The GDPR empowers supervisory authorities established in each EU country to perform tasks and to exercise their powers with complete independence.
These supervisory authorities play an important role in protecting data subject rights with regard to the processing of their personal data. So what are their tasks and powers exactly, and which national authority is competent?
In principle, each supervisory authority has jurisdiction in its own territory to monitor any local data processing, as well as processing carried out by a non-EU data controller or processor when that processing targets data subjects residing on its territory. Their scope of tasks and powers includes conducting investigations and promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as gaining access to any premises of the data controller and the processor, including any data processing equipment and means. Also, each supervisory authority must facilitate the submission of data subjects’ complaints by making a complaint form available, which can also be completed electronically. In addition, the authority must keep the complainant informed about the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary.
But what happens if the personal data processing by one single entity “substantially” affects the data subjects in more than one EU country? Or, if the data controller or processor has multiple establishments across Europe? In these two scenarios, and unless the data processing is carried out by public authorities or private bodies acting in the public interest, one supervisory authority must act as the lead authority. This will then be the authority that is competent to supervise the single entity in the first scenario or the one competent to supervise the main establishment in the second scenario.
What does that mean in practice? It means that there must be close cooperation with the other authorities concerned so that this lead authority can adopt binding decisions that have been jointly discussed and agreed upon beforehand between the relevant authorities. This is the so-called “one-stop-shop” mechanism, which could imply, in some circumstances, that a cooperating authority has the possibility to submit a draft decision to the lead authority, and the latter should consider this draft to the fullest extent possible when preparing its decision.
According to the European legislature, supervisory authorities should assist each other in performing their tasks so that the consistent application and enforcement of the GDPR can be ensured.
How? For instance, by participating in joint operations where appropriate or by responding to another supervisory authority’s request within a specified deadline, for example, when that supervisory authority intends to adopt a measure relating to processing operations that “substantially” affect a significant number of data subjects in several EU countries.
Surely, this all looks appealing, but what if these different supervisory authorities disagree with each other? If this happens, then the European Data Protection Board (“Board”) should intervene by issuing an opinion or by adopting legally binding decisions (by a two-thirds majority of its members), or both. But what is this Board? Another supervisory authority?
Not exactly; the Board is an independent body that mainly consists of representatives from the supervisory authority in each EU country and the European Data Protection Supervisor.
It replaces the Article 29 Data Protection Working Party advisory committee, which was established by Directive 95/46/EC.
Are the Board’s decisions final? Not necessarily because any natural or legal person (including the supervisory authority concerned) has the right to bring an action for annulment before the Court of Justice of the European Union within a certain period of time.
Similarly, any natural or legal person should have an effective judicial remedy (such as the dismissal of complaints) before the competent national court against a supervisory authority’s decision that has adverse legal effects concerning that person. Moreover, if the court seized has a reason to believe that there is a similar proceeding pending in another EU country concerning the same subject matter, then, to avoid conflicting decisions, the court first seized should be the only one to rule on the matter.
Hence, under the GDPR, there are still national supervisory authorities, but their tasks and powers have been redefined in a more comprehensive way. Also, because of the increasing amount of cross-border data processing, consistency and smooth cooperation between them and the Board are essential.
Obviously, it might take some time before all required processes are up and running smoothly.