The General Data Protection Regulation (“GDPR”) empowers supervisory authorities established in each EU country to perform tasks and to exercise their powers with complete independence.
Having these supervisory authorities is an essential element of protecting natural persons with regard to the processing of their personal data. So what exactly are their tasks and powers, and which authority is competent?
In principle, each supervisory authority has jurisdiction in its own territory to monitor any local data processing that affects data subjects or that is carried out by a non-EU controller or processor when their processing targets data subjects residing on its territory. Their scope of tasks and powers includes conducting investigations and promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as obtaining access to any premises of the controller and the processor, including any data processing equipment and means. Also, each supervisory authority must facilitate the submission of data subjects’ complaints by making a complaint form available, which can also be completed electronically. In addition, the authority must keep the complainant informed about the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary.
But what happens if the personal data processing, which is done in the context of an entity’s activities, “substantially” affects data subjects in more than one EU country? Or if the controller or processor concerned has multiple establishments across Europe? In these two scenarios, and unless the processing is carried out by public authorities or private bodies in the public interest, there is in principle one supervisory authority that shall act as the lead authority, i.e., the one competent to supervise the single entity in the first scenario or the one competent to supervise the main establishment in the second scenario.
What does that mean in practice? It means close cooperation with the other authorities concerned so that this lead authority can adopt binding decisions that have been jointly discussed and agreed upon beforehand. This is the so-called “one-stop-shop” mechanism, which could imply, in some circumstances, that an authority can submit a draft for a decision, and the lead supervisory authority should take this draft into account to the fullest extent when preparing its decision.
As a matter of fact, according to the European legislature’s opinion, the supervisory authorities should assist each other in performing their tasks so that the consistent application and enforcement of the GDPR can be ensured. How? For instance, by participating in joint operations where appropriate or by responding to another supervisory authority’s request within a specified deadline, notably when that supervisory authority intends to adopt a measure whose aim is to produce legal effects as regards processing operations that “substantially” affect a significant number of data subjects in several EU countries.
Surely, this all looks appealing, but what if these different supervisory authorities disagree with each other? If this happens, then the European Data Protection Board (“Board”) should normally intervene by issuing an opinion or by adopting legally binding decisions (by a two-thirds majority of its members), or both, again for consistency purposes. But what is this Board, and who makes it up? Another supervisory authority? Not exactly; the Board is an independent body that mainly consists of the head of a supervisory authority of each EU country and the European Data Protection Supervisor, or their respective representatives. It replaces the advisory committee, the Article 29 Data Protection Working Party, which was established by Directive 95/46/EC.
Are the Board’s decisions final? Not necessarily, because any natural or legal person (including the supervisory authority concerned) has the right to bring an action for annulment before the European Court of Justice within a certain period of time. Similarly, any natural or legal person should have an effective judicial remedy before the competent national court against a supervisory authority’s decision that has adverse legal effects concerning that person, such as the dismissal of complaints. What’s more, if the court seized has reason to believe that there is a similar proceeding in another EU country concerning the same subject matter as regards processing by the same controller or processor, the court first seized should be the only one to rule on the case at stake so that the risk of irreconcilable judgments can be avoided.
In conclusion, there are still national supervisory authorities, but their tasks and powers have been redefined more comprehensively than in the past. Also, because of the increasing amount of cross-border processing, they must endorse a consistency mechanism for better cooperation between them and the Board, which sounds good, but it might take some time before such collaboration becomes seamless. Finally, it is worth noting that the right of every data subject to lodge a complaint with a supervisory authority remains without prejudice to the right to seek any other administrative or judicial remedy, including the right to seek an effective judicial remedy against a supervisory authority.