GDPR Learning Hub

Roles in GDPR

National Supervisory Authorities

National regulatory authorities have a variety of powers. These are set out in Article 50 of the GDPR. 

Among other things, a national supervisory authority can decide on the following, if a company violates the rules of the GDPR:


Reprimand

A reprimand is a formal warning that a supervisory authority can decide on, for example if there is a violation of GDPR that is not so serious. It is a milder sanction than an administrative fine or a prohibition.


Administrative fine

An administrative fine is a fine that a supervisory authority can impose for infringements of the GDPR. This can amount to a maximum of €20 million or 4% of global annual turnover (the highest of the options). Please note that it is not the data subjects who receive the money from the administrative fine, but instead the sum must be paid to the state.


Prohibition

A supervisory authority may decide that a processing of personal data must cease and that the company may not carry out such processing.

Appeal against a decision of a national supervisory authority to a court

It is possible for a company to appeal a decision of a national supervisory authority to a court. Thereafter, it can be appealed in the various instances up to the Supreme Court, if the court chooses to take up the case. In addition, the Supreme Court can request an opinion from the European Commission if they are unsure of their decision. 

National supervisory authorities publish publications and make recommendations regarding GDPR

GDPR is a comprehensive regulatory framework and the consequences can be devastating for companies that violate the regulation. There is a lot of information and a lot of rules for companies and their employees to keep track of. Valuable information about the GDPR can often be found at the national supervisory authorities. Among other things, recommendations and publications issued by the national supervisory authorities facilitate understanding of the GDPR and help interpret the regulatory framework.

Prior consultation prior to certain processing of personal data

For certain processing operations, a company may need to request prior consultation with the national data protection authority before the desired processing is carried out. Please note that the company must carry out an impact assessment first. In addition, the impact assessment shall be well documented. Thereafter, the company may need to request a prior consultation of the national supervisory authority, if the risk to the rights and freedoms of individuals remains high. 

Representatives of the national supervisory authorities in the European Data Protection Board

Each national supervisory authority in the EU/EEA area has a member on the European Data Protection Board (EDPB). It is usually the national supervisory authority that represents the country on the EDPB. The EDPB is an independent body that, among other things, provides guidelines to national supervisory authorities and works to ensure that the GDPR is applied in the same way in all countries within the Union.

If a data subject wishes to obtain compensation for infringements of the GDPR

If a data subject believes that a company, organization or public body has violated the GDPR and wants to claim damages, the data subject needs to bring a civil action against the company. A supervisory authority does not represent data subjects in civil proceedings. Furthermore, the data subject needs to be responsible for and pay his/her legal fees and similar costs due to the case himself/herself. 

However, it can be beneficial to a data subject in a civil case against a company, if the company in question has received a judgment or decision regarding the violation of the GDPR from the national supervisory authority.

The Court of Justice of the European Union gave its opinion in a case that reached the Supreme Administrative Court of Bulgaria

In Bulgaria, there was a cyberattack at the tax office that resulted in the personal data of millions of people ending up on the internet. A number of individuals, whose personal data was the subject of the personal data breach, therefore chose to sue the tax authority. The claim concerned compensation for non-material damage caused by the personal data breach.

The Supreme Administrative Court of Bulgaria requested a preliminary ruling from the Court of Justice of the European Union. The CJEU found that a fear of possible misuse of personal data in the future may constitute non-material damage. It may therefore be possible to obtain compensation. Note, however, that the fear must be well-founded. 

A national supervisory authority may have several tasks

It is possible for a national supervisory authority to work in more areas than just GDPR. One example is camera surveillance, which is also covered by the GDPR but which may be regulated by other laws and require a permit to be carried out. In Sweden, for example, it is the national supervisory authority for the GDPR that also makes decisions regarding camera surveillance.

Independent supervisory authority

One thing that the European Commission specifically looks at when deciding whether or not a third country has an adequate level of protection is precisely whether the country in question has an independent national supervisory authority.

If a third country (that is, a country outside the EU/EEA) has an adequate level of protection, it is allowed to transfer personal data there without having to take any special security measures or get permission. However, it is not a company that can decide whether a country has an adequate level of protection or not, as it is only the European Commission that decides on this. 

When making the assessment, the European Commission looks at, among other things, whether the country has an independent national supervisory authority for handling data protection issues, what legal possibilities data subjects have, whether the country respects human rights, etc. Please note that, for example, a region or state may have an adequate level of protection. In other words, it does not necessarily have to be a whole country per se that the decision covers. 

Cross-border processing of personal data

When a processing of personal data is related to two or more countries within the EU, it is a cross-border processing of personal data. It may be that the company operates in several countries and sends personal data to the head office located in one of the countries for administration. Another example could be if the processing of personal data in a specific country is highly likely or will significantly affect data subjects in two or more Member States. 


Supervisory authority if a company operates in several EU countries

As a general rule, a company should only have contact with a supervisory authority in one country. It does not matter whether the company is a data controller or a data processor. For example, the company does not need to notify a personal data breach involving personal data in several countries to the data protection authority in each country, but only to the company's lead supervisory authority. It is therefore important to know which authority that is: it is the supervisory authority in the country where the company has its main establishment.


Data subjects do not need to know which is the lead supervisory authority

Data subjects, on the other hand, can submit a notification of a violation of the GDPR to their own national supervisory authority located in their country of residence. Data subjects are thus not required to submit the notification to the company’s lead supervisory authority. The supervisory authorities within the Union cooperate and will transfer the case to the supervisory authority that is most appropriate in the case.

Several supervisory authorities can carry out supervision

It is not uncommon for national supervisors in several countries across the Union to cooperate and carry out targeted supervision together. Many of today’s companies are international and process personal data belonging to individuals who are located in several countries within the EU/EEA. If there is a personal data breach at such an international company, data subjects from several countries may be affected by the breach. In such cases, it may be the case that a supervisory authority carries out the supervision, while supervisory authorities from the other countries provide their views on the matter. 

More about roles

Data controllers according to GDPR

It is the controller who determines the purpose and means of the processing, and who is responsible for the processing of personal data. It is not a manager or employee of the company, but the company itself that holds this role. However, in some cases the data controller may be an individual, for example a sole trader, or a private person who has installed a surveillance camera filming a public road. The controller must, among other things, be able to demonstrate compliance with the GDPR. This means, among other things, having appropriate GDPR-related agreements and documents in place.
