Non-compliance with the forthcoming General Data Protection Regulation (GDPR) can mean significant administrative fines and penalties for data controllers and processors. The GDPR takes effect on May 25, 2018, when the current Data Protection Directive 95/46/EC is repealed. The directive was binding on all EU member states as to the result to be achieved, but it left the choice of "forms or methods" to the national authorities of each state, so each state transposed it into its own national law. By contrast, the GDPR is a regulation: the entire text, including all of its enforcement provisions, is directly applicable in every member state from that date and requires no additional national implementing measures. Entities that process the personal data of individuals in the EU must therefore understand their responsibilities under the GDPR and be prepared to comply with its provisions from the day it applies, or risk significant administrative fines and penalties. This article (the fifth in our seven-part series on the GDPR) discusses how supervisory authorities are established under the GDPR and the factors those authorities will weigh when assessing administrative fines and penalties against non-compliant entities.
"Supervisory Authorities" under the GDPR, and how they exercise their authority
Under Article 51 of the GDPR, each member state must provide for one or more independent public "supervisory authorities" responsible for monitoring the application of the regulation, and Article 53 requires that the members of each authority have "the qualifications, experience and skills, in particular in the area of the protection of personal data," needed to perform their duties. Where a controller or processor carries out cross-border processing, it answers to a single "lead supervisory authority" (Article 56). The lead supervisory authority is the authority of the member state in which the controller or processor has its "main establishment," ordinarily the place of "its central administration in the Union" (in other words, its headquarters, in most cases).
Where a controller or processor operates in multiple member states, the lead supervisory authority coordinates as needed with the other supervisory authorities "concerned" (broadly, those in whose territory the entity has an establishment, whose residents are substantially affected by the processing, or with which a complaint has been lodged) on matters of compliance and enforcement. Whether a matter is handled by the lead authority or by a concerned authority, the GDPR sets out a cooperation procedure for reaching a decision, a mechanism for resolving disputes between authorities (through binding decisions of the European Data Protection Board), and requirements that all parties to the matter be notified of the outcome.
Articles 57 and 58 set out in detail the "tasks" and "powers" of each supervisory authority. Among other things, each authority must:
monitor and enforce the application of the regulation; handle complaints lodged by a data subject, or by a body, organization or association; and conduct investigations on the application of the regulation, including on the basis of information received from another supervisory authority...