Legal

Supervisory Authority

An independent public authority responsible for monitoring the application of data protection law in its jurisdiction.

A supervisory authority (also called a Data Protection Authority or DPA) is an independent public body established by an EU member state, responsible for monitoring and enforcing the application of the GDPR.

Powers

  • Investigative — conduct audits, obtain access to premises and data
  • Corrective — issue warnings, reprimands, orders, and fines
  • Advisory — issue opinions and approve BCRs

Examples

  • ANSPDCP — Romania
  • CNIL — France
  • ICO — United Kingdom
  • BfDI — Germany (Federal)
  • DPC — Ireland (lead authority for many tech companies)

One-Stop-Shop Mechanism

For cross-border processing, the supervisory authority in the country of the controller's main establishment acts as the lead supervisory authority, coordinating with other concerned authorities.

GDPR Articles 51–59.

Related Terms

Data ControllerPrivacy

The entity that determines the purposes and means of processing personal data.

DPOPrivacy

Data Protection Officer — an independent expert responsible for monitoring an organisation's data protection compliance.

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

Binding Corporate RulesLegal

Internal data protection policies approved by a supervisory authority for multinational corporations to transfer data within their group.

Sub-Processor