Supervisory Authorities

All of the EU’s member states must provide one or more independent supervisory authorities, which must act independently of the government and must be provided with adequate resources to undertake their duties.

Supervisory authorities’ tasks will include:

• Monitoring the application of GDPR
• Promoting public awareness
• Handling complaints raised
• Give advice on processing operations when consulted
• Review certifications and conduct accreditation of certification bodies
• Approve binding corporate rules

Each supervisory authorities’ powers will include:

• The power to investigate through data protection audits
• Corrective powers through:
  • warnings,
  • reprimands,
  • limitations on processing
  • Withdrawal of certifications
  • Impose administration fines
  • Suspend data flows to third countries
• Authorisation and advisory powers

Entities operating in more than one state can choose a lead supervisory authority for all their pan-EU activities in order that they need liaise with only one SA.  These lead authorities will monitor compliance in respect of cross-border processing by an organisation whose main establishment is in that Member State.