Supervisory authority
A data protection supervisory authority is an independent public body that monitors and enforces the application of the GDPR and advises both data subjects and controllers.
A supervisory authority under the General Data Protection Regulation is a fully independent public body, established by each Member State, that is responsible for monitoring the application of the GDPR (Art. 51 GDPR). Because of its federal structure, Germany has the Federal Commissioner for Data Protection and Freedom of Information (BfDI) as well as the state data protection authorities of its 16 federal states. Their purpose is to protect the fundamental rights and freedoms of natural persons with regard to the processing of personal data while facilitating the free flow of data within the Union.
The tasks of a supervisory authority are set out in Art. 57 GDPR and range from raising public awareness and advising controllers and processors to handling complaints from data subjects (Art. 77 GDPR). To carry out these tasks, Art. 58 GDPR grants extensive powers: investigative powers (such as access to premises and data, requests for information, and the conduct of audits), corrective powers (warnings, reprimands, orders to comply, and temporary or definitive limitations on processing including an outright ban), authorisation and advisory powers, and the power to impose administrative fines under Art. 83 GDPR. For the most serious infringements, these fines can amount to up to 20 million euros or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Competence is generally determined by the place of establishment of the controller or processor (Art. 55 GDPR); within Germany this decides which state authority, or the BfDI, is responsible. For cross-border processing, the lead supervisory authority mechanism (One-Stop-Shop, Art. 56 GDPR) applies: the authority at the location of the main establishment becomes the lead and cooperates with the supervisory authorities concerned under the cooperation procedure of Art. 60 GDPR. Where the authorities cannot agree, the consistency mechanism (Art. 63 et seq. GDPR) ensures uniform application of the law. At the European level, the European Data Protection Board (EDPB) coordinates the authorities and can issue binding dispute resolution decisions (Art. 65 GDPR). For companies, the supervisory authority is therefore at once a point of contact, a regulator, and a potential sanctioning body.
Legal Basis
Art. 51 to 60, Art. 63 to 65, Art. 77, Art. 83 GDPR; Sections 8 et seq. BDSG
Practical Example
A mid-sized company headquartered in Bavaria with branches in several EU states processes customer data centrally. As the data protection officer, you first clarify that the Bavarian State Office for Data Protection Supervision (BayLDA) is the competent lead authority for this cross-border processing, since the main establishment is in Bavaria. Following a reportable data breach, you document the incident, notify the authority within 72 hours of becoming aware of it as required by Art. 33 GDPR, and name a fixed point of contact for follow-up enquiries. When the authority, exercising its investigative powers, requests the record of processing activities (Art. 30 GDPR) and the technical and organisational measures in place (Art. 32 GDPR), the company can present the documents in full and on demand. It thereby demonstrates its accountability (Art. 5(2) GDPR), which considerably reduces the risk of a corrective order or a fine; incomplete or missing documentation, by contrast, is itself an infringement that the authority can sanction.