory authority for the main or single establishment of the controller or processor acts as lead supervisory authority in respect of those cross-border processing activities. We will discuss the lead supervisory authority in more detail in our next GDPR update.

Each supervisory authority has jurisdiction in its own territory to monitor processing activities affecting data subjects on its territory, as well as processing activities carried out by a controller or processor not established in the EU when targeting data subjects residing in its territory. These local cases must, however, be notified to the lead authority, which then has three weeks to decide whether it will handle the case. If the lead authority decides not to handle the case, the local authority handles it, using, where necessary, mutual assistance and joint investigation powers.

Tasks

The GDPR contains a comprehensive list of tasks for the supervisory authorities. These tasks include the obligation to:

  • monitor and enforce the application of the GDPR;
  • promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing activities (especially in relation to children);
  • advise national institutions and bodies on the application of the GDPR;
  • promote awareness of controllers and processors of their obligations under the GDPR;
  • upon request, provide information to data subjects concerning their rights under the GDPR;
  • handle complaints lodged by data subjects or their representatives, investigate them and inform the data subjects of the outcome within a reasonable period;
  • cooperate with other supervisory authorities to ensure the consistent application and enforcement of the GDPR;
  • conduct investigations on the application of the GDPR;
  • monitor relevant developments, insofar as they have an impact on the protection of personal data;
  • adopt model processing agreements;
  • adopt standard clauses for the transfer of personal data to third countries;
  • approve binding corporate rules;
  • establish requirements for privacy impact assessments;
  • encourage the creation of codes of conduct; and
  • fulfil any other tasks related to the protection of personal data.

Powers

Many of the powers conferred upon the supervisory authorities under the GDPR relate to the specific tasks listed above. Most powers are a more detailed elaboration of the powers currently conferred on the supervisory authorities under the current privacy framework (the Data Protection Directive 95/46/EC, as implemented in the Netherlands in the Dutch Data Protection Act).

The powers of the supervisory authority under the GDPR include the power to:

  • order controllers and processors to provide information on processing activities;
  • carry out investigatory audits;
  • access any premises of controllers and processors, including any data processing means and equipment;
  • issue warnings and reprimands;
  • impose fines (we will address fines in more detail in our February 2018 GDPR update);
  • order controllers and processors to comply with data subjects' requests to exercise their rights under the GDPR (access, rectification, deletion, etcetera);
  • order controllers and processors to bring their processing operations into compliance with the GDPR;
  • order controllers to communicate a personal data breach to the affected data subjects; and
  • order the suspension of data flows to a recipient in a third country.

Member States may provide for additional powers for their supervisory authorities. In the draft GDPR Implementation Act (currently pending before Parliament), the Dutch government used this possibility to uphold the existing power to impose an order subject to a penalty for non-compliance (last onder dwangsom) or, less likely, an order subject to coercive administrative action (bestuursdwang) for non-compliance.

In case of an order subject to a penalty for non-compliance, the organisation is given a certain period to adjust its working method. If the organisation fails to do so, the penalty is enforced against the organisation. In case of an order subject to coercive administrative action, the supervisory authority itself takes the necessary actions to remedy the non-compliance if the organisation has failed to do so. An example of where this power may be used is the notification of affected data subjects in case of a data breach. If the controller fails to comply with the order, the supervisory authority may issue a public statement informing the data subjects of the data breach. Such a public statement will likely reach a much broader audience than just the affected data subjects. This method may therefore have significant reputational consequences for the controller, making it a potentially very effective tool for the supervisory authority to enforce compliance with its order. The costs of the supervisory authority's actions will be recovered from the controller.

Practical implications

While the GDPR contains an elaborate list of tasks and powers for the supervisory authorities, these tasks and powers are largely similar to the existing tasks and powers of the national supervisory authorities under the current privacy framework. However, under the GDPR some of these powers can be applied to both controllers and processors, whereas under the current legislation they are limited to controllers.

Moreover, some powers may have a significant impact on day-to-day business operations, for instance the power to suspend the transfer of data to recipients in third countries. Furthermore, as we will discuss in our GDPR Update of February 2018, supervisory authorities are empowered to issue substantial administrative fines.

Overview of subjects

January 2017 Territorial scope of the GDPR
February 2017 The Concept of Consent
March 2017 Sensitive personal data
April 2017 Accountability, Privacy by Design and Privacy by Default
May 2017 Rights of Data Subjects (information notices)
June 2017 Rights of Data Subjects (access, rectification and portability)
July 2017 Rights of Data Subjects (erasure, restriction, object and automated individual decision-making)
August 2017 Data Processors
September 2017 Data Breaches and Notifications
October 2017 Data Protection Officers
November 2017 Transfer of Personal Data (outside the EEA)
December 2017 Regulators (competence, tasks and powers)
January 2018 One Stop Shop
February 2018 Sanctions
March 2018 Processing of Personal Data in Employment
April 2018 Profiling and Retail
May 2018 Overview

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.