Under the GDPR, enforcement is the responsibility of the national data protection authorities (DPAs). Each EEA country has its own independent data protection authority, which oversees the application of the GDPR, including the handling of complaints. For data processing taking place in more than one EEA country, the GDPR provides a system of cooperation between the competent DPAs, within which they cooperate in order to reach consensus. Find an overview of the DPAs.
The GDPR provides certain rights to individuals, including the right to lodge a complaint with the competent authority when they fear there has been an infringement of their data protection rights.
Tasks and powers of the Data Protection Authorities (DPAs)
Tasks of the DPAs
Each EEA DPA has the responsibility to monitor and enforce the application of the GDPR and promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data. DPAs also have tasks to advise the national parliament, the government, and other institutions and bodies and to provide information to any individual concerning the exercise of their rights. DPAs also promote the awareness of data controllers and processors of their obligations under the GDPR. DPAs handle complaints from individuals, conduct investigations regarding the proper application of the GDPR and cooperate with other DPAs on the application of the GDPR. The authorities are also responsible for:
- adopting and authorising standard contractual clauses;
- approving binding corporate rules;
- approving codes of conduct;
- encouraging the establishment of data protection certification mechanisms;
- contributing to the activities of the EDPB;
- fulfilling any other tasks related to the protection of personal data.
Read more
Powers of the DPAs
Under the GDPR, the national DPAs saw their enforcement powers significantly increased. Art. 58 GDPR defines the powers of each of those national authorities, by distinctly dividing them into three major groups:
- investigative powers;
- corrective powers;
- advisory powers.
Investigative powers
The DPAs exercise their investigative powers in order to determine if there is an infringement of the GDPR, its exact scope and nature. Among others, DPAs can:
- Order organisations to provide any information relating to the investigation;
- Conduct investigations in the form of data protection audits and notify the organisations of an alleged infringement of the GDPR.
- Obtain access to all personal data held by an organisation and to all information necessary to perform its tasks, including access to any of the organisation’s premises, including to any data processing equipment and means, in accordance with EU and national procedural law.
- Carry out a review on certifications issued under Art. 42.7 GDPR
Corrective powers
When an infringement of the GDPR provisions is established as a result of the investigation, or it is considered that a processing operation carries risk or does not meet specific requirements, the DPAs have the right to exercise one or more of their corrective powers, for example:
- Warning or ban on processing: in case of existing risks, DPAs could issue warnings to organisations, in order to prevent their processing operations from infringing the provisions of the GDPR. DPAs may also order a temporary or definitive limitation, including a ban on processing activities of organisations, as well as order them to communicate the data breaches that have occurred to the individuals concerned.
- Compliance order: in order to ensure compliance with the GDPR or to handle cases where certain criteria or requirements are not met, DPAs have the power to order organisations to comply with individuals’ requests to exercise their rights under the GDPR. Where appropriate organisations could be ordered to bring their processing operations into compliance with the provisions of the GDPR in a specified manner and within a specified time period.
- Suspension of data flows or withdrawal of certification: additionally, DPAs could also exercise their powers to suspend any data flows to recipients in third countries or to international organisations. Moreover, they could withdraw certification or order the certification body to withdraw an issued certification in line with Art. 42 and 43 GDPR. In cases where certification requirements are not met or no longer met, to order the certification body not to issue certification.
- Reprimands: in the case of established infringements, DPAs can reprimand organisations.
- Administrative fines: DPAs can also impose administrative fines defined in accordance with Art. 83 GDPR, in addition to or instead of the other measures listed above. The administrative sanction regime requires a case-by-case assessment of the circumstances of each individual infringement. The assessment should take into account factors such as the nature, gravity and duration of the infringement, the intentional or negligent nature, any damage mitigation steps which may have been implemented, the technical and organisational (i.e. security) measures which have been implemented, and how the DPA became aware of the issue.
The maximum level of the potential sanction will depend on the type of the breach:
- it can go up to a maximum of €10 million or 2% of total worldwide annual turnover in the previous financial year (for example, for a breach of “privacy by design and by default”, non-compliance with the obligation to conclude a data processing agreement, or failure to conduct a data protection impact assessment or to appoint a Data Protection Officer) under Art. 83.4 GDPR; or
- it can go up to a maximum of 20 million or 4% of total worldwide annual turnover in the previous financial year (for example, for a breach of the basic principles relating to processing, for processing personal data unlawfully without a legal basis, or for breaches of data subject rights) under Art. 83.5 GDPR.
You can find more details about the administrative fines associated with breaches of various GDPR articles in Art. 83 GDPR and the EDPB guidelines on the calculation of administrative fines under the GDPR
Advisory powers
Each DPA has a certain authorisation and advisory role under the GDPR, through which they can provide support to organisations, and or authorise specific processing activities. Some examples are:
- Prior consultation: advise data controllers in accordance with the prior consultation procedure under Art. 36 GDPR.
- Opinions on legislative activities: issue, either on their own initiative or upon request, opinions to their national parliament, government or, in accordance with national law - to other institutions and bodies as well as to the public on any issue related to the protection of personal data.
- Codes of conduct and certification: approve draft codes of conduct, accredit certification bodies or issue certifications and approve criteria of certification.
The exercise of the abovementioned powers of DPAs is subject to appropriate safeguards, including effective judicial remedy and due process, as set out in EU and national law in accordance with the EU Charter of Fundamental Rights. Each DPA has the power to bring infringements of the GDPR to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of the GDPR. Additional powers may be provided to DPAs by their national law.
Read more
Cooperation and One-Stop-Shop
The GDPR applies across the EEA, using one set of data protection rules for all countries. This approach supports international companies, but also SMEs in their endeavours to develop and grow by offering their services in more than one EEA country.
In order to reduce the administrative burden of processing personal data in two or more EEA countries, the GDPR provides a system for cooperation between DPAs - the so-called "one-stop-shop" mechanism, in order to reach consensus between the numerous DPAs.
Where an organisation processes data in two or more EEA countries, the competent authority dealing with a complaint or a data breach, for example, shall be that of the country in which the data controller has its principal place of business. This makes it easier for data controllers as they do not have to comply with the different laws in each country in which they operate. In addition, they only have to interact with one DPA. Depending on your type of business and the products and services you offer, cross-border processing might also apply to your SME. Many smaller businesses, such as online shops, e-commerce websites, mobile and computer applications offer services in multiple countries.
If your SME processes data of individuals in different EEA countries, you are obliged to determine which is the competent DPA, or the lead authority. This is usually the DPA located in the EEA country where your organisation’s headquarters is located and where decisions regarding the purposes and means of processing personal data are being made.
In practice
- Online retailers, for example, selling clothes via their web shops to customers in several EEA countries, can and often do process personal data. In such a cross-border case, the competent authority must be the country of the main establishment of the online retailer (“principle place of business”).
Once you have determined which DPA is the lead, you need to only communicate with them. The lead DPA cooperates and participates in discussions with other concerned EEA DPAs.
Where a complaint with a cross-border element needs to be handled in the context of cooperation with another DPA, the following cooperation measures shall be taken:
- If another DPA received the complaint, they have the obligation to inform the lead DPA about the case;
- The DPA concerned may participate in drafting a decision on the complaint;
- During the preparation of a decision, the lead DPA, must take into account the opinion of the concerned DPA.
Determining the lead data protection authority
Key concepts
Cross-border processing of personal data
According to the GDPR, identifying a lead data protection authority is only relevant for organisations carrying out cross-border processing of personal data.
The GDPR defines ‘cross-border processing’ as either the:
- processing of personal data which takes place in more than one EEA country where the controller or processor is established in more than one EEA country; or
- processing of personal data which takes place in a single establishment of an organisation in the EEA but which substantially affects or is likely to substantially affect individuals in more than one EEA country.
In practice
- This means that where an organisation has establishments in Germany and Croatia, for example, and the processing of personal data takes place in the context of their activities, this will constitute cross-border processing.
- Alternatively, the organisation may only have an establishment in Germany. However, if its processing activity substantially affects – or is likely to substantially affect - individuals in Germany and Croatia then this will also constitute cross-border processing.
Understanding of “substantially affects”
The fact that an organisation processes an amount – even a large amount – of individuals’ personal data, in several EEA countries, does not necessarily mean that the processing has, or is likely to have, a substantial effect. Processing with little or no effect does not constitute cross-border processing, regardless of how many individuals it affects.
DPAs will interpret ‘substantially affects’ on a case-by-case basis. They will take into account the context of the processing, the type of data, the purpose of the processing and factors such as whether the processing:
- causes, or is likely to cause, damage, loss or distress to individuals;
- has, or is likely to have, an actual effect in terms of limiting individuals’ rights or denying an opportunity;
- affects, or is likely to affect individuals’ health, well-being or peace of mind;
- affects, or is likely to affect individuals’ financial or economic status or circumstances;
- leaves individuals open to discrimination or unfair treatment;
- involves the analysis of special categories of personal or other intrusive data, particularly the personal data of children;
- causes, or is likely to cause individuals to change their behaviour in a significant way;
- has unlikely, unanticipated or unwanted consequences for individuals;
- creates embarrassment or other negative outcomes, including reputational damage; or involves the processing of a wide range of personal data.
Lead data protection authority
Put simply, a ‘lead data protection authority’ or lead DPA is the DPA with the primary responsibility for dealing with a cross-border data processing activity, for example, when an individual makes a complaint about the processing of their personal data. The lead DPA will coordinate any investigation and work together with ‘concerned’ DPAs. Identifying the lead DPA depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU.
If an organisation is established in only one EEA country, it has a single establishment in the EEA and the DPA of that country will be the lead DPA.
If an organisation is established in more than one EEA country, it is necessary to determine its main establishment, so the lead DPA can be identified.
Read more
Main establishment
In order to establish where the main establishment is, it is first necessary to identify the location of the organisation’s central administration in the EEA (“place of central administration; headquarters”), if any. This is the place where decisions about the purposes and means of the processing of personal data are taken.
In cases where decisions relating to different cross-border processing activities are taken within the central administration, there will be a single lead DPA in the EEA for the various data processing activities carried out by the multinational company. However, there may be cases where an establishment other than the place of central administration makes autonomous decisions concerning the purposes and means of a specific processing activity. In these situations, it will be essential for companies to identify precisely where the decisions on purpose and means of processing are taken. Correct identification of the main establishment is in the interests of data controllers and processors, because it provides clarity in terms of which DPA they have to deal with in respect of their various compliance duties under the GDPR.
Read more
In practice
- A clothing retailer has its headquarters (i.e. its ‘place of central administration’) in Sofia, Bulgaria. It has establishments in various other EEA countries, which are in contact with individuals there. All establishments make use of the same software to process customers’ personal data for marketing purposes. All the decisions about the purposes and means of the processing of customers’ personal data for marketing purposes are taken within its Sofia headquarters. This means that the company’s lead DPA for this cross-border processing activity is the Bulgarian DPA.
Organisations not established in the EEA
If your organisation is not established in the EEA, but is subject to the GDPR as it falls within the territorial scope of the GDPR, it might need to appoint a representative in one of the EEA countries.
However, if an organisation does not have an establishment in the EEA, the mere presence of a representative in one of the EEA countries does not trigger the “one-stop-shop” system. This means that organisations without any establishment in the EEA must deal with local DPAs in every EEA country they are active in, through their local representative.
Read more
Role of the European Data Protection Board
The EDPB is an independent European body with legal personality that contributes to the consistent application of data protection rules throughout the EEA and promotes cooperation between the EEA data protection authorities. The EDPB is composed of the heads of the DPAs and the European Data Protection Supervisor (EDPS) or their representatives.
In the EDPB, the DPAs work together to:
- provide general guidance (including guidelines, opinions, recommendations and best practices) on data protection law, specifically the GDPR;
- advise the European Commission on any issue related to the protection of personal data and new proposed legislation in the EU;
- adopt consistency decisions and opinions in cross-border data protection cases.
Instead of answering specific, individual requests, the EDPB issues general guidance.
The EDPB has adopted several guidance documents that are directly relevant for companies, including SMEs. These guidelines clarify different notions of the GDPR, such as the basic processing principles, data protection by design and default, international data transfers and data subject rights. You can find an overview of these documents here.
Consistency Mechanism
The consistency mechanism can have a direct impact on SMEs. In first instance, the consistency mechanism can be triggered when the lead DPA and the concerned DPAs cannot reach consensus on a specific cross-border case. In such instances, the case will be referred to the EDPB which will adopt a binding decision to settle the dispute.
In addition, the EDPB issues consistency opinions on some draft decisions prepared by EEA DPAs, which have cross-border effects (e.g. on a new set of standard contracts or on codes of conduct).
The EDPB can also issue consistency opinions on any matter of general application of the GDPR, or any issue having an effect in more than one EEA country. This work aims to ensure that the GDPR is understood and applied consistently in different EEA countries.