GDPR Update: Regulators (competence, tasks and powers)




In our twelfth GDPR update, we address the position of the national supervisory authorities, including their competence, (new) tasks and (new) powers.

The GDPR introduces various new rules on the competence of national supervisory authorities and contains wide investigative and enforcement powers, including the possibility to issue substantial fines.

Competence of national supervisory authorities

Under the GDPR, national supervisory authorities continue to exist. There is no single supervisory authority on a European level under the GDPR. Each Member State is obliged to establish an independent supervisory authority that is responsible for monitoring the application of the GDPR.

If a controller or processor carries out cross-border processing activities, the supervisory authority for the main or single establishment of the controller or processor acts as lead supervisory authority in respect of the cross-border processing activities. We will discuss the lead-supervisory authority in more detail in our next GDPR update.

Each supervisory authority has jurisdiction in its own territory to monitor processing activities affecting data subjects on its territory and processing activities carried out by a controller or a processor not established in the EU when targeting data subjects residing in its territory. These local cases must however be notified to the lead authority, which then has three weeks to decide whether it will handle the case. If the lead authority decides not to handle the case, the local authority handles the case using, where necessary, mutual assistance and joint investigation powers.


The GDPR contains a comprehensive list of tasks for the supervisory authorities. These tasks include the obligation to:

  • monitor and enforce the application of the GDPR;
  • promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing activities (especially in relation to children);
  • advise national institutions and bodies on the application of the GDPR;
  • promote awareness of controllers and processors of their obligations under the GDPR;
  • upon request, provide information to data subjects concerning their rights under the GDPR;
  • handle complaints lodged by data subjects or their representatives, investigate the complaint and inform the data subjects of the outcome of the claims within a reasonable period;
  • cooperate with other supervisory authorities to ensure the consistent application and enforcement of the GDPR;
  • conduct investigations on the application of the GDPR;
  • monitor relevant developments, insofar as they have an impact on the protection of personal data;
  • adopt model processing agreement;
  • adopt standard clauses for the transfer of personal data to third countries;
  • approve binding corporate rules
  • establish requirements for privacy impact assessments;
  • encourage the creation of codes of conduct; and
  • fulfil any other tasks related to the protection of personal data.


Many of the powers conferred upon the supervisory authorities under the GDPR relate to the specific tasks listed above. Most powers are a more detailed elaboration of the powers currently conferred on the supervisory authorities under the current privacy framework (the Data Protection Directive 95/46/EC, as implemented in the Netherlands in the Dutch Data Protection Act).

The powers of the supervisory authority under the GDPR include the power to:

  • order controllers and processors to provide information on processing activities;
  • carry out investigatory audits;
  • access any premises of controllers and processors, including any data processing means and equipment;
  • issue warnings and reprimands;
  • impose fines (we will address fines in more detail in our February 2018 GDPR update);
  • order controllers and processors to comply with data subjects requests to their rights under the GDPR (access, rectification, deletion, etcetera);
  • order controllers and processors to bring their processing operations into compliance with the GDPR;
  • order controllers to communicate a personal data breach to the affected data subjects; and
  • order the suspension of data flows to a recipient in a third country.

Member States may provide for additional powers for its supervisory authorities. In the draft GDPR Implementation Act (currently pending before Parliament), the Dutch government used this possibility to uphold the existing power to impose an order subject to a penalty for non-compliance (last onder dwangsom) or, less likely, an order subject to coercive administrative action (bestuursdwang) for non-compliance.

In case of an order subject to a penalty for non-compliance, the organisation will be given a certain period to adjust its working method. If the organisation fails to do so, a penalty will be enforced upon the organisation. In case of an order subject to coercive administrative action, the supervisory authority will itself take the necessary actions to remedy the non-compliance, if the organisation has failed to do so. An example of where this power may be used is the notification to the affected data subjects in case of a data breach. If the controllers fails to comply with the order, the supervisory authority may issue a public statement informing the data subjects of the data breach. Such public statement will likely reach a much broader audience than just the affected data subjects. Therefore, this method may have significant reputational consequences for the controller, making it is a potentially very effective tool for the supervisory authority to enforce compliance with its order. The costs of supervisory authority’s actions will be recovered from the controller.

Practical implications

While the GDPR contains an elaborate list of tasks and powers for the supervisory authorities, these tasks and powers are largely similar to the existing tasks and powers of the national supervisory authorities under the current privacy framework. However, under the GDPR some of these powers can be applied in respect of both controllers and processors, whereas under the current legislation this is limited to controllers.

Moreover, some powers may have a significant impact on day-to-day business operations, for instance the power to suspend the transfer of data to recipients in third countries. Furthermore, as we will discuss in our GDPR Update of February 2018, supervisory authorities are empowered to issue substantial administrative fines.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:


Dentons on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.