The EU General Data Protection Regulation (GDPR) has a very broad scope. It applies, to some extent, to practically every business trading in the EU, as well as to charities, public bodies and individuals.
It also covers an extremely wide range of activities, applying to practically any situation in which "personal data" is "processed." The expansion of information technology and big data means our personal data is being processed all the time.
Because the law is so pervasive, it requires each Member State to empower an independent public body to handle complaints, conduct investigations and issue penalties. These are the Data Protection Authorities (DPAs).
Let's take a look at what these powerful organizations can do.
What is a Data Protection Authority?
A DPA is an independent public authority which applies data protection law at national level in an EU Member State. The GDPR calls DPAs "national supervisory authorities."
DPAs are powerful institutions that can investigate and fine both private companies and public bodies. The fines can be severe: up to €20 million or 4 percent of a company's total worldwide annual turnover for the preceding financial year, whichever is higher.
They also provide help and guidance on matters of data protection to individuals, organizations and national parliaments.
The DPAs sit on the European Data Protection Board, which coordinates the activities of the DPAs and promotes cooperation between them. The European Data Protection Supervisor also sits on the Board. The Supervisor regulates data protection within the institutions of the EU itself.
What are the Functions of a Data Protection Authority?
DPAs fulfill a range of purposes for individuals, businesses and the general public.
A private individual living in the EU (or dealing with an EU company or public body) might contact a DPA if, for example:
- They want to make a complaint about how their personal data has been processed by a business
- They have had problems trying to exercise their data subject rights against an uncooperative company
A company or other organization might contact a DPA for one of the following reasons:
- To notify the DPA of a personal data breach
- To consult the DPA before starting high-risk processing that a Data Protection Impact Assessment has flagged
- To seek approval of a code of conduct, a data protection certification or binding corporate rules
A DPA must also:
- Promote public and industry awareness of data protection
- Monitor developments in the field of data protection and privacy
- Maintain a list of the kinds of processing operations that require a Data Protection Impact Assessment, or prior consultation with or authorization from the DPA
Powers of Data Protection Authorities
A DPA has three types of powers, described in Article 58 of the GDPR:
- Investigatory powers
- Corrective powers
- Authorization and advisory powers
A DPA has six investigatory powers:
- To order a data controller or data processor (or its representative) to provide any information it requires
- To conduct investigations in the form of data protection audits
- To review data protection certifications
- To notify a data controller or data processor of an alleged violation of the GDPR
- To obtain access to all personal data, and all other information, it needs from a data controller or data processor
- To enter the premises of a data controller or data processor, including access to its data processing equipment, but only in accordance with EU or national procedural law
A DPA has ten corrective powers:
- To warn a data controller or data processor that its intended processing is likely to violate the GDPR
- To issue reprimands
- To order a data controller or data processor to comply with an individual who is trying to exercise one of their data subject rights
- To order a data controller or data processor to bring its processing into compliance with the GDPR, possibly in a specified manner and within a specified deadline
- To order a data controller to tell the affected people about a data breach
- To impose a temporary or permanent restriction on data processing, including an outright ban
- To order that personal data is rectified, erased or its processing restricted, and that anyone who has received this personal data is informed of the change
- To withdraw a data protection certification, or to order the certification body to withdraw it or not to issue it
- To impose administrative fines
- To order the suspension of data flows to a recipient in a non-EU country or an international organization
Authorization and Advisory Powers
A DPA has ten authorization and advisory powers:
- To advise a data controller in the prior consultation that follows a Data Protection Impact Assessment showing a high residual risk
- To advise national parliaments and governments on data protection
- To authorize processing activities for which national law requires the DPA's prior authorization (for example, certain processing carried out in the public interest)
- To advise on, and approve, draft data protection codes of conduct
- To accredit data protection certification bodies
- To issue data protection certificates and approve certification criteria
- To adopt standard contractual clauses, which can be used in Data Processing Agreements and to allow international data transfers
- To authorize non-standard contractual clauses
- To authorize administrative arrangements between public bodies conducting international data transfers
- To approve binding corporate rules, which can be used to allow international data transfers in multinational companies
Determining Your Data Protection Authority
Where a company processes personal data across multiple EU Member States, it might not be obvious which DPA it should be working with.
For example, let's say a website serves people across France, Belgium and Luxembourg. The website is hacked and personal data is leaked. Which DPA should the website owner notify?
Lead Supervisory Authority and the "One-Stop Shop" Mechanism
The "One-Stop Shop" mechanism gives companies operating across several EU Member States a single Lead Supervisory Authority: one DPA that acts as the company's main point of contact, so that it does not have to deal with multiple DPAs for cross-border data processing.
Companies who have no EU establishment and so have nominated an EU Representative do not have access to the One-Stop Shop mechanism.
Identifying a Lead Supervisory Authority isn't a free choice. The Lead Supervisory Authority is the DPA of the Member State in which the company has its main establishment.
A company's main establishment might be obvious. If a multinational company has its headquarters in France, then France is likely to be that company's main establishment.
More formally, the GDPR (Article 4(16)) and the Article 29 Working Party's guidelines treat a company's main establishment as the place of its "central administration."
There is a slightly different method for determining the central administration of a data controller (which "determines the purposes and means of the processing of personal data") and a data processor (which "processes personal data on behalf of a data controller").
For data controllers, the central administration is defined as:
"The place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented."
So, if a company has operations across multiple EU Member States, its main establishment will be in whichever Member State it takes decisions about how and why it processes personal data, and has the power to have those decisions implemented.
For data processors, the central administration is defined as "the place where the main processing activities take place."
However, data processors are more likely to have to deal with multiple DPAs. This is because they must cooperate with DPAs who are investigating their data controllers. Where a data processor is working with data controllers in multiple Member States, this could mean being required to interact with multiple DPAs.
Data Protection Authorities By State
Below is a list of the DPA for each EU Member State at the time of writing, with a note on each DPA's recent activity.
- Austria: Österreichische Datenschutzbehörde (DSB). The DSB imposed its first fine in September 2018, on a sports betting company whose security cameras covered public areas.
- Belgium: Autorité de la protection des données (APD-GBA). The APD-GBA released figures covering the first six months of GDPR enforcement: it had been notified of 317 data breaches and had received 148 complaints over this period.
- Bulgaria: Commission for Personal Data Protection. A controversial section of Bulgaria's GDPR implementing legislation (the Data Protection Law) has been criticized for allowing the Commission to scrutinize the activities of journalists.
- Croatia: Croatian Personal Data Protection Agency (AZOP). A Croatian NGO has alleged that public authorities ignore rulings of the AZOP.
- Cyprus: Commissioner for Data Protection. In February 2019, the Commissioner fined a hospital €5,000 for losing a patient's file.
- Czech Republic: Office for Personal Data Protection. The Office is one of seven DPAs handling complaints that accuse Google of violating the GDPR with its location tracking mechanism.
- Denmark: Datatilsynet. The Datatilsynet was reported to have had major problems handling the large caseload of data protection complaints after the GDPR came into force.
- Estonia: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). The Inspectorate is currently undertaking a major investigation into a breach of children's data from over 500 Estonian schools.
- Finland: Office of the Data Protection Ombudsman. The Office reported in 2019 that it had received reports of over 2,700 data breaches since the GDPR came into force.
- France: Commission Nationale de l'Informatique et des Libertés (CNIL). The CNIL is best known for hitting Google with a €50 million fine in January 2019 after finding that Google's consent mechanisms were not GDPR-compliant.
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI). Germany has a federal DPA (the BfDI) plus a separate DPA for each federal state; the BfDI represents the German DPAs on the European Data Protection Board. In February 2019, it was reported that the BfDI had issued 41 fines since the GDPR came into force.
- Greece: Hellenic Data Protection Authority. The Authority provides English transcripts of a number of its decisions.
- Hungary: Hungarian National Authority for Data Protection and Freedom of Information (NAIH). In February 2019, the NAIH fined a company an amount equivalent to 6.5 percent of its annual sales revenue after it failed, without good reason, to comply with a subject access request.
- Ireland: Data Protection Commission (DPC). The DPC began an investigation into Facebook in December 2018, after private photos of around 7 million people were alleged to have been exposed to third-party apps.
- Italy: Garante per la protezione dei dati personali. The Garante fined Facebook €10 million in December 2018, after finding that Facebook had misled users during its signup process and unlawfully shared their data with third parties.
- Latvia: Data State Inspectorate (DSI). Early drafts of Latvia's GDPR implementing legislation would have given the DSI controversial powers to raid businesses without warning.
- Lithuania: State Data Protection Inspectorate (ADA). In August 2018, the Inspectorate began a probe into the privacy practices of a taxi company, alleging the "excessive, unnecessary" collection of personal data.
- Luxembourg: Commission Nationale pour la Protection des Données (CNPD). The CNPD recently warned that private companies are fraudulently claiming to be empowered to conduct data audits on the CNPD's behalf.
- Malta: Office of the Information and Data Protection Commissioner (IDPC). The IDPC fined the Maltese Lands Authority €5,000 in February 2019 after inadequate security processes led to a data breach.
- Netherlands: Autoriteit Persoonsgegevens. The Dutch DPA announced in March 2019 that it is investigating several websites with allegedly non-compliant cookie consent solutions (known as "cookie walls").
- Poland: Urząd Ochrony Danych Osobowych (UODO). The UODO is involved in a large-scale investigation into online ad auctions after a Polish digital rights charity alleged that such auctions reveal highly sensitive data in a way that breaches privacy rights.
- Portugal: Comissão Nacional de Protecção de Dados (CNPD). The CNPD fined a hospital €400,000 in November 2018, after it was revealed that too many people had access to patients' personal data.
- Romania: The National Supervisory Authority for Personal Data Processing. The Romanian DPA has been accused of misusing the GDPR after it threatened journalists with a fine for publishing leaked personal data. Certain journalistic activities are covered by a freedom-of-expression exemption in the GDPR.
- Slovakia: Office for Personal Data Protection of the Slovak Republic. Slovakia's DPA has been informed of the possible misuse of mobile phone numbers by a Slovakian taxi company after some women alleged that they had received advances via SMS from male taxi drivers.
- Slovenia: Information Commissioner of the Republic of Slovenia. There has been some question as to whether Slovenia's DPA has the power to issue fines under the GDPR, because Slovenia had not yet passed legislation implementing the GDPR into national law.
- Spain: Agencia Española de Protección de Datos (AEPD). The landmark case Google Spain v AEPD, brought against the Spanish DPA's decision, helped give rise to the well-known "right to be forgotten."
- Sweden: Datainspektionen. In February 2019, the Datainspektionen began investigating the leak of recordings of around 2.7 million phone calls, which were discovered on an unencrypted web server without password protection.
- United Kingdom: Information Commissioner's Office (ICO). In March 2019, the ICO released figures revealing that businesses took an average of 21 days to report data breaches to it, far longer than the 72 hours after becoming aware of a breach that the GDPR allows.
Getting to know your DPA is extremely important. DPAs can be a valuable source of information and advice, and you must also be ready to notify your DPA of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
In summary, DPAs:
- Operate in each EU Member State
- Sit on the European Data Protection Board
- Have powers of investigation, correction and authorization
If your company is established in the EU and operates across multiple EU Member States, be sure to determine which DPA is your Lead Supervisory Authority. This will allow you to take advantage of the One-Stop Shop mechanism.