IT Lexicon

Controlling authority

A supervisory authority is an independent public authority that is established by a European Union member state under the GDPR.

Using its investigative and enforcement powers, it monitors the application of the GDPR and of national laws on personal data protection in its territory.

Its missions are multiple, since each supervisory authority:

  • Monitors the application of the GDPR and ensures compliance;
  • Promotes public awareness and understanding of the risks, rules, safeguards and rights related to processing;
  • Advises the National Parliament, the Government and other institutions and bodies on legislative and administrative measures for the protection of the rights and freedoms of natural persons with regard to processing;
  • Encourages awareness among controllers and processors of their obligations under this Regulation;
  • Provides, upon request, information to any data subject on the exercise of his or her rights under the GDPR and, where necessary, cooperates with the supervisory authorities of other Member States for this purpose;
  • Processes complaints submitted by a data subject or by a body, organization or association, investigates the subject matter of the complaint, to the extent necessary, and informs the complainant of the status and outcome of the investigation within a reasonable period of time, including if further investigation or coordination with another supervisory authority is required;
  • Cooperates with other supervisory authorities, including by sharing information, and provides mutual assistance in this context with a view to ensuring consistent application of the GDPR and the measures taken to ensure compliance with it;
  • Conducts investigations into the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority;
  • Monitors relevant developments as they affect the protection of personal data, particularly in the area of information and communication technologies and business practices;
  • Adopts standard contract clauses;
  • Establishes and maintains a list in connection with the obligation to conduct a data protection impact assessment;
  • Provides guidance on processing operations subject to prior consultation;
  • Encourages the development of codes of conduct, advises on and approves codes of conduct that provide sufficient safeguards;
  • Encourages the establishment of certification mechanisms as well as data protection labels and trademarks and approves the certification criteria;
  • Conducts periodic reviews of issued certifications, as appropriate;
  • Drafts and publishes requirements for the accreditation of a code of conduct monitoring body and a certification body;
  • Accredits an organization responsible for monitoring codes of conduct;
  • Authorizes standard contract clauses;
  • Approves binding corporate rules;
  • Maintains internal records of GDPR violations and actions taken.

The independence of the supervisory authorities and their members is essential for the exercise of their tasks and powers under the conditions provided for in the GDPR.

In this respect, the term of office of the members of the supervisory authorities may not be less than four years.

The main supervisory authorities of the Member States are the following:

  • Spanish Data Protection Agency (AEPD) – Spain
  • Autoriteit Persoonsgegevens (AP) – The Netherlands
  • Data Protection Authority (DPA) – Belgium
  • Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) – Germany
  • National Commission for Information Technology and Civil Liberties (CNIL) – France
  • Datatilsynet – Denmark
  • Garante per la protezione dei dati personali (Garante) – Italy

In situations of cross-border data processing (involving more than one Member State), the lead supervisory authority is in principle that of the principal or sole establishment of the controller or processor in relation to the processing.

Member States, such as Germany and Spain, may designate several supervisory authorities, but they then designate the one that represents those authorities, particularly in the context of their participation in the European Data Protection Committee.

Indeed, each supervisory authority of the European Union member states participates in the European Data Protection Committee, which contributes to the consistent application of data protection rules within the Union.

GDPR focus

“Each Member State shall provide that one or more independent public authorities shall be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free flow of personal data within the Union.”

Article 51(1) of the GDPR

Case law focus

The Finnish Supreme Court recalled “that to terminate the statutory mandate without respecting the rules and guarantees provided for by the applicable law would be incompatible with the requirement of independence”.

Korkein hallinto-oikeus, September 10, 2021, N°HFD:2021:125

The Bouchara firm assists you in particular with:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter…);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.